On Fri, Nov 13, 2009 at 05:44:41PM +0100, Henning Brauer wrote:
> * Bryan S. Leaman <lea...@bitbytes.com> [2009-11-13 17:37]:
> > Henning Brauer wrote:
> > >* Bryan S. Leaman <lea...@bitbytes.com> [2009-11-13 01:12]:
> > >>I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
> > >>-current and I came across an issue that seems like a problem in the way
> > >>"tagged" rules are handled.  It's breaking ftp-proxy with tagging when I
> > >>try to apply additional rules to the tagged packets.  The result is that I
> > >>can login to an FTP server but the inbound data connection seems to get
> > >>lost--I don't get a passed or blocked packet in the pf log and the data
> > >>connection fails to establish.
> > >>
> > >>If I remove my "tagged <TAGNAME>" rules, then everything works fine but
> > >>then I can't use the tags to do further processing of these packets.
> > >>Here are the anchor rules generated by ftp-proxy:
> > >>
> > >># pfctl -sA -v
> > >>  ftp-proxy
> > >>  ftp-proxy/16553.9
> > >># pfctl -v -a ftp-proxy/16553.9 -sr
> > >>pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port =
> > >>54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21
> > >>port 47008
> > >>  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0
> > >>    ]
> > >>  [ Inserted: uid 71 pid 16553 State Creations: 0     ]
> > >>pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008
> > >>flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
> > >>  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0
> > >>    ]
> > >>  [ Inserted: uid 71 pid 16553 State Creations: 0     ]
> > >
> > >hrm. ftp-proxy would need to use match instead of pass in that case.
> > >
> > Can you please elaborate on this?  I know the ftp-proxy code already
> > suppresses the "quick" keyword when using the tagging option, so
> > wouldn't that be sufficient for pf to continue processing the packet
> > with the additional "tagged FTPPROXY" rule?  In previous releases I
> > was able to use "pass out" and then later a "pass out quick" to
> > match what was passed by the previous rule.  Is this handled
> > differently with the new nat/rdr changes in -current or am I
> > misunderstanding something?  It's working for the first ftp-proxy
> > rule (pass in), but not the second (pass out).  Thanks!
> 
> nat-to and rdr-to on pass rules are only applied if it is the last
> matching rule. for match rules they're always applied.
> 

Maybe something like this. The result is that you need to have a
"pass tagged FTPTAG" rule after the anchor (or one rule per direction) or
the traffic may be blocked.

-- 
:wq Claudio

Index: filter.c
===================================================================
RCS file: /cvs/src/usr.sbin/ftp-proxy/filter.c,v
retrieving revision 1.9
diff -u -p -r1.9 filter.c
--- filter.c    1 Sep 2009 13:46:14 -0000       1.9
+++ filter.c    13 Nov 2009 17:11:47 -0000
@@ -236,7 +236,10 @@ prepare_rule(u_int32_t id, int rs_num, s
         *     from $src to $dst port = $d_port flags S/SA keep state
         *     (max 1) [queue qname] [tag tagname]
         */
-       pfr.rule.action = PF_PASS;
+       if (tagname != NULL)
+               pfr.rule.action = PF_MATCH;
+       else
+               pfr.rule.action = PF_PASS;
        pfr.rule.quick = 1;
        pfr.rule.log = rule_log;
        pfr.rule.keep_state = 1;
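Review bot: the new branch on `tagname` switches the action to PF_MATCH but leaves `pfr.rule.quick = 1;` set unconditionally on the very next line, and the comment block above the hunk still documents the generated rule as a pass rule ("... keep state (max 1) [queue qname] [tag tagname]"). If quick is cleared for tagged rules elsewhere in ftp-proxy, consider folding that into this same `if (tagname != NULL)` branch so the two conditions cannot drift apart, and update the comment to say the rule is inserted as `match` when a tag is set. Since a match rule passes nothing by itself, the behavioural change stated in the mail (a `pass ... tagged` rule is now required after the anchor, or one per direction) should also go into the ftp-proxy man page.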
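As an added illustration that is not part of the thread, the following pf.conf fragment (4.6-current nat/rdr syntax; the interface name is assumed) shows why the anchor's pass rule loses its nat-to when a later tagged rule matches, and what the ruleset must contain once ftp-proxy inserts match rules instead:

```pf
# Assumed interface name for the illustration.
ext_if = "em0"

# ftp-proxy inserts its per-connection rules into this anchor.
anchor "ftp-proxy/*"

# Problem case (ftp-proxy inserting pass rules):
#   pass out ... tag FTPPROXY nat-to 192.168.99.237
# This later rule also matches the tagged packet and becomes the last
# matching rule, so the nat-to carried by the anchor's pass rule is
# never applied and the data connection is sent out untranslated.
pass out quick on $ext_if tagged FTPPROXY

# With the patch, ftp-proxy inserts
#   match out ... tag FTPPROXY nat-to 192.168.99.237
# instead.  A match rule's nat-to/rdr-to is always applied, whichever
# pass rule ends evaluation, but the match rule passes nothing on its
# own, so the ruleset has to pass the tagged traffic explicitly
# (one rule per direction, placed after the anchor).
pass in quick tagged FTPPROXY
pass out quick tagged FTPPROXY
```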
