Bug 282863 - pf(4): Cannot add multiple filtering rules with IP address range
Summary: pf(4): Cannot add multiple filtering rules with IP address range
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 14.2-STABLE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-pf (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-11-19 14:36 UTC by Sergey V. Koupreyenko
Modified: 2024-11-19 15:06 UTC

See Also:


Description Sergey V. Koupreyenko 2024-11-19 14:36:58 UTC
How to reproduce:
1) Use the pf.conf file below

set skip on lo0
set block-policy drop
set loginterface pflog0
set ruleset-optimization none

block in on net16
pass out on net16

pass in quick on net16 inet from 10.41.2.130 to any no state
pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state
pass in quick on net16 inet from 10.1.0.128 - 10.1.0.145 to any no state
pass in quick on net16 inet from 10.42.1.128 - 10.42.1.145 to any no state
pass in quick on net16 inet from 192.168.78.254 to any no state
pass in quick on net16 inet from 10.41.2.128/26 to any no state
pass in quick on net16 inet from 10.1.0.0/16 to any no state
pass in quick on net16 inet from 10.1.1.0/24 to any no state

2) Enter the command (pf(4) service is enabled)
pfctl -vvv -F all -f /path/to/pf.conf

No ALTQ support in kernel
ALTQ related functions disabled
Ethernet rules cleared
rules cleared
nat cleared
1 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
Loaded 762 passive OS fingerprints
table <fnp4_acl> persist { 10.41.2.130 }
set skip on { lo0 }
set block-policy drop
set loginterface pflog0
@0 block drop in on net16 all
@1 pass out on net16 all flags S/SA keep state
@2 pass in quick on net16 inet from 10.41.2.130 to any no state
@3 pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state
@4 pass in quick on net16 inet from 10.1.0.128 - 10.1.0.145 to any no state -- rule was already present
@5 pass in quick on net16 inet from 10.42.1.128 - 10.42.1.145 to any no state -- rule was already present
@6 pass in quick on net16 inet from 192.168.78.254 to any no state
@7 pass in quick on net16 inet from 10.41.2.128/26 to any no state
@8 pass in quick on net16 inet from 10.1.0.0/16 to any no state
@9 pass in quick on net16 inet from 10.1.1.0/24 to any no state

Rules @4 and @5 are marked as "rule was already present". Why?

3) Show the result
pfctl -s rules

block drop in on net16 all
pass out on net16 all flags S/SA keep state
pass in quick on net16 inet from 10.41.2.130 to any no state
pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state
pass in quick on net16 inet from 192.168.78.254 to any no state
pass in quick on net16 inet from 10.41.2.128/26 to any no state
pass in quick on net16 inet from 10.1.0.0/16 to any no state
pass in quick on net16 inet from 10.1.1.0/24 to any no state
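Added example, not part of the bug report: when pfctl silently drops rules, the operational question is whether the loaded ruleset still passes the same sources. The script below takes the two source specs pfctl reported as "already present" and the source specs of the pass rules that did load (both copied from the output above), converts host, range and CIDR forms to integer intervals, and reports which addresses of each dropped rule no loaded pass rule covers (those hosts now fall through to the default block). It does not model why pfctl deduplicated the rules; it only measures the policy effect.

```python
import ipaddress

# Constructed from the bug report: sources of the rules pfctl reported as
# "rule was already present", and sources of the pass rules that did load.
DROPPED = ["10.1.0.128 - 10.1.0.145", "10.42.1.128 - 10.42.1.145"]
LOADED = ["10.41.2.130", "10.41.2.128 - 10.41.2.191", "192.168.78.254",
          "10.41.2.128/26", "10.1.0.0/16", "10.1.1.0/24"]

def to_interval(spec):
    """Turn a pf source spec (host, 'a - b' range, or CIDR) into an inclusive (lo, hi) int pair."""
    spec = spec.strip()
    if " - " in spec:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in spec.split(" - "))
        if lo > hi:
            raise ValueError(f"inverted range: {spec}")
        return lo, hi
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def merge(intervals):
    """Union of inclusive intervals: sorted, overlapping or adjacent ones coalesced."""
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def uncovered(spec, loaded):
    """Addresses of `spec` that no interval in `loaded` covers, as a list of (lo, hi)."""
    lo, hi = to_interval(spec)
    gaps, cur = [], lo
    for clo, chi in merge(to_interval(s) for s in loaded):
        if chi < cur:          # interval lies entirely before the part still unchecked
            continue
        if clo > hi:           # remaining intervals start past the end of spec
            break
        if clo > cur:          # hole between cur and the start of this interval
            gaps.append((cur, clo - 1))
        cur = max(cur, chi + 1)
        if cur > hi:
            break
    if cur <= hi:
        gaps.append((cur, hi))
    return gaps

def report(dropped, loaded):
    """Map each dropped spec to its uncovered ranges as dotted strings ([] means no policy change)."""
    fmt = lambda lo, hi: f"{ipaddress.ip_address(lo)} - {ipaddress.ip_address(hi)}"
    return {s: [fmt(lo, hi) for lo, hi in uncovered(s, loaded)] for s in dropped}

if __name__ == "__main__":
    for spec, gaps in report(DROPPED, LOADED).items():
        print(spec, "->", "covered by loaded pass rules" if not gaps else f"NOT passed: {gaps}")
```

On the report's data, 10.1.0.128 - 10.1.0.145 is still passed via the 10.1.0.0/16 rule, while 10.42.1.128 - 10.42.1.145 is covered by nothing and is now blocked.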