PF and CIDR notation

This is my /etc/pf.conf:
Code:
ext_if="vtnet0"
localnet="192.168.101.0/24"
set skip on lo0
scrub in

block in
pass out

pass in on $ext_if proto tcp from $localnet to ($ext_if) port {22, 80}

This is the pfctl -vf /etc/pf.conf output:
Code:
No ALTQ support in kernel
ALTQ related functions disabled
ext_if = "vt_net0"
localnet = "192.168.101.0/24"
set skip on { lo0 }
scrub in all fragment reassemble
block drop in all
pass in on vtnet0 inet proto tcp from 64.168.101.0/0 to (vtnet0) port = ssh flags S/SA keep state
pass in on vtnet0 inet proto tcp from 64.168.101.0/0 to (vtnet0) port = http flags S/SA keep state
pass out all flags S/SA keep state

Notice that the address has changed from 192.168.101.0/24 to 64.168.101.0/0. What's wrong with my configuration?

Running FreeBSD 12.1 in QEMU.
 
Not sure how you're getting that unless you have bad memory/emulation. The addresses load/parse correctly for me.
 
I can't reproduce that on HEAD.

What version are you running? Does this happen after a reboot as well? Try recreating the pf.conf file. Perhaps you have some unprintable characters in there causing parsing oddness.
 
The ext_if content changes from vtnet0 to vt_net0 too. That's super weird.
 
Tried rebooting. Same issue.
Also tried to create a separate file, rewrite it word by word, and still got the same result.
I'm on 12.1-RELEASE.

If I replace $localnet with an IP address it parses correctly.
If I type 192.168.101.0/24 directly, it doesn't.

Replacing the address with each input below got me the following results:
input ($localnet) --> output
192.168.101.0/24 --> 64.168.101.0/0
192.168.101.0/7 --> 192.0.0.0/7
255.168.101.0/24 --> 127.168.101.0/0
255.168.101.0/7 --> 254.0.0.0/7
255.168.101.0/6 --> 252.0.0.0/6
255.168.101.0/5 --> 248.0.0.0/5

It seems like the parser is doing some kind of arithmetic operation for certain masks. Just thought I would leave this here as I'm starting over with another image.
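A check for this failure mode, added here and not taken from the thread: it pulls every CIDR out of pf.conf and out of the pfctl -vf output (both constructed from the posts above) and reports any loaded network the config never declared. The corrupted 64.168.101.0/0 canonicalises to 0.0.0.0/0, so the loaded pass rule admits SSH and HTTP from any source, which is why the loaded ruleset is worth verifying before trusting it. A second function applies the same comparison to the input/output table and separates genuine corruption (the /24 rows) from pf's normal clearing of host bits (the /7, /6 and /5 rows).

```python
from __future__ import annotations
import re
from ipaddress import ip_network, IPv4Network

# Constructed sample: the pf.conf and the pfctl -vf output quoted in the thread.
PF_CONF = """\
ext_if="vtnet0"
localnet="192.168.101.0/24"
pass in on $ext_if proto tcp from $localnet to ($ext_if) port {22, 80}
"""
PFCTL_OUTPUT = """\
pass in on vtnet0 inet proto tcp from 64.168.101.0/0 to (vtnet0) port = ssh flags S/SA keep state
pass in on vtnet0 inet proto tcp from 64.168.101.0/0 to (vtnet0) port = http flags S/SA keep state
pass out all flags S/SA keep state
"""
# Constructed from the input --> output table in the post above.
OBSERVED = {
    "192.168.101.0/24": "64.168.101.0/0",
    "192.168.101.0/7": "192.0.0.0/7",
    "255.168.101.0/24": "127.168.101.0/0",
    "255.168.101.0/7": "254.0.0.0/7",
    "255.168.101.0/6": "252.0.0.0/6",
    "255.168.101.0/5": "248.0.0.0/5",
}

CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")

def networks_in(text: str) -> set[IPv4Network]:
    """Every IPv4 CIDR in the text (macro definitions and rules alike),
    canonicalised to its network address; strict=False clears host bits."""
    return {ip_network(c, strict=False) for c in CIDR_RE.findall(text)}

def unexpected_networks(conf: str, pfctl_out: str) -> set[IPv4Network]:
    """Networks pf actually loaded that appear nowhere in the config.
    A non-empty result means the running ruleset is not what was written."""
    return networks_in(pfctl_out) - networks_in(conf)

def corrupted_rows(observed: dict[str, str]) -> dict[str, str]:
    """Table rows where the loaded network differs from the correct canonical
    network of the input. 192.168.101.0/7 -> 192.0.0.0/7 is normal masking;
    192.168.101.0/24 -> 64.168.101.0/0 is not."""
    return {i: o for i, o in observed.items()
            if ip_network(i, strict=False) != ip_network(o, strict=False)}

if __name__ == "__main__":
    print("loaded but never declared:", unexpected_networks(PF_CONF, PFCTL_OUTPUT))
    print("corrupted table rows:", corrupted_rows(OBSERVED))
```

Run it against the real files with `pfctl -vnf /etc/pf.conf` (the -n flag parses without loading) to catch the problem before the ruleset goes live.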
 
I hit the same nasty issue with FreeBSD guest on Linux QEMU host.

The /24 CIDRs (and smaller subnets) were loaded as /0 by PF,
for example: 192.168.200.0/24 becomes 64.168.200.0/0.

Fixed it by setting the qemu cpu type to 'host':
-enable-kvm -cpu host

Cheers,
Dimitar Fidanov
 