Re: packets logged by pf without log rule
On Tue, Sep 16, 2014 at 12:20 AM, Alexander Salmin wrote:
> Did you see it in previous versions?
> I would compare the same ruleset with a fresh 5.5 and see if you
> experience the same and in that case continue comparing the relevant
> source code.

The behaviour is the same as far back as 5.4 at least.

I have another one. With the "pass quick all" ruleset, if I send:

09:34:28.490074 00:25:90:c1:f1:8c 01:00:5e:40:68:01 0800 1514: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 49575:1480@0+) [ttl 1]

twice within 60s (frag timer?) I get:

Sep 16 09:34:28.490095 rule def/(match) pass in on em0: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 49575:1480@0+) [ttl 1]

I see this a lot in our production and test environment, but there it is triggered without the duplicate packet.

Example from a live firewall. Traffic:

pf0.swe1# tcpdump -n -i vlan57 host 10.69.48.14 and not tcp
tcpdump: listening on vlan57, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
09:51:56.710780 10.69.48.14.5404 > 239.192.104.1.5405: udp 75 (DF) [ttl 1]
09:51:56.711161 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27013:1480@0+) [ttl 1]
09:51:56.711163 10.69.48.14 > 239.192.104.1: (frag 27013:1@1480) [ttl 1]
09:51:56.711164 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27014:1480@0+) [ttl 1]
09:51:56.711166 10.69.48.14 > 239.192.104.1: (frag 27014:1@1480) [ttl 1]
09:51:56.711167 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27015:1480@0+) [ttl 1]
09:51:56.711168 10.69.48.14 > 239.192.104.1: (frag 27015:1@1480) [ttl 1]
09:51:56.711169 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27016:1480@0+) [ttl 1]
09:51:56.711171 10.69.48.14 > 239.192.104.1: (frag 27016:1@1480) [ttl 1]
09:51:56.711172 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27017:1480@0+) [ttl 1]
09:51:56.711173 10.69.48.14 > 239.192.104.1: (frag 27017:1@1480) [ttl 1]
09:51:56.711175 10.69.48.14.5404 > 239.192.104.1.5405: udp 617 (DF) [ttl 1]
09:51:56.713383 10.69.48.14.5404 > 239.192.104.1.5405: udp 753 (DF) [ttl 1]
09:51:56.724606 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27018:1480@0+) [ttl 1]
09:51:56.724608 10.69.48.14 > 239.192.104.1: (frag 27018:1@1480) [ttl 1]
09:51:56.724609 10.69.48.14.5404 > 239.192.104.1.5405: udp 707 (DF) [ttl 1]
09:51:56.724986 10.69.48.14.5404 > 239.192.104.1.5405: udp 1412 (DF) [ttl 1]
09:51:56.730168 10.69.48.14.5404 > 239.192.104.1.5405: udp 650 (DF) [ttl 1]
^C

Log:

pf0.swe1# tcpdump -n -e -ttt -i pflog0 host 10.69.48.14
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Sep 16 09:51:56.711185 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27013:1480@0+) [ttl 1]
tcpdump: WARNING: compensating for unaligned libpcap packets
Sep 16 09:51:56.711190 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27014:1480@0+) [ttl 1]
Sep 16 09:51:56.711194 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27015:1480@0+) [ttl 1]
Sep 16 09:51:56.711198 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27016:1480@0+) [ttl 1]
Sep 16 09:51:56.711202 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27017:1480@0+) [ttl 1]
Sep 16 09:51:56.724622 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27018:1480@0+) [ttl 1]
^C
20 packets received by filter
0 packets dropped by kernel
pf0.swe1#

There is no rule that should log this in the live firewalls. Happens on 5.4 and 5.5; if memory serves me right I saw it on 5.3 also.

Assistance with understanding this would be appreciated. I will use free time slots to look at the code, but due to limited knowledge and skills it is quite time consuming.

Regards Tony
Re: packets logged by pf without log rule
Did you see it in previous versions?

I would compare the same ruleset with a fresh 5.5 and see if you experience the same and in that case continue comparing the relevant source code.

Regards,
Alexander Salmin

On 2014-09-15 16:18:26, Tony Sarendal wrote:
> I'm currently looking into some logging strangeness we are seeing.
> Does anyone know why this is logged?
>
> obc3.rad# cat /etc/pf.conf
> pass quick all
> obc3.rad# pfctl -sr
> pass quick all flags S/SA
> obc3.rad# tcpdump -n -e -ttt -i pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Sep 15 16:07:31.276913 rule 0/(match) pass in on em0: 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
> Sep 15 16:07:31.278020 rule 0/(match) pass in on em0: 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
>
> obc3.rad# tcpdump -n -i em0 igmp
> tcpdump: listening on em0, link-type EN10MB
> tcpdump: WARNING: compensating for unaligned libpcap packets
> 16:07:31.276905 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
> 16:07:31.278014 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
>
> Regards Tony
>
> OpenBSD 5.6-current (GENERIC.MP) #0: Wed Sep 10 13:39:02 CEST 2014
> [...]
packets logged by pf without log rule
I'm currently looking into some logging strangeness we are seeing. Does anyone know why this is logged?

obc3.rad# cat /etc/pf.conf
pass quick all
obc3.rad# pfctl -sr
pass quick all flags S/SA
obc3.rad# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Sep 15 16:07:31.276913 rule 0/(match) pass in on em0: 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
Sep 15 16:07:31.278020 rule 0/(match) pass in on em0: 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]

obc3.rad# tcpdump -n -i em0 igmp
tcpdump: listening on em0, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
16:07:31.276905 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
16:07:31.278014 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]

Regards Tony

OpenBSD 5.6-current (GENERIC.MP) #0: Wed Sep 10 13:39:02 CEST 2014
    r...@obc3.rad.unibet.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8545173504 (8149MB)
avail mem = 8308969472 (7924MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb4c0 (54 entries)
bios0: vendor American Megatrends Inc. version "2.0a" date 06/08/2012
bios0: Supermicro X9SCD
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT PRAD SPMI SSDT SPCR EINJ ERST HEST BERT BGRT
acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) P0P1(S4) USB1(S4) USB2(S4) USB3(S4) USB4(S4) USB5(S4) USB6(S4) USB7(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.49 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.0, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 1, package 0
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PG
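In both of Tony's messages the check is done by eye: a ruleset with no `log` keyword anywhere, yet pflog0 shows `rule 0/(match)` entries for IGMP and `rule def/(match)` entries for the first fragment of large UDP datagrams. The script below is an added example, not code from the thread or from OpenBSD, that makes that comparison mechanical: it parses the text `tcpdump -n -e -ttt -i pflog0` prints (the `-e` is what adds the `rule N/(reason) action dir on ifname:` header it keys on), numbers the rules in `pfctl -sr` output the way pflog reports them (0-based in print order, pf's built-in default rule as `def`) and lists every record whose rule carries no `log`. RULESET_A and PFLOG_A are the ruleset and log lines quoted in the thread; RULESET_B, PFLOG_B and the 192.0.2.10 client in them are constructed for the example. It does not explain why pf logged those packets; it only isolates them, and it does not expand anchors (a rule number `pfctl -sr` does not list is reported rather than assumed to log).

```python
"""Flag pflog(4) records produced by rules that carry no "log" keyword.
Added example for the thread above; not code from the thread or from OpenBSD.
Inputs: "tcpdump -n -e -ttt -i pflog0" text and "pfctl -sr" text."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header tcpdump -e prints per pflog record. "rule" is the rule number as
# pfctl -vvsr shows it (@N), or "def" for pf's built-in default rule.
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>[\w.]+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:]+): (?P<pkt>.*)$")
# tcpdump's fragment annotation: (frag id:len@off) plus "+" if more follow.
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


@dataclass
class PflogEntry:
    ts: str
    rule: str        # "0", "1", ..., "def", or "N.anchor.M" for anchored rules
    reason: str      # "match", "short", "fragment", ... as tcpdump prints it
    action: str
    direction: str
    ifname: str
    pkt: str         # everything after the header, untouched
    proto: str       # "igmp", "udp" or "other": enough to triage this thread
    fragment: Optional[dict]   # parsed (frag ...) annotation, if any

    @property
    def first_fragment(self) -> bool:
        return self.fragment is not None and self.fragment["off"] == 0


def parse_pflog(text: str) -> List[PflogEntry]:
    """Parse tcpdump pflog output; banner, warning and counter lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        pkt, frag = m["pkt"], None
        fm = FRAG_RE.search(pkt)
        if fm:
            frag = {"id": int(fm["id"]), "len": int(fm["len"]),
                    "off": int(fm["off"]), "more": fm["more"] == "+"}
        proto = "igmp" if " igmp " in f" {pkt} " else "udp" if ": udp " in pkt else "other"
        entries.append(PflogEntry(m["ts"], m["rule"], m["reason"], m["action"],
                                  m["dir"], m["ifname"].strip(), pkt, proto, frag))
    return entries


def parse_ruleset(text: str) -> Dict[str, bool]:
    """Map rule number -> whether the rule carries "log".
    pfctl -sr prints the main ruleset in rule order, so line N is rule N (the
    number pflog reports). Anchored rules are not expanded by pfctl -sr and are
    left out. The default rule is not printed and has no log keyword."""
    logs = {"def": False}
    for n, line in enumerate(l.strip() for l in text.splitlines() if l.strip()):
        logs[str(n)] = "log" in line.split()
    return logs


def unexpected_log_entries(pflog_text: str, ruleset_text: str) -> List[PflogEntry]:
    """Records whose rule is not known to log. A rule number the ruleset does
    not list (anchored rule, or ruleset changed since the capture) is reported
    too rather than silently assumed to log."""
    logs = parse_ruleset(ruleset_text)
    return [e for e in parse_pflog(pflog_text) if not logs.get(e.rule, False)]


# RULESET_A / PFLOG_A are the ruleset and log lines posted in the thread.
# RULESET_B / PFLOG_B (and the 192.0.2.10 client) are constructed here to show
# that a record from a rule that does log is left alone.
RULESET_A = "pass quick all flags S/SA\n"
PFLOG_A = """\
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Sep 15 16:07:31.276913 rule 0/(match) pass in on em0: 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
Sep 15 16:07:31.278020 rule 0/(match) pass in on em0: 10.69.48.14 > 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
Sep 16 09:51:56.711185 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27013:1480@0+) [ttl 1]
Sep 16 09:51:56.711190 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27014:1480@0+) [ttl 1]
^C
20 packets received by filter
0 packets dropped by kernel
"""
RULESET_B = "block return log all\npass quick all flags S/SA\n"
PFLOG_B = """\
Sep 16 10:00:00.000001 rule 0/(match) block in on em0: 192.0.2.10.40000 > 10.69.48.14.22: S 1:1(0) win 65535
Sep 16 10:00:00.000002 rule 1/(match) pass in on em0: 10.69.48.14.5404 > 239.192.104.1.5405: udp 75 (DF) [ttl 1]
Sep 16 10:00:00.000003 rule def/(match) pass in on em0: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27019:1480@0+) [ttl 1]
"""

if __name__ == "__main__":
    for e in unexpected_log_entries(PFLOG_A, RULESET_A) + unexpected_log_entries(PFLOG_B, RULESET_B):
        print(f"unexpected: rule {e.rule}/({e.reason}) {e.action} {e.direction} on {e.ifname}"
              f" {e.proto}{' first-frag' if e.first_fragment else ''}: {e.pkt}")
```

On a live box the two inputs come straight from `pfctl -sr` and a saved `tcpdump -n -e -ttt -i pflog0` capture; the `first_fragment` and `proto` fields are there so that the output can be grouped the way the thread's data already suggests (IGMP reports, and only the first fragment of each oversized datagram, never the trailing fragment).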