Date: Wed, 17 Feb 2021 23:06:14 -0800
From: Xin Li <delphij@delphij.net>
To: Kristof Provost <kp@FreeBSD.org>, d@delphij.net
Cc: freebsd-net@freebsd.org, FreeBSD stable <freebsd-stable@freebsd.org>
Subject: Re: [pf] stable/12: block by OS broken
Message-ID: <be645179-b0d0-cbae-e628-4630b046dade@delphij.net>
In-Reply-To: <323f0a06-5b47-19d7-25f9-08c863f9daa8@delphij.net>
References: <37b0e157-8173-7fb7-7ca3-c4a8b2ad0b31@delphij.net> <11E53D9F-CE51-4726-85FB-A0B4558572CD@FreeBSD.org> <323f0a06-5b47-19d7-25f9-08c863f9daa8@delphij.net>
On 2/17/21 22:57, Xin Li wrote:
> On 2/17/21 22:35, Kristof Provost wrote:
>> On 18 Feb 2021, at 6:01, Xin Li wrote:
>>
>> Hi,
>>
>> It appears that some change between 939430f2377 (December 31) and
>> b4bf7bdeb70 (today) on stable/12 has broken pf in a way that the
>> following rule:
>>
>> block in quick proto tcp from any os "Linux" to any port ssh
>>
>> would get interpreted as:
>>
>> block drop in quick proto tcp from any to any port = 22
>>
>> (and block all SSH connections instead of just the ones initiated from
>> Linux).
>>
>> Thanks for the report. I think I see the problem.
>>
>> Can you test this patch?
>>
>> |diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c >> index 593a38d4a360..458c6af3fa5e 100644 --- a/sys/netpfil/pf/pf_ioctl.= c >> +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -1623,7 +1623,7 @@ >> pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule) /= * >> Don't allow userspace to set evaulations, packets or bytes. */ /* kif,= >> anchor, overload_tbl are not copied over. */ - krule->os_fingerprint =3D= >> krule->os_fingerprint; + krule->os_fingerprint =3D rule->os_fingerprin= t; >> krule->rtableid =3D rule->rtableid; bcopy(rule->timeout, krule->timeou= t, >> sizeof(krule->timeout)); |
>>
>> With any luck we’ll be able to include the fix in 13.0.
>
> Thanks, I'll try this on a -CURRENT box which is exhibiting the same
> issue and report back as soon as possible.

And I can confirm that this fixed the issue on -CURRENT, thanks for the
quick fix!

Cheers,
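Review bot: The `-`/`+` pair in this hunk is the whole bug: the removed line `krule->os_fingerprint = krule->os_fingerprint;` assigns the field to itself, so the fingerprint userspace supplied in `rule` never reached the kernel rule and the `os "Linux"` restriction was silently dropped, which is exactly why `pfctl` printed the rule as `from any to any port = 22` and it blocked every SSH client; copying from `rule->os_fingerprint` is the correct fix. Two follow-ups would keep this from recurring: build this file with a self-assignment warning enabled (clang's `-Wself-assign` flags precisely this pattern), and add a regression test that loads a rule carrying an `os` qualifier and checks that `pfctl -sr` still shows it, because a dropped qualifier widens a block rule into blocking everyone and would widen a pass rule into admitting everyone.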
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?be645179-b0d0-cbae-e628-4630b046dade>
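As an added example, not from this thread or from the FreeBSD tree: a small Python check for the drift Xin Li spotted by hand, comparing the `os` qualifier of each filter rule in pf.conf with the same rule as printed by `pfctl -sr`. The sample rule lines are constructed from the report, and the check assumes the rules are already expanded so that pf.conf filter rules and `pfctl -sr` lines correspond one to one.

```python
import re

# Constructed samples based on the report: the rule as written in pf.conf,
# the line `pfctl -sr` printed on the broken kernel, and on a fixed one.
PF_CONF = '''
# constructed pf.conf fragment
ext_if = "em0"
block in quick proto tcp from any os "Linux" to any port ssh
pass in on $ext_if proto tcp to any port ssh
'''
PFCTL_SR_BROKEN = '''
block drop in quick proto tcp from any to any port = 22
pass in on em0 proto tcp from any to any port = 22 flags S/SA keep state
'''
PFCTL_SR_FIXED = '''
block drop in quick proto tcp from any os "Linux" to any port = 22
pass in on em0 proto tcp from any to any port = 22 flags S/SA keep state
'''

OS_RE = re.compile(r'\bos\s+"([^"]+)"')
RULE_START = ("pass", "block", "match")

def filter_rules(text):
    """Keep only filter rules (skip blank lines, comments, macros, options)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and line.split()[0] in RULE_START:
            rules.append(line)
    return rules

def os_qualifier(rule):
    """Return the OS fingerprint name a rule is restricted to, or None."""
    m = OS_RE.search(rule)
    return m.group(1) if m else None

def widened_rules(conf_text, pfctl_text):
    """Pair each pf.conf filter rule with the loaded rule at the same position
    and report those whose `os` restriction the kernel dropped, i.e. rules
    that now match every host instead of only the fingerprinted ones."""
    conf, loaded = filter_rules(conf_text), filter_rules(pfctl_text)
    if len(conf) != len(loaded):
        raise ValueError(f"rule count mismatch: {len(conf)} written, {len(loaded)} loaded")
    findings = []
    for src, live in zip(conf, loaded):
        want = os_qualifier(src)
        if want is not None and os_qualifier(live) != want:
            findings.append({"written": src, "loaded": live, "dropped_os": want})
    return findings

if __name__ == "__main__":
    for f in widened_rules(PF_CONF, PFCTL_SR_BROKEN):
        print(f"os {f['dropped_os']!r} dropped: {f['written']!r} loaded as {f['loaded']!r}")
```

On a live host the two inputs would be the pf.conf text and the output of `pfctl -sr`; the broken sample yields one finding, the fixed sample none.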