NetBSD Problem Report #58884
Date: Mon, 9 Dec 2024 05:52:23 +0000 (UTC)
From: yamt9999@gmail.com
Reply-To: yamt9999@gmail.com
To: gnats-bugs@NetBSD.org
Subject: npfctl validate seems to ignore "!" in the rules
>Number: 58884
>Category: bin
>Synopsis: npfctl validate seems to ignore "!" in the rules
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Dec 09 05:55:00 +0000 2024
>Last-Modified: Mon Jan 27 07:55:01 +0000 2025
>Originator: YAMAMOTO Takashi
>Release: 10.0
>Organization:
>Environment:
NetBSD tadpole 10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/evbarm/compile/GENERIC evbarm
>Description:
My expectation: "! $table" is an inverse of "$table".
Actual: see below.
(I'm just learning the npf.conf syntax. My expectation might be wrong,
but IMO the current behavior is very confusing even if it isn't considered broken.)
tadpole% cat npf.conf
$private = { 10.0.0.0/8 }
map lo0 dynamic any -> 192.168.1.1 pass from any to ! $private
map lo0 dynamic any -> 192.168.1.1 pass from any to $private
group default {
}
tadpole% npfctl validate npf.conf
map lo0 dynamic any -> 192.168.1.1 pass family inet4 to 10.0.0.0/8
map lo0 dynamic any -> 192.168.1.1 pass family inet4 to 10.0.0.0/8
group default {
}
tadpole%
>How-To-Repeat:
see above.
>Fix:
>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58884: npfctl validate seems to ignore "!" in the rules
Date: Mon, 9 Dec 2024 11:55:24 -0000 (UTC)
yamt9999@gmail.com writes:
>>Description:
>my expectation: "! $table" is an inverse of "$table"
>actual: see below.
It is; the bug is in printing the (compiled) rule.
npfctl debug -c npf.conf
shows the compiled byte code, which checks the protocol number and prefix.
In the inverted case, some extra instructions invert the jobflow
and thus the result.
RULE AT LINE 2
(000) ld M[0]
(001) jeq #0x4 jt 2 jf 8
(002) ld [16]
(003) and #0xff000000
(004) jeq #0xa000000 jt 6 jf 5
(005) ja 7
(006) ret #0
(007) ret #-1
(008) ret #0
In the simple case, the check just jumps to the true/false result.
RULE AT LINE 3
(000) ld M[0]
(001) jeq #0x4 jt 2 jf 6
(002) ld [16]
(003) and #0xff000000
(004) jeq #0xa000000 jt 5 jf 6
(005) ret #-1
(006) ret #0
npfctl validate prints the compiled rules again, using
information from the parser and "decompiling" them.
It should collect the marks left by the compiler into the 'seen_marks'
bitmap, but it just stores the last one.
With this patch:
Index: npf_show.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/npf/npfctl/npf_show.c,v
retrieving revision 1.33
diff -p -u -r1.33 npf_show.c
--- npf_show.c 1 Aug 2023 20:09:12 -0000 1.33
+++ npf_show.c 9 Dec 2024 11:49:50 -0000
@@ -378,7 +378,7 @@ scan_marks(npf_conf_info_t *ctx, const s
*/
ctx->curmark = m;
assert(BM_COUNT < (sizeof(uint64_t) * CHAR_BIT));
- ctx->seen_marks = UINT64_C(1) << m;
+ ctx->seen_marks |= UINT64_C(1) << m;
assert(mk->fwords == nwords);
if (mk->printfn) {
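Review bot: with the assignment changed to `|=`, `ctx->seen_marks` now accumulates over every call to scan_marks(), so correct output depends on the caller clearing the bitmap before each filter; nothing in this hunk does that, and the existing assert on `BM_COUNT` only guards the shift width. A one-line comment at `ctx->seen_marks |= UINT64_C(1) << m;` stating that the caller owns the reset would make that contract visible to the next reader.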
@@ -499,6 +499,7 @@ npfctl_print_filter(npf_conf_info_t *ctx
/*
* BPF filter criteria described by the byte-code marks.
*/
+ ctx->seen_marks = 0;
for (unsigned i = 0; i < __arraycount(mark_keyword_map); i++) {
const struct mark_keyword_mapent *mk = &mark_keyword_map[i];
scan_marks(ctx, mk, marks, mlen);
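Review bot: `ctx->seen_marks = 0;` correctly gives each filter a clean bitmap before the scan_marks() loop, but it is placed under a comment that only describes the BPF filter criteria. Suggest extending that comment (or adding one beside the assignment) to say that seen_marks is accumulated across scan_marks() calls and must be reset per filter, so a future refactor does not move the loop without the reset.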
I get:
% ./npfctl validate npf.conf
map lo0 dynamic any -> 192.168.1.1 pass family inet4 to ! 10.0.0.0/8
map lo0 dynamic any -> 192.168.1.1 pass family inet4 to 10.0.0.0/8
group default {
}
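To make the point above concrete, here is an added example (not code from the PR or from npfctl) that interprets the two byte-code listings quoted in the reply over constructed IPv4 headers. The opcode names, the absolute jump targets and the assumption that M[0] is preloaded with the address family (4) are mine.

```c
#include <stdint.h>
#include <stddef.h>

/* Subset of the ops in the "npfctl debug -c" listing: ld M[k], ld [k], and #k, jeq #k jt jf, ja k, ret #k. */
enum op { LD_MEM, LD_ABS, AND_IMM, JEQ_IMM, JA, RET };
struct insn { enum op op; uint32_t k; uint8_t jt, jf; };

/* RULE AT LINE 2: "pass from any to ! $private", transcribed from the listing above. */
static const struct insn rule_inverted[] = {
    { LD_MEM, 0, 0, 0 },            { JEQ_IMM, 0x4, 2, 8 },
    { LD_ABS, 16, 0, 0 },           { AND_IMM, 0xff000000, 0, 0 },
    { JEQ_IMM, 0x0a000000, 6, 5 },  { JA, 7, 0, 0 },
    { RET, 0, 0, 0 }, { RET, (uint32_t)-1, 0, 0 }, { RET, 0, 0, 0 },
};
/* RULE AT LINE 3: "pass from any to $private". */
static const struct insn rule_plain[] = {
    { LD_MEM, 0, 0, 0 },            { JEQ_IMM, 0x4, 2, 6 },
    { LD_ABS, 16, 0, 0 },           { AND_IMM, 0xff000000, 0, 0 },
    { JEQ_IMM, 0x0a000000, 5, 6 },  { RET, (uint32_t)-1, 0, 0 },
    { RET, 0, 0, 0 },
};

/* Run a program over a packet; returns the ret value: -1 means match, 0 means no match. */
static int32_t run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0, mem0 = 4;   /* M[0] = address family, assumed preloaded as inet4 */
    for (size_t pc = 0; pc < n; ) {
        const struct insn *i = &p[pc];
        switch (i->op) {
        case LD_MEM: a = mem0; pc++; break;
        case LD_ABS:                /* big-endian 32-bit load; out-of-bounds rejects the packet */
            if (i->k + 4 > len) return 0;
            a = (uint32_t)pkt[i->k] << 24 | (uint32_t)pkt[i->k + 1] << 16 |
                (uint32_t)pkt[i->k + 2] << 8 | pkt[i->k + 3];
            pc++; break;
        case AND_IMM: a &= i->k; pc++; break;
        case JEQ_IMM: pc = (a == i->k) ? i->jt : i->jf; break;
        case JA: pc = i->k; break;
        case RET: return (int32_t)i->k;
        }
    }
    return 0;
}

/* Constructed 20-byte IPv4 header whose destination (offset 16) is dst. */
static int32_t match_dst(const struct insn *p, size_t n, uint32_t dst)
{
    uint8_t hdr[20] = { 0x45 };
    hdr[16] = dst >> 24; hdr[17] = dst >> 16; hdr[18] = dst >> 8; hdr[19] = dst;
    return run(p, n, hdr, sizeof hdr);
}
static int32_t inverted_matches(uint32_t dst) { return match_dst(rule_inverted, 9, dst); }
static int32_t plain_matches(uint32_t dst)    { return match_dst(rule_plain, 7, dst); }
```

Running both programs on a 10.0.0.0/8 destination and on one outside it shows the compiled rules really are complements of each other; only the decompiled text was wrong.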
From: Takashi YAMAMOTO <yamt9999@gmail.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/58884: npfctl validate seems to ignore "!" in the rules
Date: Mon, 27 Jan 2025 16:37:35 +0900
Hi,
> With this patch:
Your analysis and fix look reasonable to me. Thank you.
Are you going to commit it?
From: "Michael van Elst" <mlelstv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58884 CVS commit: src/usr.sbin/npf/npfctl
Date: Mon, 27 Jan 2025 07:54:30 +0000
Module Name: src
Committed By: mlelstv
Date: Mon Jan 27 07:54:30 UTC 2025
Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c
Log Message:
Collect compiler marks for decompilation.
Fixes PR 58884
To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/usr.sbin/npf/npfctl/npf_show.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.