On Mon, Nov 18, 2013 at 3:03 AM, Alexander Bluhm <alexander.bl...@gmx.net> wrote: > On Thu, Nov 14, 2013 at 12:03:21AM +0200, Alexey Suslikov wrote: >> This is on 5.4-stable. vlan is only used to see what resulting prio is. > >> #match on { $int_if } inet proto icmp all icmp-type echoreq set prio 5 >> pass quick on { $ext_if, $int_if } > > Can you test wether this diff matches your expected behaviour? > Please try various combinations of pass and match rules. > > bluhm > > Index: net/pf.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v > retrieving revision 1.861 > diff -u -p -r1.861 pf.c > --- net/pf.c 16 Nov 2013 00:36:01 -0000 1.861 > +++ net/pf.c 18 Nov 2013 00:56:55 -0000 > @@ -3110,8 +3110,10 @@ pf_rule_to_actions(struct pf_rule *r, st > a->max_mss = r->max_mss; > a->flags |= (r->scrub_flags & (PFSTATE_NODF|PFSTATE_RANDOMID| > PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO)); > - a->set_prio[0] = r->set_prio[0]; > - a->set_prio[1] = r->set_prio[1]; > + if (r->scrub_flags & PFSTATE_SETPRIO) { > + a->set_prio[0] = r->set_prio[0]; > + a->set_prio[1] = r->set_prio[1]; > + } > } > > #define PF_TEST_ATTRIB(t, a) \
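Review bot: the PFSTATE_SETPRIO guard in pf_rule_to_actions() addresses the clobbering seen in the report: without it, every rule that reaches this function copies its set_prio[] into the actions, so a later rule without "set prio" (the plain "pass quick" in the quoted ruleset) overwrites the values an earlier "match ... set prio" had stored, and the packet leaves with the default prio. Two points to check in the same function: a->flags is still OR'ed with the rule's scrub_flags unconditionally, which is only consistent with the guarded copy if PFSTATE_SETPRIO is set exactly on rules that carry "set prio" (worth confirming in the parser); and the context line "a->max_mss = r->max_mss;" just above is still an unconditional copy, so if a rule without max-mss carries a zero there, it has the same overwrite pattern and may want an equivalent flag check. A pass rule that does carry "set prio" should still replace what a preceding match rule set, which this guard preserves since both rules then take the copy.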
Well, it seems like now I have the expected results, at least for the following test cases. Please tell me if you need more.

For the record, the issue in question was discovered by Roman Kravchuk; I just assisted with analysis and reporting.

Test 1 (default prio):

# cat /etc/pf.conf
ext_if="em0"
int_if="vlan2525"
set skip on { lo enc0 em1 }
block log all
#match on { $int_if } inet proto icmp all icmp-type echoreq set prio 6
#match on { $int_if } inet proto udp to port domain set prio 5
#match on { $int_if } inet proto tcp set prio (2, 4)
pass quick on { $ext_if, $int_if }

ICMP

12:45:57.293179 802.1Q vid 2525 pri 3 192.168.100.1 > 192.168.100.2: icmp: echo request
12:45:57.293491 802.1Q vid 2525 pri 3 192.168.100.2 > 192.168.100.1: icmp: echo reply

TCP

12:46:39.953468 802.1Q vid 2525 pri 3 192.168.100.1.17637 > 192.168.100.2.80: S 370622106:370622106(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1183962946 0> (DF)
12:46:39.953944 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.17637: S 3464733189:3464733189(0) ack 370622107 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 448817884 1183962946> (DF)
12:46:39.954024 802.1Q vid 2525 pri 3 192.168.100.1.17637 > 192.168.100.2.80: . ack 1 win 2048 <nop,nop,timestamp 1183962946 448817884> (DF)
12:46:39.963421 802.1Q vid 2525 pri 3 192.168.100.1.17637 > 192.168.100.2.80: P 1:230(229) ack 1 win 2048 <nop,nop,timestamp 1183962946 448817884> (DF)
12:46:39.970068 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.17637: . 1:1449(1448) ack 230 win 2172 <nop,nop,timestamp 448817884 1183962946> (DF)
12:46:39.970095 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.17637: P 1449:2516(1067) ack 230 win 2172 <nop,nop,timestamp 448817884 1183962946> (DF)
12:46:39.970172 802.1Q vid 2525 pri 3 192.168.100.1.17637 > 192.168.100.2.80: . ack 2516 win 1733 <nop,nop,timestamp 1183962946 448817884> (DF)
12:46:39.970214 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.17637: F 2516:2516(0) ack 230 win 2172 <nop,nop,timestamp 448817884 1183962946> (DF)
12:46:39.970280 802.1Q vid 2525 pri 3 192.168.100.1.17637 > 192.168.100.2.80: . ack 2517 win 1733 <nop,nop,timestamp 1183962946 448817884> (DF)
12:46:39.993600 802.1Q vid 2525 pri 3 192.168.100.1.17637 > 192.168.100.2.80: F 230:230(0) ack 2517 win 2048 <nop,nop,timestamp 1183962946 448817884> (DF)
12:46:39.993927 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.17637: . ack 231 win 2172 <nop,nop,timestamp 448817884 1183962946> (DF)

UDP

12:47:58.298665 802.1Q vid 2525 pri 3 192.168.100.1.39295 > 192.168.100.2.53: 36561+ A? i.ua. (22)
12:47:58.552804 802.1Q vid 2525 pri 3 192.168.100.2.53 > 192.168.100.1.39295: 36561 1/2/0 A 91.198.36.14 (74)

Test 2 (match takes care of prio):

# cat /etc/pf.conf
ext_if="em0"
int_if="vlan2525"
set skip on { lo enc0 em1 }
block log all
match on { $int_if } inet proto icmp all icmp-type echoreq set prio 6
match on { $int_if } inet proto udp to port domain set prio 5
match on { $int_if } inet proto tcp set prio (2, 4)
pass quick on { $ext_if, $int_if }

ICMP

12:52:44.783107 802.1Q vid 2525 pri 6 192.168.100.1 > 192.168.100.2: icmp: echo request
12:52:44.783516 802.1Q vid 2525 pri 6 192.168.100.2 > 192.168.100.1: icmp: echo reply

TCP

12:53:28.007629 802.1Q vid 2525 pri 2 192.168.100.1.49012 > 192.168.100.2.80: S 2694025614:2694025614(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 80976101 0> (DF)
12:53:28.007915 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.49012: S 704605823:704605823(0) ack 2694025615 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 281624921 80976101> (DF)
12:53:28.007990 802.1Q vid 2525 pri 4 192.168.100.1.49012 > 192.168.100.2.80: . ack 1 win 2048 <nop,nop,timestamp 80976101 281624921> (DF)
12:53:28.017534 802.1Q vid 2525 pri 2 192.168.100.1.49012 > 192.168.100.2.80: P 1:230(229) ack 1 win 2048 <nop,nop,timestamp 80976101 281624921> (DF)
12:53:28.018242 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.49012: . 1:1449(1448) ack 230 win 2172 <nop,nop,timestamp 281624921 80976101> (DF)
12:53:28.018304 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.49012: P 1449:2516(1067) ack 230 win 2172 <nop,nop,timestamp 281624921 80976101> (DF)
12:53:28.018400 802.1Q vid 2525 pri 4 192.168.100.1.49012 > 192.168.100.2.80: . ack 2516 win 1733 <nop,nop,timestamp 80976101 281624921> (DF)
12:53:28.018464 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.49012: F 2516:2516(0) ack 230 win 2172 <nop,nop,timestamp 281624921 80976101> (DF)
12:53:28.018518 802.1Q vid 2525 pri 4 192.168.100.1.49012 > 192.168.100.2.80: . ack 2517 win 1733 <nop,nop,timestamp 80976101 281624921> (DF)
12:53:28.047526 802.1Q vid 2525 pri 4 192.168.100.1.49012 > 192.168.100.2.80: F 230:230(0) ack 2517 win 2048 <nop,nop,timestamp 80976101 281624921> (DF)
12:53:28.047804 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.49012: . ack 231 win 2172 <nop,nop,timestamp 281624921 80976101> (DF)

UDP

12:54:44.550079 802.1Q vid 2525 pri 5 192.168.100.1.17802 > 192.168.100.2.53: 48562+ A? i.ua. (22)
12:54:44.550512 802.1Q vid 2525 pri 3 192.168.100.2.53 > 192.168.100.1.17802: 48562 1/2/0 A 91.198.36.14 (74)

Test 3 (match takes care of prio, but pass overrides it):

# cat /etc/pf.conf
ext_if="em0"
int_if="vlan2525"
set skip on { lo enc0 em1 }
block log all
match on { $int_if } inet proto icmp all icmp-type echoreq set prio 6
match on { $int_if } inet proto udp to port domain set prio 5
match on { $int_if } inet proto tcp set prio (2, 4)
pass quick on $int_if set prio (1, 7)
pass quick on $ext_if

ICMP

13:14:44.434256 802.1Q vid 2525 pri 1 192.168.100.1 > 192.168.100.2: icmp: echo request
13:14:44.434455 802.1Q vid 2525 pri 1 192.168.100.2 > 192.168.100.1: icmp: echo reply

TCP

13:15:23.344681 802.1Q vid 2525 pri 1 192.168.100.1.22271 > 192.168.100.2.80: S 2507078145:2507078145(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2430168412 0> (DF)
13:15:23.344957 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.22271: S 981467249:981467249(0) ack 2507078146 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 697090010 2430168412> (DF)
13:15:23.345017 802.1Q vid 2525 pri 7 192.168.100.1.22271 > 192.168.100.2.80: . ack 1 win 2048 <nop,nop,timestamp 2430168412 697090010> (DF)
13:15:23.354717 802.1Q vid 2525 pri 1 192.168.100.1.22271 > 192.168.100.2.80: P 1:230(229) ack 1 win 2048 <nop,nop,timestamp 2430168412 697090010> (DF)
13:15:23.355485 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.22271: . 1:1449(1448) ack 230 win 2172 <nop,nop,timestamp 697090010 2430168412> (DF)
13:15:23.355663 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.22271: P 1449:2516(1067) ack 230 win 2172 <nop,nop,timestamp 697090010 2430168412> (DF)
13:15:23.355720 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.22271: F 2516:2516(0) ack 230 win 2172 <nop,nop,timestamp 697090010 2430168412> (DF)
13:15:23.355775 802.1Q vid 2525 pri 7 192.168.100.1.22271 > 192.168.100.2.80: . ack 2516 win 1733 <nop,nop,timestamp 2430168412 697090010> (DF)
13:15:23.355784 802.1Q vid 2525 pri 7 192.168.100.1.22271 > 192.168.100.2.80: . ack 2517 win 1733 <nop,nop,timestamp 2430168412 697090010> (DF)
13:15:23.384621 802.1Q vid 2525 pri 7 192.168.100.1.22271 > 192.168.100.2.80: F 230:230(0) ack 2517 win 2048 <nop,nop,timestamp 2430168412 697090010> (DF)
13:15:23.384954 802.1Q vid 2525 pri 3 192.168.100.2.80 > 192.168.100.1.22271: . ack 231 win 2172 <nop,nop,timestamp 697090010 2430168412> (DF)

UDP

13:16:21.090521 802.1Q vid 2525 pri 1 192.168.100.1.45128 > 192.168.100.2.53: 59328+ A? i.ua. (22)
13:16:21.090925 802.1Q vid 2525 pri 3 192.168.100.2.53 > 192.168.100.1.45128: 59328 1/2/0 A 91.198.36.14 (74)
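To check a run like the three above mechanically rather than by eye, here is an added Python checker (not part of this thread or of pf) that parses the tcpdump 802.1Q lines and compares the pri of every packet the pf box sent against the (first, second) prio the ruleset should assign, applying the second value to payload-less TCP ACKs the way "set prio (a, b)" does. The sample lines are copied from Test 2; the sender address used to pick out the pf box's own packets is an assumption, and packets from the other host are skipped.

```python
import re

# Constructed sample: six of the tcpdump lines from Test 2 above, all sent by
# the pf box (192.168.100.1, assumed) out through vlan2525 with match rules on.
TEST2_LINES = """\
12:52:44.783107 802.1Q vid 2525 pri 6 192.168.100.1 > 192.168.100.2: icmp: echo request
12:53:28.007629 802.1Q vid 2525 pri 2 192.168.100.1.49012 > 192.168.100.2.80: S 2694025614:2694025614(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 80976101 0> (DF)
12:53:28.007990 802.1Q vid 2525 pri 4 192.168.100.1.49012 > 192.168.100.2.80: . ack 1 win 2048 <nop,nop,timestamp 80976101 281624921> (DF)
12:53:28.017534 802.1Q vid 2525 pri 2 192.168.100.1.49012 > 192.168.100.2.80: P 1:230(229) ack 1 win 2048 <nop,nop,timestamp 80976101 281624921> (DF)
12:53:28.047526 802.1Q vid 2525 pri 4 192.168.100.1.49012 > 192.168.100.2.80: F 230:230(0) ack 2517 win 2048 <nop,nop,timestamp 80976101 281624921> (DF)
12:54:44.550079 802.1Q vid 2525 pri 5 192.168.100.1.17802 > 192.168.100.2.53: 48562+ A? i.ua. (22)
""".splitlines()

# Expected (first, second) prio per protocol for packets the box sends,
# mirroring Test 2's match rules; a single "set prio 6" behaves like (6, 6).
TEST2_RULES = {"icmp": (6, 6), "udp": (5, 5), "tcp": (2, 4)}

LINE_RE = re.compile(r"^(?P<ts>\S+) 802\.1Q vid \d+ pri (?P<pri>\d) "
                     r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# tcpdump TCP summary: flags, optional seq range with payload length, optional ack
TCP_RE = re.compile(r"^[SPFR.]+(?: \d+:\d+\((?P<len>\d+)\))?(?P<ack> ack )?")


def classify(rest):
    """Map the text after 'src > dst:' to (proto, use_second_prio)."""
    if rest.startswith("icmp:"):
        return "icmp", False
    m = TCP_RE.match(rest)
    if m is None:
        return "udp", False          # the DNS query/response summaries in the tests
    # pf applies the second value of "set prio (a, b)" to TCP ACKs that carry
    # no payload (and to TOS lowdelay packets, which tcpdump does not show here).
    return "tcp", m.group("ack") is not None and int(m.group("len") or 0) == 0


def check_prios(lines, rules, sender="192.168.100.1"):
    """Return (ts, proto, expected, actual) for each packet sent by `sender`
    whose 802.1Q prio is not the one `rules` should have produced."""
    mismatches = []
    for line in lines:
        m = LINE_RE.match(line)
        # the trailing dot lets "host" and "host.port" both match the sender
        if m is None or not (m.group("src") + ".").startswith(sender + "."):
            continue
        proto, second = classify(m.group("rest"))
        expected = rules[proto][1 if second else 0]
        actual = int(m.group("pri"))
        if actual != expected:
            mismatches.append((m.group("ts"), proto, expected, actual))
    return mismatches
```

Feeding it the Test 3 capture with TEST2_RULES reports every outgoing packet as a mismatch, which is the "pass overrides match" behaviour those rules are expected to show.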