Question about tables in nested anchor on pf since 6.1

[Leonardo Guardati]

Hi,
   there is a confusing error message in 6.1 and 6.2
(not in 6.0) when using a table inside a nested anchor.

here the rules:

/etc/pf.conf:
###########################

block log


anchor "uno"
load anchor "uno" from "/etc/pf.uno"

###########################


/etc/pf.uno
###########################


anchor "due"
load anchor "due" from "/etc/pf.due"

###########################


/etc/pf.due
###########################

table <foo> { 10.0.0.1 }

pass from <foo>

###########################


on OpenBSD 6.0:

# pfctl -ef /etc/pf.conf
pfctl: pf already enabled



on 6.1 and 6.2:

# pfctl -ef /etc/pf.conf
/etc/pf.due:1: cannot define table foo: Device busy
pfctl: Syntax error in config file: pf rules not loaded
pfctl: load anchors




I've tried to debug, and here is the backtrace for 6.0 and 6.1:


OpenBSD-6.0:

Thread 3 hit Breakpoint 1, pfr_ina_define (tbl=0xffff800000314800, 
addr=0x10cf6f2a7300, size=1, nadd=0xffff800000314c3c, naddr=0xffff800000314c38, 
ticket=11, flags=268435472)
    at ../../../../net/pf_table.c:1609
1609    {
(gdb) bt
#0  pfr_ina_define (tbl=0xffff800000314800, addr=0x10cf6f2a7300, size=1, 
nadd=0xffff800000314c3c, naddr=0xffff800000314c38, ticket=11, flags=268435472) 
at ../../../../net/pf_table.c:1609
#1  0xffffffff811ca27a in pfioctl (dev=18688, cmd=3293594701, 
addr=0xffff800000314800 "uno/due", flags=3, p=0xffff8000212a5c88) at 
../../../../net/pf_ioctl.c:1999
#2  0xffffffff8129b086 in spec_ioctl (v=0xffff8000212eeb40) at 
../../../../kern/spec_vnops.c:370
#3  0xffffffff812979b7 in VOP_IOCTL (vp=0xffffff006fa93cc0, command=3293594701, 
data=0xffff800000314800, fflag=3, cred=0xffffff0005bfc840, p=0xffff8000212a5c88)
    at ../../../../kern/vfs_vops.c:259
#4  0xffffffff81299600 in vn_ioctl (fp=0xffffff006db65558, com=3293594701, 
data=0xffff800000314800 "uno/due", p=0xffff8000212a5c88) at 
../../../../kern/vfs_vnops.c:485
#5  0xffffffff8125b746 in sys_ioctl (p=0xffff8000212a5c88, 
v=0xffff8000212eee50, retval=0xffff8000212eeea0) at 
../../../../kern/sys_generic.c:516
#6  0xffffffff8147fea0 in mi_syscall (p=0xffff8000212a5c88, code=54, 
callp=0xffffffff81b87040 <sysent+864>, argp=0xffff8000212eee50, 
retval=0xffff8000212eeea0)
    at ../../../../sys/syscall_mi.h:77
#7  0xffffffff8147fc94 in syscall (frame=0xffff8000212eef20) at 
../../../../arch/amd64/amd64/trap.c:597
#8  0xffffffff8100180b in Xsyscall ()
#9  0x0000000000000003 in ?? ()
#10 0x00000000c450444d in ?? ()
#11 0x00007f7ffffd0e40 in ?? ()
#12 0x000010cd57535c1a in ?? ()
#13 0x00007f7ffffd1268 in ?? ()
#14 0x00007f7ffffd1728 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb) 







OpenBSD-6.1:
Thread 1 hit Breakpoint 1, pfr_ina_define (tbl=0xffff80000035c800, 
addr=0x1fced50fc300, size=1, nadd=0xffff80000035cc3c, naddr=0xffff80000035cc38, 
ticket=7, flags=268435472)
    at /usr/src/sys/net/pf_table.c:1599
1599    {
(gdb) bt
#0  pfr_ina_define (tbl=0xffff80000035c800, addr=0x1fced50fc300, size=1, 
nadd=0xffff80000035cc3c, naddr=0xffff80000035cc38, ticket=7, flags=268435472) 
at /usr/src/sys/net/pf_table.c:1599
#1  0xffffffff811cb163 in pfioctl (dev=18688, cmd=3293594701, 
addr=0xffff80000035c800 "/due", flags=3, p=0xffff8000212ab0d8) at 
/usr/src/sys/net/pf_ioctl.c:2000
#2  0xffffffff8129a8f6 in spec_ioctl (v=0xffff80002132cb40) at 
/usr/src/sys/kern/spec_vnops.c:370
#3  0xffffffff81297223 in VOP_IOCTL (vp=0xffffff0056011230, command=3293594701, 
data=0xffff80000035c800, fflag=3, cred=0xffffff007f7ac840, p=0xffff8000212ab0d8)
    at /usr/src/sys/kern/vfs_vops.c:259
#4  0xffffffff81298e71 in vn_ioctl (fp=0xffffff005c9d1aa0, com=3293594701, 
data=0xffff80000035c800 "/due", p=0xffff8000212ab0d8) at 
/usr/src/sys/kern/vfs_vnops.c:487
#5  0xffffffff8125c5ba in sys_ioctl (p=0xffff8000212ab0d8, 
v=0xffff80002132ce50, retval=0xffff80002132cea0) at 
/usr/src/sys/kern/sys_generic.c:516
#6  0xffffffff8148a642 in mi_syscall (p=0xffff8000212ab0d8, code=54, 
callp=0xffffffff81bc1260 <sysent+864>, argp=0xffff80002132ce50, 
retval=0xffff80002132cea0)
    at /usr/src/sys/sys/syscall_mi.h:77
#7  0xffffffff8148a436 in syscall (frame=0xffff80002132cf20) at 
/usr/src/sys/arch/amd64/amd64/trap.c:600
#8  0xffffffff8100180b in Xsyscall ()
#9  0x0000000000000003 in ?? ()
#10 0x00000000c450444d in ?? ()
#11 0x00007f7ffffbbae0 in ?? ()
#12 0x00001fcccfb2f47a in ?? ()
#13 0x00007f7ffffbbf08 in ?? ()
#14 0x00007f7ffffbc3c8 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb) 





I can see that in 6.0 pfioctl() is passed "uno/due"; while in 6.1 there is only 
"/due" in addr.

Also, I see the code execution difference at /usr/src/sys/net/pf_table.c:1624 
when calling:

  rs = pf_find_ruleset(tbl->pfrt_anchor);

in 6.0 I have rs filled, with :

(gdb) p rs
$2 = (struct pf_ruleset *) 0xffff800000310490
(gdb) p rs->topen
$3 = 1
(gdb) p ticket
$4 = 11
(gdb) p rs->tticket
$5 = 11

that make the the following test pass:

1625            if (rs == NULL || !rs->topen || ticket != rs->tticket)
1626                    return (EBUSY);


this is not happening in 6.1:

(gdb) p rs
$8 = (struct pf_ruleset *) 0xffff80000035bc90
(gdb) p rs->topen
$9 = 0
(gdb) p ticket
$10 = 7
(gdb) p rs->tticket
$11 = 9

so it is explained the Device Busy message...but not the cause.


I suppose this could be caused by the MP changes and some race accessing the 
data.


Any hint where to look next?


Leo