Hi Joachim,

As you requested, I reproduced the problem with a minimal pf.conf. The bad thing, however, is that the 'solution' I found is not portable to my real system, so it is probably only part of the cause (or even only a symptom). Below is a full fresh story, so that you
do not need to locate/reread my old mail etc.

On my firewall (a PC Engines 3-port Ethernet device with one additional tun0
device) I have various unexplained problems. What is reproducible is that the
UID/PID of rules on one of the Ethernet ports does not work. In an attempt
to find a minimal pf.conf, and hoping that fixing this also fixes my other
(unexplained) problems, I ported the firewall to VMware.

The following minimal pf.conf causes the loss of UID/PID in pflog:
---- pf.conf ----
nat on vic2 to any ->  (vic2)
nat-anchor "ftp-proxy/*"
pass out quick log (user) proto tcp to port 54321
pass quick on lo0
pass in quick on vic2 from 172.16.1.1/24
-----

So if I do
telnet 172.16.1.250 54321
pflog shows:
08:17:50.571260 rule 0/(match) [uid 0, pid 13539] pass out on vic2:
192.168....

If either of the two nat statements is removed from pf.conf, the UID/PID
appears, resulting in pflog:
08:18:22.455949 rule 0/(match) [uid 0, pid 12076] pass out on vic2: [uid
1000, pid 9145] 172.16...

On my real firewall I tried removing the nat-anchor (I cannot remove the
other nat, or the firewall does not work anymore), hoping to get the UID/PID
again, but there that DOES NOT HAPPEN.
Probably there is another related cause.

This was all tested on OpenBSD 4.6 GENERIC#58 i386. Yes, I know it is somewhat
outdated, but please read the following too.

The OpenBSD Upgrade Guide: 4.6 to 4.7 shows in the section 'pf(4) NAT syntax
change' that pf was changed considerably in exactly the nat part.
Therefore it might be that the problem I detected has already been removed
in 4.7. !!! Might be !!!

However, given that doing the same on my real firewall DOES NOT fix the problem
(i.e. still no UID/PID), there is probably another related cause. Based
upon that, I think it makes sense to find out in 4.6 what really happens (I
expect: some buffer overflow) and then determine whether the cause has
actually been replaced in 4.7 due to the large rewrite of nat in pf.
----------

On 2/21/2011 10:17, Joachim Schipper wrote:
> On Sun, Feb 20, 2011 at 10:23:32PM +0100, Peter [prive] wrote:
>> Trying to find the problem I did the following:
>> I added 1 rule as the first rule.
>> pass out quick log (user) proto tcp to port 54321
>
> Can you post a minimal pf.conf that exhibits this problem? It looks like
> you have other rules as well, possibly including some configuration that
> may be relevant.
>
>                 Joachim

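An added example, not part of this thread and not code from either participant: a small Python script that parses pflog lines in the format quoted above and reports which entries carry the socket owner's [uid, pid] pair after "on <ifname>:" (what 'log (user)' is supposed to add) and which only carry the rule's [uid, pid] pair before the action. The field layout is taken from the two pflog lines in the mail; the sample lines are constructed after them, with the elided addresses, ports and TCP flags made up, and the uid/pid values copied from the thread. The tcpdump invocation in the comment is an assumption about how such lines are produced, not something the mail states.

```python
import re
from typing import Optional

# Regex for one tcpdump line read from pflog0, in the layout shown in the thread:
#   <time> rule <n>/(<reason>) [uid U, pid P] <action> <dir> on <if>: [uid U, pid P] <packet>
# The first [uid, pid] pair (before the action) belongs to the process that
# loaded the rule. The second pair, right after "on <if>:", is the owner of the
# local socket and appears only when the rule has 'log (user)' and pf could
# attach the socket credentials. It is this second pair that goes missing in
# the report above. Both pairs are optional here so other lines still parse.
PFLOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule\s+(?P<rule>[^/\s]+)/\((?P<reason>[^)]+)\)\s+"
    r"(?:\[uid (?P<rule_uid>\d+), pid (?P<rule_pid>\d+)\]\s+)?"
    r"(?P<action>\S+)\s+(?P<dir>in|out)\s+on\s+(?P<iface>[^:\s]+):\s+"
    r"(?:\[uid (?P<sock_uid>\d+), pid (?P<sock_pid>\d+)\]\s+)?"
    r"(?P<packet>.*)$"
)

# Constructed sample input, modelled on the two lines quoted in the mail.
# Addresses, ports and TCP flags are made up; uid/pid values are from the thread.
# The third line is deliberately not a pflog line.
SAMPLE_LINES = [
    "08:17:50.571260 rule 0/(match) [uid 0, pid 13539] pass out on vic2: "
    "192.168.1.10.40123 > 172.16.1.250.54321: S 1:1(0) win 16384",
    "08:18:22.455949 rule 0/(match) [uid 0, pid 12076] pass out on vic2: "
    "[uid 1000, pid 9145] 172.16.1.10.40124 > 172.16.1.250.54321: S 1:1(0) win 16384",
    "not a pflog line at all",
]

_INT_FIELDS = ("rule_uid", "rule_pid", "sock_uid", "sock_pid")


def parse_pflog_line(line: str) -> Optional[dict]:
    """Parse one pflog line into a dict; return None if it does not match the layout."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    for key in _INT_FIELDS:
        entry[key] = int(entry[key]) if entry[key] is not None else None
    # True only when the socket-owner pair after the interface name is present.
    entry["has_socket_cred"] = entry["sock_uid"] is not None
    return entry


def socket_credential_report(lines):
    """Split lines into (with socket uid/pid, without socket uid/pid, unparsed).

    Unparseable lines are returned rather than dropped, so a change in the
    pflog output format shows up as 'unparsed' instead of as 'no credentials'.
    """
    with_cred, without_cred, unparsed = [], [], []
    for line in lines:
        entry = parse_pflog_line(line)
        if entry is None:
            unparsed.append(line)
        elif entry["has_socket_cred"]:
            with_cred.append(entry)
        else:
            without_cred.append(entry)
    return with_cred, without_cred, unparsed


if __name__ == "__main__":
    import sys
    # Assumed usage: pipe tcpdump output in (e.g. tcpdump -n -e -i pflog0 | python3 pflog_user.py);
    # with no piped input, run over the constructed sample instead.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    with_cred, without_cred, unparsed = socket_credential_report(source)
    for e in with_cred:
        print(f"{e['time']} rule {e['rule']} {e['action']} {e['dir']} on {e['iface']}: "
              f"socket uid {e['sock_uid']} pid {e['sock_pid']}")
    for e in without_cred:
        print(f"{e['time']} rule {e['rule']} {e['action']} {e['dir']} on {e['iface']}: "
              f"NO socket uid/pid (rule uid {e['rule_uid']} pid {e['rule_pid']})")
    for line in unparsed:
        print(f"unparsed: {line.rstrip()!r}")
```

Run over the sample, the first line ends up in the "without" bucket and the second in the "with" bucket, which is exactly the difference the reporter observes when one of the two nat statements is removed. Keeping the unparsed lines visible matters here because a silently dropped line would look the same as a line that lost its socket credentials.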