On Thu, Feb 15, 2018 at 10:25:07AM +0100, Illya Meyer wrote:

> Hello OpenBSD-Team,
> 
> I discovered a strange behaviour since OpenBSD 6.2 with pf logging, when an
> "anchor" is in the ruleset of /etc/pf.conf. It logs in some cases the rule
> number of the anchor and not the matching rule, although the correct rule is
> used.
> 
> I discovered the problem on three different machines (all AMD64).
> 
> Notes:
> - Occurred since 6.2, 6.1 works as expected.
> - Without quick-rules, it logs always the anchor rule number.
> - With quick-rules, it logs the correct rule number, if the
>   matching rule is before the anchor and the anchor rule number,
>   if the matching rule is after the anchor.
> 
> I built a test without quick rules.
> 
> If you need more information, don't hesitate to contact me.
> 
> Thank you for your time and your work
> Illya Meyer

Does this still happen on current? There were some fixes by sashan@
related to anchors about two months ago.

        -Otto

> 
> ===== Test environment =====
> 
> OS: OpenBSD 6.2 (fully patched)
> Machine: AMD64
> 
> +--------+       +---------+       +-----+
> | Client |---em0-| OpenBSD |-em1---| LAN |
> +--------+       +---------+       +-----+
> 
> OpenBSD is configured as bridge, but it is not necessary for producing the
> error.
> 
> Client: Linux on 10.69.245.50/16 attached on em0
> 
> OpenBSD:
> ---- hostname.em0 ----
> inet 10.69.228.156 255.255.0.0
> ---- /hostname.em0 ----
> 
> ---- hostname.em1 ----
> up
> ---- /hostname.em1 ----
> 
> ---- hostname.bridge0 ----
> add em0
> add em1
> up
> ---- /hostname.bridge0 ----
> 
> ---- sysctl.conf ----
> net.inet.ip.forwarding=1
> ---- /sysctl.conf ----
> 
> ==== 1. Test ====
> 
> Test without an anchor in the ruleset => Correct logging.
> 
> ---- pf.conf ----
> int=em0
> ext=em1
> 
> set skip on lo
> 
> block in log on $ext from any to any
> block out log on $ext from any to any
> 
> pass out log on $ext proto tcp from any to any port 22
> ---- /pf.conf ----
> 
> ---- pfctl -s rules | nl -v 0 ----
>      0  block drop in log on em1 all
>      1  block drop out log on em1 all
>      2  pass out log on em1 proto tcp from any to any port = 22 flags S/SA
> ---- /pfctl -s rules | nl -v 0 ----
> 
> > Logging with: tcpdump -nettti pflog0 src 10.69.245.50
> 
> Result (correct):
> > ping 10.69.0.1
> Feb 14 22:46:37.928813 rule 1/(match) block out on em1: 10.69.245.50 >
> 10.69.0.1: icmp: echo request (DF)
> 
> > ssh login@10.69.0.253
> Feb 14 22:47:19.519580 rule 2/(match) pass out on em1: 10.69.245.50.41986 >
> 10.69.0.253.22: S 1682236102:1682236102(0) win 29200 <mss
> 1460,sackOK,timestamp 201134 0,nop,wscale 7> (DF)
> 
> 
> ==== 2. Test ====
> 
> Test with an anchor in the ruleset => Incorrect logging.
> 
> ---- pf.conf ----
> int=em0
> ext=em1
> 
> set skip on lo
> 
> block in log on $ext from any to any
> block out log on $ext from any to any
> 
> anchor "test/*"
> 
> pass out log on $ext proto tcp from any to any port 22
> ---- /pf.conf ----
> 
> ---- pfctl -s rules | nl -v 0 ----
>      0  block drop in log on em1 all
>      1  block drop out log on em1 all
>      2  anchor "test/*" all
>      3  pass out log on em1 proto tcp from any to any port = 22 flags S/SA
> ---- /pfctl -s rules | nl -v 0 ----
> 
> > Logging with: tcpdump -nettti pflog0 src 10.69.245.50
> 
> Result:
> > ping 10.69.0.1
> Feb 14 22:49:29.310651 rule 2/(match) block out on em1: 10.69.245.50 >
> 10.69.0.1: icmp: echo request (DF)
> 
> > ssh login@10.69.0.253
> Feb 14 22:49:48.225126 rule 2/(match) pass out on em1: 10.69.245.50.41988 >
> 10.69.0.253.22: S 3757241004:3757241004(0) win 29200 <mss
> 1460,sackOK,timestamp 238312 0,nop,wscale 7> (DF)
> 
> Expected:
> > ping 10.69.0.1
> ... rule 1/(match) ...
> 
> > ssh login@10.69.0.253
> ... rule 3/(match) ...
> 

> OpenBSD 6.2 (GENERIC.MP) #5: Wed Feb 14 23:11:22 CET 2018
>     r...@feuerwand.na.lokal:/usr/src/sys/arch/amd64/compile/GENERIC.MP

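An offline cross-check for the symptom reported in this thread, as an added example that is not part of the original messages or of OpenBSD: it compares the rule number in each pflog line with the `pfctl -s rules | nl -v 0` listing and flags entries that point at an anchor or at a rule that does not fit the logged action, direction or interface. The listing and log lines are copied from the report's second test; the function names and finding strings are assumptions made for this example.

```python
import re

# Copied from "2. Test" in the report; the ssh entry is cut after its first line.
RULES = """\
     0  block drop in log on em1 all
     1  block drop out log on em1 all
     2  anchor "test/*" all
     3  pass out log on em1 proto tcp from any to any port = 22 flags S/SA
"""
PFLOG = """\
Feb 14 22:49:29.310651 rule 2/(match) block out on em1: 10.69.245.50 >
10.69.0.1: icmp: echo request (DF)
Feb 14 22:49:48.225126 rule 2/(match) pass out on em1: 10.69.245.50.41988 >
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+(anchor|block|pass|match)\b(.*)$")
# Only plain main-ruleset rule numbers are handled; other lines are skipped.
LOG_RE = re.compile(r"\brule (\d+)/\(match\) (block|pass) (in|out) on (\S+):")

def parse_rules(listing):
    """Map rule number -> (action, direction or None, interface or None)."""
    rules = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        direction = re.search(r"\b(in|out)\b", m.group(3))
        iface = re.search(r"\bon (\S+)", m.group(3))
        rules[int(m.group(1))] = (m.group(2), direction and direction.group(1),
                                  iface and iface.group(1))
    return rules

def audit(listing, pflog):
    """Return (rule number, logged action, reason) for inconsistent entries."""
    rules, findings = parse_rules(listing), []
    for line in pflog.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # wrapped continuation line or unrecognised format
        num, action, direction, iface = int(m.group(1)), *m.group(2, 3, 4)
        known = rules.get(num)
        if known is None:
            findings.append((num, action, "rule number not in listing"))
        elif known[0] == "anchor":
            findings.append((num, action, "rule number is an anchor"))
        elif (known[0] != action or known[1] not in (None, direction)
              or known[2] not in (None, iface)):
            findings.append((num, action, "rule does not fit the packet"))
    return findings
```

A misattributed number that happens to point at a rule with the same action, direction and interface passes this check, so an empty result does not prove the log is correct.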