NetBSD-Bugs archive


Re: bin/58884: npfctl validate seems to ignore "!" in the rules



The following reply was made to PR bin/58884; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/58884: npfctl validate seems to ignore "!" in the rules
Date: Mon, 9 Dec 2024 11:55:24 -0000 (UTC)

 yamt9999%gmail.com@localhost writes:
 
 >>Description:
 >my expectation: "! $table" is an inverse of "$table"
 
 >actual: see below.
 
 
 It is, the bug is in printing the (compiled) rule.
 
    npfctl debug -c npf.conf
 
 shows the compiled byte code, that checks protocol number and prefix.
 
 In the inverted case, some extra instructions invert the control flow
 and thus the result.
 
 RULE AT LINE 2
 (000) ld       M[0]
 (001) jeq      #0x4             jt 2    jf 8
 (002) ld       [16]
 (003) and      #0xff000000
 (004) jeq      #0xa000000       jt 6    jf 5
 (005) ja       7
 (006) ret      #0
 (007) ret      #-1
 (008) ret      #0
 
 
 In the simple case, the check just jumps to the true/false result.
 
 RULE AT LINE 3
 (000) ld       M[0]
 (001) jeq      #0x4             jt 2    jf 6
 (002) ld       [16]
 (003) and      #0xff000000
 (004) jeq      #0xa000000       jt 5    jf 6
 (005) ret      #-1
 (006) ret      #0
 
 
 npfctl validate prints the compiled rules again, by using
 information from the parser and "decompiling" it.
 
 It should collect marks left by the compiler into the 'seen_marks'
 bitmap, but just stores the last.
 
 With this patch:
 
 Index: npf_show.c
 ===================================================================
 RCS file: /cvsroot/src/usr.sbin/npf/npfctl/npf_show.c,v
 retrieving revision 1.33
 diff -p -u -r1.33 npf_show.c
 --- npf_show.c  1 Aug 2023 20:09:12 -0000       1.33
 +++ npf_show.c  9 Dec 2024 11:49:50 -0000
 @@ -378,7 +378,7 @@ scan_marks(npf_conf_info_t *ctx, const s
                          */
                         ctx->curmark = m;
                         assert(BM_COUNT < (sizeof(uint64_t) * CHAR_BIT));
 -                       ctx->seen_marks = UINT64_C(1) << m;
 +                       ctx->seen_marks |= UINT64_C(1) << m;
                         assert(mk->fwords == nwords);
  
                         if (mk->printfn) {
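Review bot: the assert next to the changed `|=` line checks `BM_COUNT < (sizeof(uint64_t) * CHAR_BIT)`, not the shift count `m` itself, so if `m` can ever reach 64 the shift `UINT64_C(1) << m` is still undefined behaviour; an `assert(m < BM_COUNT)` (or an explicit range check) beside it would make the bitmap update safe on its own. Changing `=` to `|=` also makes scan_marks accumulate across calls, so every caller that walks mark_keyword_map now depends on `ctx->seen_marks` being cleared first; that reset should be treated as part of this change rather than something a future caller can forget.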
 @@ -499,6 +499,7 @@ npfctl_print_filter(npf_conf_info_t *ctx
         /*
          * BPF filter criteria described by the byte-code marks.
          */
 +       ctx->seen_marks = 0;
         for (unsigned i = 0; i < __arraycount(mark_keyword_map); i++) {
                 const struct mark_keyword_mapent *mk = &mark_keyword_map[i];
                 scan_marks(ctx, mk, marks, mlen);
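Review bot: the added `ctx->seen_marks = 0;` sits between the comment "BPF filter criteria described by the byte-code marks." and the for loop that comment describes, and has no explanation of its own; either move the reset above the comment block or give it a one-line comment stating that scan_marks now ORs each mark into the bitmap and it must start empty for every rule, so a later reader does not have to work out why a plain assignment appears in the middle of the commented loop. It is also worth checking whether any code reads `seen_marks` before npfctl_print_filter reaches this line, since until then the field holds the marks of the previously printed rule.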
 
 I get:
 
 % ./npfctl validate npf.conf
 map lo0 dynamic any -> 192.168.1.1 pass family inet4 to ! 10.0.0.0/8 
 map lo0 dynamic any -> 192.168.1.1 pass family inet4 to 10.0.0.0/8 
 
 group default { 
 }
 
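The two byte-code listings in the reply can be executed rather than read. The following is an added example written for this page, not NPF's own code: a minimal interpreter for the six instruction kinds that appear in the `npfctl debug -c` output (ld M[k], ld [k], and, jeq, ja, ret), run over a constructed IPv4 header. Two details are assumptions, since the page does not state them: that scratch memory word M[0] holds the IP version (4), and that `[16]` loads the 32-bit word at byte offset 16 of the IPv4 header, i.e. the destination address. The packets are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NPF code: just enough BPF to run the listings above. */
enum op { LD_MEM, LD_ABS, AND_K, JEQ_K, JA, RET };

struct insn {
    enum op op;
    uint32_t k;     /* immediate, memory slot, packet offset or ja target */
    size_t jt, jf;  /* absolute jeq targets, as npfctl prints them */
};

struct pkt {
    uint8_t hdr[20];   /* constructed IPv4 header; dst address at bytes 16..19 */
    uint32_t mem[16];  /* BPF scratch memory; mem[0] = IP version (assumption) */
};

static uint32_t load32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Execute prog; return the ret value (-1 = rule matches, 0 = no match). */
static int32_t run(const struct insn *prog, size_t n, const struct pkt *p)
{
    uint32_t acc = 0;
    size_t pc = 0;
    for (int steps = 0; steps < 64 && pc < n; steps++) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LD_MEM: acc = p->mem[i->k]; pc++; break;
        case LD_ABS:
            if (i->k + 4 > sizeof p->hdr) return 0;  /* out-of-bounds load: no match */
            acc = load32(p->hdr + i->k); pc++; break;
        case AND_K:  acc &= i->k; pc++; break;
        case JEQ_K:  pc = (acc == i->k) ? i->jt : i->jf; break;
        case JA:     pc = i->k; break;
        case RET:    return (int32_t)i->k;
        }
    }
    return 0;  /* ran off the end or hit the step limit */
}

/* RULE AT LINE 2 ("to ! 10.0.0.0/8"), transcribed from the listing. */
static const struct insn rule_line2[] = {
    { LD_MEM, 0, 0, 0 },           { JEQ_K, 0x4, 2, 8 },
    { LD_ABS, 16, 0, 0 },          { AND_K, 0xff000000, 0, 0 },
    { JEQ_K, 0x0a000000, 6, 5 },   { JA, 7, 0, 0 },
    { RET, 0, 0, 0 },              { RET, (uint32_t)-1, 0, 0 },
    { RET, 0, 0, 0 },
};

/* RULE AT LINE 3 ("to 10.0.0.0/8"), transcribed from the listing. */
static const struct insn rule_line3[] = {
    { LD_MEM, 0, 0, 0 },           { JEQ_K, 0x4, 2, 6 },
    { LD_ABS, 16, 0, 0 },          { AND_K, 0xff000000, 0, 0 },
    { JEQ_K, 0x0a000000, 5, 6 },   { RET, (uint32_t)-1, 0, 0 },
    { RET, 0, 0, 0 },
};

static struct pkt make_pkt(uint32_t ipver, uint32_t dst)
{
    struct pkt p;
    memset(&p, 0, sizeof p);
    p.hdr[0] = 0x45;                      /* version 4, IHL 5 (cosmetic) */
    p.hdr[16] = (uint8_t)(dst >> 24);     /* destination address, big-endian */
    p.hdr[17] = (uint8_t)(dst >> 16);
    p.hdr[18] = (uint8_t)(dst >> 8);
    p.hdr[19] = (uint8_t)dst;
    p.mem[0] = ipver;
    return p;
}

int32_t eval_rule_line2(uint32_t ipver, uint32_t dst)
{
    struct pkt p = make_pkt(ipver, dst);
    return run(rule_line2, sizeof rule_line2 / sizeof rule_line2[0], &p);
}

int32_t eval_rule_line3(uint32_t ipver, uint32_t dst)
{
    struct pkt p = make_pkt(ipver, dst);
    return run(rule_line3, sizeof rule_line3 / sizeof rule_line3[0], &p);
}

int main(void)
{
    const uint32_t in_net = 0x0a010203, out_net = 0xc0a80101; /* 10.1.2.3, 192.168.1.1 */
    printf("dst 10.1.2.3:    plain=%d inverted=%d\n", eval_rule_line3(4, in_net), eval_rule_line2(4, in_net));
    printf("dst 192.168.1.1: plain=%d inverted=%d\n", eval_rule_line3(4, out_net), eval_rule_line2(4, out_net));
    printf("non-IPv4:        plain=%d inverted=%d\n", eval_rule_line3(6, in_net), eval_rule_line2(6, in_net));
    return 0;
}
```

For an IPv4 destination inside 10.0.0.0/8 the line-3 program returns -1 and the line-2 program 0, and for 192.168.1.1 the results swap, which is the inverse relation the reporter expected. The third case is the caveat worth knowing: in the listing, a non-IPv4 packet takes the `jf 8` branch to `ret #0` in both programs, so the `!` inverts only the address test, not the `family inet4` check that precedes it.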
 

