Re: pfctl table cleared time is jumping around
On Wed, Feb 24, 2010 at 08:30:05AM +0100, Henning Brauer wrote: * Dan Harnett dan...@harnett.name [2010-02-23 21:19]: Probably wrong, but this fixes it. i would not call that wrong. i don't understand how this ever worked and I don't understand what broke it. the only commit in that timeframe that could cause this is ryan's pool removal and that doesn't touch anything near that codepath. puzzled. Ryan's commit actually removed a very similar line. $ cd /usr/src/sys/net $ cvs diff -D 2010/01/11 -D 2010/01/12 pf_table.c Index: pf_table.c === RCS file: /home/cvs/openbsd/src/sys/net/pf_table.c,v retrieving revision 1.80 retrieving revision 1.81 diff -u -p -r1.80 -r1.81 --- pf_table.c 24 Nov 2008 13:22:09 - 1.80 +++ pf_table.c 12 Jan 2010 03:20:51 - 1.81 [... snip! ...] @@ -1087,7 +,6 @@ pfr_walktree(struct radix_node *rn, void as.pfras_a.pfra_fback = PFR_FB_NOCOUNT; } splx(s); - as.pfras_tzero = ke-pfrke_tzero; if (COPYOUT(as, w-pfrw_astats, sizeof(as), flags)) return (EFAULT); [... snip! ...]
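Review bot: the removed `as.pfras_tzero = ...` line directly before `COPYOUT(as, ...)` in `pfr_walktree` has no replacement in the visible part of this hunk, so on this path `pfras_tzero` is copied out without being assigned. Unless one of the snipped hunks sets the field elsewhere, the assignment should stay, adapted to wherever the entry's tzero now lives, and the commit message should say why the line was safe to drop if that was intended.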
Re: pfctl table cleared time is jumping around
* Dan Harnett dan...@harnett.name [2010-02-24 15:29]: On Wed, Feb 24, 2010 at 08:30:05AM +0100, Henning Brauer wrote: * Dan Harnett dan...@harnett.name [2010-02-23 21:19]: Probably wrong, but this fixes it. i would not call that wrong. i don't understand how this ever worked and I don't understand what broke it. the only commit in that timeframe that could cause this is ryan's pool removal and that doesn't touch anything near that codepath. puzzled. Ryan's commit actually removed a very similar line. I'm blind and the mystery is solved. thanks for tracking this down. $ cd /usr/src/sys/net $ cvs diff -D 2010/01/11 -D 2010/01/12 pf_table.c Index: pf_table.c === RCS file: /home/cvs/openbsd/src/sys/net/pf_table.c,v retrieving revision 1.80 retrieving revision 1.81 diff -u -p -r1.80 -r1.81 --- pf_table.c 24 Nov 2008 13:22:09 - 1.80 +++ pf_table.c 12 Jan 2010 03:20:51 - 1.81 [... snip! ...] @@ -1087,7 +,6 @@ pfr_walktree(struct radix_node *rn, void as.pfras_a.pfra_fback = PFR_FB_NOCOUNT; } splx(s); - as.pfras_tzero = ke-pfrke_tzero; if (COPYOUT(as, w-pfrw_astats, sizeof(as), flags)) return (EFAULT); [... snip! ...] -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: pfctl table cleared time is jumping around
On Mon, Feb 22, 2010 at 10:40:29PM +0100, Michael Lechtermann wrote:
>>>> it's a slightly weird side-effect. a quick glance indicates that the
>>>> tzero timestamp is part of the stats struct and tables don't keep
>>>> stats/counters by default any more. for some time tho. i don't
>>>> remember any recent changes to the table code (as if anybody wanted
>>>> to touch that mess)
>>>
>>> by default, does that mean it is possible to somehow keep the
>>> stats/counters with a configuration option and have it work again?
>>
>> Add 'counters' to the table definition.
>
> That didn't fix it. The stats are shown now, but the dates are still
> jumping around. :-(

'pfctl -t tablename -T expire ' is also currently broken. Everything
appears to be removed from the table immediately regardless of ''.

$ sudo cat /etc/pf.conf
table <testing> persist counters
$ sudo pfctl -vv -t testing -T add 172.16.1.8 172.16.1.9
2/2 addresses added.
A 172.16.1.8
A 172.16.1.9
$ sudo pfctl -vv -t testing -T expire 7200
2/2 addresses expired.
D 172.16.1.8
D 172.16.1.9
Re: pfctl table cleared time is jumping around
* Dan Harnett dan...@harnett.name [2010-02-23 17:19]:
> 'pfctl -t tablename -T expire ' is also currently broken. Everything
> appears to be removed from the table immediately regardless of ''.
>
> $ sudo cat /etc/pf.conf
> table <testing> persist counters
> $ sudo pfctl -vv -t testing -T add 172.16.1.8 172.16.1.9
> 2/2 addresses added.
> A 172.16.1.8
> A 172.16.1.9
> $ sudo pfctl -vv -t testing -T expire 7200
> 2/2 addresses expired.
> D 172.16.1.8
> D 172.16.1.9

I don't remember any changes in that area lately so this puzzles me.
do we know when this breakage was introduced, approximately?

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: pfctl table cleared time is jumping around
On 2010-02-23, Henning Brauer lists-open...@bsws.de wrote:
> * Dan Harnett dan...@harnett.name [2010-02-23 17:19]:
>> 'pfctl -t tablename -T expire ' is also currently broken. Everything
>> appears to be removed from the table immediately regardless of ''.
>>
>> $ sudo cat /etc/pf.conf
>> table <testing> persist counters
>> $ sudo pfctl -vv -t testing -T add 172.16.1.8 172.16.1.9
>> 2/2 addresses added.
>> A 172.16.1.8
>> A 172.16.1.9
>> $ sudo pfctl -vv -t testing -T expire 7200
>> 2/2 addresses expired.
>> D 172.16.1.8
>> D 172.16.1.9
>
> I don't remember any changes in that area lately so this puzzles me.
> do we know when this breakage was introduced, approximately?

I found a couple of boxes with May 2009 kernels where expire works as
expected. I can't think of anything I have running code dated between
then and now to pinpoint it any better than that (the downside of
actually testing diffs ;-)
Re: pfctl table cleared time is jumping around
Hi,

>> I don't remember any changes in that area lately so this puzzles me.
>> do we know when this breakage was introduced, approximately?
>
> I found a couple of boxes with May 2009 kernels where expire works as
> expected. I can't think of anything I have running code dated between
> then and now to pinpoint it any better than that (the downside of
> actually testing diffs ;-)

It still worked with the snapshot from around 08/2009.

Michael
Re: pfctl table cleared time is jumping around
On Tue, Feb 23, 2010 at 05:24:30PM +0100, Henning Brauer wrote:
> * Dan Harnett dan...@harnett.name [2010-02-23 17:19]:
>> 'pfctl -t tablename -T expire ' is also currently broken. Everything
>> appears to be removed from the table immediately regardless of ''.
>>
>> $ sudo cat /etc/pf.conf
>> table <testing> persist counters
>> $ sudo pfctl -vv -t testing -T add 172.16.1.8 172.16.1.9
>> 2/2 addresses added.
>> A 172.16.1.8
>> A 172.16.1.9
>> $ sudo pfctl -vv -t testing -T expire 7200
>> 2/2 addresses expired.
>> D 172.16.1.8
>> D 172.16.1.9
>
> I don't remember any changes in that area lately so this puzzles me.
> do we know when this breakage was introduced, approximately?

I have narrowed it down to between 2010/01/11 and 2010/01/12. It worked
fine on 2010/01/11.
Re: pfctl table cleared time is jumping around
On Tue, Feb 23, 2010 at 02:28:17PM -0500, Dan Harnett wrote: On Tue, Feb 23, 2010 at 05:24:30PM +0100, Henning Brauer wrote: I don't remember any changes in that area lately so this puzzles me. do we know when this breakage was introduced, approximately? I have narrowed it down to between 2010/01/11 and 2010/01/12. It worked fine on 2010/01/11. Probably wrong, but this fixes it. Index: pf_table.c === RCS file: /cvs/src/sys/net/pf_table.c,v retrieving revision 1.82 diff -N -u -p pf_table.c --- pf_table.c 18 Jan 2010 23:52:46 - 1.82 +++ pf_table.c 23 Feb 2010 20:09:59 - @@ -1112,6 +1112,7 @@ pfr_walktree(struct radix_node *rn, void *arg) as.pfras_a.pfra_fback = PFR_FB_NOCOUNT; } splx(s); + as.pfras_tzero = ke-u._ke._pfrke_tzero; if (COPYOUT(as, w-pfrw_astats, sizeof(as), flags)) return (EFAULT);
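Review bot: in `pfr_walktree`, please confirm that `as` is zeroed before it is filled, because `COPYOUT(as, ..., sizeof(as), flags)` hands the whole struct to the caller and the added `as.pfras_tzero` line only covers the one field that was noticed missing. If the struct is not cleared first, any other member left unassigned on this path goes out to userland with stale contents in the same way. The patch also needs a short commit message naming the revision in which the assignment was lost.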
Re: pfctl table cleared time is jumping around
* Dan Harnett dan...@harnett.name [2010-02-23 21:19]: On Tue, Feb 23, 2010 at 02:28:17PM -0500, Dan Harnett wrote: On Tue, Feb 23, 2010 at 05:24:30PM +0100, Henning Brauer wrote: I don't remember any changes in that area lately so this puzzles me. do we know when this breakage was introduced, approximately? I have narrowed it down to between 2010/01/11 and 2010/01/12. It worked fine on 2010/01/11. Probably wrong, but this fixes it. i would not call that wrong. i don't understand how this ever worked and I don't understand what broke it. the only commit in that timeframe that could cause this is ryan's pool removal and that doesn't touch anything near that codepath. puzzled. Index: pf_table.c === RCS file: /cvs/src/sys/net/pf_table.c,v retrieving revision 1.82 diff -N -u -p pf_table.c --- pf_table.c18 Jan 2010 23:52:46 - 1.82 +++ pf_table.c23 Feb 2010 20:09:59 - @@ -1112,6 +1112,7 @@ pfr_walktree(struct radix_node *rn, void *arg) as.pfras_a.pfra_fback = PFR_FB_NOCOUNT; } splx(s); + as.pfras_tzero = ke-u._ke._pfrke_tzero; if (COPYOUT(as, w-pfrw_astats, sizeof(as), flags)) return (EFAULT); -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
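The failure mode this thread tracks down, as an added example that is not code from the thread or from OpenBSD: a stats struct is exported without its timestamp field being assigned, so the consumer shows whatever the buffer held and an age-based expire deletes every entry. The struct layouts, the `stale` parameter and the expire rule are simplified assumptions made for the model.

```c
#include <string.h>
#include <time.h>

/* Hypothetical stand-ins for the structures named in the patch. */
struct kentry { unsigned int addr; time_t tzero; };  /* kernel entry, cf. pfrke_tzero */
struct astats { unsigned int addr; time_t tzero; };  /* exported stats, cf. pfras_tzero */

/*
 * Model of the export step. `stale` stands in for whatever the buffer held
 * before it was filled, so the result is deterministic. With copy_tzero == 0
 * the field is never assigned and the stale value reaches the consumer.
 */
static void export_entry(const struct kentry *ke, struct astats *out,
    time_t stale, int copy_tzero)
{
	struct astats as;

	memset(&as, 0, sizeof(as));
	as.tzero = stale;              /* leftover contents, not entry data */
	as.addr = ke->addr;
	if (copy_tzero)
		as.tzero = ke->tzero;  /* the assignment the patch restores */
	memcpy(out, &as, sizeof(as));  /* models COPYOUT of sizeof(as) bytes */
}

/* Timestamp a consumer would display as "Cleared:" for one entry. */
time_t shown_tzero(time_t real, time_t stale, int copy_tzero)
{
	struct kentry ke = { 0xac100108u, real };  /* constructed: 172.16.1.8 */
	struct astats as;

	export_entry(&ke, &as, stale, copy_tzero);
	return as.tzero;
}

/* How many of n entries added 60 s ago an expire pass with `lifetime` deletes. */
int count_expired(int n, time_t now, time_t lifetime, time_t stale, int copy_tzero)
{
	int i, expired = 0;

	for (i = 0; i < n; i++)
		if (now - shown_tzero(now - 60, stale, copy_tzero) > lifetime)
			expired++;     /* assumed rule: older than lifetime => delete */
	return expired;
}
```

With the assignment in place, two entries added a minute ago survive an expire of 7200 seconds; without it, both are reported as expired, which matches the "2/2 addresses expired" output quoted in the thread.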
Re: pfctl table cleared time is jumping around
Hi,

> it's a slightly weird side-effect. a quick glance indicates that the
> tzero timestamp is part of the stats struct and tables don't keep
> stats/counters by default any more. for some time tho. i don't
> remember any recent changes to the table code (as if anybody wanted
> to touch that mess)

by default, does that mean it is possible to somehow keep the
stats/counters with a configuration option and have it work again?
I couldn't find anything regarding that in the pf.conf manpage.

Michael
Re: pfctl table cleared time is jumping around
On 2010-02-22, Michael Lechtermann mich...@lechtermann.net wrote:
> Hi,
>
>> it's a slightly weird side-effect. a quick glance indicates that the
>> tzero timestamp is part of the stats struct and tables don't keep
>> stats/counters by default any more. for some time tho. i don't
>> remember any recent changes to the table code (as if anybody wanted
>> to touch that mess)
>
> by default, does that mean it is possible to somehow keep the
> stats/counters with a configuration option and have it work again?

Add 'counters' to the table definition.
Re: pfctl table cleared time is jumping around
Hi,

>>> it's a slightly weird side-effect. a quick glance indicates that the
>>> tzero timestamp is part of the stats struct and tables don't keep
>>> stats/counters by default any more. for some time tho. i don't
>>> remember any recent changes to the table code (as if anybody wanted
>>> to touch that mess)
>>
>> by default, does that mean it is possible to somehow keep the
>> stats/counters with a configuration option and have it work again?
>
> Add 'counters' to the table definition.

That didn't fix it. The stats are shown now, but the dates are still
jumping around. :-(

Michael
Re: pfctl table cleared time is jumping around
* Didier Wiroth dwir...@gmail.com [2010-01-23 23:15]:
> On Wednesday 20 January 2010 23:21:35 Michael Lechtermann wrote:
>> On 20.01.2010 23:15, frantisek holop wrote:
>>> hmm, on Wed, Jan 20, 2010 at 04:58:32PM +0100, Michael Lechtermann said that
>>>> it seems there is a bug in pfctl regarding the cleared time of a
>>>> table entry. The attack actually happened this year, but the date
>>>> shown is constantly changing:
>>>
>>> been like this forever...
>>>
>>> -pa-r-- bad-ssh
>>>     Addresses:   3
>>>     Cleared:     Thu Jan 1 01:00:00 1970
>>>     References:  [ Anchors: 0 Rules: 2 ]
>>>     Evaluations: [ NoMatch: 0 Match: 0 ]
>>>     In/Block:    [ Packets: 0 Bytes: 0 ]
>>>     In/Pass:     [ Packets: 0 Bytes: 0 ]
>>>     In/XPass:    [ Packets: 0 Bytes: 0 ]
>>>     Out/Block:   [ Packets: 0 Bytes: 0 ]
>>>     Out/Pass:    [ Packets: 0 Bytes: 0 ]
>>>     Out/XPass:   [ Packets: 0 Bytes: 0 ]
>>>
>>> i think i have sent a message about it ages ago but only to misc@
>>
>> For me, it is a new behavior. It still worked with OpenBSD snapshot
>> from around 08/2009.
>
> Hello,
> I'm running latest current and I have the same issues now:
>
> # pfctl -t tb1 -Ts -vvv
>    172.16.43.34
>     Cleared:     Wed Dec 31 11:19:39 1969
>    172.16.43.35
>     Cleared:     Wed Dec 31 11:19:39 1969
>
> Actually this used to be displayed correctly 2 or 3 snapshots ago.
> Is this a known bug?

it's a slightly weird side-effect. a quick glance indicates that the
tzero timestamp is part of the stats struct and tables don't keep
stats/counters by default any more. for some time tho. i don't
remember any recent changes to the table code (as if anybody wanted
to touch that mess)

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: pfctl table cleared time is jumping around
On Wednesday 20 January 2010 23:21:35 Michael Lechtermann wrote:
> On 20.01.2010 23:15, frantisek holop wrote:
>> hmm, on Wed, Jan 20, 2010 at 04:58:32PM +0100, Michael Lechtermann said that
>>> it seems there is a bug in pfctl regarding the cleared time of a
>>> table entry. The attack actually happened this year, but the date
>>> shown is constantly changing:
>>
>> been like this forever...
>>
>> -pa-r-- bad-ssh
>>     Addresses:   3
>>     Cleared:     Thu Jan 1 01:00:00 1970
>>     References:  [ Anchors: 0 Rules: 2 ]
>>     Evaluations: [ NoMatch: 0 Match: 0 ]
>>     In/Block:    [ Packets: 0 Bytes: 0 ]
>>     In/Pass:     [ Packets: 0 Bytes: 0 ]
>>     In/XPass:    [ Packets: 0 Bytes: 0 ]
>>     Out/Block:   [ Packets: 0 Bytes: 0 ]
>>     Out/Pass:    [ Packets: 0 Bytes: 0 ]
>>     Out/XPass:   [ Packets: 0 Bytes: 0 ]
>>
>> i think i have sent a message about it ages ago but only to misc@
>
> For me, it is a new behavior. It still worked with OpenBSD snapshot
> from around 08/2009.

Hello,
I'm running latest current and I have the same issues now:

# pfctl -t tb1 -Ts -vvv
   172.16.43.34
    Cleared:     Wed Dec 31 11:19:39 1969
   172.16.43.35
    Cleared:     Wed Dec 31 11:19:39 1969

Actually this used to be displayed correctly 2 or 3 snapshots ago.
Is this a known bug?

Kind regards,
Didier
pfctl table cleared time is jumping around
Hi,

it seems there is a bug in pfctl regarding the cleared time of a table
entry. The attack actually happened this year, but the date shown is
constantly changing:

# pfctl -t bruteforce -vT show
   81.38.199.134
    Cleared:     Sun Apr 12 18:24:16 2009
   88.183.20.179
    Cleared:     Sun Apr 12 18:24:16 2009
   210.51.48.71
    Cleared:     Sun Apr 12 18:24:16 2009
# pfctl -t bruteforce -vT show
   81.38.199.134
    Cleared:     Sun Apr 12 18:24:16 2009
   88.183.20.179
    Cleared:     Sun Apr 12 18:24:16 2009
   210.51.48.71
    Cleared:     Sun Apr 12 18:24:16 2009
# pfctl -t bruteforce -vT show
   81.38.199.134
    Cleared:     Mon Apr 13 03:30:24 2009
   88.183.20.179
    Cleared:     Mon Apr 13 03:30:24 2009
   210.51.48.71
    Cleared:     Mon Apr 13 03:30:24 2009
# pfctl -t bruteforce -vT show
   81.38.199.134
    Cleared:     Sun Jul 6 11:53:04 1986
   88.183.20.179
    Cleared:     Sun Jul 6 11:53:04 1986
   210.51.48.71
    Cleared:     Sun Jul 6 11:53:04 1986

# grep 81.38.199.134 /var/log/authlog
Jan 20 12:42:17 warden sshd[12934]: Did not receive identification string from 81.38.199.134
Jan 20 12:42:21 warden sshd[13182]: Failed password for root from 81.38.199.134 port 21471 ssh2
Jan 20 12:42:21 warden sshd[30963]: Received disconnect from 81.38.199.134: 11: Goodbye
Jan 20 12:42:25 warden sshd[25143]: Failed password for root from 81.38.199.134 port 21590 ssh2
Jan 20 12:42:25 warden sshd[10472]: Received disconnect from 81.38.199.134: 11: Goodbye
Jan 20 12:42:32 warden sshd[18071]: Failed password for root from 81.38.199.134 port 21689 ssh2
Jan 20 12:42:32 warden sshd[22432]: Received disconnect from 81.38.199.134: 11: Goodbye
Jan 20 12:42:36 warden sshd[6172]: Failed password for root from 81.38.199.134 port 21883 ssh2
Jan 20 12:42:36 warden sshd[18517]: Received disconnect from 81.38.199.134: 11: Goodbye
Jan 20 12:42:40 warden sshd[4324]: Failed password for root from 81.38.199.134 port 21999 ssh2
Jan 20 12:42:42 warden sshd[29797]: Received disconnect from 81.38.199.134: 11: Goodbye
Jan 20 12:42:49 warden sshd[21681]: Failed password for root from 81.38.199.134 port 22104 ssh2
Jan 20 12:42:50 warden sshd[11246]: Received disconnect from 81.38.199.134: 11: Goodbye
Jan 20 12:42:56 warden sshd[14492]: Failed password for root from 81.38.199.134 port 22351 ssh2
Jan 20 12:42:57 warden sshd[20990]: Received disconnect from 81.38.199.134: 11: Goodbye
Jan 20 12:43:00 warden sshd[13399]: Failed password for root from 81.38.199.134 port 22545 ssh2
Jan 20 12:43:03 warden sshd[16824]: Received disconnect from 81.38.199.134: 11: Goodbye
Jan 20 12:43:07 warden sshd[29615]: Failed password for root from 81.38.199.134 port 22652 ssh2
Jan 20 12:43:08 warden sshd[32628]: Received disconnect from 81.38.199.134: 11: Goodbye

# dmesg
http://openbsd.lechtermann.net/pub/misc/dmesg.SUNv440
Re: pfctl table cleared time is jumping around
hmm, on Wed, Jan 20, 2010 at 04:58:32PM +0100, Michael Lechtermann said that
> it seems there is a bug in pfctl regarding the cleared time of a table
> entry. The attack actually happened this year, but the date shown is
> constantly changing:

been like this forever...

-pa-r-- bad-ssh
    Addresses:   3
    Cleared:     Thu Jan 1 01:00:00 1970
    References:  [ Anchors: 0 Rules: 2 ]
    Evaluations: [ NoMatch: 0 Match: 0 ]
    In/Block:    [ Packets: 0 Bytes: 0 ]
    In/Pass:     [ Packets: 0 Bytes: 0 ]
    In/XPass:    [ Packets: 0 Bytes: 0 ]
    Out/Block:   [ Packets: 0 Bytes: 0 ]
    Out/Pass:    [ Packets: 0 Bytes: 0 ]
    Out/XPass:   [ Packets: 0 Bytes: 0 ]

i think i have sent a message about it ages ago but only to misc@

-f
--
this message written by sandy. a highly trained dolphin.
Re: pfctl table cleared time is jumping around
On 20.01.2010 23:15, frantisek holop wrote:
> hmm, on Wed, Jan 20, 2010 at 04:58:32PM +0100, Michael Lechtermann said that
>> it seems there is a bug in pfctl regarding the cleared time of a
>> table entry. The attack actually happened this year, but the date
>> shown is constantly changing:
>
> been like this forever...
>
> -pa-r-- bad-ssh
>     Addresses:   3
>     Cleared:     Thu Jan 1 01:00:00 1970
>     References:  [ Anchors: 0 Rules: 2 ]
>     Evaluations: [ NoMatch: 0 Match: 0 ]
>     In/Block:    [ Packets: 0 Bytes: 0 ]
>     In/Pass:     [ Packets: 0 Bytes: 0 ]
>     In/XPass:    [ Packets: 0 Bytes: 0 ]
>     Out/Block:   [ Packets: 0 Bytes: 0 ]
>     Out/Pass:    [ Packets: 0 Bytes: 0 ]
>     Out/XPass:   [ Packets: 0 Bytes: 0 ]
>
> i think i have sent a message about it ages ago but only to misc@

For me, it is a new behavior. It still worked with OpenBSD snapshot
from around 08/2009.