From owner-freebsd-stable@freebsd.org Thu Feb 18 05:02:00 2021
From: Xin Li
Reply-To: d@delphij.net
To: freebsd-net@freebsd.org, FreeBSD stable
Cc: Kristof Provost
Subject: [pf] stable/12: block by OS broken
Message-ID: <37b0e157-8173-7fb7-7ca3-c4a8b2ad0b31@delphij.net>
Date: Wed, 17 Feb 2021 21:01:50 -0800
List-Id: Production branch of FreeBSD source code

Hi,

It appears that some change between 939430f2377 (December 31) and b4bf7bdeb70 (today) on stable/12 has broken pf in a way that the following rule:

    block in quick proto tcp from any os "Linux" to any port ssh

would get interpreted as:

    block drop in quick proto tcp from any to any port = 22

(and block all SSH connections instead of just the ones initiated from Linux).
Cheers,
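A regression check for the behaviour described in the report, added here as an example; it is not part of Xin Li's message or of pf/pfctl. It compares the pf.conf text as written with the text pfctl prints back after parsing it, and flags any rule whose `os "..."` qualifier did not survive loading, which is exactly the silent widening from "block Linux on ssh" to "block everyone on ssh" reported above. The two loaded rulesets are constructed sample input that mirrors the rule and the pfctl output quoted in the report; the exact `pfctl -sr` formatting of a healthy ruleset is an assumption.

```python
import re
from typing import Dict, List

# An OS fingerprint qualifier as written in pf.conf and as pfctl prints it
# back: os "Linux", os "OpenBSD 4.x", ...  The \b keeps "proto" and the like
# from matching.
OS_QUALIFIER = re.compile(r'\bos\s+"([^"]+)"')


def os_rules(ruleset: str) -> Dict[str, List[str]]:
    """Map each OS fingerprint name to the rules that carry it.

    Comment and blank lines are skipped; every other line is treated as one
    rule (a '#' inside a quoted string is not handled, which is enough for a
    regression check).
    """
    found: Dict[str, List[str]] = {}
    for line in ruleset.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for name in OS_QUALIFIER.findall(line):
            found.setdefault(name, []).append(line)
    return found


def dropped_os_qualifiers(source: str, loaded: str) -> List[str]:
    """Return the source rules whose OS qualifier is missing from `loaded`.

    `source` is the pf.conf text; `loaded` is what `pfctl -sr` (or
    `pfctl -nvf pf.conf`) prints for it. pfctl normalises rules (adds the
    default `drop`, turns `ssh` into `= 22`), so rules are compared by the OS
    names they mention, not by exact text.
    """
    wanted = os_rules(source)
    present = os_rules(loaded)
    missing: List[str] = []
    for name, rules in wanted.items():
        if len(present.get(name, [])) < len(rules):
            missing.extend(rules)
    return missing


# Constructed sample input mirroring the report: the rule as written in
# pf.conf, and the rule as pfctl printed it back on the affected stable/12.
SOURCE_RULESET = """
# keep Linux hosts away from sshd; everything else may still connect
block in quick proto tcp from any os "Linux" to any port ssh
pass in quick proto tcp from any to any port ssh
"""

BROKEN_LOADED = """
block drop in quick proto tcp from any to any port = 22
pass in quick proto tcp from any to any port = 22
"""

# Assumed output of a correctly behaving pfctl for the same source.
GOOD_LOADED = """
block drop in quick proto tcp from any os "Linux" to any port = 22
pass in quick proto tcp from any to any port = 22
"""


if __name__ == "__main__":
    for label, loaded in (("broken", BROKEN_LOADED), ("good", GOOD_LOADED)):
        lost = dropped_os_qualifiers(SOURCE_RULESET, loaded)
        if lost:
            print(f"[{label}] OS qualifier dropped from {len(lost)} rule(s):")
            for rule in lost:
                print("   ", rule)
        else:
            print(f"[{label}] all OS fingerprint qualifiers survived loading")
```

In practice `loaded` would be the captured output of `pfctl -nvf /etc/pf.conf` (parse without loading) or `pfctl -sr` after a load, and a non-empty result should stop the ruleset from being activated. The check is deliberately coarse: it matches on OS names only, so it catches a qualifier vanishing entirely, as in the report, but not a qualifier attached to the wrong rule.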