Bug 253479

Summary: [pf] pfctl: DIOCADDRULE: Invalid argument
Product: Base System Reporter: Michal Vanco <michal>
Component: kernAssignee: Kristof Provost <kp>
Status: Closed FIXED    
Severity: Affects Only Me CC: kp
Priority: ---    
Version: 13.0-STABLE   
Hardware: Any   
OS: Any   

Description Michal Vanco 2021-02-13 10:49:01 UTC 
Hi,

Having any of these two rules in /etc/pf.conf:

  block in quick from no-route to any

or

  block in quick from urpf-failed to any

trigger following error while loading rules:

# cat /etc/pf.conf; echo; pfctl -v -f /etc/pf.conf
block in quick from urpf-failed to any

No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCADDRULE: Invalid argument

# cat /etc/pf.conf; echo; pfctl -v -f /etc/pf.conf
block in quick from no-route to any

No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCADDRULE: Invalid argument

This worked flawlessly in stable/12.

# uname -a
FreeBSD beastie 13.0-STABLE FreeBSD 13.0-STABLE #2 stable/13-8874f305d: Sat Feb 13 10:50:10 CET 2021     root@beastie:/usr/obj/usr/src/amd64.amd64/sys/BEASTIE  amd64
Comment 1 Kristof Provost freebsd_committer freebsd_triage 2021-02-13 12:11:47 UTC 
I can reproduce this, and think that it's likely caused by 7a808c5ee3296fdb72d8e8bc6c7ad6f316a520ab

It's probably overly strict input validation, but I still need to work out what the correct validation code should be.
Comment 2 Kristof Provost freebsd_committer freebsd_triage 2021-02-13 16:33:36 UTC 
Can you test https://reviews.freebsd.org/D28650 ?

I'll try to get it merged to releng/13.0 in time for the release.
Comment 3 Michal Vanco 2021-02-13 17:25:22 UTC 
Applied the patch to latest stable/13 tree. Looks good to me:

# pfctl -v -f ./pf.conf 
No ALTQ support in kernel
ALTQ related functions disabled
block drop in quick from no-route to any
block drop in quick from urpf-failed to any

# pfctl -sr
block drop in quick from no-route to any
block drop in quick from urpf-failed to any


Thanks
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-02-14 12:09:02 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5e42cb139fc17f165c9c93ac97069dc7770490e2

commit 5e42cb139fc17f165c9c93ac97069dc7770490e2
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-02-13 15:31:52 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-02-14 11:07:31 +0000

    pf: Slightly relax pf_rule_addr validation

    Ensure we don't reject no-route / urpf-failed addresses.

    PR:             253479
    Reported by:    michal AT microwave.sk
    Revied by:      donner@
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D28650

 sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 17 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2021-02-16 10:51:43 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6b52139eb8e8eda0ea263b24735556194f918642

commit 6b52139eb8e8eda0ea263b24735556194f918642
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-02-15 21:16:36 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-02-16 09:48:58 +0000

    pf tests: Test unicast reverse path forwarding check

    Ensure that pf's urpf-failed keyword works as expected.

    PR:             253479
    MFC after:      1 week
    Reviewed by:    melifaro@
    Differential Revision:  https://reviews.freebsd.org/D28694

 tests/sys/netpfil/common/pft_ping.py | 52 ++++++++++++++++++++++++++++
 tests/sys/netpfil/pf/pass_block.sh   | 67 ++++++++++++++++++++++++++++++++++++
 2 files changed, 119 insertions(+)
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-02-17 13:06:18 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f9a66bb91ae1f3f175d0c16730c683841525bd1d

commit f9a66bb91ae1f3f175d0c16730c683841525bd1d
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-02-13 15:31:52 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-02-17 13:03:58 +0000

    pf: Slightly relax pf_rule_addr validation

    Ensure we don't reject no-route / urpf-failed addresses.

    PR:             253479
    Reported by:    michal AT microwave.sk
    Revied by:      donner@
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D28650

    (cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)

 sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 17 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2021-02-17 13:06:19 UTC 
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f8d1f2da0922fdff846b13baa7315652b43aa95c

commit f8d1f2da0922fdff846b13baa7315652b43aa95c
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-02-13 15:31:52 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-02-17 09:11:19 +0000

    pf: Slightly relax pf_rule_addr validation

    Ensure we don't reject no-route / urpf-failed addresses.

    PR:             253479
    Reported by:    michal AT microwave.sk
    Revied by:      donner@
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D28650

    (cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)

 sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 17 deletions(-)
Comment 8 commit-hook freebsd_committer freebsd_triage 2021-02-17 16:51:01 UTC 
A commit in branch releng/13.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=00abeecb4a25728f36f763822bd584e7bf4f50b7

commit 00abeecb4a25728f36f763822bd584e7bf4f50b7
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-02-13 15:31:52 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-02-17 16:48:58 +0000

    pf: Slightly relax pf_rule_addr validation

    Ensure we don't reject no-route / urpf-failed addresses.

    PR:             253479
    Approved by:    re (gjb)
    Reported by:    michal AT microwave.sk
    Revied by:      donner@
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D28650

    (cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)
    (cherry picked from commit f9a66bb91ae1f3f175d0c16730c683841525bd1d)

 sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 17 deletions(-)
Comment 9 commit-hook freebsd_committer freebsd_triage 2021-02-23 11:51:16 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=04535d6a572ac63b448a5def4525947bd00d9f8a

commit 04535d6a572ac63b448a5def4525947bd00d9f8a
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-02-15 21:16:36 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-02-23 11:46:25 +0000

    pf tests: Test unicast reverse path forwarding check

    Ensure that pf's urpf-failed keyword works as expected.

    PR:             253479
    MFC after:      1 week
    Reviewed by:    melifaro@
    Differential Revision:  https://reviews.freebsd.org/D28694

    (cherry picked from commit 6b52139eb8e8eda0ea263b24735556194f918642)

 tests/sys/netpfil/common/pft_ping.py | 52 ++++++++++++++++++++++++++++
 tests/sys/netpfil/pf/pass_block.sh   | 67 ++++++++++++++++++++++++++++++++++++
 2 files changed, 119 insertions(+)