On 2018/03/23 18:31, Williams, Cory R. wrote:
> >Synopsis: pflog appears to be using the anchor rule number for all
> >traffic regardless of which rule is actually used
> >Category: amd64
> >Environment:
> System : OpenBSD 6.2
> Details : OpenBSD 6.2 (GENERIC) #7: Sat Mar 17 20:59:53 CET 2018
>
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
>
> Architecture: OpenBSD.amd64
> Machine : amd64
> >Description:
> pflog displaying wrong rule number when anchors are declared in pf.
> This does not occur in OpenBSD 6.1 (amd64, with or without syspatches).
> >How-To-Repeat:
> On OpenBSD 6.2 (amd64, with or without syspatches):
> Edit /etc/pf.conf to look something like this:
> anchor "ftp-proxy/*"
> block log
> pass out log
> block in log
> pass out log quick proto icmp
> pass in log quick proto icmp
> Reload pf (pfctl -f /etc/pf.conf)
> Run 'tcpdump -n -e -ttt -i pflog0' (windowed tmux, or separate
> session)
> Ping to and from the OpenBSD server. Notice it shows only 'rule
> 0/(match)' in this example.
> This is also repeatable with addition of any anchors in any ruleset
> as long as traffic is logged.
> Removal of anchor(s) will result in correct rule numbers appearing in
> pflog.
> >Fix:
> Fix unknown.
Known issue, fixed in -current (net/pf.c r1.1061). The simplest way to
get the fix is to update to a snapshot, which is quite close to what
will become OpenBSD 6.3 at the moment.
Alternatively, here's an *untested* backport of the fix commit.
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.1042
diff -u -p -r1.1042 pf.c
--- pf.c 14 Aug 2017 15:58:16 -0000 1.1042
+++ pf.c 23 Mar 2018 23:03:36 -0000
@@ -3480,6 +3480,8 @@ enum pf_test_status
pf_match_rule(struct pf_test_ctx *ctx, struct pf_ruleset *ruleset)
{
struct pf_rule *r;
+ struct pf_rule *save_a;
+ struct pf_ruleset *save_aruleset;
r = TAILQ_FIRST(ruleset->rules.active.ptr);
while (r != NULL) {
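Review bot: save_a and save_aruleset are declared at function scope but only ever assigned inside the else branch of the loop body that enters an anchor, so they hold garbage on every other path through pf_match_rule(). Every read added by this patch does follow a write on the same path, so the code is correct as written, but initialising both to NULL at the declaration would make that invariant explicit and keep a later restructuring of the branch from turning it into an uninitialised read.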
@@ -3658,11 +3660,18 @@ pf_match_rule(struct pf_test_ctx *ctx, s
break;
}
} else {
+ save_a = ctx->a;
+ save_aruleset = ctx->aruleset;
ctx->a = r; /* remember anchor */
ctx->aruleset = ruleset; /* and its ruleset */
- if (pf_step_into_anchor(ctx, r) != PF_TEST_OK) {
+ /*
+ * Note: we don't need to restore if we are not going
+ * to continue with ruleset evaluation.
+ */
+ if (pf_step_into_anchor(ctx, r) != PF_TEST_OK)
break;
- }
+ ctx->a = save_a;
+ ctx->aruleset = save_aruleset;
}
r = TAILQ_NEXT(r, entries);
}
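Review bot: the restore of ctx->a and ctx->aruleset after a successful pf_step_into_anchor() is the actual fix for the symptom in the quoted report: before this change ctx->a kept pointing at the last anchor entered, so any rule matched later in the parent ruleset was still logged under the anchor rule's number (the "rule 0/(match)" the reporter sees for every packet, since the anchor is rule 0 in his pf.conf). The new comment only explains why no restore is needed on the break path; it would help to also say why the restore matters on the PF_TEST_OK path, e.g. "/* restore the enclosing anchor so later matches in this ruleset are logged against the right rule */". Leaving ctx->a untouched on the break path is fine, as the comment says, because ruleset evaluation stops there. Nested anchors are covered too, since the recursive pf_match_rule() call performs its own save and restore.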
@@ -3758,9 +3767,9 @@ pf_test_rule(struct pf_pdesc *pd, struct
#if NPFLOG > 0
if (r->log)
- PFLOG_PACKET(pd, ctx.reason, r, ctx.a, ruleset, NULL);
+ PFLOG_PACKET(pd, ctx.reason, r, a, ruleset, NULL);
if (ctx.act.log & PF_LOG_MATCHES)
- pf_log_matches(pd, r, ctx.a, ruleset, &ctx.rules);
+ pf_log_matches(pd, r, a, ruleset, &ctx.rules);
#endif /* NPFLOG > 0 */
if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
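Review bot: `a` is used on both new lines of this hunk but is neither declared nor assigned anywhere in the visible context, and the hunk is truncated (the header announces 9 lines after the change, only 7 are shown), so it is not possible to see where `a` comes from. Given that the backport is explicitly untested, confirm that pf_test_rule() in the 6.2 pf.c (revision 1.1042) has a local `a` that is set to the anchor of the rule that finally matched, as opposed to ctx.a, which after pf_match_rule() returns holds whichever anchor was entered last; if `a` is not populated that way in 1.1042, the logged rule number would still be wrong, and the missing part of this hunk is the bit a tester needs to see.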