From owner-freebsd-pf@FreeBSD.ORG Wed Mar 20 15:23:49 2013
Delivered-To: freebsd-pf@freebsd.org
Date: Wed, 20 Mar 2013 16:23:43 +0100
In-Reply-To: <5149BE75.3040308@incore.de>
References: <5134C218.6060701@incore.de> <5149BE75.3040308@incore.de>
Subject: Re: [patch] Reloading pf rules breaks connections on lo0
From: Ermal Luçi
To: Andreas Longwitz
Cc: freebsd-pf@freebsd.org
List-Id: Technical discussion and general questions about packet filter (pf)

That is intended behavior.
There is an option -m to merge the configs which should not break it.

On Wed, Mar 20, 2013 at 2:49 PM, Andreas Longwitz wrote:
> On 04.03.2013 16:47, Andreas Longwitz wrote:
>> I run FreeBSD 8 Stable with pf enabled and have the line
>>     set skip on lo0
>> in my /etc/pf.conf. Reloading the pf rules with
>>     pfctl -f /etc/pf.conf
>> breaks any active running connections on lo0.
>>
>> Example:
>> -> scp bigfile 127.0.0.1:bigfile.copy
>> bigfile                  10%   96MB  10.5MB/s   01:15 ETA
>> Write failed: Operation not permitted
>> lost connection
>>
>> In pflog I see
>> 15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
>> 15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
>> 15:33:37.311153 127.0.0.1 -> 127.0.0.1 TCP 2212 [block lo0/0] 52650 > ssh [FIN, PSH, ACK] Seq=14337 Ack=1 Win=8960 Len=2096
>> 15:33:37.314473 127.0.0.1 -> 127.0.0.1 TCP 116 [block lo0/0] ssh > 52650 [FIN, ACK] Seq=49 Ack=1 Win=8960 Len=0
>>
>> I can avoid the break on active connections on lo0 using the commands
>>     pfctl -d
>>     pfctl -f /etc/pf.conf
>>     pfctl -e
>> but this may break other things and is not what I want.
>>
>> From man pf.conf "set skip on .."
>>     Packets passing in or out on such interfaces are passed as if pf was
>>     disabled, i.e. pf does not process them in any way.
>>
>> I think this should be true for reloading the rules too.
>>
>
> This problem is caused by the way pfctl -f works: In a first step the
> kernel is requested to clear all interface flags, therefore the kernel does
> not respect an old skip lo0 rule anymore. In a second step the new file
> pf.conf - with skip lo0 included - is loaded in the kernel. So there is a
> short time window between step 1 and step 2 without any active skip rule in
> the kernel. A running socket on lo0 will break immediately. This behavior
> of pfctl is well known, see kern/166336.
>
> To get rid of the problem I use the following patch for pfctl. The patch
> executes the first step only if a new option c (=clearifflag) is given.
> Therefore a simple pfctl -f /etc/pf.conf does not break running connections
> on lo0 anymore.
>
> --- pfctl_parser.h.orig 2013-01-14 15:17:48.000000000 +0100
> +++ pfctl_parser.h 2013-03-19 18:22:39.000000000 +0100
> @@ -51,6 +51,7 @@
>  #define PF_OPT_NUMERIC 0x1000
>  #define PF_OPT_MERGE 0x2000
>  #define PF_OPT_RECURSE 0x4000
> +#define PF_OPT_CLRIFFLAG 0x10000
>  
>  #define PF_TH_ALL 0xFF
>  
> --- pfctl.c.orig 2013-01-14 15:17:48.000000000 +0100
> +++ pfctl.c 2013-03-19 18:40:02.000000000 +0100
> @@ -235,7 +235,7 @@
>  {
>  	extern char *__progname;
>  
> -	fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
> +	fprintf(stderr, "usage: %s [-AcdeghmNnOPqRrvz] ", __progname);
>  	fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
>  	fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
>  	fprintf(stderr, "[-k host | network ]\n");
> @@ -301,7 +301,8 @@
>  {
>  	struct pfioc_iface pi;
>  
> -	if ((opts & PF_OPT_NOACTION) == 0) {
> +	if (((opts & PF_OPT_NOACTION) == 0) &&
> +	    ((opts & PF_OPT_CLRIFFLAG) != 0)) {
>  		bzero(&pi, sizeof(pi));
>  		pi.pfiio_flags = PFI_IFLAG_SKIP;
>  
> @@ -1980,11 +1981,14 @@
>  		usage();
>  
>  	while ((ch = getopt(argc, argv,
> -	    "a:AdD:eqf:F:ghi:k:K:mnNOo::**Pp:rRs:t:T:vx:z")) != -1) {
> +	    "a:AcdD:eqf:F:ghi:k:K:mnNOo::**Pp:rRs:t:T:vx:z")) != -1) {
>  		switch (ch) {
>  		case 'a':
>  			anchoropt = optarg;
>  			break;
> +		case 'c':
> +			opts |= PF_OPT_CLRIFFLAG;
> +			break;
>  		case 'd':
>  			opts |= PF_OPT_DISABLE;
>  			mode = O_RDWR;
>
> A better solution for the skip-problem requires assistance of the kernel.
> With a function pfctl_get_interface_flags() pfctl could show the active
> skip interfaces (not possible now) and realize a one shot solution for
> reloading all rules.
>
>
> Andreas Longwitz

-- 
Ermal
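Review bot: in the pfctl_parser.h hunk, PF_OPT_CLRIFFLAG is given 0x10000 while the visible neighbours run 0x1000, 0x2000, 0x4000, so 0x8000 is skipped without explanation. If 0x8000 is free in the rest of the header, use it; otherwise add a one-line comment saying why bit 16 was chosen, and confirm that `opts` is wide enough (at least 32 bits) so the new bit is never truncated.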
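Review bot: the usage() hunk only adds the letter c to "[-AcdeghmNnOPqRrvz]", so a user has no way to learn what -c does. The new option needs a matching pfctl.8 entry stating that -c clears the interface skip flags before -f loads a ruleset, and, more importantly, that without -c skip flags left by the previous load are now kept.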
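Review bot: the @@ -301 hunk changes the default for every plain `pfctl -f` reload, not just the lo0 case: once PFI_IFLAG_SKIP is only cleared when PF_OPT_CLRIFFLAG is set, an interface that had `set skip` in the old ruleset but not in the new one keeps its skip flag, and traffic on it silently bypasses pf until someone runs with -c or disables and re-enables pf. Because the flag then lives only in the kernel, an administrator who removed `set skip on em0` from pf.conf cannot see from the file that em0 is still unfiltered. Consider the inverse default (clear unless an option asks to keep the flags), or at least print a warning when -f runs without -c and existing skip flags are left in place; the -m merge path mentioned in the reply above may already cover the reload-without-gap case.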
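Review bot: in the getopt hunk the option string on both the - and + lines reads "o::**Pp:", and the same "**" appears in the mangled list footer below, so it is mail-transport damage rather than source text; apply the patch from an unmangled copy rather than by retyping from this message. Also, `case 'c'` only sets the bit, and nothing checks that -f is given as well; a warning when PF_OPT_CLRIFFLAG is set without a ruleset file would make a no-op invocation visible.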
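As an added example, not part of this thread or of pfctl itself: a small check a defender can run over pflog text laid out like the records Andreas pasted above. It reads the `set skip on` interfaces from a pf.conf fragment and reports every block record on an interface the ruleset says pf should not process at all, which is the symptom the thread describes for the reload window (and would equally expose a stale or mismatched skip flag). The pf.conf fragment and the log lines are constructed samples; the em0 record is there to show a block that is correctly not flagged.

```python
import re

# Constructed sample pf.conf fragment (not the poster's actual file).
PF_CONF = """
set skip on lo0
set skip on { em1, em2 }
block log all
pass out on em0 keep state
"""

# Constructed pflog text laid out like the records pasted in the thread, one per line.
PFLOG = """
15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
15:33:38.000000 10.0.0.5 -> 10.0.0.9 TCP 60 [block em0/3] 44321 > http [SYN] Seq=0 Win=65535 Len=0
"""

# 'set skip on lo0' or 'set skip on { em1, em2 }' (comma- or space-separated list).
SKIP_RE = re.compile(r"^\s*set\s+skip\s+on\s+(\{[^}]*\}|\S+)")
# <time> <src> -> <dst> <proto> <len> [<action> <iface>/<rule>] ...
LOG_RE = re.compile(r"^(\S+)\s+(\S+) -> (\S+) (\S+) (\d+) \[(\w+) ([^/\]]+)/(\d+)\]")

def skipped_interfaces(conf: str) -> set[str]:
    """Interfaces named in 'set skip on' lines of a pf.conf text."""
    ifaces: set[str] = set()
    for line in conf.splitlines():
        m = SKIP_RE.match(line)
        if m:
            ifaces.update(m.group(1).strip("{}").replace(",", " ").split())
    return ifaces

def blocks_on_skipped(conf: str, pflog: str) -> list[dict[str, str]]:
    """Block records on interfaces the ruleset says pf must not process at all."""
    skipped = skipped_interfaces(conf)
    hits: list[dict[str, str]] = []
    for line in pflog.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank line or something that is not a pflog record
        when, src, dst, proto, _length, action, iface, rule = m.groups()
        if action == "block" and iface in skipped:
            hits.append({"time": when, "iface": iface, "rule": rule,
                         "proto": proto, "src": src, "dst": dst})
    return hits

if __name__ == "__main__":
    for h in blocks_on_skipped(PF_CONF, PFLOG):
        print(f"{h['time']} blocked {h['proto']} {h['src']} -> {h['dst']} on skipped {h['iface']} (rule {h['rule']})")
```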