Re: Unexpected match set prio behaviour

2013-11-18 Thread Alexey Suslikov
On Mon, Nov 18, 2013 at 3:03 AM, Alexander Bluhm
alexander.bl...@gmx.net wrote:
 On Thu, Nov 14, 2013 at 12:03:21AM +0200, Alexey Suslikov wrote:
 This is on 5.4-stable. vlan is only used to see what resulting prio is.

 #match on { $int_if } inet proto icmp all icmp-type echoreq set prio 5
 pass quick on { $ext_if, $int_if }

 Can you test whether this diff matches your expected behaviour?
 Please try various combinations of pass and match rules.

 bluhm

 Index: net/pf.c
 ===
 RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
 retrieving revision 1.861
 diff -u -p -r1.861 pf.c
 --- net/pf.c16 Nov 2013 00:36:01 -  1.861
 +++ net/pf.c18 Nov 2013 00:56:55 -
 @@ -3110,8 +3110,10 @@ pf_rule_to_actions(struct pf_rule *r, st
 a-max_mss = r-max_mss;
 a-flags |= (r-scrub_flags  (PFSTATE_NODF|PFSTATE_RANDOMID|
 PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO));
 -   a-set_prio[0] = r-set_prio[0];
 -   a-set_prio[1] = r-set_prio[1];
 +   if (r-scrub_flags  PFSTATE_SETPRIO) {
 +   a-set_prio[0] = r-set_prio[0];
 +   a-set_prio[1] = r-set_prio[1];
 +   }
  }

  #define PF_TEST_ATTRIB(t, a)   \
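Review bot: the hunk explains the pri 0 in the original report, and the explanation is worth a line in the commit message: `a-flags |= (r-scrub_flags  (...PFSTATE_SETPRIO))` (rendered here with `->` and `&` lost in extraction) accumulates the flag across rules, so PFSTATE_SETPRIO from the earlier match rule survived the final `pass quick`, while the unconditional `a-set_prio[0] = r-set_prio[0];` let that pass rule, which carries no set prio, overwrite 5 with 0. With the guard, set_prio now belongs to the last rule that actually carried set prio; the test cases below only cover one match rule followed by pass, so a case with two match rules that both set prio on the same traffic would confirm that last-match-wins still holds.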

Well, it seems like now I have the expected results, at least for the following
test cases. Please tell me if you need more.

For the record, the issue in question was discovered by Roman Kravchuk;
I just assisted with analysis and reporting.

Test 1 (default prio):

# cat /etc/pf.conf
ext_if=em0
int_if=vlan2525
set skip on { lo enc0 em1 }
block log all
#match on { $int_if } inet proto icmp all icmp-type echoreq set prio 6
#match on { $int_if } inet proto udp to port domain set prio 5
#match on { $int_if } inet proto tcp set prio (2, 4)
pass quick on { $ext_if, $int_if }

ICMP
12:45:57.293179 802.1Q vid 2525 pri 3 192.168.100.1 > 192.168.100.2:
icmp: echo request
12:45:57.293491 802.1Q vid 2525 pri 3 192.168.100.2 > 192.168.100.1:
icmp: echo reply

TCP
12:46:39.953468 802.1Q vid 2525 pri 3 192.168.100.1.17637 >
192.168.100.2.80: S 370622106:370622106(0) win 16384 mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1183962946 0 (DF)
12:46:39.953944 802.1Q vid 2525 pri 3 192.168.100.2.80 >
192.168.100.1.17637: S 3464733189:3464733189(0) ack 370622107 win
16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
448817884 1183962946 (DF)
12:46:39.954024 802.1Q vid 2525 pri 3 192.168.100.1.17637 >
192.168.100.2.80: . ack 1 win 2048 nop,nop,timestamp 1183962946
448817884 (DF)
12:46:39.963421 802.1Q vid 2525 pri 3 192.168.100.1.17637 >
192.168.100.2.80: P 1:230(229) ack 1 win 2048 nop,nop,timestamp
1183962946 448817884 (DF)
12:46:39.970068 802.1Q vid 2525 pri 3 192.168.100.2.80 >
192.168.100.1.17637: . 1:1449(1448) ack 230 win 2172
nop,nop,timestamp 448817884 1183962946 (DF)
12:46:39.970095 802.1Q vid 2525 pri 3 192.168.100.2.80 >
192.168.100.1.17637: P 1449:2516(1067) ack 230 win 2172
nop,nop,timestamp 448817884 1183962946 (DF)
12:46:39.970172 802.1Q vid 2525 pri 3 192.168.100.1.17637 >
192.168.100.2.80: . ack 2516 win 1733 nop,nop,timestamp 1183962946
448817884 (DF)
12:46:39.970214 802.1Q vid 2525 pri 3 192.168.100.2.80 >
192.168.100.1.17637: F 2516:2516(0) ack 230 win 2172
nop,nop,timestamp 448817884 1183962946 (DF)
12:46:39.970280 802.1Q vid 2525 pri 3 192.168.100.1.17637 >
192.168.100.2.80: . ack 2517 win 1733 nop,nop,timestamp 1183962946
448817884 (DF)
12:46:39.993600 802.1Q vid 2525 pri 3 192.168.100.1.17637 >
192.168.100.2.80: F 230:230(0) ack 2517 win 2048 nop,nop,timestamp
1183962946 448817884 (DF)
12:46:39.993927 802.1Q vid 2525 pri 3 192.168.100.2.80 >
192.168.100.1.17637: . ack 231 win 2172 nop,nop,timestamp 448817884
1183962946 (DF)

UDP
12:47:58.298665 802.1Q vid 2525 pri 3 192.168.100.1.39295 >
192.168.100.2.53: 36561+ A? i.ua. (22)
12:47:58.552804 802.1Q vid 2525 pri 3 192.168.100.2.53 >
192.168.100.1.39295: 36561 1/2/0 A 91.198.36.14 (74)

Test 2 (match takes care of prio):

# cat /etc/pf.conf
ext_if=em0
int_if=vlan2525
set skip on { lo enc0 em1 }
block log all
match on { $int_if } inet proto icmp all icmp-type echoreq set prio 6
match on { $int_if } inet proto udp to port domain set prio 5
match on { $int_if } inet proto tcp set prio (2, 4)
pass quick on { $ext_if, $int_if }

ICMP
12:52:44.783107 802.1Q vid 2525 pri 6 192.168.100.1 > 192.168.100.2:
icmp: echo request
12:52:44.783516 802.1Q vid 2525 pri 6 192.168.100.2 > 192.168.100.1:
icmp: echo reply

TCP
12:53:28.007629 802.1Q vid 2525 pri 2 192.168.100.1.49012 >
192.168.100.2.80: S 2694025614:2694025614(0) win 16384 mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 80976101 0 (DF)
12:53:28.007915 802.1Q vid 2525 pri 3 192.168.100.2.80 >
192.168.100.1.49012: S 704605823:704605823(0) ack 2694025615 win 16384
mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 281624921
80976101 (DF)
12:53:28.007990 802.1Q vid 2525 pri 4 192.168.100.1.49012 >
192.168.100.2.80: . ack 1 win 2048 nop,nop,timestamp 80976101

Re: Unexpected match set prio behaviour

2013-11-17 Thread Alexander Bluhm
On Thu, Nov 14, 2013 at 12:03:21AM +0200, Alexey Suslikov wrote:
 This is on 5.4-stable. vlan is only used to see what resulting prio is.

 #match on { $int_if } inet proto icmp all icmp-type echoreq set prio 5
 pass quick on { $ext_if, $int_if }

Can you test whether this diff matches your expected behaviour?
Please try various combinations of pass and match rules.

bluhm

Index: net/pf.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
retrieving revision 1.861
diff -u -p -r1.861 pf.c
--- net/pf.c16 Nov 2013 00:36:01 -  1.861
+++ net/pf.c18 Nov 2013 00:56:55 -
@@ -3110,8 +3110,10 @@ pf_rule_to_actions(struct pf_rule *r, st
a-max_mss = r-max_mss;
a-flags |= (r-scrub_flags  (PFSTATE_NODF|PFSTATE_RANDOMID|
PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO));
-   a-set_prio[0] = r-set_prio[0];
-   a-set_prio[1] = r-set_prio[1];
+   if (r-scrub_flags  PFSTATE_SETPRIO) {
+   a-set_prio[0] = r-set_prio[0];
+   a-set_prio[1] = r-set_prio[1];
+   }
 }
 
 #define PF_TEST_ATTRIB(t, a)   \
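Review bot: the new guard makes set_prio "last rule that set it wins", but the three context lines do not show whether the other per-rule values copied in this function get the same treatment: `a-max_mss = r-max_mss;` at the top of the hunk (rendered here with `->` and `&` dropped by extraction) looks unconditional, and set_tos sits in the same flag mask one line below it. If either is copied without a guard, a later rule that does not set it will clobber an earlier match rule's value exactly as set_prio was clobbered before this hunk; if they are already guarded just above the context, a short comment on the `if (r-scrub_flags  PFSTATE_SETPRIO)` line saying that the flag accumulates via `|=` while the values must come only from a rule that carries set prio would make the asymmetry obvious to the next reader.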



Unexpected match set prio behaviour

2013-11-13 Thread Alexey Suslikov
Hi tech@.

This is on 5.4-stable. vlan is only used to see what resulting prio is.

The ruleset:
---
ext_if=em0
int_if=vlan2525
set skip on { lo enc0 em1 }
block log all
#match on { $int_if } inet proto icmp all icmp-type echoreq set prio 5
pass quick on { $ext_if, $int_if }
---

The vlan:
---
vlan2525: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:1a:4a:a8:0a:8c
description: LAN
priority: 0
vlan: 2525 parent interface: em1
groups: vlan
status: active
inet 192.168.100.1 netmask 0xff00 broadcast 192.168.100.255
---

Pinging 192.168.100.2 (which is behind vlan2525) gives expected result:

23:51:02.154928 802.1Q vid 2525 pri 3 192.168.100.1 > 192.168.100.2:
icmp: echo request
23:51:02.155313 802.1Q vid 2525 pri 3 192.168.100.2 > 192.168.100.1:
icmp: echo reply

prio is set to 3 according to the documentation.

Now, after I uncomment the match rule and ping 192.168.100.2, the result is:

23:54:02.865267 802.1Q vid 2525 pri 0 192.168.100.1 > 192.168.100.2:
icmp: echo request
23:54:02.865485 802.1Q vid 2525 pri 0 192.168.100.2 > 192.168.100.1:
icmp: echo reply

prio 0 is somewhat unexpected.

Am I doing something wrong?

Cheers,
Alexey
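An added example, not code from OpenBSD or from anyone in this thread: a user-space C model of the rule-to-actions accumulation that bluhm's diff earlier in the thread changes, reproducing the pri 3 to pri 0 change reported above and the result after the guard. The struct layouts, the PFSTATE_SETPRIO bit value and the default pri 3 are assumptions made for illustration.

```c
/* Added example, not OpenBSD code: a user-space model of how pf folds each
 * matching rule's "set prio" into the state's action block. Function and
 * field names follow the diff in this thread; the struct layouts, the
 * PFSTATE_SETPRIO bit value and the default pri 3 are assumptions. */
#include <stdint.h>
#include <string.h>

#define PFSTATE_SETPRIO 0x0100  /* assumed bit value, for illustration only */
#define PRIO_DEFAULT    3       /* pri the frame carries when pf sets none */

struct rule    { uint16_t scrub_flags; uint8_t set_prio[2]; };
struct actions { uint16_t flags;       uint8_t set_prio[2]; };

/* Pre-fix: set_prio is copied from every rule, so the final plain "pass"
 * overwrites the match rule's 5 with its own 0, while the |= on flags
 * keeps PFSTATE_SETPRIO from the match rule: the frame leaves with pri 0. */
static void rule_to_actions_old(const struct rule *r, struct actions *a)
{
	a->flags |= (r->scrub_flags & PFSTATE_SETPRIO);
	a->set_prio[0] = r->set_prio[0];
	a->set_prio[1] = r->set_prio[1];
}

/* Post-fix (bluhm's diff): copy only when this rule itself sets a prio. */
static void rule_to_actions_new(const struct rule *r, struct actions *a)
{
	a->flags |= (r->scrub_flags & PFSTATE_SETPRIO);
	if (r->scrub_flags & PFSTATE_SETPRIO) {
		a->set_prio[0] = r->set_prio[0];
		a->set_prio[1] = r->set_prio[1];
	}
}

/* Evaluate the report's ruleset (optionally with the match rule uncommented)
 * through one variant and return the 802.1Q pri the echo request would get:
 * 3 with the match rule commented out, 0 (old) or 5 (fixed) with it active. */
static int ruleset_prio(int fixed, int match_uncommented)
{
	struct rule match = { PFSTATE_SETPRIO, { 5, 5 } };  /* set prio 5 */
	struct rule pass  = { 0, { 0, 0 } };                /* pass quick  */
	struct actions a;
	void (*fold)(const struct rule *, struct actions *) =
	    fixed ? rule_to_actions_new : rule_to_actions_old;
	memset(&a, 0, sizeof a);
	if (match_uncommented)
		fold(&match, &a);
	fold(&pass, &a);
	return (a.flags & PFSTATE_SETPRIO) ? a.set_prio[0] : PRIO_DEFAULT;
}
```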