From: Xin Li <delphij@delphij.net>
Reply-To: d@delphij.net
To: Kristof Provost, d@delphij.net
Cc: freebsd-net@freebsd.org, FreeBSD stable
Subject: Re: [pf] stable/12: block by OS broken
Date: Wed, 17 Feb 2021 22:57:06 -0800
Message-ID: <323f0a06-5b47-19d7-25f9-08c863f9daa8@delphij.net>
In-Reply-To: <11E53D9F-CE51-4726-85FB-A0B4558572CD@FreeBSD.org>
References: <37b0e157-8173-7fb7-7ca3-c4a8b2ad0b31@delphij.net> <11E53D9F-CE51-4726-85FB-A0B4558572CD@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)
On 2/17/21 22:35, Kristof Provost wrote:
> On 18 Feb 2021, at 6:01, Xin Li wrote:
>
> Hi,
>
> It appears that some change between 939430f2377 (December 31) and
> b4bf7bdeb70 (today) on stable/12 has broken pf in a way that the
> following rule:
>
> block in quick proto tcp from any os "Linux" to any port ssh
>
> would get interpreted as:
>
> block drop in quick proto tcp from any to any port = 22
>
> (and block all SSH connections instead of just the ones initiated from
> Linux).
>
> Thanks for the report. I think I see the problem.
>
> Can you test this patch?
>
> diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
> index 593a38d4a360..458c6af3fa5e 100644
> --- a/sys/netpfil/pf/pf_ioctl.c
> +++ b/sys/netpfil/pf/pf_ioctl.c
> @@ -1623,7 +1623,7 @@ pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
>  	/* Don't allow userspace to set evaulations, packets or bytes. */
>  	/* kif, anchor, overload_tbl are not copied over. */
> -	krule->os_fingerprint = krule->os_fingerprint;
> +	krule->os_fingerprint = rule->os_fingerprint;
>  	krule->rtableid = rule->rtableid;
>  	bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));
>
> With any luck we'll be able to include the fix in 13.0.

Thanks, I'll try this on a -CURRENT box which is exhibiting the same issue
and report back as soon as possible.

Cheers,
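Review bot: the removed line is a self-assignment, `krule->os_fingerprint = krule->os_fingerprint;`, so the fingerprint the user supplied in `rule` never reached the kernel rule and `krule` kept whatever it already held, which is exactly why `pfctl -sr` printed the rule with the `os "Linux"` clause gone and the block widened to every source host. The added line, `krule->os_fingerprint = rule->os_fingerprint;`, is the right fix and matches the `krule->rtableid = rule->rtableid;` pattern of the surrounding copies. Two things I would add with it: a sweep of the other `krule->x = ...->x` lines in `pf_rule_to_krule()` for the same slip (clang's -Wself-assign-field catches this pattern at compile time, so it is worth making sure that warning is not being masked), and a regression test in tests/sys/netpfil/pf that loads `block in quick proto tcp from any os "Linux" to any port ssh` and asserts that `pfctl -sr` still prints the `os "Linux"` clause, since a qualifier that silently drops out of a rule is a fail-open bug and no existing test caught it.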
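The failure mode in this thread is a rule qualifier that silently disappears between pf.conf and the loaded ruleset, so the cheapest guard is to diff the two. The following script is an added example, not code from the thread, from FreeBSD or from pfctl: it compares each rule as written against the line `pfctl -sr` prints for it and reports qualifiers that went missing. The sample lines are constructed from the report (the "fixed kernel" line is what a correct kernel is assumed to print); the regexes cover only simple single-value qualifiers, and rules are matched by position, which assumes the main ruleset is printed in pf.conf order without anchors.

```python
"""Smoke test for pf rule qualifiers lost on the way into the kernel.

Added example for this thread, not code from FreeBSD or from the posters.
The bug discussed here turned `from any os "Linux"` into `from any`, so the
check compares each rule as written in pf.conf against the corresponding
line `pfctl -sr` prints and reports qualifiers that went missing.

Assumptions (not from the thread): rules are matched by position, which
holds when pfctl -sr prints the main ruleset in pf.conf order with no
anchors; the qualifier regexes cover only the simple single-value forms.
"""
import re
import subprocess

# Qualifiers whose loss silently widens a rule. Each regex captures the value
# in both pf.conf syntax and the form pfctl -sr prints ("port = 22").
QUALIFIERS = {
    "os": re.compile(r'\bos\s+"([^"]+)"'),
    "proto": re.compile(r"\bproto\s+(\S+)"),
    "quick": re.compile(r"\b(quick)\b"),
    "port": re.compile(r"\bport\s+(?:=\s+)?(\S+)"),
}

# Constructed sample: the rule from the report, the broken pfctl -sr line the
# report quotes, and the line a fixed kernel is assumed to produce.
CONF_RULES = ['block in quick proto tcp from any os "Linux" to any port ssh']
BROKEN_LOADED = ["block drop in quick proto tcp from any to any port = 22"]
FIXED_LOADED = ['block drop in quick proto tcp from any os "Linux" to any port = 22']


def parse_rule(text):
    """Return {qualifier: value} for the qualifiers present in one rule line."""
    found = {}
    for name, rx in QUALIFIERS.items():
        m = rx.search(text)
        if m:
            found[name] = m.group(1)
    return found


def dropped_qualifiers(conf_rule, loaded_rule):
    """Qualifiers present in the written rule but absent (or, for os, changed)
    in the loaded rule. Port values are only checked for presence, because
    pfctl may print "ssh" as "22"."""
    want = parse_rule(conf_rule)
    got = parse_rule(loaded_rule)
    dropped = []
    for name, value in want.items():
        if name not in got or (name == "os" and got[name] != value):
            dropped.append(name)
    return dropped


def check_ruleset(conf_rules, loaded_rules):
    """Map rule index -> dropped qualifiers for every rule that lost something."""
    if len(conf_rules) != len(loaded_rules):
        raise ValueError(
            f"rule count differs: {len(conf_rules)} written, {len(loaded_rules)} loaded"
        )
    report = {}
    for i, (conf, loaded) in enumerate(zip(conf_rules, loaded_rules)):
        dropped = dropped_qualifiers(conf, loaded)
        if dropped:
            report[i] = dropped
    return report


def live_ruleset():
    """On a FreeBSD host, read the loaded ruleset from `pfctl -sr` (needs root)."""
    out = subprocess.run(["pfctl", "-sr"], check=True, capture_output=True, text=True)
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    print("broken kernel:", check_ruleset(CONF_RULES, BROKEN_LOADED))  # {0: ['os']}
    print("fixed kernel: ", check_ruleset(CONF_RULES, FIXED_LOADED))   # {}
```

On a real host, replace `BROKEN_LOADED` with `live_ruleset()` and the written rules with the uncommented lines of pf.conf; any non-empty report means the kernel is enforcing a broader rule than the one you wrote, which is the fail-open direction and worth treating as a blocking finding rather than a cosmetic one.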