Re: pf.conf from/to negation homogeneous behavior

2015-05-23 Thread Stuart Henderson
On 2015/05/22 11:09, Henning Brauer wrote:
 
 this doesn't do what you think it does. You think it matches
 everything but 8.8.8.8 and 8.8.4.4, while in reality, it matches
 everything. Feed that rule through
   pfctl -nvf -
 and you'll see it expanded to
 
 match log on vic0 proto icmp from any to ! 8.8.8.8
 match log on vic0 proto icmp from any to ! 8.8.4.4
 
 the list negation discussion is as old as pf.

It became more confusing after the ruleset optimizer was enabled though.

$ echo 'pass proto tcp from {!1.1.1.1 !2.2.2.2 !3.3.3.3 !4.4.4.4 !5.5.5.5 !6.6.6.6}' | pfctl -nvf -
table __automatic_0 const { 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 5.5.5.5 6.6.6.6 }
pass inet proto tcp from ! __automatic_0 to any flags S/SA

$ echo 'pass proto tcp from {!1.1.1.1 !2.2.2.2 !3.3.3.3 !4.4.4.4}' | pfctl -nvf -
pass inet proto tcp from ! 1.1.1.1 to any flags S/SA
pass inet proto tcp from ! 2.2.2.2 to any flags S/SA
pass inet proto tcp from ! 3.3.3.3 to any flags S/SA
pass inet proto tcp from ! 4.4.4.4 to any flags S/SA

Re: pf.conf from/to negation homogeneous behavior

2015-05-22 Thread Henning Brauer
* sven falempin sven.falem...@gmail.com [2015-05-21 17:29]:
 I propose
 
 Index: pfctl/parse.y
 ===
 RCS file: /cvs/src/sbin/pfctl/parse.y,v
 retrieving revision 1.648
 diff -u -p -r1.648 parse.y
 --- pfctl/parse.y   21 Apr 2015 16:34:59 -  1.648
 +++ pfctl/parse.y   21 May 2015 15:21:54 -
 @@ -2563,7 +2563,7 @@ optnl : '\n' optnl
 
  ipspec : ANY   { $$ = NULL; }
 | xhost { $$ = $1; }
 -   | '{' optnl host_list '}'   { $$ = $3; }
 +   | not '{'  optnl host_list '}'  { $$ = $4; $$-not = $1; }
 
 
 I tested it on i386 -current with a small ruleset; ! table and ! {} now have the
 same behavior,

huh?

 match log on vic0 proto icmp from any to !{ 8.8.8.8, 8.8.4.4 }

this doesn't do what you think it does. You think it matches
everything but 8.8.8.8 and 8.8.4.4, while in reality, it matches
everything. Feed that rule through
  pfctl -nvf -
and you'll see it expanded to

match log on vic0 proto icmp from any to ! 8.8.8.8
match log on vic0 proto icmp from any to ! 8.8.4.4

the list negation discussion is as old as pf.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
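A small model of the expansion behaviour described in Henning's reply and in Stuart's pfctl -nvf output at the top of the thread, added here as an illustration (it is not pfctl's code): the same negated target is evaluated in its expanded-list form, in the form the posted parse.y hunk produces, and as a negated table, against constructed destinations. The table-folding threshold of 6 is an assumption taken from Stuart's examples (6 hosts folded, 4 expanded), and only target matching is modelled, not how the log flag is finally resolved.

```python
# Added example, not pfctl's own code: a toy model of pf's load-time list
# expansion, showing why "to !{ a, b }" cannot mean "neither a nor b".
# A rule is (negated, target); target is one address or a frozenset (table).
# Only target matching is modelled, not how the log flag is finally resolved.

def expand_negated_list(hosts):
    """Load-time expansion: one rule per host, the negation copied to each."""
    return [(True, h) for h in hosts]

def expand_first_only(hosts):
    """The posted parse.y hunk: '$$->not = $1' tags only the first node_host,
    so every later host comes out without its '!'."""
    return [(i == 0, h) for i, h in enumerate(hosts)]

def table_negated(hosts):
    """'to ! <table>': a single rule with one set-membership test."""
    return [(True, frozenset(hosts))]

def optimizer_like(hosts, table_threshold=6):
    """Stuart's observation: long lists are folded into an __automatic table,
    short ones are expanded. The threshold of 6 is an assumption taken from
    the thread's examples (6 hosts folded, 4 expanded)."""
    if len(hosts) >= table_threshold:
        return table_negated(hosts)
    return expand_negated_list(hosts)

def rule_matches(rule, dst):
    negated, target = rule
    hit = dst in target if isinstance(target, frozenset) else dst == target
    return hit != negated          # '!' inverts that single rule's result

def matched(rules, dsts):
    """Destinations that at least one of the expanded rules applies to."""
    return [d for d in dsts if any(rule_matches(r, d) for r in rules)]

DNS = ["8.8.8.8", "8.8.4.4"]                         # the thread's list
SAMPLE = ["8.8.8.8", "8.8.4.4", "192.168.238.1"]     # constructed probes

if __name__ == "__main__":
    for name, rules in [("expanded list", expand_negated_list(DNS)),
                        ("first-node-only patch", expand_first_only(DNS)),
                        ("negated table", table_negated(DNS))]:
        print(f"{name:22s} -> {matched(rules, SAMPLE)}")
```

Only the table form leaves the two listed addresses unmatched; the expanded list matches every probe, and the first-node-only patch matches 8.8.4.4 as well as the unrelated address.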



Re: pf.conf from/to negation homogeneous behavior

2015-05-22 Thread sven falempin
On Fri, May 22, 2015 at 5:09 AM, Henning Brauer hb-openbsdt...@ml.bsws.de
wrote:

 * sven falempin sven.falem...@gmail.com [2015-05-21 17:29]:
  I propose
 
  Index: pfctl/parse.y
  ===
  RCS file: /cvs/src/sbin/pfctl/parse.y,v
  retrieving revision 1.648
  diff -u -p -r1.648 parse.y
  --- pfctl/parse.y   21 Apr 2015 16:34:59 -  1.648
  +++ pfctl/parse.y   21 May 2015 15:21:54 -
  @@ -2563,7 +2563,7 @@ optnl : '\n' optnl
 
   ipspec : ANY   { $$ = NULL; }
  | xhost { $$ = $1; }
  -   | '{' optnl host_list '}'   { $$ = $3; }
  +   | not '{'  optnl host_list '}'  { $$ = $4; $$-not = $1;
 }
 
 
 this doesn't do what you think it does. You think it matches
 everything but 8.8.8.8 and 8.8.4.4, while in reality, it matches
 everything. Feed that rule through
   pfctl -nvf -
 and you'll see it expanded to

 match log on vic0 proto icmp from any to ! 8.8.8.8
 match log on vic0 proto icmp from any to ! 8.8.4.4

 the list negation discussion is as old as pf.

Sir,

Looking at the rules actually shows an unexpected result:


[0]-[sn386.localdomain]-[/root]
# pfctl -s rules
block return all
match log on vic0 inet proto icmp from any to ! 8.8.8.8
match log on vic0 inet proto icmp from any to 8.8.4.4
match log on vic0 proto icmp from any to ! dns
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010

I did my small test from yesterday again; I can imagine things, but not the
same twice ;-)

[0]-[sn386.localdomain]-[/root]
# tcpdump -tteni pflog0 icmp
[1] 25796
[0]-[sn386.localdomain]-[/root]
# tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=26.397 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=24.652 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=28.601 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=23.564 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 23.564/25.803/28.601/1.911 ms
[0]-[sn386.localdomain]-[/root]
# ping -c 4 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=51 time=30.802 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=51 time=21.942 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=51 time=28.501 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=51 time=28.315 ms
--- 8.8.4.4 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 21.942/27.390/30.802/3.294 ms
[0]-[sn386.localdomain]-[/root]
# ping -c 4 192.168.238.1
PING 192.168.238.1 (192.168.238.1): 56 data bytes
64 bytes from 192.168.238.1: icmp_seq=0 ttl=128 time=0.452 ms
1432296447.095596 rule 1/(match) match out on vic0: 192.168.238.133 > 192.168.238.1: icmp: echo request
1432296447.095604 rule 3/(match) match out on vic0: 192.168.238.133 > 192.168.238.1: icmp: echo request
64 bytes from 192.168.238.1: icmp_seq=1 ttl=128 time=0.321 ms
64 bytes from 192.168.238.1: icmp_seq=2 ttl=128 time=0.379 ms
64 bytes from 192.168.238.1: icmp_seq=3 ttl=128 time=0.406 ms
--- 192.168.238.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.321/0.389/0.452/0.051 ms
[0]-[sn386.localdomain]-[/root]
#

Only 192.168.238.1 shows up in pflog0.

These results are really puzzling for me.
When I first tested the table negation I was really glad that list negation
was possible;
the (block) alternative is often ridiculous to write.



-- 
-
() ascii ribbon campaign - against html e-mail
/\


Re: pf.conf from/to negation homogeneous behavior

2015-05-22 Thread Henning Brauer
* sven falempin sven.falem...@gmail.com [2015-05-22 14:18]:
 Looking at the rules actually shows an unexpected result:

 match log on vic0 inet proto icmp from any to ! 8.8.8.8
 match log on vic0 inet proto icmp from any to 8.8.4.4

so it's even worse, you lose the negation on expansion for subsequent
rules.

 These results are really puzzling for me.
 When I first tested the table negation I was really glad that list negation
 was possible;
 the (block) alternative is often ridiculous to write.

so use a table - since lists are expanded at load time, negation there
just can't work that way.


Re: pf.conf from/to negation homogeneous behavior

2015-05-22 Thread sven falempin
On Fri, May 22, 2015 at 1:13 PM, Henning Brauer hb-openbsdt...@ml.bsws.de
wrote:

 * sven falempin sven.falem...@gmail.com [2015-05-22 16:33]:
  But it does not explain the output I have.

 otoh I'd say your diff is incomplete and misses a bit in expand_rule.


OK, I get it now: log is not like pass; whether to log or not is computed
through the ruleset and used at the end, so the !dns was clearing the mistake.

So no ! { } for the moment, as it is a misleading expansion, even doing
it like this:

Index: parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.648
diff -u -p -r1.648 parse.y
--- parse.y 21 Apr 2015 16:34:59 -  1.648
+++ parse.y 22 May 2015 18:56:35 -
@@ -2563,7 +2563,12 @@ optnl: '\n' optnl

 ipspec : ANY   { $$ = NULL; }
| xhost { $$ = $1; }
-   | '{' optnl host_list '}'   { $$ = $3; }
+   | not '{'  optnl host_list '}'  {
+   struct node_host*n;
+   for (n = $4; n != NULL; n = n-next)
+   n-not = $1;
+   $$ = $4;
+   }
;
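Review bot: the loop now tags every node_host, but the expansion problem Henning raised is unchanged: the list is still split into one rule per host, and a packet to 8.8.4.4 still matches the expanded `to ! 8.8.8.8` rule, so the rules together still match everything; the negation would have to be applied to the list as a whole in expand_rule (or the list folded into a table) rather than copied onto each node. Also, `n->not = $1` overwrites whatever `!` was written on an individual host inside the braces, so a per-host form such as `{ !1.1.1.1 !2.2.2.2 }` is either silently reset to the outer value (if `not` may be empty) or the un-prefixed `{ ... }` form stops parsing altogether; either way the existing per-host negation needs handling.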

Creating an anonymous table would be a bad idea because it would be hard to
flush during a reload?


Re: pf.conf from/to negation homogeneous behavior

2015-05-22 Thread Henning Brauer
* sven falempin sven.falem...@gmail.com [2015-05-22 16:33]:
 But it does not explain the output I have.

otoh I'd say your diff is incomplete and misses a bit in expand_rule.



pf.conf from/to negation homogeneous behavior

2015-05-21 Thread sven falempin
Dear Tech,

I propose

Index: pfctl/parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.648
diff -u -p -r1.648 parse.y
--- pfctl/parse.y   21 Apr 2015 16:34:59 -  1.648
+++ pfctl/parse.y   21 May 2015 15:21:54 -
@@ -2563,7 +2563,7 @@ optnl : '\n' optnl

 ipspec : ANY   { $$ = NULL; }
| xhost { $$ = $1; }
-   | '{' optnl host_list '}'   { $$ = $3; }
+   | not '{'  optnl host_list '}'  { $$ = $4; $$-not = $1; }
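Review bot: `$$->not = $1` in the `+` line marks only the head of the `host_list` linked list, so every host after the first is emitted without its negation; the `pfctl -s rules` output later in this thread shows exactly that (`to ! 8.8.8.8` followed by `to 8.8.4.4`). Walk the list instead, as the revised diff in this thread does with `for (n = $4; n != NULL; n = n->next) n->not = $1;`. Even then the list is still expanded into one rule per host at load time, so `to !{ 8.8.8.8, 8.8.4.4 }` becomes `to ! 8.8.8.8` plus `to ! 8.8.4.4`, which together match every destination; the grammar change alone cannot give the table-style "none of these" semantics.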


I tested it on i386 -current with a small ruleset; ! table and ! {} now have the
same behavior,
and I can see the ping in pflog0 only if it is not to a destination in dns:

#   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return# block stateless traffic

table dns { 8.8.8.8, 8.8.4.4 }

match log on vic0 proto icmp from any to !{ 8.8.8.8, 8.8.4.4 }
#match log on vic0 proto icmp from any to ! dns
#match log on vic0 proto icmp from any to dns
#match log on vic0 proto icmp from any to { 8.8.8.8, 8.8.4.4 }

pass# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

Thank you for reading.