From: Alexandr Nedvedicky Subject: ifa_load() pfctl parser should adhere interface flags To: tech@openbsd.org Date: Tue, 25 Nov 2025 09:24:53 +0100 Hello, the issue has been pointed by claudio@ off-list. the ifa_load9() function does not distinct between broadcast address and peer address when it processes interface item (`ifa`) obtained by getifaddrs(3) from kernel. as I understand it the IFF_BROADCAST and IFF_POINTOPOINT flags are mutually exclusive so ifa_load() should use the address either as brodacst or as peer (when dealing with ppp interface). the change makes code more correct. I could not spot any change on pfctl behavior. this is interface list on machine where I test the change; --------8<-------- lo0: flags=2008049 mtu 32768 index 4 priority 0 llprio 3 groups: lo inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet 127.0.0.1 netmask 0xff000000 re0: flags=808843 mtu 1500 lladdr fc:5c:ee:37:bd:06 index 1 priority 0 llprio 3 groups: egress media: Ethernet autoselect (1000baseT full-duplex,master) status: active inet 192.168.2.61 netmask 0xffffff00 broadcast 192.168.2.255 .... ppp0: flags=8051 mtu 1300 index 21 priority 0 llprio 3 groups: ppp inet 172.31.254.102 --> 172.31.254.100 netmask 0xffffffff tap0: flags=8843 mtu 1500 lladdr fe:e1:ba:df:7a:bf description: vm1-if0-puffy index 28 priority 0 llprio 3 groups: tap status: active inet 100.64.1.2 netmask 0xfffffffe tap1: flags=8943 mtu 1500 lladdr fe:e1:ba:d0:30:c5 description: vm1-if1-puffy index 29 priority 0 llprio 3 groups: tap status: active --------8<-------- and this is pf.conf I did use to test the change: --------8<-------- pass in from any to ppp0:peer pass in from any to ppp0:broadcast pass in from any to re0:broadcast pass in from any to re0:peer --------8<-------- trying to load the rules above with current pfctl I get error as follows: lifty# pfctl -f /tmp/pf.conf no IP address found for ppp0:peer /tmp/pf.conf:1: could not parse host specification no IP address found for ppp0:broadcast /tmp/pf.conf:2: could not parse host specification no IP address found for re0:peer /tmp/pf.conf:4: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded trying the same rules with fixed pfctl: lifty# ./pfctl -f /tmp/pf.conf no IP address found for ppp0:peer /tmp/pf.conf:1: could not parse host specification no IP address found for ppp0:broadcast /tmp/pf.conf:2: could not parse host specification no IP address found for re0:peer /tmp/pf.conf:4: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded so the diff below just adds extra line of defense it does not change a behaviour of pfctl. thanks and regards sashan --------8<---------------8<---------------8<------------------8<-------- diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 3a7cc6885b3..eb29edb900a 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1459,13 +1459,14 @@ ifa_load(void) copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr); ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family; copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask); - if (ifa->ifa_broadaddr != NULL && + if (ifa->ifa_flags & IFF_BROADCAST && + ifa->ifa_broadaddr != NULL && ifa->ifa_broadaddr->sa_len != 0) { ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family; copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr); - } - if (ifa->ifa_dstaddr != NULL && + } else if (ifa->ifa_flags & IFF_POINTOPOINT && + ifa->ifa_dstaddr != NULL && ifa->ifa_dstaddr->sa_len != 0) { ifa->ifa_dstaddr->sa_family = ifa->ifa_addr->sa_family;