Hi,
Having either of these two rules in /etc/pf.conf:
    block in quick from no-route to any
or
    block in quick from urpf-failed to any
triggers the following error while loading rules:
    # cat /etc/pf.conf; echo; pfctl -v -f /etc/pf.conf
    block in quick from urpf-failed to any

    No ALTQ support in kernel
    ALTQ related functions disabled
    pfctl: DIOCADDRULE: Invalid argument
    # cat /etc/pf.conf; echo; pfctl -v -f /etc/pf.conf
    block in quick from no-route to any

    No ALTQ support in kernel
    ALTQ related functions disabled
    pfctl: DIOCADDRULE: Invalid argument
This worked flawlessly in stable/12.
    # uname -a
    FreeBSD beastie 13.0-STABLE FreeBSD 13.0-STABLE #2 stable/13-8874f305d: Sat Feb 13 10:50:10 CET 2021 root@beastie:/usr/obj/usr/src/amd64.amd64/sys/BEASTIE amd64
I can reproduce this, and think that it's likely caused by 7a808c5ee3296fdb72d8e8bc6c7ad6f316a520ab.
It's probably overly strict input validation, but I still need to work out what the correct validation code should be.
Can you test https://reviews.freebsd.org/D28650 ? I'll try to get it merged to releng/13.0 in time for the release.
Applied the patch to latest stable/13 tree. Looks good to me:
    # pfctl -v -f ./pf.conf
    No ALTQ support in kernel
    ALTQ related functions disabled
    block drop in quick from no-route to any
    block drop in quick from urpf-failed to any
    # pfctl -sr
    block drop in quick from no-route to any
    block drop in quick from urpf-failed to any
Thanks
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=5e42cb139fc17f165c9c93ac97069dc7770490e2
    commit 5e42cb139fc17f165c9c93ac97069dc7770490e2
    Author: Kristof Provost <kp@FreeBSD.org>
    AuthorDate: 2021-02-13 15:31:52 +0000
    Commit: Kristof Provost <kp@FreeBSD.org>
    CommitDate: 2021-02-14 11:07:31 +0000

        pf: Slightly relax pf_rule_addr validation

        Ensure we don't reject no-route / urpf-failed addresses.

        PR: 253479
        Reported by: michal AT microwave.sk
        Reviewed by: donner@
        MFC after: 3 days
        Differential Revision: https://reviews.freebsd.org/D28650

    sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
    1 file changed, 30 insertions(+), 17 deletions(-)
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=6b52139eb8e8eda0ea263b24735556194f918642
    commit 6b52139eb8e8eda0ea263b24735556194f918642
    Author: Kristof Provost <kp@FreeBSD.org>
    AuthorDate: 2021-02-15 21:16:36 +0000
    Commit: Kristof Provost <kp@FreeBSD.org>
    CommitDate: 2021-02-16 09:48:58 +0000

        pf tests: Test unicast reverse path forwarding check

        Ensure that pf's urpf-failed keyword works as expected.

        PR: 253479
        MFC after: 1 week
        Reviewed by: melifaro@
        Differential Revision: https://reviews.freebsd.org/D28694

    tests/sys/netpfil/common/pft_ping.py | 52 ++++++++++++++++++++++++++++
    tests/sys/netpfil/pf/pass_block.sh | 67 ++++++++++++++++++++++++++++++++++++
    2 files changed, 119 insertions(+)
A commit in branch stable/13 references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=f9a66bb91ae1f3f175d0c16730c683841525bd1d
    commit f9a66bb91ae1f3f175d0c16730c683841525bd1d
    Author: Kristof Provost <kp@FreeBSD.org>
    AuthorDate: 2021-02-13 15:31:52 +0000
    Commit: Kristof Provost <kp@FreeBSD.org>
    CommitDate: 2021-02-17 13:03:58 +0000

        pf: Slightly relax pf_rule_addr validation

        Ensure we don't reject no-route / urpf-failed addresses.

        PR: 253479
        Reported by: michal AT microwave.sk
        Reviewed by: donner@
        MFC after: 3 days
        Differential Revision: https://reviews.freebsd.org/D28650

        (cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)

    sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
    1 file changed, 30 insertions(+), 17 deletions(-)
A commit in branch stable/12 references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=f8d1f2da0922fdff846b13baa7315652b43aa95c
    commit f8d1f2da0922fdff846b13baa7315652b43aa95c
    Author: Kristof Provost <kp@FreeBSD.org>
    AuthorDate: 2021-02-13 15:31:52 +0000
    Commit: Kristof Provost <kp@FreeBSD.org>
    CommitDate: 2021-02-17 09:11:19 +0000

        pf: Slightly relax pf_rule_addr validation

        Ensure we don't reject no-route / urpf-failed addresses.

        PR: 253479
        Reported by: michal AT microwave.sk
        Reviewed by: donner@
        MFC after: 3 days
        Differential Revision: https://reviews.freebsd.org/D28650

        (cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)

    sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
    1 file changed, 30 insertions(+), 17 deletions(-)
A commit in branch releng/13.0 references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=00abeecb4a25728f36f763822bd584e7bf4f50b7
    commit 00abeecb4a25728f36f763822bd584e7bf4f50b7
    Author: Kristof Provost <kp@FreeBSD.org>
    AuthorDate: 2021-02-13 15:31:52 +0000
    Commit: Kristof Provost <kp@FreeBSD.org>
    CommitDate: 2021-02-17 16:48:58 +0000

        pf: Slightly relax pf_rule_addr validation

        Ensure we don't reject no-route / urpf-failed addresses.

        PR: 253479
        Approved by: re (gjb)
        Reported by: michal AT microwave.sk
        Reviewed by: donner@
        MFC after: 3 days
        Differential Revision: https://reviews.freebsd.org/D28650

        (cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)
        (cherry picked from commit f9a66bb91ae1f3f175d0c16730c683841525bd1d)

    sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
    1 file changed, 30 insertions(+), 17 deletions(-)
A commit in branch stable/13 references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=04535d6a572ac63b448a5def4525947bd00d9f8a
    commit 04535d6a572ac63b448a5def4525947bd00d9f8a
    Author: Kristof Provost <kp@FreeBSD.org>
    AuthorDate: 2021-02-15 21:16:36 +0000
    Commit: Kristof Provost <kp@FreeBSD.org>
    CommitDate: 2021-02-23 11:46:25 +0000

        pf tests: Test unicast reverse path forwarding check

        Ensure that pf's urpf-failed keyword works as expected.

        PR: 253479
        MFC after: 1 week
        Reviewed by: melifaro@
        Differential Revision: https://reviews.freebsd.org/D28694

        (cherry picked from commit 6b52139eb8e8eda0ea263b24735556194f918642)

    tests/sys/netpfil/common/pft_ping.py | 52 ++++++++++++++++++++++++++++
    tests/sys/netpfil/pf/pass_block.sh | 67 ++++++++++++++++++++++++++++++++++++
    2 files changed, 119 insertions(+)