OpenBSD 6.8 errata 014 breaks pf


OpenBSD 6.8 errata 014 breaks pf

steffen
>Synopsis: After installing OpenBSD 6.8 errata 014 pf allows no connections and knows no tables
>Category: kernel
>Environment:
        System      : OpenBSD 6.8
        Details     : OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
                         [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        After patching my system with syspatch to 6.8-014 no connections to the server were possible, no ssh, no smtp, https, imap.  Disabling pf allowed connections.


>How-To-Repeat:

        Patch system using syspatch.

>Fix:
        I had to revert the most recently installed patch with syspatch -r.


dmesg:
OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2080231424 (1983MB)
avail mem = 2002292736 (1909MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf6a80 (9 entries)
bios0: vendor Hetzner version "20171111" date 11/11/2017
bios0: Hetzner vServer
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon Processor (Skylake, IBRS), 2100.30 MHz, 06-55-04
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,CLWB,AVX512CD,AVX512BW,AVX512VL,PKU,MD_CLEAR,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,XSAVEC,XGETBV1,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!)
cpu0: using VERW MDS workaround
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 96:00:00:11:9d:53
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00
vioscsi0 at virtio1: qsize 128
scsibus2 at vioscsi0: 255 targets
sd0 at scsibus2 targ 0 lun 0: <QEMU, QEMU HARDDISK, 2.5+>
sd0: 19532MB, 512 bytes/sector, 40001536 sectors, thin
virtio1: msix shared
virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
viomb0 at virtio2
virtio2: apic 0 int 10
virtio3 at pci0 dev 6 function 0 "Qumranet Virtio Console" rev 0x00
virtio3: no matching child driver; not configured
xhci0 at pci0 dev 7 function 0 vendor "Red Hat", unknown product 0x000d rev 0x01: apic 0 int 11, xHCI 0.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Red Hat xHCI root hub" rev 3.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
uhidev0 at uhub0 port 5 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (8571636dddb8c6f9.a) swap on sd0b dump on sd0b
fd0 at fdc0 drive 1: density unknown

usbdevs:
Controller /dev/usb0:
addr 01: 1b36:0000 Red Hat, xHCI root hub
         super speed, self powered, config 1, rev 1.00
         driver: uhub0
addr 02: 0627:0001 QEMU, QEMU USB Tablet
         high speed, power 100 mA, config 1, rev 0.00, iSerial 28754-0000:00:07.0-1
         driver: uhidev0


Re: OpenBSD 6.8 errata 014 breaks pf

Mikolaj Kucharski-3
On Thu, Feb 25, 2021 at 10:07:32AM +0100, [hidden email] wrote:

> >Synopsis: After installing OpenBSD 6.8 errata 014 pf allows no connections and knows no tables
> >Category: kernel
> >Environment:
> System      : OpenBSD 6.8
> Details     : OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
>
> Architecture: OpenBSD.amd64
> Machine     : amd64
> >Description:
> After patching my system with syspatch to 6.8-014 no connections to the server were possible, no ssh, no smtp, https, imap.  Disabling pf allowed connections.
>
>
> >How-To-Repeat:
>
>         Patch system using syspatch.
>
> >Fix:
>         I had to revert the most recently installed patch with syspatch -r.
>
>
> dmesg:
> OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
>     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC

Can you show your pf.conf? I don't see that problem here.

# syspatch | wc -l
       0

# sysctl -n kern.version
OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
[hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# pfctl -sr
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
block return out log proto tcp all user = 55
block return out log proto udp all user = 55

# grep -ve '^$' -e '^#' /etc/pf.conf
set skip on lo
block return    # block stateless traffic
pass            # establish keep-state
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild


OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4259995648 (4062MB)
avail mem = 4115845120 (3925MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xcfea7020 (12 entries)
bios0: vendor coreboot version "v4.10.0.0" date 08/08/2019
bios0: PC Engines apu3
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP SSDT APIC HEST IVRS SSDT SSDT HPET
acpi0: wakeup devices PWRB(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) UOH1(S3) UOH2(S3) UOH3(S3) UOH4(S3) UOH5(S3) UOH6(S3) XHC0(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD GX-412TC SOC, 998.26 MHz, 16-30-01
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD GX-412TC SOC, 998.14 MHz, 16-30-01
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: AMD GX-412TC SOC, 998.20 MHz, 16-30-01
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
cpu2: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: AMD GX-412TC SOC, 998.14 MHz, 16-30-01
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
cpu3: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
cpu3: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 21, 24 pins
ioapic1 at mainbus0: apid 5 pa 0xfec20000, version 21, 32 pins, remapped
acpihpet0 at acpi0: 14318180 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PBR4)
acpiprt2 at acpi0: bus 1 (PBR5)
acpiprt3 at acpi0: bus 2 (PBR6)
acpiprt4 at acpi0: bus 3 (PBR7)
acpiprt5 at acpi0: bus -1 (PBR8)
acpibtn0 at acpi0: PWRB
acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
acpicmos0 at acpi0
amdgpio0 at acpi0 GPIO uid 0 addr 0xfed81500/0x300 irq 7, 184 pins
"PRP0001" at acpi0 not configured
"PRP0001" at acpi0 not configured
"PRP0001" at acpi0 not configured
"PRP0001" at acpi0 not configured
"PRP0001" at acpi0 not configured
"PRP0001" at acpi0 not configured
"BOOT0000" at acpi0 not configured
acpicpu0 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
acpicpu1 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
acpicpu2 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
acpicpu3 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
cpu0: 998 MHz: speeds: 1000 800 600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD 16h Root Complex" rev 0x00
vendor "AMD", unknown product 0x1567 (class system subclass IOMMU, rev 0x00) at pci0 dev 0 function 2 not configured
pchb1 at pci0 dev 2 function 0 "AMD 16h Host" rev 0x00
ppb0 at pci0 dev 2 function 2 "AMD 16h PCIE" rev 0x00: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:4a:f9:b4
ppb1 at pci0 dev 2 function 3 "AMD 16h PCIE" rev 0x00: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:4a:f9:b5
ppb2 at pci0 dev 2 function 4 "AMD 16h PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:4a:f9:b6
ccp0 at pci0 dev 8 function 0 "AMD 16h Crypto" rev 0x00
xhci0 at pci0 dev 16 function 0 "AMD Bolton xHCI" rev 0x11: msi, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "AMD xHCI root hub" rev 3.00/1.00 addr 1
ahci0 at pci0 dev 17 function 0 "AMD Hudson-2 SATA" rev 0x39: msi, AHCI 1.3
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, Samsung SSD 850, EMT4> naa.5002538d42848069
sd0: 238475MB, 512 bytes/sector, 488397168 sectors, thin
ehci0 at pci0 dev 19 function 0 "AMD Hudson-2 USB2" rev 0x39: apic 4 int 18
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x42: SMI
iic0 at piixpm0
iic1 at piixpm0
pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
sdhc0 at pci0 dev 20 function 7 "AMD Bolton SD/MMC" rev 0x01: apic 4 int 16
sdhc0: SDHC 2.0, 50 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
pchb2 at pci0 dev 24 function 0 "AMD 16h Link Cfg" rev 0x00
pchb3 at pci0 dev 24 function 1 "AMD 16h Address Map" rev 0x00
pchb4 at pci0 dev 24 function 2 "AMD 16h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD 16h Misc Cfg" rev 0x00
pchb5 at pci0 dev 24 function 4 "AMD 16h CPU Power" rev 0x00
pchb6 at pci0 dev 24 function 5 "AMD 16h Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
intr_establish: pic ioapic0 pin 7: can't share type 3 with 2
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x52
vmm0 at mainbus0: SVM/RVI
uhub2 at uhub1 port 1 configuration 1 interface 0 "Advanced Micro Devices Hub" rev 2.00/0.18 addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (5dac508a191082e8.a) swap on sd0b dump on sd0b

--
Regards,
 Mikolaj


Re: OpenBSD 6.8 errata 014 breaks pf

Landry Breuil-5
On Thu, Feb 25, 2021 at 10:31:59AM +0000, Mikolaj Kucharski wrote:

> On Thu, Feb 25, 2021 at 10:07:32AM +0100, [hidden email] wrote:
> > >Synopsis: After installing OpenBSD 6.8 errata 014 pf allows no connections and knows no tables
> > >Category: kernel
> > >Environment:
> > System      : OpenBSD 6.8
> > Details     : OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> > [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
> >
> > Architecture: OpenBSD.amd64
> > Machine     : amd64
> > >Description:
> > After patching my system with syspatch to 6.8-014 no connections to the server were possible, no ssh, no smtp, https, imap.  Disabling pf allowed connections.
> >
> >
> > >How-To-Repeat:
> >
> >         Patch system using syspatch.
> >
> > >Fix:
> >         I had to revert the most recently installed patch with syspatch -r.
> >
> >
> > dmesg:
> > OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
>
> Can you show your pf.conf? I don't see that problem here.
>
> # syspatch | wc -l
>        0
>
> # sysctl -n kern.version
> OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
> [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

no problem either on a VM doing dns/dhcp, i can connect over ssh and it
correctly does dns/dhcp:

furka# pfctl -sr
block drop in all
pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echorep
pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echoreq
pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type timex
pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type unreach
pass out all flags S/SA
pass in log on vio0 inet proto tcp from <__automatic_1e5c56b2_0> to 172.20.97.3 port = 22 flags S/SA
pass in log on vio0 inet proto tcp from 172.20.97.21 to 172.20.97.3 port = 2812 flags S/SA
pass in log on vio0 inet proto udp from <__automatic_1e5c56b2_1> to 172.20.97.3 port = 53
pass in log on vio0 inet proto udp from any to any port = 67

furka# sysctl kern.version
kern.version=OpenBSD 6.8 (GENERIC) #5: Mon Feb 22 04:04:49 MST 2021
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC


Re: OpenBSD 6.8 errata 014 breaks pf

steffen
Sure.

BR,

Steffen

##############################

set reassemble yes
set block-policy return
set loginterface egress
set skip on lo

match in all scrub (no-df random-id max-mss 1440)

table <bruteforce> persist
table <blacklist> persist
table <spamd> persist
table <spamd-white> persist
table <company-white> persist file "/etc/mail/company_whitelist"

block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>

pass out all modulate state

pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in quick inet proto tcp from <company-white> to egress port smtp flags S/SA synproxy state rdr-to lo0

# ssh
pass in quick proto tcp from any \
     to (egress) port 2222 \
     flags S/SA modulate state \
     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)


# imaps
pass in quick proto tcp from any \
     to (egress) port imaps \
     flags S/SA modulate state \
     (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)



pass in log on egress inet proto tcp from  <spamd-white> to egress port smtp keep state rdr-to lo0
pass in log on egress inet proto tcp from  <spamd-white> to egress port 465 keep state rdr-to lo0
pass in log on egress inet proto tcp from !<spamd-white> to egress port smtp keep state rdr-to lo0 port spamd
pass in log on egress inet proto tcp from !<spamd-white> to egress port 465 keep state rdr-to lo0 port spamd


pass in proto tcp from any \
     to (egress) port { submission } \
     flags S/SA modulate state \
     (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)


pass in quick proto tcp from any \
     to (egress) port { http, https } \
     flags S/SA modulate state \
     (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)


################



On Thu, Feb 25, 2021 at 11:40:26AM +0100, Landry Breuil wrote:

> On Thu, Feb 25, 2021 at 10:31:59AM +0000, Mikolaj Kucharski wrote:
> > On Thu, Feb 25, 2021 at 10:07:32AM +0100, [hidden email] wrote:
> > > >Synopsis: After installing OpenBSD 6.8 errata 014 pf allows no connections and knows no tables
> > > >Category: kernel
> > > >Environment:
> > > System      : OpenBSD 6.8
> > > Details     : OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> > > [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
> > >
> > > Architecture: OpenBSD.amd64
> > > Machine     : amd64
> > > >Description:
> > > After patching my system with syspatch to 6.8-014 no connections to the server were possible, no ssh, no smtp, https, imap.  Disabling pf allowed connections.
> > >
> > >
> > > >How-To-Repeat:
> > >
> > >         Patch system using syspatch.
> > >
> > > >Fix:
> > >         I had to revert the most recently installed patch with syspatch -r.
> > >
> > >
> > > dmesg:
> > > OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> > >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
> >
> > Can you show your pf.conf? I don't see that problem here.
> >
> > # syspatch | wc -l
> >        0
> >
> > # sysctl -n kern.version
> > OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
> > [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> no problem either on a VM doing dns/dhcp, i can connect over ssh and it
> correctly does dns/dhcp:
>
> furka# pfctl -sr
> block drop in all
> pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echorep
> pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echoreq
> pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type timex
> pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type unreach
> pass out all flags S/SA
> pass in log on vio0 inet proto tcp from <__automatic_1e5c56b2_0> to 172.20.97.3 port = 22 flags S/SA
> pass in log on vio0 inet proto tcp from 172.20.97.21 to 172.20.97.3 port = 2812 flags S/SA
> pass in log on vio0 inet proto udp from <__automatic_1e5c56b2_1> to 172.20.97.3 port = 53
> pass in log on vio0 inet proto udp from any to any port = 67
>
> furka# sysctl kern.version
> kern.version=OpenBSD 6.8 (GENERIC) #5: Mon Feb 22 04:04:49 MST 2021
>     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC

--
Steffen Fritz

T: +49 7141 505 36 12
W: https://fritz.wtf


Re: OpenBSD 6.8 errata 014 breaks pf

Alexander Bluhm
In reply to this post by steffen
On Thu, Feb 25, 2021 at 10:07:32AM +0100, [hidden email] wrote:
> >Description:
> After patching my system with syspatch to 6.8-014 no connections to the server were possible, no ssh, no smtp, https, imap.  Disabling pf allowed connections.

I don't see how the errata diff can create the behavior you describe.
The new code is only triggered if there are special overlapping
fragments which are very unlikely in real life.

>         I had to revert the most recently installed patch with syspatch -r.

Is this exactly what you were running before?  Or did you apply
more than one syspatch and revert only the latest?

How long did it take to trigger the problem after syspatching?

Did you change anything else?

Do you use forwarding or local services only?

bluhm


Re: OpenBSD 6.8 errata 014 breaks pf

Stuart Henderson
In reply to this post by steffen
On 2021/02/25 12:57, Steffen Fritz wrote:
> Sure.

Any difference if you change "modulate state" to "keep state"?

> BR,
>
> Steffen
>
> ##############################
>
> set reassemble yes
> set block-policy return
> set loginterface egress
> set skip on lo
>
> match in all scrub (no-df random-id max-mss 1440)
>
> table <bruteforce> persist
> table <blacklist> persist
> table <spamd> persist
> table <spamd-white> persist
> table <company-white> persist file "/etc/mail/company_whitelist"
>
> block in log
> block in quick from urpf-failed label uRPF
> block quick from <bruteforce>
>
> pass out all modulate state
>
> pass in quick inet proto icmp icmp-type { echoreq, unreach }
> pass in quick inet proto tcp from <company-white> to egress port smtp flags S/SA synproxy state rdr-to lo0
>
> # ssh
> pass in quick proto tcp from any \
>      to (egress) port 2222 \
>      flags S/SA modulate state \
>      (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>
>
> # imaps
> pass in quick proto tcp from any \
>      to (egress) port imaps \
>      flags S/SA modulate state \
>      (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>
>
>
> pass in log on egress inet proto tcp from  <spamd-white> to egress port smtp keep state rdr-to lo0
> pass in log on egress inet proto tcp from  <spamd-white> to egress port 465 keep state rdr-to lo0
> pass in log on egress inet proto tcp from !<spamd-white> to egress port smtp keep state rdr-to lo0 port spamd
> pass in log on egress inet proto tcp from !<spamd-white> to egress port 465 keep state rdr-to lo0 port spamd
>
>
> pass in proto tcp from any \
>      to (egress) port { submission } \
>      flags S/SA modulate state \
>      (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)
>
>
> pass in quick proto tcp from any \
>      to (egress) port { http, https } \
>      flags S/SA modulate state \
>      (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)
>
>
> ################
>
>
>
> On Thu, Feb 25, 2021 at 11:40:26AM +0100, Landry Breuil wrote:
> > On Thu, Feb 25, 2021 at 10:31:59AM +0000, Mikolaj Kucharski wrote:
> > > On Thu, Feb 25, 2021 at 10:07:32AM +0100, [hidden email] wrote:
> > > > >Synopsis: After installing OpenBSD 6.8 errata 014 pf allows no connections and knows no tables
> > > > >Category: kernel
> > > > >Environment:
> > > > System      : OpenBSD 6.8
> > > > Details     : OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> > > > [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
> > > >
> > > > Architecture: OpenBSD.amd64
> > > > Machine     : amd64
> > > > >Description:
> > > > After patching my system with syspatch to 6.8-014 no connections to the server were possible, no ssh, no smtp, https, imap.  Disabling pf allowed connections.
> > > >
> > > >
> > > > >How-To-Repeat:
> > > >
> > > >         Patch system using syspatch.
> > > >
> > > > >Fix:
> > > >         I had to revert the most recently installed patch with syspatch -r.
> > > >
> > > >
> > > > dmesg:
> > > > OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> > > >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
> > >
> > > Can you show your pf.conf? I don't see that problem here.
> > >
> > > # syspatch | wc -l
> > >        0
> > >
> > > # sysctl -n kern.version
> > > OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
> > > [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > no problem either on a VM doing dns/dhcp, i can connect over ssh and it
> > correctly does dns/dhcp:
> >
> > furka# pfctl -sr
> > block drop in all
> > pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echorep
> > pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echoreq
> > pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type timex
> > pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type unreach
> > pass out all flags S/SA
> > pass in log on vio0 inet proto tcp from <__automatic_1e5c56b2_0> to 172.20.97.3 port = 22 flags S/SA
> > pass in log on vio0 inet proto tcp from 172.20.97.21 to 172.20.97.3 port = 2812 flags S/SA
> > pass in log on vio0 inet proto udp from <__automatic_1e5c56b2_1> to 172.20.97.3 port = 53
> > pass in log on vio0 inet proto udp from any to any port = 67
> >
> > furka# sysctl kern.version
> > kern.version=OpenBSD 6.8 (GENERIC) #5: Mon Feb 22 04:04:49 MST 2021
> >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
>
> --
> Steffen Fritz
>
> T: +49 7141 505 36 12
> W: https://fritz.wtf
>


Re: OpenBSD 6.8 errata 014 breaks pf

steffen
In reply to this post by Alexander Bluhm
Hello,

On Thu, Feb 25, 2021 at 01:09:58PM +0100, Alexander Bluhm wrote:
>
> Is this exactly what you were running before?  Or did you apply
> more than one syspatch and revert only the latest?
Yes, exactly. I applied only one syspatch. The host was also rebooted
a few days before.

> How long did it take to trigger the problem after syspatching?

Directly after the reboot. I tested this twice.

> Did you change anything else?

No.

> Do you use forwarding or local services only?

Only local services.

BR,

Steffen


Re: OpenBSD 6.8 errata 014 breaks pf

steffen
In reply to this post by Stuart Henderson
Hello,

On Thu, Feb 25, 2021 at 01:21:54PM +0000, Stuart Henderson wrote:
>
> Any difference if you change "modulate state" to "keep state"?

as this is a (privately used) production system and I don't have a
testing stage I cannot test this easily. I would have to syspatch and
render the system unusable for some time. If nothing helps I can do it
but maybe someone else can check this on a test system?

Best regards,

Steffen


Re: OpenBSD 6.8 errata 014 breaks pf

Stuart Henderson
On 2021/02/25 15:32, Steffen Fritz wrote:

> Hello,
>
> On Thu, Feb 25, 2021 at 01:21:54PM +0000, Stuart Henderson wrote:
> >
> > Any difference if you change "modulate state" to "keep state"?
>
> as this is a (privately used) production system and I don't have a
> testing stage I cannot test this easily. I would have to syspatch and
> render the system unusable for some time. If nothing helps I can do it
> but maybe someone else can check this on a test system?
>
> Best regards,
>
> Steffen
>

btw, if you look at what "modulate state" does as described in
pf.conf(5), using it on services hosted on the machine running PF
itself doesn't make much sense in the first place, it's for protecting
machines that have junk sequence number generation. OpenBSD's TCP stack
already uses a good rng so there's no point in PF adjusting every single
packet in the connection to replace sequence numbers/acks with something
that isn't any better than it was already (and adjusting checksums to
match).

(if that _is_ responsible for the problem then obviously it wants
fixing but I wanted to mention that on-list as this feature seems to get
cargo-culted a lot where it isn't useful..)
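One way to check a ruleset for the pattern Stuart describes, as an added example that is not part of the thread or of OpenBSD: the script below joins pf.conf continuation lines, finds inbound pass rules that combine "modulate state" with a destination on the firewall itself, and prints the "keep state" form of each. The sample ruleset is a shortened copy of the pf.conf posted earlier in the thread. The spellings it treats as "this host" (egress, (egress), lo0, self) are an assumption, macros are not expanded, and it never calls pfctl, so it is a textual lint rather than a parse of the loaded ruleset.

```python
"""Lint a pf.conf for "modulate state" on rules that terminate on the
firewall itself, the pattern discussed in this thread.

Added example for this thread; not code from the thread or from OpenBSD.
It does a textual pass over pf.conf only and never calls pfctl.
"""
import re

# Destination spellings taken to mean "this host": the egress interface
# group, its addresses in parentheses, loopback, or pf's "self" keyword.
# Assumption: the ruleset uses these literally; macros are not expanded.
LOCAL_DEST = re.compile(r"\bto\s+(?:\(egress\)|egress|lo0|self)(?=\s|$)")


def logical_lines(text):
    """Join backslash-continued physical lines into one rule per entry,
    dropping comments and blank lines. Returns (first_lineno, rule)."""
    rules, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Strip a trailing comment ("# ..." at line start or after whitespace).
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        rules.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:  # continuation at end of file; keep what we have
        rules.append((start, " ".join(buf)))
    return rules


def lint_modulate_state(text):
    """Return (lineno, rule, suggested_rule) for each inbound pass rule
    that combines 'modulate state' with a destination on this host."""
    findings = []
    for lineno, rule in logical_lines(text):
        if "modulate state" not in rule or not rule.startswith("pass in"):
            continue
        if LOCAL_DEST.search(rule):
            findings.append((lineno, rule,
                             rule.replace("modulate state", "keep state")))
    return findings


# Constructed sample: a shortened copy of the ruleset posted in this thread.
SAMPLE_PF_CONF = """\
set skip on lo
match in all scrub (no-df random-id max-mss 1440)
table <bruteforce> persist
block in log
block quick from <bruteforce>
pass out all modulate state
pass in quick inet proto icmp icmp-type { echoreq, unreach }
# ssh
pass in quick proto tcp from any \\
     to (egress) port 2222 \\
     flags S/SA modulate state \\
     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# imaps
pass in quick proto tcp from any \\
     to (egress) port imaps \\
     flags S/SA modulate state \\
     (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in log on egress inet proto tcp from <spamd-white> to egress port smtp keep state rdr-to lo0
pass in quick proto tcp from any \\
     to (egress) port { http, https } \\
     flags S/SA modulate state \\
     (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)
"""

if __name__ == "__main__":
    for lineno, rule, fixed in lint_modulate_state(SAMPLE_PF_CONF):
        print(f"line {lineno}: modulate state on a local service")
        print(f"  rule:      {rule}")
        print(f"  suggested: {fixed}")
```

On the sample it reports the ssh, imaps and http/https rules (the three "pass in ... to (egress) ... modulate state" rules) and leaves "pass out all modulate state" alone, since the point in the thread is about services hosted on the firewall. After editing a real pf.conf, load it with `pfctl -nf /etc/pf.conf` first to let pfctl parse the result before `pfctl -f`.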


Re: OpenBSD 6.8 errata 014 breaks pf

steffen
Hello,

I just

1. changed the configuration to "keep state"
2. did a syspatch
3. rebooted the host
4. all connections were possible
5. changed the configuration back to "modulate state" to verify
6. reloaded the configuration
7. still, all connections were possible
8. rebooted the system
9. still all connections were possible
10. Changed back to "keep state" due to Stuart's helpful advice.

So, layer 8 problem? Don't think so, but I cannot reproduce it and it
works now.

Ok, blame me...

Thanks for your help and time!

Best regards,

Steffen


On Thu, Feb 25, 2021 at 02:51:02PM +0000, Stuart Henderson wrote:

> On 2021/02/25 15:32, Steffen Fritz wrote:
> > Hello,
> >
> > On Thu, Feb 25, 2021 at 01:21:54PM +0000, Stuart Henderson wrote:
> > >
> > > Any difference if you change "modulate state" to "keep state"?
> >
> > as this is a (privately used) production system and I don't have a
> > testing stage I cannot test this easily. I would have to syspatch and
> > render the system unusable for some time. If nothing helps I can do it
> > but maybe someone else can check this on a test system?
> >
> > Best regards,
> >
> > Steffen
> >
>
> btw, if you look at what "modulate state" does as described in
> pf.conf(5), using it on services hosted on the machine running PF
> itself doesn't make much sense in the first place, it's for protecting
> machines that have junk sequence number generation. OpenBSD's TCP stack
> already uses a good rng so there's no point in PF adjusting every single
> packet in the connection to replace sequence numbers/acks with something
> that isn't any better than it was already (and adjusting checksums to
> match).
>
> (if that _is_ responsible for the problem then obviously it wants
> fixing but I wanted to mention that on-list as this feature seems to get
> cargo-culted a lot where it isn't useful..)
>

--
Steffen Fritz

T: +49 7141 505 36 12
W: https://fritz.wtf


Re: OpenBSD 6.8 errata 014 breaks pf

Alexander Bluhm
On Thu, Feb 25, 2021 at 05:00:20PM +0100, Steffen Fritz wrote:
> So, layer 8 problem? Don't think so, but I cannot reproduce it and it
> works now.

I don't know.  tobhe@ saw similar problems yesterday evening.  But
there GENERIC was accidentally replaced with GENERIC.MP when errata
was applied.  And it went from 6.8 release kernel to -stable.  So
it could be something else.  Today we switched kernel and tried to
stress it, but the bug never happened again.  Also we looked into
the code and saw no connection between the buggy behavior and the
patch.  Also you need very special IP fragments to reach the new
code.

A similar machine next to it is testing the diff since Friday.  No
problems there.  And I applied the errata diff on 7 other machines
before releasing it.

> Thanks for your help and time!

Thanks for testing and reporting.

bluhm


Re: OpenBSD 6.8 errata 014 breaks pf

Alexander Bluhm
On Thu, Feb 25, 2021 at 06:46:05PM +0100, Alexander Bluhm wrote:
> tobhe@ saw similar problems yesterday evening.  But
> there GENERIC was accidentally replaced with GENERIC.MP when errata
> was applied.

My problem is definitely unrelated to the errata patch.  It happened
again, the clock interrupt stopped firing.  Processes hanging in
nanosleep, date stopped at Sat Feb 27 02:15:48 CET 2021.

It is old sparc hardware.  Sun Netra X1 (UltraSPARC-IIe 400MHz)
Firmware detected the problem.
LOM event: +687d+1h6m2s host FAULT: watchdog triggered

Either GENERIC.MP does not work well on this machine or it is a
hardware problem.  It is rather old.

Firmware CORE  Sun Microsystems, Inc.
@(#) core 1.0.1 2001/02/19 09:55

Is the clock exhausted after 20 years?  I expected Sun machines
were built for eternity.

I went back to GENERIC SP kernel and will see if it happens again.

bluhm


Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2020 OpenBSD. All rights reserved.  https://www.OpenBSD.org
Copyright (c) 1995-2020 OpenBSD. All rights reserved.  https://www.OpenBSD.org
OpenBSD 6.8-stable (GENERIC.MP) #2: Thu Feb 25 14:37:10 CET 2021
    [hidden email]:/usr/src/sys/arch/sparc64/compile/GENERIC.MP
real mem = 536870912 (512MB)
avail mem = 509157376 (485MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root: Sun Netra X1 (UltraSPARC-IIe 400MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 400 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external (64 b/l)
psycho0 at mainbus0: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-0, PCI bus 0
psycho0: dvma map 60000000-7fffffff
pci0 at psycho0
ebus0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
"dma" at ebus0 addr 0-ffff ivec 0x2a not configured
rtc0 at ebus0 addr 70-71: ds1287
power0 at ebus0 addr 2000-2007 ivec 0x23
lom0 at ebus0 addr 8010-8011 ivec 0x2a: LOMlite2 rev 3.8
com0 at ebus0 addr 3f8-3ff ivec 0x2b: ns16550a, 16 byte fifo
com0: console
com1 at ebus0 addr 2e8-2ef ivec 0x2b: ns16550a, 16 byte fifo
"flashprom" at ebus0 addr 0-7ffff not configured
alipm0 at pci0 dev 3 function 0 "Acer Labs M7101 Power" rev 0x00: 74KHz clock
iic0 at alipm0
"max1617" at alipm0 addr 0x18 skipped due to alipm0 bugs
spdmem0 at iic0 addr 0x56: 256MB SDRAM registered ECC PC133CL2
spdmem1 at iic0 addr 0x57: 256MB SDRAM registered ECC PC133CL2
dc0 at pci0 dev 12 function 0 "Davicom DM9102" rev 0x31: ivec 0x7c6, address 00:03:ba:05:0e:7a
amphy0 at dc0 phy 1: DM9102 10/100 PHY, rev. 0
dc1 at pci0 dev 5 function 0 "Davicom DM9102" rev 0x31: ivec 0x7dc, address 00:03:ba:05:0e:7b
amphy1 at dc1 phy 1: DM9102 10/100 PHY, rev. 0
ohci0 at pci0 dev 10 function 0 "Acer Labs M5237 USB" rev 0x03: ivec 0x7e4, version 1.0, legacy support
pciide0 at pci0 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 0x7cc for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: <ST380021A>
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
bootpath: /pci@1f,0/ide@d,0/disk@0,0
root on wd0a (c15f27024cfa7e6f.a) swap on wd0b dump on wd0b