Re: Question about tables in nested anchor on pf since 6.1
Hi,
I've applied the patch on 6.2 and it fixes the problem.
# pfctl -ef /etc/pf.conf
pf enabled
# pfctl -a /uno/due -t foo -T show
10.0.0.1
# pfctl -a /uno/due -s r
pass from to any flags S/SA
#
Thank You
Leo
On Tue, Nov 14, 2017 at 11:07:31AM +0100, Alexandr Nedvedicky wrote:
> Hello Leo,
>
> this looks like my bad, which goes back to commit [1], which tried to fix 'mix
> up of anchor names and anchor paths'. I've completely forgot to take care of
> pfctl/parse.y back then. Please let me know if patch below solves your
> problem.
> thank you for great troubleshooting and excellent test case.
>
> sorry for any inconveniences
> regards
> sasha
>
> [1]
> https://github.com/openbsd/src/commit/3bf93159c5f63841415c20c3b4c861fd39edaf82#diff-0ad00dde5326b7d2b54b5c11cef40842
>
> 8<---8<---8<--8<
> diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
> index c170e60d2a0..b56ed47ff8b 100644
> --- a/sbin/pfctl/parse.y
> +++ b/sbin/pfctl/parse.y
> @@ -4133,7 +4133,7 @@ process_tabledef(char *name, struct table_opts *opts,
> int popts)
> >init_nodes);
> if (!(pf->opts & PF_OPT_NOACTION) &&
> pfctl_define_table(name, opts->flags, opts->init_addr,
> - pf->anchor->name, , pf->anchor->ruleset.tticket)) {
> + pf->anchor->path, , pf->anchor->ruleset.tticket)) {
> yyerror("cannot define table %s: %s", name,
> pfr_strerror(errno));
> goto _error;
>
Re: Question about tables in nested anchor on pf since 6.1
If I change the load statement in pf.uno using
the full path ( /uno/due instead of due ); thens
there is no error; but still no table is loaded.
/etc/pf.conf:
###
block log
anchor "uno"
load anchor "uno" from "/etc/pf.uno"
###
/etc/pf.uno
###
anchor "due"
load anchor "/uno/due" from "/etc/pf.due"
###
/etc/pf.due
###
table { 10.0.0.1 }
pass from
###
Now no error is given:
# pfctl -ef /etc/pf.conf
pfctl: pfctl_rules
pfctl: load anchors
#
But the table is not loaded:
# pfctl -a uno/due -t foo -T show
pfctl: Table does not exist.
#
Question about tables in nested anchor on pf since 6.1
Hi,
there is a confusing error message in 6.1 and 6.2
(not in 6.0) when using a table inside a nested anchor.
here the rules:
/etc/pf.conf:
###
block log
anchor "uno"
load anchor "uno" from "/etc/pf.uno"
###
/etc/pf.uno
###
anchor "due"
load anchor "due" from "/etc/pf.due"
###
/etc/pf.due
###
table { 10.0.0.1 }
pass from
###
on OpenBSD 6.0:
# pfctl -ef /etc/pf.conf
pfctl: pf already enabled
on 6.1 and 6.2:
# pfctl -ef /etc/pf.conf
/etc/pf.due:1: cannot define table foo: Device busy
pfctl: Syntax error in config file: pf rules not loaded
pfctl: load anchors
I've tried to debug, and here is the backtrace for 6.0 and 6.1:
OpenBSD-6.0:
Thread 3 hit Breakpoint 1, pfr_ina_define (tbl=0x80314800,
addr=0x10cf6f2a7300, size=1, nadd=0x80314c3c, naddr=0x80314c38,
ticket=11, flags=268435472)
at ../../../../net/pf_table.c:1609
1609{
(gdb) bt
#0 pfr_ina_define (tbl=0x80314800, addr=0x10cf6f2a7300, size=1,
nadd=0x80314c3c, naddr=0x80314c38, ticket=11, flags=268435472)
at ../../../../net/pf_table.c:1609
#1 0x811ca27a in pfioctl (dev=18688, cmd=3293594701,
addr=0x80314800 "uno/due", flags=3, p=0x8000212a5c88) at
../../../../net/pf_ioctl.c:1999
#2 0x8129b086 in spec_ioctl (v=0x8000212eeb40) at
../../../../kern/spec_vnops.c:370
#3 0x812979b7 in VOP_IOCTL (vp=0xff006fa93cc0, command=3293594701,
data=0x80314800, fflag=3, cred=0xff0005bfc840, p=0x8000212a5c88)
at ../../../../kern/vfs_vops.c:259
#4 0x81299600 in vn_ioctl (fp=0xff006db65558, com=3293594701,
data=0x80314800 "uno/due", p=0x8000212a5c88) at
../../../../kern/vfs_vnops.c:485
#5 0x8125b746 in sys_ioctl (p=0x8000212a5c88,
v=0x8000212eee50, retval=0x8000212eeea0) at
../../../../kern/sys_generic.c:516
#6 0x8147fea0 in mi_syscall (p=0x8000212a5c88, code=54,
callp=0x81b87040 , argp=0x8000212eee50,
retval=0x8000212eeea0)
at ../../../../sys/syscall_mi.h:77
#7 0x8147fc94 in syscall (frame=0x8000212eef20) at
../../../../arch/amd64/amd64/trap.c:597
#8 0x8100180b in Xsyscall ()
#9 0x0003 in ?? ()
#10 0xc450444d in ?? ()
#11 0x7f7d0e40 in ?? ()
#12 0x10cd57535c1a in ?? ()
#13 0x7f7d1268 in ?? ()
#14 0x7f7d1728 in ?? ()
#15 0x in ?? ()
(gdb)
OpenBSD-6.1:
Thread 1 hit Breakpoint 1, pfr_ina_define (tbl=0x8035c800,
addr=0x1fced50fc300, size=1, nadd=0x8035cc3c, naddr=0x8035cc38,
ticket=7, flags=268435472)
at /usr/src/sys/net/pf_table.c:1599
1599{
(gdb) bt
#0 pfr_ina_define (tbl=0x8035c800, addr=0x1fced50fc300, size=1,
nadd=0x8035cc3c, naddr=0x8035cc38, ticket=7, flags=268435472)
at /usr/src/sys/net/pf_table.c:1599
#1 0x811cb163 in pfioctl (dev=18688, cmd=3293594701,
addr=0x8035c800 "/due", flags=3, p=0x8000212ab0d8) at
/usr/src/sys/net/pf_ioctl.c:2000
#2 0x8129a8f6 in spec_ioctl (v=0x80002132cb40) at
/usr/src/sys/kern/spec_vnops.c:370
#3 0x81297223 in VOP_IOCTL (vp=0xff0056011230, command=3293594701,
data=0x8035c800, fflag=3, cred=0xff007f7ac840, p=0x8000212ab0d8)
at /usr/src/sys/kern/vfs_vops.c:259
#4 0x81298e71 in vn_ioctl (fp=0xff005c9d1aa0, com=3293594701,
data=0x8035c800 "/due", p=0x8000212ab0d8) at
/usr/src/sys/kern/vfs_vnops.c:487
#5 0x8125c5ba in sys_ioctl (p=0x8000212ab0d8,
v=0x80002132ce50, retval=0x80002132cea0) at
/usr/src/sys/kern/sys_generic.c:516
#6 0x8148a642 in mi_syscall (p=0x8000212ab0d8, code=54,
callp=0x81bc1260 , argp=0x80002132ce50,
retval=0x80002132cea0)
at /usr/src/sys/sys/syscall_mi.h:77
#7 0x8148a436 in syscall (frame=0x80002132cf20) at
/usr/src/sys/arch/amd64/amd64/trap.c:600
#8 0x8100180b in Xsyscall ()
#9 0x0003 in ?? ()
#10 0xc450444d in ?? ()
#11 0x7f7bbae0 in ?? ()
#12 0x1fcccfb2f47a in ?? ()
#13 0x7f7bbf08 in ?? ()
#14 0x7f7bc3c8 in ?? ()
#15 0x in ?? ()
(gdb)
I can see that in 6.0 pfioctl() is passed "uno/due"; while in 6.1 there is only
"/due" in addr.
Also, I see the code execution difference at /usr/src/sys/net/pf_table.c:1624
when calling:
rs = pf_find_ruleset(tbl->pfrt_anchor);
in 6.0 I have rs filled, with :
(gdb) p rs
$2 = (struct pf_ruleset *) 0x80310490
(gdb) p rs->topen
$3 = 1
(gdb) p ticket
$4 = 11
(gdb) p rs->tticket
$5 = 11
that make the the following test pass:
1625if (rs == NULL || !rs->topen || ticket != rs->tticket)
1626return (EBUSY);
this is not happening in 6.1:
(gdb)
amdmsr_probe() fails on PCEngines' ALIX2D13
I'm using OpenBSD-current (cvs'd 2 days ago)
Trying to use flashrom on this board (AMD Geode LX 800 + CS 5536),
I found that the /dev/amdmsr device was Not Configured.
Early in the boot, when calling amdmsr_probe() the code doesn't
configure MSR access because when reading GLX_GP_GLD_MSR_CAP
the returned value is 0xD0C1EE10.
So the DID is 0x1EE1 instead of the expected 0x03D4.
I've bypassed this last check to return 1, and flashrom
now is able to access msr registers via /dev/amdmsr.
Reading the Processor datasheet the value IS 0x03D4, so
I don't know why this happens.
Any suggestion?
Leonardo
--- amdmsr.c2013-04-10 19:18:05.038996550 +0200
+++ amdmsr-fix.c2013-04-10 19:22:13.508890253 +0200
@@ -77,8 +77,8 @@
/* Check for graphics processor presence */
gld_msr_cap = rdmsr(GLX_CPU_GLD_MSR_CAP);
if (((gld_msr_cap 8) 0x0fff) == GLX_CPU_DID) {
- gld_msr_cap = rdmsr(GLX_GP_GLD_MSR_CAP);
- if (((gld_msr_cap 8) 0x0fff) == GLX_GP_DID)
+ //gld_msr_cap = rdmsr(GLX_GP_GLD_MSR_CAP);
+ //if (((gld_msr_cap 8) 0x0fff) == GLX_GP_DID)
return 1;
}
}
Re: pf logs: def/(short) pass in , but should say block
On 05/14/2012 08:41 PM, Alexander Bluhm wrote: The variable action does not hold the final action at this place. It could be PF_SYNPROXY_DROP PF_DEFER PF_DIVERT PF_AFRT, we don't want to log this. It is rewrittren in the switch (action) block below. Moving the logging after the switch is not an option as the mbuf *m0 might get freed there. Can *m0 freeing be postponed? We could do PFLOG_PACKET(pd, reason, action == PF_PASS ? PF_PASS : PF_DROP, ri-r, a, ruleset) for most cases. Unfortunately PF_AFRT could be set to PF_DROP in some cases. Also PF_PASS could be set to PF_DROP by pf_refragment6() in pf.c:7025 Any ideas for a better fix? If *m0 could be freed at the very end of pf_test(), it would be possible to move PFLOG_PACKET() ( and pf_counters_inc() ) to the end right before the *m0 freeing. The only cases where this cannot be controlled is when pf_route() or pf_route6() is called ( the case PF_AFRT: and default: of the last switch(action) ). Maybe in those cases *m0 can be copied before passing it to pf_route() so it can be used by PFLOG_PACKET(). But probably this would impact badly the performances. Leonardo
pf logs: def/(short) pass in , but should say block
Hi,
here is a solution to the problem I posted on bugs@ about pf logging
incoming UDP packets to port 0 as pass while being blocked instead.
action is added to pflog_packet() arguments.
I tried it and works.
Here are the diffs:
--- if_pflog.c 2012-05-10 20:04:40.16484 +0200
+++ if_pflog-new.c 2012-05-10 15:21:23.0 +0200
@@ -215,7 +215,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd
}
int
-pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
+pflog_packet(struct pf_pdesc *pd, u_int8_t reason, u_int8_t action,
struct pf_rule *rm,
struct pf_rule *am, struct pf_ruleset *ruleset)
{
#if NBPFILTER 0
@@ -230,7 +230,7 @@ pflog_packet(struct pf_pdesc *pd, u_int8
bzero(hdr, sizeof(hdr));
hdr.length = PFLOG_REAL_HDRLEN;
- hdr.action = rm-action;
+ hdr.action = action;
hdr.reason = reason;
memcpy(hdr.ifname, pd-kif-pfik_name, sizeof(hdr.ifname));
--- if_pflog.h 2012-05-10 20:04:46.80682 +0200
+++ if_pflog-new.h 2012-05-10 15:22:25.0 +0200
@@ -71,9 +71,9 @@ struct pfloghdr {
void pflog_bpfcopy(const void *, void *, size_t);
#if NPFLOG 0
-#definePFLOG_PACKET(a,b,c,d,e) pflog_packet(a,b,c,d,e)
+#definePFLOG_PACKET(a,b,c,d,e,f) pflog_packet(a,b,c,d,e,f)
#else
-#definePFLOG_PACKET(a,b,c,d,e) ((void)0)
+#definePFLOG_PACKET(a,b,c,d,e,f) ((void)0)
#endif /* NPFLOG 0 */
#endif /* _KERNEL */
#endif /* _NET_IF_PFLOG_H_ */
--- pfvar.h 2012-05-10 20:05:05.31684 +0200
+++ pfvar-new.h 2012-05-10 15:40:37.0 +0200
@@ -1795,7 +1795,7 @@ void pf_addr_inc(struct pf_addr *, sa_fa
void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
sa_family_t);
void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
-intpflog_packet(struct pf_pdesc *, u_int8_t, struct pf_rule *,
+intpflog_packet(struct pf_pdesc *, u_int8_t, u_int8_t, struct pf_rule *,
struct pf_rule *, struct pf_ruleset *);
void pf_send_deferred_syn(struct pf_state *);
intpf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
--- pf.c2012-05-10 20:05:04.90284 +0200
+++ pf-new.c2012-05-10 16:15:46.0 +0200
@@ -3492,14 +3492,16 @@ pf_test_rule(struct pf_pdesc *pd, struct
goto cleanup;
}
if (r-log || act.log PF_LOG_MATCHES)
- PFLOG_PACKET(pd, reason, r, a, ruleset);
+ PFLOG_PACKET(pd, reason, r-action, r,
+ a, ruleset);
} else {
match = 1;
*rm = r;
*am = a;
*rsm = ruleset;
if (act.log PF_LOG_MATCHES)
- PFLOG_PACKET(pd, reason, r, a, ruleset);
+ PFLOG_PACKET(pd, reason, r-action, r,
+ a, ruleset);
}
if ((*rm)-quick)
@@ -3529,7 +3531,7 @@ pf_test_rule(struct pf_pdesc *pd, struct
REASON_SET(reason, PFRES_MATCH);
if (r-log || act.log PF_LOG_MATCHES)
- PFLOG_PACKET(pd, reason, r, a, ruleset);
+ PFLOG_PACKET(pd, reason, r-action, r, a, ruleset);
if (pd-virtual_proto != PF_VPROTO_FRAGMENT
(r-action == PF_DROP)
@@ -6951,12 +6953,12 @@ done:
struct pf_rule_item *ri;
if (pd.pflog PF_LOG_FORCE || r-log PF_LOG_ALL)
- PFLOG_PACKET(pd, reason, r, a, ruleset);
+ PFLOG_PACKET(pd, reason, action, r, a, ruleset);
if (s) {
SLIST_FOREACH(ri, s-match_rules, entry)
if (ri-r-log PF_LOG_ALL)
- PFLOG_PACKET(pd, reason, ri-r, a,
- ruleset);
+ PFLOG_PACKET(pd, reason, action,
+ ri-r, a, ruleset);
}
}
Are they ok?
Leonardo.
Original Message
Subject: pf logs: def/(short) pass in , but should say block
Date: Wed, 09 May 2012 01:29:16 +0200
From: Leonardo Guardati leona...@guardati.it
To: b...@openbsd.org
Hi,
here is the setup ( I saw this on 5.0, 5.1, 5.1-current).
On a fresh installation.
/etc/pf.conf:
block log all
I send to the machine an UDP packet to port 0. I used from another machine:
nmap -Pn -sU -pU:0 target_ip
pf will log the packet as pass.
... rule def/(short) pass in on ...
I tried to debug the code.
I see the packet is dropped (pf_test() returns PF_DROP), but
pflog_packet() doesn't know it.
Here is what I saw
