On 2020-11-23, Szél Gábor <gabor.s...@wantax.eu> wrote:
> Dear @misc
>
> We test OpenBSD with Suricata in IPS mode.
> IPS mode requires PF divert-packet.
>
> simple rule to divert:
> pass in log quick on $xxxx_if proto tcp from !<ADMINIPs> to any divert-packet port 700
>
> At first look everything is good!
> The packet goes to suricata, suricata checks the packet, and if the packet is "bad",
> throws it away.
> But it is not working well!
>
> If suricata does not drop the packet, the packet is not reinjected into PF!
> After the divert-packet rule, no other rule works.
>
> a simple example:
> pass in log quick on $xxxx_if proto tcp from !<ADMINIPs> to any divert-packet port 700
> block log all
>
> I'm trying to connect to a host with SSH; divert to suricata is okay, and
> the SSH connection is successful.
> Why? The next rule is block all!
>
> I thought apps wouldn't reinject packets, so I made a simple test:
> https://man.openbsd.org/divert.4 - example C code
>
> If I replace suricata with the example C code, the situation is the same!
> I see the packet in the example log, and the SSH connection is successful.
> I think PF divert-packet does not reinject packets to PF.
This is all exactly as described in the divert(4) manual: writing to a divert socket can be achieved using sendto(2), and it will skip pf(4) filters to avoid loops. Note that this means that a reinjected inbound packet will also not run through the pf out rules after being forwarded. A diverted packet that is not reinjected into the kernel stack is lost.

> Is there a solution for this?

Block packets first, then pass any remaining packets with divert-to?
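An added pf.conf example (not part of the thread, not Suricata's or OpenBSD's own configuration) showing the rule ordering the reply recommends next to the ordering from the original post. The interface name em0, the table contents and the "port ssh" policy are assumptions for illustration; the divert port 700 and the <ADMINIPs> table name come from the original post.

```conf
# Added example, not from the thread. Assumed interface and constructed table contents.
ext_if = "em0"
table <ADMINIPs> { 192.0.2.10 }

# ORDER FROM THE ORIGINAL POST (does not do what was intended):
# the pass/divert rule matches with "quick", the packet goes to the divert
# socket on port 700, and when the IDS writes it back with sendto(2) it
# re-enters the stack without passing through pf again. The "block log all"
# below is therefore never evaluated for that packet, and SSH goes through.
#
#   pass in log quick on $ext_if proto tcp from !<ADMINIPs> to any divert-packet port 700
#   block log all

# RECOMMENDED ORDER: make every pf decision before the divert rule.
# Anything pf is supposed to enforce must match here; once a packet has
# been diverted and reinjected, pf will not see it again.
block log all

# Policy decisions first (assumed example policy: non-admins may not reach ssh).
block in log quick on $ext_if proto tcp from !<ADMINIPs> to any port ssh

# Only what survives the block rules above is handed to the IDS.
pass in log quick on $ext_if proto tcp from !<ADMINIPs> to any divert-packet port 700

# Admin hosts bypass the IDS entirely (assumed; taken from the post's use of <ADMINIPs>).
pass in log quick on $ext_if proto tcp from <ADMINIPs> to any
```

Because the divert-packet rule carries "quick", nothing placed after it is consulted for inbound TCP from non-admin hosts, whether or not the IDS reinjects the packet. As the reply notes, a reinjected inbound packet also skips the pf out rules if the host forwards it, so on a forwarding box the outbound policy for diverted traffic has to be expressed on the inbound side as well, before the divert rule.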