Re: Question about tables in nested anchor on pf since 6.1

2017-11-14 Thread Leonardo Guardati 
Hi,

I've applied the patch on 6.2 and it fixes the problem.

# pfctl -ef /etc/pf.conf

 
pf enabled
#  pfctl -a /uno/due -t foo -T show 
   10.0.0.1
#  pfctl -a /uno/due -s r   
pass from  to any flags S/SA
# 


Thank You

Leo

On Tue, Nov 14, 2017 at 11:07:31AM +0100, Alexandr Nedvedicky wrote:
> Hello Leo,
> 
> this looks like my bad, which goes back to commit [1], which tried to fix 'mix
> up of anchor names and anchor paths'. I've completely forgot to take care of
> pfctl/parse.y back then. Please let me know if patch below solves your 
> problem.
> thank you for great troubleshooting and excellent test case.
> 
> sorry for any inconveniences
> regards
> sasha
> 
> [1] 
> https://github.com/openbsd/src/commit/3bf93159c5f63841415c20c3b4c861fd39edaf82#diff-0ad00dde5326b7d2b54b5c11cef40842
> 
> 8<---8<---8<--8<
> diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
> index c170e60d2a0..b56ed47ff8b 100644
> --- a/sbin/pfctl/parse.y
> +++ b/sbin/pfctl/parse.y
> @@ -4133,7 +4133,7 @@ process_tabledef(char *name, struct table_opts *opts, 
> int popts)
>   &opts->init_nodes);
>   if (!(pf->opts & PF_OPT_NOACTION) &&
>   pfctl_define_table(name, opts->flags, opts->init_addr,
> - pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
> + pf->anchor->path, &ab, pf->anchor->ruleset.tticket)) {
>   yyerror("cannot define table %s: %s", name,
>   pfr_strerror(errno));
>   goto _error;
>

Re: Question about tables in nested anchor on pf since 6.1

2017-11-14 Thread Alexandr Nedvedicky 
Hello Leo,

this looks like my bad, which goes back to commit [1], which tried to fix 'mix
up of anchor names and anchor paths'. I've completely forgot to take care of
pfctl/parse.y back then. Please let me know if patch below solves your problem.
thank you for great troubleshooting and excellent test case.

sorry for any inconveniences
regards
sasha

[1] 
https://github.com/openbsd/src/commit/3bf93159c5f63841415c20c3b4c861fd39edaf82#diff-0ad00dde5326b7d2b54b5c11cef40842

8<---8<---8<--8<
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c170e60d2a0..b56ed47ff8b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -4133,7 +4133,7 @@ process_tabledef(char *name, struct table_opts *opts, int 
popts)
&opts->init_nodes);
if (!(pf->opts & PF_OPT_NOACTION) &&
pfctl_define_table(name, opts->flags, opts->init_addr,
-   pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
+   pf->anchor->path, &ab, pf->anchor->ruleset.tticket)) {
yyerror("cannot define table %s: %s", name,
pfr_strerror(errno));
goto _error;

Re: Question about tables in nested anchor on pf since 6.1

2017-11-13 Thread Leonardo Guardati 
If I change the load statement in pf.uno using
the full path ( /uno/due instead of due ); thens
 there is no error; but still no table is loaded.

/etc/pf.conf:
###

block log


anchor "uno"
load anchor "uno" from "/etc/pf.uno"

###


/etc/pf.uno
###


anchor "due"
load anchor "/uno/due" from "/etc/pf.due"

###


/etc/pf.due
###

table  { 10.0.0.1 }

pass from 

###




Now no error is given:

# pfctl -ef /etc/pf.conf  
pfctl: pfctl_rules
pfctl: load anchors
# 


But the table is not loaded:

# pfctl -a uno/due -t foo -T show  
pfctl: Table does not exist.
#

Question about tables in nested anchor on pf since 6.1

2017-11-13 Thread Leonardo Guardati 
Hi,
   there is a confusing error message in 6.1 and 6.2
(not in 6.0) when using a table inside a nested anchor.

here the rules:

/etc/pf.conf:
###

block log


anchor "uno"
load anchor "uno" from "/etc/pf.uno"

###


/etc/pf.uno
###


anchor "due"
load anchor "due" from "/etc/pf.due"

###


/etc/pf.due
###

table  { 10.0.0.1 }

pass from 

###


on OpenBSD 6.0:

# pfctl -ef /etc/pf.conf
pfctl: pf already enabled



on 6.1 and 6.2:

# pfctl -ef /etc/pf.conf
/etc/pf.due:1: cannot define table foo: Device busy
pfctl: Syntax error in config file: pf rules not loaded
pfctl: load anchors




I've tried to debug, and here is the backtrace for 6.0 and 6.1:


OpenBSD-6.0:

Thread 3 hit Breakpoint 1, pfr_ina_define (tbl=0x80314800, 
addr=0x10cf6f2a7300, size=1, nadd=0x80314c3c, naddr=0x80314c38, 
ticket=11, flags=268435472)
at ../../../../net/pf_table.c:1609
1609{
(gdb) bt
#0  pfr_ina_define (tbl=0x80314800, addr=0x10cf6f2a7300, size=1, 
nadd=0x80314c3c, naddr=0x80314c38, ticket=11, flags=268435472) 
at ../../../../net/pf_table.c:1609
#1  0x811ca27a in pfioctl (dev=18688, cmd=3293594701, 
addr=0x80314800 "uno/due", flags=3, p=0x8000212a5c88) at 
../../../../net/pf_ioctl.c:1999
#2  0x8129b086 in spec_ioctl (v=0x8000212eeb40) at 
../../../../kern/spec_vnops.c:370
#3  0x812979b7 in VOP_IOCTL (vp=0xff006fa93cc0, command=3293594701, 
data=0x80314800, fflag=3, cred=0xff0005bfc840, p=0x8000212a5c88)
at ../../../../kern/vfs_vops.c:259
#4  0x81299600 in vn_ioctl (fp=0xff006db65558, com=3293594701, 
data=0x80314800 "uno/due", p=0x8000212a5c88) at 
../../../../kern/vfs_vnops.c:485
#5  0x8125b746 in sys_ioctl (p=0x8000212a5c88, 
v=0x8000212eee50, retval=0x8000212eeea0) at 
../../../../kern/sys_generic.c:516
#6  0x8147fea0 in mi_syscall (p=0x8000212a5c88, code=54, 
callp=0x81b87040 , argp=0x8000212eee50, 
retval=0x8000212eeea0)
at ../../../../sys/syscall_mi.h:77
#7  0x8147fc94 in syscall (frame=0x8000212eef20) at 
../../../../arch/amd64/amd64/trap.c:597
#8  0x8100180b in Xsyscall ()
#9  0x0003 in ?? ()
#10 0xc450444d in ?? ()
#11 0x7f7d0e40 in ?? ()
#12 0x10cd57535c1a in ?? ()
#13 0x7f7d1268 in ?? ()
#14 0x7f7d1728 in ?? ()
#15 0x in ?? ()
(gdb) 







OpenBSD-6.1:
Thread 1 hit Breakpoint 1, pfr_ina_define (tbl=0x8035c800, 
addr=0x1fced50fc300, size=1, nadd=0x8035cc3c, naddr=0x8035cc38, 
ticket=7, flags=268435472)
at /usr/src/sys/net/pf_table.c:1599
1599{
(gdb) bt
#0  pfr_ina_define (tbl=0x8035c800, addr=0x1fced50fc300, size=1, 
nadd=0x8035cc3c, naddr=0x8035cc38, ticket=7, flags=268435472) 
at /usr/src/sys/net/pf_table.c:1599
#1  0x811cb163 in pfioctl (dev=18688, cmd=3293594701, 
addr=0x8035c800 "/due", flags=3, p=0x8000212ab0d8) at 
/usr/src/sys/net/pf_ioctl.c:2000
#2  0x8129a8f6 in spec_ioctl (v=0x80002132cb40) at 
/usr/src/sys/kern/spec_vnops.c:370
#3  0x81297223 in VOP_IOCTL (vp=0xff0056011230, command=3293594701, 
data=0x8035c800, fflag=3, cred=0xff007f7ac840, p=0x8000212ab0d8)
at /usr/src/sys/kern/vfs_vops.c:259
#4  0x81298e71 in vn_ioctl (fp=0xff005c9d1aa0, com=3293594701, 
data=0x8035c800 "/due", p=0x8000212ab0d8) at 
/usr/src/sys/kern/vfs_vnops.c:487
#5  0x8125c5ba in sys_ioctl (p=0x8000212ab0d8, 
v=0x80002132ce50, retval=0x80002132cea0) at 
/usr/src/sys/kern/sys_generic.c:516
#6  0x8148a642 in mi_syscall (p=0x8000212ab0d8, code=54, 
callp=0x81bc1260 , argp=0x80002132ce50, 
retval=0x80002132cea0)
at /usr/src/sys/sys/syscall_mi.h:77
#7  0x8148a436 in syscall (frame=0x80002132cf20) at 
/usr/src/sys/arch/amd64/amd64/trap.c:600
#8  0x8100180b in Xsyscall ()
#9  0x0003 in ?? ()
#10 0xc450444d in ?? ()
#11 0x7f7bbae0 in ?? ()
#12 0x1fcccfb2f47a in ?? ()
#13 0x7f7bbf08 in ?? ()
#14 0x7f7bc3c8 in ?? ()
#15 0x in ?? ()
(gdb) 





I can see that in 6.0 pfioctl() is passed "uno/due"; while in 6.1 there is only 
"/due" in addr.

Also, I see the code execution difference at /usr/src/sys/net/pf_table.c:1624 
when calling:

  rs = pf_find_ruleset(tbl->pfrt_anchor);

in 6.0 I have rs filled, with :

(gdb) p rs
$2 = (struct pf_ruleset *) 0x80310490
(gdb) p rs->topen
$3 = 1
(gdb) p ticket
$4 = 11
(gdb) p rs->tticket
$5 = 11

that make the the following test pass:

1625if (rs == NULL || !rs->topen || ticket != rs->tticket)
1626return (EBUSY);


this is not happening in 6.1:

(gdb) p rs
$8 = (struct pf_rul