Hello OpenBSD-Team,

I discovered a strange behaviour since OpenBSD 6.2 with pf logging, when an "anchor" is in the ruleset of /etc/pf.conf. It logs in some cases the rule number of the anchor and not the matching rule, although the correct rule is used.

I discovered the problem on three different machines (all AMD64).

Notes:
- Occurred since 6.2, 6.1 works as expected.
- Without quick-rules, it logs always the anchor rule number.
- With quick-rules, it logs the correct rule number, if the
  matching rule is before the anchor and the anchor rule number,
  if the matching rule is after the anchor.

I built a test without quick rules.

If you need more information, don't hesitate to contact me.

Thank you for your time and your work
Illya Meyer

===== Test environment =====

OS: OpenBSD 6.2 (fully patched)
Machine: AMD64

+--------+       +---------+       +-----+
| Client |---em0-| OpenBSD |-em1---| LAN |
+--------+       +---------+       +-----+

OpenBSD is configured as bridge, but it is not necessary for producing the error.

Client: Linux on 10.69.245.50/16 attached on em0

OpenBSD:
---- hostname.em0 ----
inet 10.69.228.156 255.255.0.0
---- /hostname.em0 ----

---- hostname.em1 ----
up
---- /hostname.em1 ----

---- hostname.bridge0 ----
add em0
add em1
up
---- /hostname.bridge0 ----

---- sysctl.conf ----
net.inet.ip.forwarding=1
---- /sysctl.conf ----

==== 1. Test ====

Test without an anchor in the ruleset => Correct logging.

---- pf.conf ----
int=em0
ext=em1

set skip on lo

block in log on $ext from any to any
block out log on $ext from any to any

pass out log on $ext proto tcp from any to any port 22
---- /pf.conf ----

---- pfctl -s rules | nl -v 0 ----
     0  block drop in log on em1 all
     1  block drop out log on em1 all
     2  pass out log on em1 proto tcp from any to any port = 22 flags S/SA
---- /pfctl -s rules | nl -v 0 ----

> Logging with: tcpdump -nettti pflog0 src 10.69.245.50

Result (correct):
> ping 10.69.0.1
Feb 14 22:46:37.928813 rule 1/(match) block out on em1: 10.69.245.50 > 10.69.0.1: icmp: echo request (DF)

> ssh login@10.69.0.253
Feb 14 22:47:19.519580 rule 2/(match) pass out on em1: 10.69.245.50.41986 > 10.69.0.253.22: S 1682236102:1682236102(0) win 29200 <mss 1460,sackOK,timestamp 201134 0,nop,wscale 7> (DF)


==== 2. Test ====

Test with an anchor in the ruleset => Incorrect logging.

---- pf.conf ----
int=em0
ext=em1

set skip on lo

block in log on $ext from any to any
block out log on $ext from any to any

anchor "test/*"

pass out log on $ext proto tcp from any to any port 22
---- /pf.conf ----

---- pfctl -s rules | nl -v 0 ----
     0  block drop in log on em1 all
     1  block drop out log on em1 all
     2  anchor "test/*" all
     3  pass out log on em1 proto tcp from any to any port = 22 flags S/SA
---- /pfctl -s rules | nl -v 0 ----

> Logging with: tcpdump -nettti pflog0 src 10.69.245.50

Result:
> ping 10.69.0.1
Feb 14 22:49:29.310651 rule 2/(match) block out on em1: 10.69.245.50 > 10.69.0.1: icmp: echo request (DF)

> ssh login@10.69.0.253
Feb 14 22:49:48.225126 rule 2/(match) pass out on em1: 10.69.245.50.41988 > 10.69.0.253.22: S 3757241004:3757241004(0) win 29200 <mss 1460,sackOK,timestamp 238312 0,nop,wscale 7> (DF)

Expected:
> ping 10.69.0.1
... rule 1/(match) ...

> ssh login@10.69.0.253
... rule 3/(match) ...

OpenBSD 6.2 (GENERIC.MP) #5: Wed Feb 14 23:11:22 CET 2018
    r...@feuerwand.na.lokal:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4163919872 (3971MB)
avail mem = 4030709760 (3843MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xebfd0 (49 entries)
bios0: vendor American Megatrends Inc. version "5.6.5" date 12/13/2016
bios0: Thomas-Krenn.AG Default string
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG LPIT HPET SSDT SSDT SSDT UEFI
acpi0: wakeup devices PS2K(S3) PS2M(S3) XHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N2930 @ 1.83GHz, 1833.75 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 1833749940 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU N2930 @ 1.83GHz, 1833.34 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) CPU N2930 @ 1.83GHz, 1833.34 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) CPU N2930 @ 1.83GHz, 1833.34 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 87 pins
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpicpu1 at acpi0: C1(@1 halt!), PSS
acpicpu2 at acpi0: C1(@1 halt!), PSS
acpicpu3 at acpi0: C1(@1 halt!), PSS
acpipwrres0 at acpi0: PLPE
acpipwrres1 at acpi0: PLPE
acpipwrres2 at acpi0: USBC, resource for EHC1, OTG1
acpipwrres3 at acpi0: CLK0, resource for CAM1
acpipwrres4 at acpi0: CLK1, resource for CAM0, CAM2
"MSFT0001" at acpi0 not configured
"MSFT0003" at acpi0 not configured
"DMA0F28" at acpi0 not configured
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
"INTCF0B" at acpi0 not configured
"INTCF1A" at acpi0 not configured
"INTCF1C" at acpi0 not configured
"SMO91D0" at acpi0 not configured
"MXT3432" at acpi0 not configured
acpivideo0 at acpi0: GFX0
cpu0: Enhanced SpeedStep 1833 MHz: speeds: 1827, 1826, 1660, 1494, 1328, 1162, 996, 830, 498 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Bay Trail Host" rev 0x0e
inteldrm0 at pci0 dev 2 function 0 "Intel Bay Trail Video" rev 0x0e
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1280x1024, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
ahci0 at pci0 dev 19 function 0 "Intel Bay Trail AHCI" rev 0x0e: msi, AHCI 1.3
ahci0: port 0: 3.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, TS32GMSA370, N112> SCSI3 0/direct fixed t10.ATA_TS32GMSA370_D957300327_
sd0: 30533MB, 512 bytes/sector, 62533296 sectors, thin
xhci0 at pci0 dev 20 function 0 "Intel Bay Trail xHCI" rev 0x0e: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel Bay Trail TXE" rev 0x0e at pci0 dev 26 function 0 not configured
azalia0 at pci0 dev 27 function 0 "Intel Bay Trail HD Audio" rev 0x0e: msi
azalia0: codecs: Realtek ALC662, Intel/0x2882, using Realtek ALC662
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel Bay Trail PCIE" rev 0x0e: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel Bay Trail PCIE" rev 0x0e: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 2 "Intel Bay Trail PCIE" rev 0x0e: msi
pci3 at ppb2 bus 3
em0 at pci3 dev 0 function 0 "Intel 82583V" rev 0x00: msi, address 00:30:18:06:9f:94
ppb3 at pci0 dev 28 function 3 "Intel Bay Trail PCIE" rev 0x0e: msi
pci4 at ppb3 bus 4
em1 at pci4 dev 0 function 0 "Intel 82583V" rev 0x00: msi, address 00:30:18:06:9f:93
pcib0 at pci0 dev 31 function 0 "Intel Bay Trail LPC" rev 0x0e
ichiic0 at pci0 dev 31 function 3 "Intel Bay Trail SMBus" rev 0x0e: apic 1 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800 SO-DIMM
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 15 bytes
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
uhidev0 at uhub0 port 3 configuration 1 interface 0 "DELL Dell USB Entry Keyboard" rev 1.10/1.78 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhub1 at uhub0 port 4 configuration 1 interface 0 "Genesys Logic USB2.0 Hub" rev 2.00/88.32 addr 3
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (ea44963b0108c50a.a) swap on sd0b dump on sd0b
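
An added example, not part of the original report: a Python cross-check of pflog lines against the numbered `pfctl -s rules | nl -v 0` listing, flagging log entries whose rule number cannot be the rule that matched (it points at an anchor, or the action or direction disagrees). The function names are hypothetical, the data is Test 2 from the report with the tcpdump lines shortened, and the log header format is assumed to be exactly the one shown above.

```python
import re

# Test 2 data from the report: ruleset listing and the two logged lines
# (tcpdump output shortened after the addresses).
RULES = '''
     0  block drop in log on em1 all
     1  block drop out log on em1 all
     2  anchor "test/*" all
     3  pass out log on em1 proto tcp from any to any port = 22 flags S/SA
'''
LOGS = [
    "Feb 14 22:49:29.310651 rule 2/(match) block out on em1: 10.69.245.50 > 10.69.0.1: icmp: echo request (DF)",
    "Feb 14 22:49:48.225126 rule 2/(match) pass out on em1: 10.69.245.50.41988 > 10.69.0.253.22: S",
]

# Header as printed by `tcpdump -nettti pflog0` in the report (assumed format).
LOG_RE = re.compile(r"rule (\d+)/\(match\) (block|pass) (in|out) on \S+:")

def parse_rules(listing):
    """Map rule number -> rule text from `pfctl -s rules | nl -v 0` output."""
    rules = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*\S)", line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules

def check_log_line(line, rules):
    """Return reasons why the logged rule number cannot be the matching rule."""
    m = LOG_RE.search(line)
    if not m:
        return ["no pflog rule header found"]
    num, action, direction = int(m.group(1)), m.group(2), m.group(3)
    if num not in rules:
        return [f"rule {num} is not in the loaded ruleset"]
    words = rules[num].split()
    if words[0] == "anchor":
        return [f"rule {num} is an anchor, not a filter rule"]
    problems = []
    if words[0] != action:
        problems.append(f"logged action '{action}' but rule {num} is '{words[0]}'")
    opposite = "in" if direction == "out" else "out"
    if opposite in words and direction not in words:
        problems.append(f"logged direction '{direction}' but rule {num} is '{opposite}'")
    return problems

if __name__ == "__main__":
    ruleset = parse_rules(RULES)
    for entry in LOGS:
        print(check_log_line(entry, ruleset) or "consistent", "<-", entry[:60])
```

Running the same check over stored pflog data shows which entries were attributed to an anchor number and need re-mapping before they are used in rule-hit statistics or incident timelines.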
