| Summary: | pf(4): Cannot add multiple filtering rules with IP address range | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Sergey V. Koupreyenko <sergey.koupreyenko> |
| Component: | kern | Assignee: | freebsd-pf (Nobody) <pf> |
| Status: | New --- | ||
| Severity: | Affects Only Me | ||
| Priority: | --- | ||
| Version: | 14.2-STABLE | ||
| Hardware: | amd64 | ||
| OS: | Any | ||
How to reproduce: 1) Use the pf.conf file below set skip on lo0 set block-policy drop set loginterface pflog0 set ruleset-optimization none block in on net16 pass out on net16 pass in quick on net16 inet from 10.41.2.130 to any no state pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state pass in quick on net16 inet from 10.1.0.128 - 10.1.0.145 to any no state pass in quick on net16 inet from 10.42.1.128 - 10.42.1.145 to any no state pass in quick on net16 inet from 192.168.78.254 to any no state pass in quick on net16 inet from 10.41.2.128/26 to any no state pass in quick on net16 inet from 10.1.0.0/16 to any no state pass in quick on net16 inet from 10.1.1.0/24 to any no state 2) Enter the command (pf(4) service is enabled) pfctl -vvv -F all -f /path/to/pf.conf No ALTQ support in kernel ALTQ related functions disabled Ethernet rules cleared rules cleared nat cleared 1 tables deleted. 0 states cleared source tracking entries cleared pf: statistics cleared pf: interface flags reset Loaded 762 passive OS fingerprints table <fnp4_acl> persist { 10.41.2.130 } set skip on { lo0 } set block-policy drop set loginterface pflog0 @0 block drop in on net16 all @1 pass out on net16 all flags S/SA keep state @2 pass in quick on net16 inet from 10.41.2.130 to any no state @3 pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state @4 pass in quick on net16 inet from 10.1.0.128 - 10.1.0.145 to any no state -- rule was already present @5 pass in quick on net16 inet from 10.42.1.128 - 10.42.1.145 to any no state -- rule was already present @6 pass in quick on net16 inet from 192.168.78.254 to any no state @7 pass in quick on net16 inet from 10.41.2.128/26 to any no state @8 pass in quick on net16 inet from 10.1.0.0/16 to any no state @9 pass in quick on net16 inet from 10.1.1.0/24 to any no state Rules @4 and @5 is marked as "rule was already present". Why? 3) Show the result pfctl -s rules block drop in on net16 all pass out on net16 all flags S/SA keep state pass in quick on net16 inet from 10.41.2.130 to any no state pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state pass in quick on net16 inet from 192.168.78.254 to any no state pass in quick on net16 inet from 10.41.2.128/26 to any no state pass in quick on net16 inet from 10.1.0.0/16 to any no state pass in quick on net16 inet from 10.1.1.0/24 to any no state