Thank you for your reply. Yes, this does appear to be the same problem previously reported. Are there no plans to backport this to 6.2? I am not comfortable running current for our purposes but I can wait until 6.3 if necessary.
-Cory

________________________________
From: Stuart Henderson <[email protected]>
Sent: Friday, March 23, 2018 6:07 PM
To: Williams, Cory R.
Cc: [email protected]
Subject: Re: pflog showing wrong rule numbers when pf is utilizing anchors

On 2018/03/23 18:31, Williams, Cory R. wrote:
> >Synopsis: pflog appears to be using the anchor rule number for all
> >traffic regardless of which rule is actually used
> >Category: amd64
> >Environment:
> System : OpenBSD 6.2
> Details : OpenBSD 6.2 (GENERIC) #7: Sat Mar 17 20:59:53 CET 2018
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
>
> Architecture: OpenBSD.amd64
> Machine : amd64
> >Description:
> pflog displaying wrong rule number when anchors are declared in pf.
> This does not occur in OpenBSD 6.1 (amd64, with or without syspatches).
> >How-To-Repeat:
> On OpenBSD 6.2 (amd64, with or without syspatches):
> Edit /etc/pf.conf to look something like this:
> anchor "ftp-proxy/*"
> block log
> pass out log
> block in log
> pass out log quick proto icmp
> pass in log quick proto icmp
> Reload pf (pfctl -f /etc/pf.conf)
> Run 'tcpdump -n -e -ttt -i pflog0' (windowed tmux, or separate session)
> Ping to and from the OpenBSD server. Notice it shows only 'rule 0/(match)' in this example.
> This is also repeatable with addition of any anchors in any ruleset as long as traffic is logged.
> Removal of anchor(s) will result in correct rule numbers appearing in pflog.
> >Fix:
> Fix unknown.

Known issue, fixed in -current (net/pf.c r1.1061). The simplest way to get the fix is to update to a snapshot, which is quite close to what will become OpenBSD 6.3 at the moment. Alternatively here's an *untested* backport of the fix commit.

Index: pf.c =================================================================== RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.1042 diff -u -p -r1.1042 pf.c --- pf.c 14 Aug 2017 15:58:16 -0000 1.1042 +++ pf.c 23 Mar 2018 23:03:36 -0000
@@ -3480,6 +3480,8 @@ enum pf_test_status pf_match_rule(struct pf_test_ctx *ctx, struct pf_ruleset *ruleset) { struct pf_rule *r; + struct pf_rule *save_a; + struct pf_ruleset *save_aruleset; r = TAILQ_FIRST(ruleset->rules.active.ptr); while (r != NULL) { @@ -3658,11 +3660,18 @@ pf_match_rule(struct pf_test_ctx *ctx, s break; } } else { + save_a = ctx->a; + save_aruleset = ctx->aruleset; ctx->a = r; /* remember anchor */ ctx->aruleset = ruleset; /* and its ruleset */ - if (pf_step_into_anchor(ctx, r) != PF_TEST_OK) { + /* + * Note: we don't need to restore if we are not going + * to continue with ruleset evaluation. + */ + if (pf_step_into_anchor(ctx, r) != PF_TEST_OK) break; - } + ctx->a = save_a; + ctx->aruleset = save_aruleset; } r = TAILQ_NEXT(r, entries); } @@ -3758,9 +3767,9 @@ pf_test_rule(struct pf_pdesc *pd, struct #if NPFLOG > 0 if (r->log) - PFLOG_PACKET(pd, ctx.reason, r, ctx.a, ruleset, NULL); + PFLOG_PACKET(pd, ctx.reason, r, a, ruleset, NULL); if (ctx.act.log & PF_LOG_MATCHES) - pf_log_matches(pd, r, ctx.a, ruleset, &ctx.rules); + pf_log_matches(pd, r, a, ruleset, &ctx.rules); #endif /* NPFLOG > 0 */ if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
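Review bot: in the first hunk (pf_match_rule, around line 3480) the new locals save_a and save_aruleset are declared without initialisers and without a comment; that is safe only because the second hunk assigns both before pf_step_into_anchor() in the same else block, but the assignment sits about 180 lines below the declaration, so a one-line comment at the declaration ("caller's anchor context, saved across pf_step_into_anchor") would make the pairing obvious to whoever reads the backport against 1.1042.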
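Review bot: in the second hunk (around line 3658) the restore of ctx->a and ctx->aruleset runs only on the PF_TEST_OK path, and that asymmetry is correct: on any other return the loop breaks and the matching rule lives inside the anchor, so ctx->a must keep pointing at that anchor, which the added comment explains. The missing restore is the root cause of the report: once the anchor rule "ftp-proxy/*" had been stepped into, ctx->a stayed set to the anchor for every later rule in the parent ruleset, so pflog attributed every packet to rule 0. One minor point: dropping the braces around the now single-statement "if (...) break;" is a cosmetic change that makes an untested backport diff noisier than it needs to be; leaving "if (pf_step_into_anchor(ctx, r) != PF_TEST_OK) { break; }" as it was in 1.1042 would keep the hunk to the functional change.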
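Review bot: the third hunk (pf_test_rule, around line 3758) replaces ctx.a with a bare "a" in the PFLOG_PACKET() and pf_log_matches() calls, but neither the declaration nor the assignment of "a" is in the visible context, so before building this on 6.2 confirm that pf_test_rule in 1.1042 has a local "struct pf_rule *a" and that it is set to the anchor of the rule that actually matched; if 1.1042 only carries the anchor in ctx.a, the hunk will not compile as is. The motivation for the switch is visible from the second hunk: now that ctx.a is reset when evaluation leaves an anchor, its value at the end of matching need not be the anchor of the rule that matched, so the log calls have to use the value recorded at match time.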

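The cross-check below is an added example, not code from this thread or from OpenBSD: it takes the rule listing from `pfctl -vvsr` and packet lines from `tcpdump -n -e -ttt -i pflog0` (both constructed here to mirror the report's pf.conf and its ping test) and reports log entries whose cited rule number cannot have produced them, which is how the misattribution described in the report shows up in pflog. It assumes pfctl prefixes each rule with `@N` and tcpdump prefixes each pflog packet with `rule N/(reason) action dir on iface:`.

```python
import re

# tcpdump -n -e on pflog0 prefixes packets with "rule N/(reason) action dir on iface: ..."
# (or "rule N.<anchor>.M/..." for a rule inside an anchor).
LOG_RE = re.compile(r"rule (\d+)(\.\S+?\.\d+)?/\((\w+)\) (\w+) (in|out) on (\S+):")

def parse_rules(pfctl_text):
    """Map rule number -> (action, direction) from `pfctl -vvsr` output ('@N' prefix)."""
    rules = {}
    for line in pfctl_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or not tok[0].startswith("@"):
            continue
        direction = next((t for t in tok[2:] if t in ("in", "out")), None)
        rules[int(tok[0][1:])] = (tok[1], direction)
    return rules

def find_misattributed(rules, log_lines):
    """Return (line, why) for pflog entries whose cited rule cannot have produced them."""
    bad = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        num, anchor_path, _reason, action, direction, _ifname = m.groups()
        if anchor_path is not None:
            continue  # rule inside an anchor: checking it needs that anchor's own listing
        rule = rules.get(int(num))
        if rule is None:
            bad.append((line, f"rule {num} is not in the loaded ruleset"))
        elif rule[0] == "anchor":
            bad.append((line, f"rule {num} is an anchor, not a filter rule"))
        elif rule[0] != action or (rule[1] is not None and rule[1] != direction):
            bad.append((line, f"rule {num} is '{rule[0]} {rule[1] or 'in/out'}' but pflog says '{action} {direction}'"))
    return bad

# Constructed sample: the report's pf.conf as `pfctl -vvsr` numbers it ...
SAMPLE_RULESET = """\
@0 anchor "ftp-proxy/*" all
@1 block drop log all
@2 pass out log all
@3 block drop in log all
@4 pass out log quick proto icmp all
@5 pass in log quick proto icmp all
"""
# ... and pflog lines (constructed) as 6.2 with the bug prints them: both cite rule 0 (a fixed kernel cites 4 and 5).
BUGGY_LOG = [
    "00:00:00.000000 rule 0/(match) pass out on em0: 192.0.2.10 > 192.0.2.1: icmp: echo request",
    "00:00:00.000412 rule 0/(match) pass in on em0: 192.0.2.1 > 192.0.2.10: icmp: echo reply",
]
```

Running `find_misattributed(parse_rules(SAMPLE_RULESET), BUGGY_LOG)` flags both constructed lines because rule 0 is the anchor; on a fixed kernel, where the same packets cite rules 4 and 5, it returns an empty list.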