From 4e7c1ff95a5187faee524055f22c4cf4134d1147 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Thu, 7 May 2026 11:58:17 +0200
Subject: [PATCH] pfctl: relax interface name requirement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The FreeBSD network stack, for better or worse, does not impose any requirements on interface names. As such it's valid for an interface name to start with a number (or indeed, be something like '⭐'). Allow this in pfctl, and add a test case for the specific case of interface names starting with a number. Note that we don't support UTF-8 names fully, so those may still fail.
PR: 295064
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y | 2 +-
 tests/sys/netpfil/pf/names.sh | 40 +++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 57a5140ffeb..7e9d81da6ed 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -4242,7 +4242,7 @@ dynaddr : '(' STRING ')' {
 char *p, *op;
 
 op = $2;
- if (!isalpha(op[0])) {
+ if (op[0] == '\0') {
 yyerror("invalid interface name '%s'", op);
 free(op);
 YYERROR;
diff --git a/tests/sys/netpfil/pf/names.sh b/tests/sys/netpfil/pf/names.sh
index e47b0917cfe..c6f2a06c15f 100644
--- a/tests/sys/netpfil/pf/names.sh
+++ b/tests/sys/netpfil/pf/names.sh
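Review bot: In the `dynaddr` action of sbin/pfctl/parse.y, the relaxed guard `if (op[0] == '\0')` now accepts a string that begins with `:`, which the old `isalpha()` test rejected. The rest of the action is outside this hunk; if it strips `:modifier` suffixes from the string (pf's `(ifname:network)` syntax suggests it does), a modifier-only input such as `(:0)` would be left as an empty interface name after this check has already passed. Consider `if (op[0] == '\0' || op[0] == ':') {`, or repeat the emptiness test once the modifiers are removed, so a malformed rule is rejected at parse time rather than loaded with an empty name.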
@@ -95,8 +95,48 @@ group_cleanup()
 pft_cleanup
 }
 
+atf_test_case "start_number" "cleanup"
+start_number_head()
+{
+ atf_set descr 'Test interface names starting with a number'
+ atf_set require.user root
+}
+
+start_number_body()
+{
+ pft_init
+
+ epair=$(vnet_mkepair)
+ ifconfig ${epair}a 192.0.2.1/24 up
+
+ vnet_mkjail alcatraz ${epair}b
+ jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
+ jexec alcatraz ifconfig ${epair}b name 4ever
+ jexec alcatraz pfctl -e
+
+ jexec alcatraz ifconfig
+
+ pft_set_rules alcatraz \
+ "block" \
+ "pass in from any to (4ever)"
+
+ atf_check -o ignore ping -c 3 192.0.2.2
+
+ # Negative test, if the interface doesn't exist we don't pass packets
+ pft_set_rules alcatraz \
+ "block" \
+ "pass in from any to (5ever)"
+ atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
+}
+
+start_number_cleanup()
+{
+ pft_cleanup
+}
+
 atf_init_test_cases()
 {
 atf_add_test_case "names"
 atf_add_test_case "group"
+ atf_add_test_case "start_number"
 }
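Review bot: The rename step in `start_number_body`, `jexec alcatraz ifconfig ${epair}b name 4ever`, and the bare `jexec alcatraz ifconfig` after it are not wrapped in `atf_check`, so a failed rename only shows up later as a ping failure that looks like a pf problem. Checking it directly, e.g. `atf_check -s exit:0 -o ignore jexec alcatraz ifconfig 4ever`, would separate "the interface could not be renamed" from "pfctl rejected or mis-resolved the name". The test also covers only the plain `(4ever)` form; a rule using a modifier such as `(4ever:0)` would exercise the same parser path with a digit-leading name.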