diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2026-04-09 16:11:41 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2026-04-23 09:11:38 +0000 |
| commit | fb838352751767e756bd45cd2040fa464ed4de20 (patch) | |
| tree | e7a19df07d89ec3444006f9f14d2d0463cf1b5db | |
| parent | 3103d39cd99f0a49414f907459d8fd3c11dc36b8 (diff) | |
pf: fix duplicate rule detection for automatic tables
We should look at the table name for automatic tables as well. These
are different tables, so the rules using them are (or can be) different
as well.
MFC after: 3 days
Reported by: Michael Sinatra <michael@burnttofu.net>
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 4 | ||||
| -rw-r--r-- | tests/sys/netpfil/pf/pass_block.sh | 42 |
2 files changed, 43 insertions, 3 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 586d896d0e2d..d3e60b137c1a 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1354,9 +1354,7 @@ pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr) PF_MD5_UPD(pfr, addr.iflags); break; case PF_ADDR_TABLE: - if (strncmp(pfr->addr.v.tblname, PF_OPTIMIZER_TABLE_PFX, - strlen(PF_OPTIMIZER_TABLE_PFX))) - PF_MD5_UPD(pfr, addr.v.tblname); + PF_MD5_UPD(pfr, addr.v.tblname); break; case PF_ADDR_ADDRMASK: case PF_ADDR_RANGE: diff --git a/tests/sys/netpfil/pf/pass_block.sh b/tests/sys/netpfil/pf/pass_block.sh index f6d973de7cf4..a5cd04f1db22 100644 --- a/tests/sys/netpfil/pf/pass_block.sh +++ b/tests/sys/netpfil/pf/pass_block.sh @@ -488,6 +488,47 @@ addr_range_cleanup() pft_cleanup } +atf_test_case "auto_tables" "cleanup" +auto_tables_head() +{ + atf_set descr 'Test rulesets with different automatic tables' + atf_set require.user root +} + +auto_tables_body() +{ + pft_init + + epair=$(vnet_mkepair) + ifconfig ${epair}b 192.0.2.2/24 up + + vnet_mkjail alcatraz ${epair}a + jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set ruleset-optimization basic" \ + "test_a = \"203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4 + 203.0.113.5 203.0.113.6 203.0.113.7 203.0.113.8 203.0.113.9 + 203.0.113.10\"" \ + "test_b = \"192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4 192.0.2.5 + 192.0.2.6 192.0.2.7 192.0.2.8 192.0.2.9 192.0.2.10\"" \ + "block" \ + "pass inet from any to { \$test_a }" \ + "pass inet from 198.51.100.1 to 198.51.100.2 no state" \ + "pass inet from any to { \$test_b }" + + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1 +} + +auto_tables_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "enable_disable" @@ -500,4 +541,5 @@ atf_init_test_cases() atf_add_test_case "optimize_any" atf_add_test_case "any_if" atf_add_test_case "addr_range" + atf_add_test_case "auto_tables" } |