Re: bin/59511: some variable addresses not processed by firewall rules.
The following reply was made to PR bin/59511; it has been noted by GNATS.
From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: bin/59511: some variable addresses not processed by firewall rules.
Date: Sat, 5 Jul 2025 16:28:25 -0000 (UTC)
emmankoko519%gmail.com@localhost writes:
>packets from some of my blocklist addresses that are appended in variables passes.
>192.168.100.8 passes but those from 192.168.100.5 rightly gets blocked.
Maybe this:
Index: usr.sbin/npf/npfctl/npf_var.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/npf/npfctl/npf_var.c,v
retrieving revision 1.15
diff -p -u -r1.15 npf_var.c
--- usr.sbin/npf/npfctl/npf_var.c 1 Jun 2025 00:54:36 -0000 1.15
+++ usr.sbin/npf/npfctl/npf_var.c 5 Jul 2025 16:26:30 -0000
@@ -57,6 +57,8 @@ struct npfvar {
void * v_next;
};
+static size_t npfvar_get_count1(const npfvar_t *, size_t);
+
static npfvar_t * var_list = NULL;
static size_t var_num = 0;
@@ -222,16 +224,47 @@ npf_var_rid(char *var_id, rid_parser par
}
}
+static size_t
+npfvar_get_count1(const npfvar_t *vp, size_t level)
+{
+ npf_element_t *el;
+ size_t count = 0;
+
+ if (vp == NULL) {
+ return 0;
+ }
+ if (level >= var_num) {
+ yyerror("circular dependency for variable '%s'", vp->v_key);
+ return 0;
+ }
+ el = vp->v_elements;
+ while (el) {
+ if (el->e_type == NPFVAR_VAR_ID) {
+ const npfvar_t *rvp;
+ rvp = npfvar_lookup(el->e_data);
+ if (rvp != NULL)
+ count += npfvar_get_count1(rvp, level + 1);
+ } else {
+ count += 1;
+ }
+ el = el->e_next;
+ }
+
+ return count;
+}
+
size_t
npfvar_get_count(const npfvar_t *vp)
{
- return vp ? vp->v_count : 0;
+ return npfvar_get_count1(vp, 0);
}
static npf_element_t *
npfvar_get_element(const npfvar_t *vp, size_t idx, size_t level)
{
npf_element_t *el;
+ size_t togo, total;
+ const npfvar_t *rvp;
/*
* Verify the parameters.
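Review bot: npfvar_get_count1 silently skips a reference whose lookup fails (`if (rvp != NULL)` has no else branch), while the rewritten loop in npfvar_get_element in the next hunk still counts that same element as one entry and can return the unresolved NPFVAR_VAR_ID element itself. The count and the indexable range then differ by one for each such reference. The callers are not visible here, but if they iterate up to the count, the tail of an address list would be dropped without any diagnostic. Reporting the failed lookup makes a misspelled name visible instead, e.g. `else yyerror("undefined variable referenced in '%s'", vp->v_key);`. A short comment above the helper should state that it returns the element count after expanding nested references and that `level` bounds the recursion by `var_num`.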
@@ -243,27 +276,40 @@ npfvar_get_element(const npfvar_t *vp, s
yyerror("circular dependency for variable '%s'", vp->v_key);
return NULL;
}
- if (vp->v_count <= idx) {
- yyerror("variable '%s' has only %zu elements, requested %zu",
- vp->v_key, vp->v_count, idx);
- return NULL;
- }
-
/*
* Get the element at the given index.
*/
el = vp->v_elements;
- while (idx--) {
+ rvp = NULL;
+ togo = idx;
+ total = 0;
+ while (el) {
+ /*
+ * Resolve if it is a reference to another variable.
+ */
+ if (el->e_type == NPFVAR_VAR_ID) {
+ rvp = npfvar_lookup(el->e_data);
+ if (rvp != NULL && rvp->v_count > 0) {
+ if (togo < rvp->v_count)
+ return npfvar_get_element(rvp,
+ togo, level + 1);
+ total += (rvp->v_count - 1);
+ togo -= (rvp->v_count - 1);
+ }
+ }
+
+ total += 1;
+ if (togo-- == 0)
+ break;
+
el = el->e_next;
}
- /*
- * Resolve if it is a reference to another variable.
- */
- if (el->e_type == NPFVAR_VAR_ID) {
- const npfvar_t *rvp = npfvar_lookup(el->e_data);
- return npfvar_get_element(rvp, 0, level + 1);
+ if (el == NULL) {
+ yyerror("variable '%s' has only %zu elements, requested %zu",
+ vp->v_key, total, idx);
}
+
return el;
}
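Review bot: The skip arithmetic in the new `while (el)` loop uses `rvp->v_count`, whereas npfvar_get_count in the previous hunk now returns the count with nested references expanded. Assuming `v_count` is the number of entries in a variable's own list, a reference to a variable that itself contains a reference is stepped over by too few positions, so some indexes return a different element than the count implies and the last ones end in the "has only %zu elements" error. Computing the size once with the same helper keeps the two functions in agreement: `size_t n = npfvar_get_count1(rvp, level + 1);`, then `n` in place of `rvp->v_count` in the comparison and in both adjustments. For a list that feeds filter rules, an entry that cannot be reached by index is an address the ruleset does not cover. The function's opening and its parameter checks lie partly outside this hunk.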