On 2020-11-23, Szél Gábor wrote:
> Dear @misc
>
> We test OpenBSD with Suricata in IPS mode.
> IPS mode requires PF divert-packet.
>
> simple rule to divert:
> pass in log quick on $_if proto tcp from ! to any
> divert-packet port 700
>
> At first look everything is good!
> The packet goes to Suricata, Suricata checks the packet, and if the packet is "bad",
> it is thrown away.
> But it is not working well!
>
> If Suricata does not drop the packet, the packet is not reinjected into PF!
> After the divert-packet rule, none of the other rules work.
>
> a simple example:
> pass in log quick on $_if proto tcp from ! to any
> divert-packet port 700
> block log all
>
> I'm trying to connect to a host with SSH; the divert to Suricata is okay, and
> the SSH connection is successful.
> Why? The next rule is block all!
>
> I thought apps wouldn't reinject packets, so I made a simple test:
> https://man.openbsd.org/divert.4 - example C code
>
> If I replace Suricata with the example C code, the situation is the same!
> I see the packet in the example's log, and the SSH connection is successful.
> I think PF divert-packet does not reinject packets into PF.
This is all exactly as described in the divert(4) manual:
Writing to a divert socket can be achieved using sendto(2) and it will skip
pf(4) filters to avoid loops. Note that this means that a reinjected
inbound packet will also not run through the pf out rules after being
forwarded. A diverted packet that is not reinjected into the kernel stack
is lost.
> Is there a solution for this?
Block packets first, then pass any remaining packets with divert-to?
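An added pf.conf illustration of the ordering the reply suggests; it is not from the thread or from any OpenBSD documentation, and the interface name, the `$trusted` list and the divert port are assumed placeholders:

```pf
# Constructed example, not from the original thread. Assumed macros:
_if = "em0"                    # assumed interface name
trusted = "{ 192.0.2.0/24 }"   # assumed placeholder for the list elided in the post

# Ordering from the original post (shown commented out). The "quick" divert
# rule matches first; the IPS reinjects the packet with sendto(2), and a
# reinjected packet skips pf(4) filtering to avoid loops, so the following
# "block log all" is never evaluated for it.
# pass in log quick on $_if proto tcp from ! $trusted to any divert-packet port 700
# block log all

# Ordering suggested in the reply: make the block decision first, so only
# traffic pf would have passed anyway is handed to the IPS. "block" without
# "quick" is the default; the later "quick" pass rules override it for
# matching packets, everything else stays blocked.
block log all
pass in log quick on $_if proto tcp from ! $trusted to any divert-packet port 700
# assumed: trusted sources bypass inspection instead of being blocked
pass in quick on $_if proto tcp from $trusted to any

# Caveat from divert(4): a reinjected inbound packet also skips the "pass out"
# rules when forwarded, so no out rule can be relied on to filter it later.
```

Check the syntax with `pfctl -nf /etc/pf.conf` and confirm the loaded order with `pfctl -sr`.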