On Thu, Feb 15, 2018 at 10:25:07AM +0100, Illya Meyer wrote:
> Hello OpenBSD-Team,
>
> I discovered a strange behaviour since OpenBSD 6.2 with pf logging, when an
> "anchor" is in the ruleset of /etc/pf.conf. In some cases it logs the rule
> number of the anchor and not that of the matching rule, although the correct
> rule is used.
>
> I discovered the problem on three different machines (all AMD64).
>
> Notes:
> - Occurred since 6.2; 6.1 works as expected.
> - Without quick rules, it always logs the anchor rule number.
> - With quick rules, it logs the correct rule number if the
>   matching rule is before the anchor, and the anchor rule number
>   if the matching rule is after the anchor.
>
> I built a test without quick rules.
>
> If you need more information, don't hesitate to contact me.
>
> Thank you for your time and your work
> Illya Meyer

Does this still happen on current? There were some fixes by sashan@ related
to anchors about two months ago.

	-Otto

>
> ===== Test environment =====
>
> OS: OpenBSD 6.2 (fully patched)
> Machine: AMD64
>
> +--------+       +---------+       +-----+
> | Client |---em0-| OpenBSD |-em1---| LAN |
> +--------+       +---------+       +-----+
>
> OpenBSD is configured as a bridge, but that is not necessary to reproduce the
> error.
>
> Client: Linux on 10.69.245.50/16 attached on em0
>
> OpenBSD:
> ---- hostname.em0 ----
> inet 10.69.228.156 255.255.0.0
> ---- /hostname.em0 ----
>
> ---- hostname.em1 ----
> up
> ---- /hostname.em1 ----
>
> ---- hostname.bridge0 ----
> add em0
> add em1
> up
> ---- /hostname.bridge0 ----
>
> ---- sysctl.conf ----
> net.inet.ip.forwarding=1
> ---- /sysctl.conf ----
>
> ==== 1. Test ====
>
> Test without an anchor in the ruleset => Correct logging.
>
> ---- pf.conf ----
> int=em0
> ext=em1
>
> set skip on lo
>
> block in log on $ext from any to any
> block out log on $ext from any to any
>
> pass out log on $ext proto tcp from any to any port 22
> ---- /pf.conf ----
>
> ---- pfctl -s rules | nl -v 0 ----
> 0 block drop in log on em1 all
> 1 block drop out log on em1 all
> 2 pass out log on em1 proto tcp from any to any port = 22 flags S/SA
> ---- /pfctl -s rules | nl -v 0 ----
>
>
> Logging with: tcpdump -nettti pflog0 src 10.69.245.50
>
> Result (correct):
>
> ping 10.69.0.1
> Feb 14 22:46:37.928813 rule 1/(match) block out on em1: 10.69.245.50 > 10.69.0.1: icmp: echo request (DF)
>
>
> ssh login@10.69.0.253
> Feb 14 22:47:19.519580 rule 2/(match) pass out on em1: 10.69.245.50.41986 > 10.69.0.253.22: S 1682236102:1682236102(0) win 29200 <mss 1460,sackOK,timestamp 201134 0,nop,wscale 7> (DF)
>
>
> ==== 2. Test ====
>
> Test with an anchor in the ruleset => Incorrect logging.
>
> ---- pf.conf ----
> int=em0
> ext=em1
>
> set skip on lo
>
> block in log on $ext from any to any
> block out log on $ext from any to any
>
> anchor "test/*"
>
> pass out log on $ext proto tcp from any to any port 22
> ---- /pf.conf ----
>
> ---- pfctl -s rules | nl -v 0 ----
> 0 block drop in log on em1 all
> 1 block drop out log on em1 all
> 2 anchor "test/*" all
> 3 pass out log on em1 proto tcp from any to any port = 22 flags S/SA
> ---- /pfctl -s rules | nl -v 0 ----
>
>
> Logging with: tcpdump -nettti pflog0 src 10.69.245.50
>
> Result:
>
> ping 10.69.0.1
> Feb 14 22:49:29.310651 rule 2/(match) block out on em1: 10.69.245.50 > 10.69.0.1: icmp: echo request (DF)
>
>
> ssh login@10.69.0.253
> Feb 14 22:49:48.225126 rule 2/(match) pass out on em1: 10.69.245.50.41988 > 10.69.0.253.22: S 3757241004:3757241004(0) win 29200 <mss 1460,sackOK,timestamp 238312 0,nop,wscale 7> (DF)
>
> Expected:
>
> ping 10.69.0.1
> ... rule 1/(match) ...
>
>
> ssh login@10.69.0.253
> ... rule 3/(match) ...
>
> OpenBSD 6.2 (GENERIC.MP) #5: Wed Feb 14 23:11:22 CET 2018
>     r...@feuerwand.na.lokal:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4163919872 (3971MB)
> avail mem = 4030709760 (3843MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xebfd0 (49 entries)
> bios0: vendor American Megatrends Inc. version "5.6.5" date 12/13/2016
> bios0: Thomas-Krenn.AG Default string
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT FIDT MCFG LPIT HPET SSDT SSDT SSDT UEFI
> acpi0: wakeup devices PS2K(S3) PS2M(S3) XHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Celeron(R) CPU N2930 @ 1.83GHz, 1833.75 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
> cpu0: 1MB 64b/line 16-way L2 cache
> cpu0: TSC frequency 1833749940 Hz
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 83MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Celeron(R) CPU N2930 @ 1.83GHz, 1833.34 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
> cpu1: 1MB 64b/line 16-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Celeron(R) CPU N2930 @ 1.83GHz, 1833.34 MHz
> cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
> cpu2: 1MB 64b/line 16-way L2 cache
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Celeron(R) CPU N2930 @ 1.83GHz, 1833.34 MHz
> cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
> cpu3: 1MB 64b/line 16-way L2 cache
> cpu3: smt 0, core 3, package 0
> ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 87 pins
> acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (RP01)
> acpiprt2 at acpi0: bus 2 (RP02)
> acpiprt3 at acpi0: bus 3 (RP03)
> acpiprt4 at acpi0: bus 4 (RP04)
> acpiec0 at acpi0: not present
> acpicpu0 at acpi0: C1(@1 halt!), PSS
> acpicpu1 at acpi0: C1(@1 halt!), PSS
> acpicpu2 at acpi0: C1(@1 halt!), PSS
> acpicpu3 at acpi0: C1(@1 halt!), PSS
> acpipwrres0 at acpi0: PLPE
> acpipwrres1 at acpi0: PLPE
> acpipwrres2 at acpi0: USBC, resource for EHC1, OTG1
> acpipwrres3 at acpi0: CLK0, resource for CAM1
> acpipwrres4 at acpi0: CLK1, resource for CAM0, CAM2
> "MSFT0001" at acpi0 not configured
> "MSFT0003" at acpi0 not configured
> "DMA0F28" at acpi0 not configured
> acpibtn0 at acpi0: PWRB
> acpibtn1 at acpi0: SLPB
> "INTCF0B" at acpi0 not configured
> "INTCF1A" at acpi0 not configured
> "INTCF1C" at acpi0 not configured
> "SMO91D0" at acpi0 not configured
> "MXT3432" at acpi0 not configured
> acpivideo0 at acpi0: GFX0
> cpu0: Enhanced SpeedStep 1833 MHz: speeds: 1827, 1826, 1660, 1494, 1328, 1162, 996, 830, 498 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Bay Trail Host" rev 0x0e
> inteldrm0 at pci0 dev 2 function 0 "Intel Bay Trail Video" rev 0x0e
> drm0 at inteldrm0
> inteldrm0: msi
> inteldrm0: 1280x1024, 32bpp
> wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> ahci0 at pci0 dev 19 function 0 "Intel Bay Trail AHCI" rev 0x0e: msi, AHCI 1.3
> ahci0: port 0: 3.0Gb/s
> scsibus1 at ahci0: 32 targets
> sd0 at scsibus1 targ 0 lun 0: <ATA, TS32GMSA370, N112> SCSI3 0/direct fixed t10.ATA_TS32GMSA370_D957300327_
> sd0: 30533MB, 512 bytes/sector, 62533296 sectors, thin
> xhci0 at pci0 dev 20 function 0 "Intel Bay Trail xHCI" rev 0x0e: msi
> usb0 at xhci0: USB revision 3.0
> uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
> "Intel Bay Trail TXE" rev 0x0e at pci0 dev 26 function 0 not configured
> azalia0 at pci0 dev 27 function 0 "Intel Bay Trail HD Audio" rev 0x0e: msi
> azalia0: codecs: Realtek ALC662, Intel/0x2882, using Realtek ALC662
> audio0 at azalia0
> ppb0 at pci0 dev 28 function 0 "Intel Bay Trail PCIE" rev 0x0e: msi
> pci1 at ppb0 bus 1
> ppb1 at pci0 dev 28 function 1 "Intel Bay Trail PCIE" rev 0x0e: msi
> pci2 at ppb1 bus 2
> ppb2 at pci0 dev 28 function 2 "Intel Bay Trail PCIE" rev 0x0e: msi
> pci3 at ppb2 bus 3
> em0 at pci3 dev 0 function 0 "Intel 82583V" rev 0x00: msi, address 00:30:18:06:9f:94
> ppb3 at pci0 dev 28 function 3 "Intel Bay Trail PCIE" rev 0x0e: msi
> pci4 at ppb3 bus 4
> em1 at pci4 dev 0 function 0 "Intel 82583V" rev 0x00: msi, address 00:30:18:06:9f:93
> pcib0 at pci0 dev 31 function 0 "Intel Bay Trail LPC" rev 0x0e
> ichiic0 at pci0 dev 31 function 3 "Intel Bay Trail SMBus" rev 0x0e: apic 1 int 18
> iic0 at ichiic0
> spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800 SO-DIMM
> isa0 at pcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: probed fifo depth: 15 bytes
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> vmm0 at mainbus0: VMX/EPT
> uhidev0 at uhub0 port 3 configuration 1 interface 0 "DELL Dell USB Entry Keyboard" rev 1.10/1.78 addr 2
> uhidev0: iclass 3/1
> ukbd0 at uhidev0: 8 variable keys, 6 key codes
> wskbd1 at ukbd0 mux 1
> wskbd1: connecting to wsdisplay0
> uhub1 at uhub0 port 4 configuration 1 interface 0 "Genesys Logic USB2.0 Hub" rev 2.00/88.32 addr 3
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> root on sd0a (ea44963b0108c50a.a) swap on sd0b dump on sd0b
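A check for the mislogging Illya describes, added here as an example; it is not code from the thread or from OpenBSD. It parses `pfctl -s rules | nl -v 0` output and `tcpdump -nettti pflog0` lines of the shape pasted in the report, and flags any log entry whose bare rule number points at an `anchor` line of the main ruleset (an anchor entry is not the rule that produced the verdict), or whose logged action disagrees with the verb of the rule it cites. The sample inputs are the two tests above; the `rule N.anchor.M/(reason)` form for matches inside an anchor is assumed from the way tcpdump prints pflog headers and is only exercised by a constructed line. The practical point: pflog is often the evidence used in incident review and for alerting keyed on rule numbers, and when the number is wrong an analyst attributes traffic to the wrong policy line, so a ruleset-aware sanity check like this belongs in the log pipeline.

```python
"""Cross-check pflog rule numbers against the loaded pf ruleset.

Added example, not code from the thread or from OpenBSD. Sample inputs are
copied from the two tests in the report; the "rule N.anchor.M" log shape for
rules inside anchors is assumed from OpenBSD's tcpdump pflog printer.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- sample data (from the report's test 1 and test 2) ----------------------
RULES_TEST1 = """\
0 block drop in log on em1 all
1 block drop out log on em1 all
2 pass out log on em1 proto tcp from any to any port = 22 flags S/SA
"""
RULES_TEST2 = """\
0 block drop in log on em1 all
1 block drop out log on em1 all
2 anchor "test/*" all
3 pass out log on em1 proto tcp from any to any port = 22 flags S/SA
"""
PFLOG_TEST1 = """\
Feb 14 22:46:37.928813 rule 1/(match) block out on em1: 10.69.245.50 > 10.69.0.1: icmp: echo request (DF)
Feb 14 22:47:19.519580 rule 2/(match) pass out on em1: 10.69.245.50.41986 > 10.69.0.253.22: S 1682236102:1682236102(0) win 29200 <mss 1460,sackOK,timestamp 201134 0,nop,wscale 7> (DF)
"""
PFLOG_TEST2 = """\
Feb 14 22:49:29.310651 rule 2/(match) block out on em1: 10.69.245.50 > 10.69.0.1: icmp: echo request (DF)
Feb 14 22:49:48.225126 rule 2/(match) pass out on em1: 10.69.245.50.41988 > 10.69.0.253.22: S 3757241004:3757241004(0) win 29200 <mss 1460,sackOK,timestamp 238312 0,nop,wscale 7> (DF)
"""

@dataclass
class Rule:
    nr: int
    verb: str    # block, pass, match or anchor
    text: str

@dataclass
class LogEntry:
    rulenr: int            # index into the main ruleset
    anchor: Optional[str]  # anchor name when the match was inside an anchor
    reason: str
    action: str
    direction: str
    ifname: str
    packet: str

# "pfctl -s rules | nl -v 0" lines: "<nr> <verb> ..."
RULE_LINE = re.compile(r'^\s*(\d+)\s+(block|pass|match|anchor)\b.*$')
# "tcpdump -nettti pflog0" lines; the rule token is "N" or "N.anchor.M"
LOG_LINE = re.compile(
    r'rule (?P<rule>\S+?)/\((?P<reason>[^)]+)\) '
    r'(?P<action>pass|block|match) (?P<dir>in|out) on (?P<if>\S+): (?P<pkt>.*)$')

def parse_ruleset(text: str) -> Dict[int, Rule]:
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules[int(m.group(1))] = Rule(int(m.group(1)), m.group(2), line.strip())
    return rules

def parse_pflog(text: str) -> List[LogEntry]:
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        main, _, rest = m.group('rule').partition('.')
        anchor = rest.rsplit('.', 1)[0] if rest else None   # "name.M" -> "name"
        entries.append(LogEntry(int(main), anchor, m.group('reason'), m.group('action'),
                                m.group('dir'), m.group('if'), m.group('pkt')))
    return entries

def audit(rules: Dict[int, Rule], entries: List[LogEntry]) -> List[str]:
    """Return one finding per log entry whose rule number cannot be right."""
    findings: List[str] = []
    for e in entries:
        r = rules.get(e.rulenr)
        if r is None:
            findings.append(f'rule {e.rulenr} not in loaded ruleset: {e.packet}')
        elif r.verb == 'anchor' and e.anchor is None:
            # A bare main-ruleset number must not point at an anchor line:
            # the verdict came from a rule inside or after it (the bug above).
            findings.append(f'rule {e.rulenr} logged as "{e.action}" but is an anchor '
                            f'({r.text}): {e.packet}')
        elif r.verb in ('block', 'pass') and r.verb != e.action:
            findings.append(f'rule {e.rulenr} is "{r.verb}" but log says "{e.action}": {e.packet}')
    return findings

if __name__ == '__main__':
    for name, rules, log in (('test 1', RULES_TEST1, PFLOG_TEST1),
                             ('test 2', RULES_TEST2, PFLOG_TEST2)):
        found = audit(parse_ruleset(rules), parse_pflog(log))
        print(f'{name}: {len(found)} suspicious log line(s)')
        for f in found:
            print('  ' + f)
```

Run against the report's data, test 1 yields no findings and test 2 yields one finding per logged packet, because both entries cite rule 2, the anchor. On a live box the same check can be fed from `pfctl -s rules | nl -v 0` and `tcpdump -nettti pflog0`; the ruleset snapshot must be taken at the same time as the log, since rule numbers shift whenever the ruleset is reloaded.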