Re: bin/59511: some variable addresses not processed by firewall rules.

["Michael van Elst via gnats" <gnats-admin%NetBSD.org@localhost>]

The following reply was made to PR bin/59511; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/59511: some variable addresses not processed by firewall rules.
Date: Sat, 5 Jul 2025 16:28:25 -0000 (UTC)

 emmankoko519%gmail.com@localhost writes:
 
 >packets from some of my blocklist addresses that are appended in variables passes.
 >192.168.100.8 passes but those from 192.168.100.5 rightly gets blocked.
 
 
 Maybe this:
 
 
 Index: usr.sbin/npf/npfctl/npf_var.c
 ===================================================================
 RCS file: /cvsroot/src/usr.sbin/npf/npfctl/npf_var.c,v
 retrieving revision 1.15
 diff -p -u -r1.15 npf_var.c
 --- usr.sbin/npf/npfctl/npf_var.c	1 Jun 2025 00:54:36 -0000	1.15
 +++ usr.sbin/npf/npfctl/npf_var.c	5 Jul 2025 16:26:30 -0000
 @@ -57,6 +57,8 @@ struct npfvar {
  	void *		v_next;
  };
  
 +static size_t npfvar_get_count1(const npfvar_t *, size_t);
 +
  static npfvar_t *	var_list = NULL;
  static size_t		var_num = 0;
  
 @@ -222,16 +224,47 @@ npf_var_rid(char *var_id, rid_parser par
  	}
  }
  
 +static size_t
 +npfvar_get_count1(const npfvar_t *vp, size_t level)
 +{
 +	npf_element_t *el;
 +	size_t count = 0;
 +
 +	if (vp == NULL) {
 +		return 0;
 +	}
 +	if (level >= var_num) {
 +		yyerror("circular dependency for variable '%s'", vp->v_key);
 +		return 0;
 +	}
 +	el = vp->v_elements;
 +	while (el) {
 +		if (el->e_type == NPFVAR_VAR_ID) {
 +			const npfvar_t *rvp;
 +			rvp = npfvar_lookup(el->e_data);
 +			if (rvp != NULL)
 +				count += npfvar_get_count1(rvp, level + 1);
 +		} else {
 +			count += 1;
 +		}
 +		el = el->e_next;
 +	}
 +
 +	return count;
 +}
 +
  size_t
  npfvar_get_count(const npfvar_t *vp)
  {
 -	return vp ? vp->v_count : 0;
 +	return npfvar_get_count1(vp, 0);
  }
  
  static npf_element_t *
  npfvar_get_element(const npfvar_t *vp, size_t idx, size_t level)
  {
  	npf_element_t *el;
 +	size_t togo, total;
 +	const npfvar_t *rvp;
  
  	/*
  	 * Verify the parameters.
 @@ -243,27 +276,40 @@ npfvar_get_element(const npfvar_t *vp, s
  		yyerror("circular dependency for variable '%s'", vp->v_key);
  		return NULL;
  	}
 -	if (vp->v_count <= idx) {
 -		yyerror("variable '%s' has only %zu elements, requested %zu",
 -		    vp->v_key, vp->v_count, idx);
 -		return NULL;
 -	}
 -
  	/*
  	 * Get the element at the given index.
  	 */
  	el = vp->v_elements;
 -	while (idx--) {
 +	rvp = NULL;
 +	togo = idx;
 +	total = 0;
 +	while (el) {
 +		/*
 +		 * Resolve if it is a reference to another variable.
 +		 */
 +		if (el->e_type == NPFVAR_VAR_ID) {
 +			rvp = npfvar_lookup(el->e_data);
 +			if (rvp != NULL && rvp->v_count > 0) {
 +				if (togo < rvp->v_count)
 +					return npfvar_get_element(rvp,
 +					    togo, level + 1);
 +				total += (rvp->v_count - 1);
 +				togo -= (rvp->v_count - 1);
 +			}
 +		}
 +
 +		total += 1;
 +		if (togo-- == 0)
 +			break;
 +
  		el = el->e_next;
  	}
  
 -	/*
 -	 * Resolve if it is a reference to another variable.
 -	 */
 -	if (el->e_type == NPFVAR_VAR_ID) {
 -		const npfvar_t *rvp = npfvar_lookup(el->e_data);
 -		return npfvar_get_element(rvp, 0, level + 1);
 +	if (el == NULL) {
 +		yyerror("variable '%s' has only %zu elements, requested %zu",
 +		    vp->v_key, total, idx);
  	}
 +
  	return el;
  }