Forwarding to bugs@ where it should have gone in the first place. Tim.
-------- Original Message --------
Date: Sun, 05 Nov 2017 12:06:10 -0500
From: trondd <tro...@kagu-tsuchi.com>
To: t...@openbsd.org
Subject: Re: Wrong rule number in pflog with anchors

"trondd" <tro...@kagu-tsuchi.com> wrote:
> If you have an anchor in your pf ruleset, a packet that matches a rule
> with a log directive will reflect the rule number of the last anchor
> definition instead of the rule that caused the logging.
>
> My first rule in pf.conf is 'block log (all) all'. In 6.1, packets
> matching the block rule will show rule 1 as the matching rule. Since 6.2
> and in current (not sure when during 6.2's development this started) the
> same blocked packet will show the rule number of the last anchor in the
> ruleset as the matching rule.
>

I found that this was introduced in R1.1024 of pf.c, which makes sense given
that the commit reworks anchor stacks.

A simplified pf.conf to demonstrate what I am seeing:

set skip on lo
block log all
pass out proto { udp tcp } to any port { ssh http https domain }
anchor "test"

Tim.

>
> This is what I expect, and do get when no anchor is defined:
>
> root@portabsd:~$ pfctl -sr -R1
> block return log (all) all
>
> root@portabsd:~$ tcpdump -nettti pflog0 action block
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Oct 11 20:43:58.834603 rule 1/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]
> Oct 11 20:43:58.837980 rule 1/(match) block in on iwm0: fe80::8c2:5295:cd0e:f5e4.5353 > ff02::fb.5353: 0 [17q][|domain] [flowlabel 0x84d6b]
> Oct 11 20:44:18.233207 rule 1/(match) block in on iwm0: 192.168.1.3.52286 > 192.168.1.15.445: S 176378676:176378676(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314135130 0,[|tcp]> (DF) [tos 0x10]
> ^C
> 3 packets received by filter
> 0 packets dropped by kernel
>
>
> Add a bogus 'anchor "test"' to the bottom of pf.conf and reload. Hit the
> system with blockable traffic again:
>
> root@portabsd:~$ tcpdump -nettti pflog0 action block
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Oct 11 20:44:50.038509 rule 43/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: SWE 3438533119:3438533119(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314166871 0,[|tcp]> (DF) [tos 0x10]
> ^C
> 1 packets received by filter
> 0 packets dropped by kernel
>
> root@portabsd:~$ pfctl -sr -R1
> block return log (all) all
>
> root@portabsd:~$ pfctl -sr -R 43
> anchor "test" all
>
>
> My cleaned up pf.conf used in the above reproductions:
>
> wan_services = "{ http https pop3s imaps smtps whois 11371 ssh 53589 8008 }"
> set skip on { lo enc }
> match in all scrub (no-df random-id reassemble tcp)
> set block-policy return
> block log (all) all
> antispoof quick for egress
> vm_net = "{ 10.10.10.0/24 }"
> match out on egress inet from $vm_net to any nat-to (egress:0)
> pass in quick on vether0 from $vm_net to any
> pass out quick proto { tcp udp } to 192.168.1.1 port 53
> pass out quick proto tcp to any port { 6667 6697 } user irc
> block out quick proto { udp tcp } user irc
> pass out quick proto tcp to any port $wan_services
> pass out quick proto { udp } to any port 123
> pass quick proto udp to any port { 67 68 }
> pass out quick proto icmp all
> pass quick inet proto icmp all icmp-type unreach code needfrag
> pass out quick proto udp to port 33433 >< 33626
> block in quick from 192.168.1.1 to 224.0.0.1
> vpn_dest = "{ xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx }"
> pass in on egress proto esp from $vpn_dest to (self)
> pass out on egress proto esp from (self) to $vpn_dest
> pass in on egress proto udp from $vpn_dest to (self) port { isakmp ipsec-nat-t }
> pass out on egress proto udp from (self) to $vpn_dest port { isakmp ipsec-nat-t }
> pass in log quick proto tcp from 192.168.1.0/24 to (self) port ssh
> pass quick on egress proto tcp to any port 22000
> anchor "test"

dmesg:
OpenBSD 6.2-current (GENERIC.MP) #234: Fri Nov 24 09:21:20 MST 2017
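A small checker for the symptom described in this report, added here and not part of the report or of OpenBSD: it reads a `pfctl -sr` listing and `tcpdump -nettti pflog0` lines and flags every log entry whose rule number points at an anchor line, at a rule of a different action, or outside the ruleset. The ruleset and log lines below are constructed samples, and the code assumes that pflog rule numbers are the 0-based positions that `pfctl -sr -R N` accepts.

```python
import re

# Constructed sample ruleset in the form `pfctl -sr` prints it; the rule
# number is its 0-based position, the number `pfctl -sr -R N` accepts.
SAMPLE_RULESET = """\
match in all scrub (no-df random-id reassemble tcp)
block return log (all) all
pass out quick proto tcp from any to any port = 53
anchor "test" all
"""

# Constructed sample pflog lines in `tcpdump -nettti pflog0` format. The
# second mimics the report: a blocked packet attributed to the anchor rule
# (@3 here) instead of the block rule (@1); the third names no rule at all.
SAMPLE_PFLOG = """\
Oct 11 20:43:58.834603 rule 1/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]
Oct 11 20:44:50.038509 rule 3/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: SWE 1:1(0) win 65535
Oct 11 20:45:02.112233 rule 7/(match) block in on iwm0: 192.168.1.3.40000 > 192.168.1.15.22: S 1:1(0) win 65535
"""

# "rule N/(reason) action", or "rule N.anchor.M/(reason) action" for sub-rules
PFLOG_RE = re.compile(r"rule (\d+)(?:\.\S+)?/\((\w+)\) (block|pass|match)\b")

def parse_ruleset(text):
    """Main ruleset as a list: index i holds rule number i."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def parse_pflog(text):
    """Yield (rule_number, reason, logged_action) for each pflog line."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def check_pflog(ruleset_text, pflog_text):
    """Return (rule_number, action, problem) for each log entry whose rule
    number does not name a rule of the logged action."""
    rules = parse_ruleset(ruleset_text)
    problems = []
    for rulenr, _reason, action in parse_pflog(pflog_text):
        if rulenr >= len(rules):
            problems.append((rulenr, action, "rule number out of range"))
            continue
        keyword = rules[rulenr].split()[0]
        if keyword == "anchor":
            problems.append((rulenr, action, "points at an anchor rule"))
        elif keyword != action:
            problems.append((rulenr, action, f"rule is a {keyword} rule"))
    return problems
```

On the samples, `check_pflog(SAMPLE_RULESET, SAMPLE_PFLOG)` reports rule 3 as an anchor and rule 7 as out of range; on a live box, feed it the output of `pfctl -sr` and a saved `tcpdump -nettti pflog0` capture taken against the same loaded ruleset.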