NetBSD-Bugs archive


Re: kern/58543: NPF rule with multiple addresses in "from" disregards source address constraint



The following reply was made to PR kern/58543; it has been noted by GNATS.

From: Tobias Nygren <tnn%nygren.pp.se@localhost>
To: mlelstv%serpens.de@localhost (Michael van Elst)
Cc: gnats-bugs%netbsd.org@localhost
Subject: Re: kern/58543: NPF rule with multiple addresses in "from"
 disregards source address constraint
Date: Sat, 3 Aug 2024 13:10:09 +0200

 On Sat,  3 Aug 2024 05:40:01 +0000 (UTC)
 mlelstv%serpens.de@localhost (Michael van Elst) wrote:
 
 >  The compiler generates bad BPF code for IPv6 (see bin/55403).
 >  
 >  Quick workaround is to use a table instead of a list of addresses.
 >  
 >  I am using this patch that compiles working, but maybe not
 >  optimal BPF code. Please check if that helps in your case:
 
 Thanks, the patch seems to work OK on my router box, other than
 exposing that my full ruleset is incomplete and relies on the broken
 behaviour, which is a good thing to discover.
 Should I close this PR as a duplicate?
 Optimal or not, please ask tech-net@ for review and commit your patch
 with pullups sooner rather than later. Common npf usage patterns such as
 
 $ext_v6 = inet6(wm0)
 pass stateful out final family inet6 proto tcp from $ext_v6 to any
 
 will actually expand to a set containing at least two addresses in
 almost all cases, because of the link-local scope, which then risks
 exposing the unsuspecting user's internal services to the Internet.
 
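A constructed npf.conf fragment, added here and not part of the PR or of either poster's message, showing the affected "from" pattern beside the table workaround Michael van Elst mentions. The interface wm0 is the one named in the thread; the internal interface wm1, the table name ext6, the group names and the documentation-range addresses are assumptions made for illustration.

```conf
# Constructed npf.conf fragment (not from the PR). wm0 is the interface named
# in the thread; wm1, the table name and all addresses are placeholders.
$ext_if = "wm0"
$int_if = "wm1"

# Affected pattern (kern/58543, see bin/55403): inet6(wm0) expands to the
# global address plus the link-local one, i.e. a set of at least two
# addresses, and the BPF code generated for that set disregards the "from"
# constraint, so the rule matches more than the writer intended.
# $ext_v6 = inet6($ext_if)
# pass stateful out final family inet6 proto tcp from $ext_v6 to any

# Workaround from the thread: reference a table instead of an address list.
# This is a dynamic ipset table; after the ruleset is loaded it is filled with
# the addresses reported by "ifconfig wm0 inet6", for example:
#   npfctl table ext6 add 2001:db8:1::1
#   npfctl table ext6 add fe80::1
table <ext6> type ipset

group "external" on $ext_if {
	# Source constraint now comes from the table, not from an expanded list.
	pass stateful out final family inet6 proto tcp from <ext6> to any
	pass stateful out final family inet6 proto udp from <ext6> to any
	pass stateful out final family inet6 proto ipv6-icmp from <ext6> to any
}

group "internal" on $int_if {
	pass stateful in final from $int_if:network to any
}

group default {
	pass final on lo0 all
	block all
}
```

Load it with `npfctl reload`, then `npfctl table ext6 list` shows what the table holds and `npfctl show` the rules in effect. Because the table is populated by hand, it must be refreshed whenever the addresses on wm0 change (SLAAC or temporary addresses, for instance); until then the stateful out rule matches nothing, which fails closed rather than open.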

