NetBSD-Bugs archive
Re: bin/59511: some variable addresses not processed by firewall rules.
Hi Michael,
Thanks for the pointers and the patch. I will make use of it.
Thanks again!!
> On 5 Jul 2025, at 4:30 PM, Michael van Elst via gnats <gnats-admin%NetBSD.org@localhost> wrote:
>
> The following reply was made to PR bin/59511; it has been noted by GNATS.
>
> From: mlelstv%serpens.de@localhost (Michael van Elst)
> To: gnats-bugs%netbsd.org@localhost
> Cc:
> Subject: Re: bin/59511: some variable addresses not processed by firewall rules.
> Date: Sat, 5 Jul 2025 16:28:25 -0000 (UTC)
>
> emmankoko519%gmail.com@localhost writes:
>
>> packets from some of my blocklist addresses that are appended in variables passes.
>> 192.168.100.8 passes but those from 192.168.100.5 rightly gets blocked.
>
>
> Maybe this:
>
>
> Index: usr.sbin/npf/npfctl/npf_var.c
> ===================================================================
> RCS file: /cvsroot/src/usr.sbin/npf/npfctl/npf_var.c,v
> retrieving revision 1.15
> diff -p -u -r1.15 npf_var.c
> --- usr.sbin/npf/npfctl/npf_var.c 1 Jun 2025 00:54:36 -0000 1.15
> +++ usr.sbin/npf/npfctl/npf_var.c 5 Jul 2025 16:26:30 -0000
> @@ -57,6 +57,8 @@ struct npfvar {
> void * v_next;
> };
>
> +static size_t npfvar_get_count1(const npfvar_t *, size_t);
> +
> static npfvar_t * var_list = NULL;
> static size_t var_num = 0;
>
> @@ -222,16 +224,47 @@ npf_var_rid(char *var_id, rid_parser par
> }
> }
>
> +static size_t
> +npfvar_get_count1(const npfvar_t *vp, size_t level)
> +{
> + npf_element_t *el;
> + size_t count = 0;
> +
> + if (vp == NULL) {
> + return 0;
> + }
> + if (level >= var_num) {
> + yyerror("circular dependency for variable '%s'", vp->v_key);
> + return 0;
> + }
> + el = vp->v_elements;
> + while (el) {
> + if (el->e_type == NPFVAR_VAR_ID) {
> + const npfvar_t *rvp;
> + rvp = npfvar_lookup(el->e_data);
> + if (rvp != NULL)
> + count += npfvar_get_count1(rvp, level + 1);
> + } else {
> + count += 1;
> + }
> + el = el->e_next;
> + }
> +
> + return count;
> +}
> +
> size_t
> npfvar_get_count(const npfvar_t *vp)
> {
> - return vp ? vp->v_count : 0;
> + return npfvar_get_count1(vp, 0);
> }
>
> static npf_element_t *
> npfvar_get_element(const npfvar_t *vp, size_t idx, size_t level)
> {
> npf_element_t *el;
> + size_t togo, total;
> + const npfvar_t *rvp;
>
> /*
> * Verify the parameters.
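Review bot: In npfvar_get_count1, a reference whose npfvar_lookup() returns NULL adds nothing to the count and produces no diagnostic, because `if (rvp != NULL)` has no else branch. For a variable that feeds a block rule, a mistyped or undefined name would then shrink the address list without notice, unless the parser already rejects undefined variables earlier, which is not visible here. Consider reporting it, e.g. `else yyerror("variable '%s' references an undefined variable", vp->v_key);`. A short comment above the function would also help, stating that it returns the flattened element count and that `level` bounds the recursion by `var_num`, since `v_count` still holds only the direct count.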
> @@ -243,27 +276,40 @@ npfvar_get_element(const npfvar_t *vp, s
> yyerror("circular dependency for variable '%s'", vp->v_key);
> return NULL;
> }
> - if (vp->v_count <= idx) {
> - yyerror("variable '%s' has only %zu elements, requested %zu",
> - vp->v_key, vp->v_count, idx);
> - return NULL;
> - }
> -
> /*
> * Get the element at the given index.
> */
> el = vp->v_elements;
> - while (idx--) {
> + rvp = NULL;
> + togo = idx;
> + total = 0;
> + while (el) {
> + /*
> + * Resolve if it is a reference to another variable.
> + */
> + if (el->e_type == NPFVAR_VAR_ID) {
> + rvp = npfvar_lookup(el->e_data);
> + if (rvp != NULL && rvp->v_count > 0) {
> + if (togo < rvp->v_count)
> + return npfvar_get_element(rvp,
> + togo, level + 1);
> + total += (rvp->v_count - 1);
> + togo -= (rvp->v_count - 1);
> + }
> + }
> +
> + total += 1;
> + if (togo-- == 0)
> + break;
> +
> el = el->e_next;
> }
>
> - /*
> - * Resolve if it is a reference to another variable.
> - */
> - if (el->e_type == NPFVAR_VAR_ID) {
> - const npfvar_t *rvp = npfvar_lookup(el->e_data);
> - return npfvar_get_element(rvp, 0, level + 1);
> + if (el == NULL) {
> + yyerror("variable '%s' has only %zu elements, requested %zu",
> + vp->v_key, total, idx);
> }
> +
> return el;
> }
>
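Review bot: The loop in npfvar_get_element sizes each referenced variable with `rvp->v_count`, its direct element count, while npfvar_get_count now returns the recursively flattened count, so the two disagree once references nest two levels deep. With A = { $B, x }, B = { $C }, C = { c1, c2 } (a constructed example), the count is 3 but index 1 yields x and index 2 ends in "has only 2 elements", so c2 is never returned and would not reach the rule. Compute `size_t n = npfvar_get_count1(rvp, level + 1);` once per reference and use `n` wherever `rvp->v_count` appears in the loop. Separately, a reference that fails lookup or is empty falls through to `total += 1` and can be returned as an unresolved NPFVAR_VAR_ID element, although the counter treats it as zero; that case probably wants a yyerror and a NULL return. The function starts in the previous hunk, so its parameter checks are only partly visible here.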
>
Emmanuel