Date:      Wed, 17 Feb 2021 22:57:06 -0800
From:      Xin Li <delphij@delphij.net>
To:        Kristof Provost <kp@FreeBSD.org>, d@delphij.net
Cc:        freebsd-net@freebsd.org, FreeBSD stable <freebsd-stable@freebsd.org>
Subject:   Re: [pf] stable/12: block by OS broken
Message-ID:  <323f0a06-5b47-19d7-25f9-08c863f9daa8@delphij.net>
In-Reply-To: <11E53D9F-CE51-4726-85FB-A0B4558572CD@FreeBSD.org>
References:  <37b0e157-8173-7fb7-7ca3-c4a8b2ad0b31@delphij.net> <11E53D9F-CE51-4726-85FB-A0B4558572CD@FreeBSD.org>

On 2/17/21 22:35, Kristof Provost wrote:
> On 18 Feb 2021, at 6:01, Xin Li wrote:
>
>     Hi,
>
>     It appears that some change between 939430f2377 (December 31) and
>     b4bf7bdeb70 (today) on stable/12 has broken pf in a way that the
>     following rule:
>
>     block in quick proto tcp from any os "Linux" to any port ssh
>
>     would get interpreted as:
>
>     block drop in quick proto tcp from any to any port = 22
>
>     (and block all SSH connections instead of just the ones initiated from
>     Linux).
>
> Thanks for the report. I think I see the problem.
>
> Can you test this patch?
>
> |diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
> index 593a38d4a360..458c6af3fa5e 100644 --- a/sys/netpfil/pf/pf_ioctl.c=

> +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1623,7 +1623,7 @@
> pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule) /*=

> Don't allow userspace to set evaulations, packets or bytes. */ /* kif,
> anchor, overload_tbl are not copied over. */ - krule->os_fingerprint =3D=

> krule->os_fingerprint; + krule->os_fingerprint =3D rule->os_fingerprint=
;
> krule->rtableid =3D rule->rtableid; bcopy(rule->timeout, krule->timeout=
,
> sizeof(krule->timeout)); |
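Review bot: the `-` line assigns `krule->os_fingerprint` to itself, so the kernel-side rule never receives the fingerprint from the userspace `pf_rule` and the `os "Linux"` qualifier is silently dropped; the `+` line's `krule->os_fingerprint = rule->os_fingerprint;` is the right fix and matches the neighbouring `krule->rtableid = rule->rtableid;`. Two follow-ups worth raising: a self-assignment like the removed line is exactly what clang's `-Wself-assign` reports, so it is worth checking why the kernel build did not flag it; and a regression test that loads a rule carrying an `os` clause and confirms `pfctl -sr` still prints it would keep the qualifier from being lost again (note that the same defect on a `pass` rule would widen what is permitted rather than what is blocked). Minor style point in the same hunk: the comment misspells "evaluations" as "evaulations".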
>
> With any luck we’ll be able to include the fix in 13.0.

Thanks, I'll try this on a -CURRENT box which is exhibiting the same
issue and report back as soon as possible.

Cheers,


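The report above shows the symptom to watch for: a rule that carries an `os` qualifier in pf.conf comes back from the kernel without it. The following script, added here as an example and not part of this thread or of the FreeBSD tree, compares the rules in a pf.conf fragment against the output of `pfctl -sr` and flags any rule whose OS-fingerprint constraint did not survive loading. It assumes that `pfctl -sr` prints rules in the same order as the source file (no anchors, macros or lists), and the sample rulesets embedded in it are constructed from the lines quoted in the report.

```python
"""
Check that OS-fingerprint constraints in a pf ruleset survive loading.

Added example, not code from the thread or from FreeBSD. Assumes that
`pfctl -sr` emits rules in source order, so rules can be paired by
position; anchors, macros and lists are not handled.
"""
import re

# `os "Name"` qualifier as written in pf.conf and as printed by pfctl -sr.
OS_RE = re.compile(r'\bos\s+"([^"]+)"')
# Lines that are filter rules (other lines are options, macros, comments).
RULE_RE = re.compile(r'^\s*(pass|block|match)\b')


def rule_lines(text):
    """Return the filter rules in `text`, comments and blank lines removed."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if RULE_RE.match(line):
            out.append(line)
    return out


def os_constraint(rule):
    """Return the fingerprint name of a rule's `os` clause, or None."""
    m = OS_RE.search(rule)
    return m.group(1) if m else None


def find_dropped_os_constraints(conf_text, loaded_text):
    """Pair source rules with loaded rules and report lost `os` clauses."""
    src = rule_lines(conf_text)
    loaded = rule_lines(loaded_text)
    if len(src) != len(loaded):
        raise ValueError(
            f"rule count mismatch: {len(src)} in source, {len(loaded)} loaded")
    findings = []
    for s, l in zip(src, loaded):
        want = os_constraint(s)
        if want is not None and os_constraint(l) != want:
            findings.append({"source": s, "loaded": l, "expected_os": want})
    return findings


# Constructed sample input modelled on the report: the source rule carries
# os "Linux"; the "buggy" loaded ruleset is what a kernel with the
# self-assignment defect prints back, the "fixed" one keeps the qualifier.
SAMPLE_CONF = '''
# constructed pf.conf fragment
block in quick proto tcp from any os "Linux" to any port ssh
pass in proto tcp from any to any port ssh
'''

SAMPLE_LOADED_BUGGY = '''
block drop in quick proto tcp from any to any port = 22
pass in proto tcp from any to any port = 22
'''

SAMPLE_LOADED_FIXED = '''
block drop in quick proto tcp from any os "Linux" to any port = 22
pass in proto tcp from any to any port = 22
'''

if __name__ == "__main__":
    for name, loaded in (("buggy", SAMPLE_LOADED_BUGGY),
                         ("fixed", SAMPLE_LOADED_FIXED)):
        findings = find_dropped_os_constraints(SAMPLE_CONF, loaded)
        print(f"{name}: {len(findings)} rule(s) lost their os constraint")
        for f in findings:
            print(f'  expected os "{f["expected_os"]}" in: {f["loaded"]}')
```

On a real host the second argument would be the captured output of `pfctl -sr` and the first the contents of the ruleset file; the parser is deliberately minimal and only looks at the one qualifier the report is about, so any mismatch in rule count is raised as an error rather than silently paired.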