Question about tables in nested anchor on pf since 6.1

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Question about tables in nested anchor on pf since 6.1

Leonardo Guardati-2
Hi,
   there is a confusing error message in 6.1 and 6.2
(not in 6.0) when using a table inside a nested anchor.

here the rules:

/etc/pf.conf:
###########################

block log


anchor "uno"
load anchor "uno" from "/etc/pf.uno"

###########################


/etc/pf.uno
###########################


anchor "due"
load anchor "due" from "/etc/pf.due"

###########################


/etc/pf.due
###########################

table <foo> { 10.0.0.1 }

pass from <foo>

###########################


on OpenBSD 6.0:

# pfctl -ef /etc/pf.conf
pfctl: pf already enabled



on 6.1 and 6.2:

# pfctl -ef /etc/pf.conf
/etc/pf.due:1: cannot define table foo: Device busy
pfctl: Syntax error in config file: pf rules not loaded
pfctl: load anchors




I've tried to debug, and here is the backtrace for 6.0 and 6.1:


OpenBSD-6.0:

Thread 3 hit Breakpoint 1, pfr_ina_define (tbl=0xffff800000314800, addr=0x10cf6f2a7300, size=1, nadd=0xffff800000314c3c, naddr=0xffff800000314c38, ticket=11, flags=268435472)
    at ../../../../net/pf_table.c:1609
1609 {
(gdb) bt
#0  pfr_ina_define (tbl=0xffff800000314800, addr=0x10cf6f2a7300, size=1, nadd=0xffff800000314c3c, naddr=0xffff800000314c38, ticket=11, flags=268435472) at ../../../../net/pf_table.c:1609
#1  0xffffffff811ca27a in pfioctl (dev=18688, cmd=3293594701, addr=0xffff800000314800 "uno/due", flags=3, p=0xffff8000212a5c88) at ../../../../net/pf_ioctl.c:1999
#2  0xffffffff8129b086 in spec_ioctl (v=0xffff8000212eeb40) at ../../../../kern/spec_vnops.c:370
#3  0xffffffff812979b7 in VOP_IOCTL (vp=0xffffff006fa93cc0, command=3293594701, data=0xffff800000314800, fflag=3, cred=0xffffff0005bfc840, p=0xffff8000212a5c88)
    at ../../../../kern/vfs_vops.c:259
#4  0xffffffff81299600 in vn_ioctl (fp=0xffffff006db65558, com=3293594701, data=0xffff800000314800 "uno/due", p=0xffff8000212a5c88) at ../../../../kern/vfs_vnops.c:485
#5  0xffffffff8125b746 in sys_ioctl (p=0xffff8000212a5c88, v=0xffff8000212eee50, retval=0xffff8000212eeea0) at ../../../../kern/sys_generic.c:516
#6  0xffffffff8147fea0 in mi_syscall (p=0xffff8000212a5c88, code=54, callp=0xffffffff81b87040 <sysent+864>, argp=0xffff8000212eee50, retval=0xffff8000212eeea0)
    at ../../../../sys/syscall_mi.h:77
#7  0xffffffff8147fc94 in syscall (frame=0xffff8000212eef20) at ../../../../arch/amd64/amd64/trap.c:597
#8  0xffffffff8100180b in Xsyscall ()
#9  0x0000000000000003 in ?? ()
#10 0x00000000c450444d in ?? ()
#11 0x00007f7ffffd0e40 in ?? ()
#12 0x000010cd57535c1a in ?? ()
#13 0x00007f7ffffd1268 in ?? ()
#14 0x00007f7ffffd1728 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb)







OpenBSD-6.1:
Thread 1 hit Breakpoint 1, pfr_ina_define (tbl=0xffff80000035c800, addr=0x1fced50fc300, size=1, nadd=0xffff80000035cc3c, naddr=0xffff80000035cc38, ticket=7, flags=268435472)
    at /usr/src/sys/net/pf_table.c:1599
1599 {
(gdb) bt
#0  pfr_ina_define (tbl=0xffff80000035c800, addr=0x1fced50fc300, size=1, nadd=0xffff80000035cc3c, naddr=0xffff80000035cc38, ticket=7, flags=268435472) at /usr/src/sys/net/pf_table.c:1599
#1  0xffffffff811cb163 in pfioctl (dev=18688, cmd=3293594701, addr=0xffff80000035c800 "/due", flags=3, p=0xffff8000212ab0d8) at /usr/src/sys/net/pf_ioctl.c:2000
#2  0xffffffff8129a8f6 in spec_ioctl (v=0xffff80002132cb40) at /usr/src/sys/kern/spec_vnops.c:370
#3  0xffffffff81297223 in VOP_IOCTL (vp=0xffffff0056011230, command=3293594701, data=0xffff80000035c800, fflag=3, cred=0xffffff007f7ac840, p=0xffff8000212ab0d8)
    at /usr/src/sys/kern/vfs_vops.c:259
#4  0xffffffff81298e71 in vn_ioctl (fp=0xffffff005c9d1aa0, com=3293594701, data=0xffff80000035c800 "/due", p=0xffff8000212ab0d8) at /usr/src/sys/kern/vfs_vnops.c:487
#5  0xffffffff8125c5ba in sys_ioctl (p=0xffff8000212ab0d8, v=0xffff80002132ce50, retval=0xffff80002132cea0) at /usr/src/sys/kern/sys_generic.c:516
#6  0xffffffff8148a642 in mi_syscall (p=0xffff8000212ab0d8, code=54, callp=0xffffffff81bc1260 <sysent+864>, argp=0xffff80002132ce50, retval=0xffff80002132cea0)
    at /usr/src/sys/sys/syscall_mi.h:77
#7  0xffffffff8148a436 in syscall (frame=0xffff80002132cf20) at /usr/src/sys/arch/amd64/amd64/trap.c:600
#8  0xffffffff8100180b in Xsyscall ()
#9  0x0000000000000003 in ?? ()
#10 0x00000000c450444d in ?? ()
#11 0x00007f7ffffbbae0 in ?? ()
#12 0x00001fcccfb2f47a in ?? ()
#13 0x00007f7ffffbbf08 in ?? ()
#14 0x00007f7ffffbc3c8 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb)





I can see that in 6.0 pfioctl() is passed "uno/due"; while in 6.1 there is only "/due" in addr.

Also, I see the code execution difference at /usr/src/sys/net/pf_table.c:1624 when calling:

  rs = pf_find_ruleset(tbl->pfrt_anchor);

in 6.0 I have rs filled, with :

(gdb) p rs
$2 = (struct pf_ruleset *) 0xffff800000310490
(gdb) p rs->topen
$3 = 1
(gdb) p ticket
$4 = 11
(gdb) p rs->tticket
$5 = 11

that make the the following test pass:

1625 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1626 return (EBUSY);


this is not happening in 6.1:

(gdb) p rs
$8 = (struct pf_ruleset *) 0xffff80000035bc90
(gdb) p rs->topen
$9 = 0
(gdb) p ticket
$10 = 7
(gdb) p rs->tticket
$11 = 9

so it is explained the Device Busy message...but not the cause.


I suppose this could be caused by the MP changes and some race accessing the data.


Any hint where to look next?


Leo

Reply | Threaded
Open this post in threaded view
|

Re: Question about tables in nested anchor on pf since 6.1

Leonardo Guardati-2
If I change the load statement in pf.uno using
the full path ( /uno/due instead of due ); thens
 there is no error; but still no table is loaded.

/etc/pf.conf:
###########################

block log


anchor "uno"
load anchor "uno" from "/etc/pf.uno"

###########################


/etc/pf.uno
###########################


anchor "due"
load anchor "/uno/due" from "/etc/pf.due"

###########################


/etc/pf.due
###########################

table <foo> { 10.0.0.1 }

pass from <foo>

###########################




Now no error is given:

# pfctl -ef /etc/pf.conf  
pfctl: pfctl_rules
pfctl: load anchors
#


But the table is not loaded:

# pfctl -a uno/due -t foo -T show  
pfctl: Table does not exist.
#

Reply | Threaded
Open this post in threaded view
|

Re: Question about tables in nested anchor on pf since 6.1

Alexandr Nedvedicky
In reply to this post by Leonardo Guardati-2
Hello Leo,

this looks like my bad, which goes back to commit [1], which tried to fix 'mix
up of anchor names and anchor paths'. I've completely forgot to take care of
pfctl/parse.y back then. Please let me know if patch below solves your problem.
thank you for great troubleshooting and excellent test case.

sorry for any inconveniences
regards
sasha

[1] https://github.com/openbsd/src/commit/3bf93159c5f63841415c20c3b4c861fd39edaf82#diff-0ad00dde5326b7d2b54b5c11cef40842

--------8<---------------8<---------------8<------------------8<--------
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c170e60d2a0..b56ed47ff8b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -4133,7 +4133,7 @@ process_tabledef(char *name, struct table_opts *opts, int popts)
     &opts->init_nodes);
  if (!(pf->opts & PF_OPT_NOACTION) &&
     pfctl_define_table(name, opts->flags, opts->init_addr,
-    pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
+    pf->anchor->path, &ab, pf->anchor->ruleset.tticket)) {
  yyerror("cannot define table %s: %s", name,
     pfr_strerror(errno));
  goto _error;

Reply | Threaded
Open this post in threaded view
|

Re: Question about tables in nested anchor on pf since 6.1

Leonardo Guardati-2
Hi,

I've applied the patch on 6.2 and it fixes the problem.

# pfctl -ef /etc/pf.conf                                                                                                                                            
pf enabled
#  pfctl -a /uno/due -t foo -T show
   10.0.0.1
#  pfctl -a /uno/due -s r          
pass from <foo> to any flags S/SA
#


Thank You

Leo

On Tue, Nov 14, 2017 at 11:07:31AM +0100, Alexandr Nedvedicky wrote:

> Hello Leo,
>
> this looks like my bad, which goes back to commit [1], which tried to fix 'mix
> up of anchor names and anchor paths'. I've completely forgot to take care of
> pfctl/parse.y back then. Please let me know if patch below solves your problem.
> thank you for great troubleshooting and excellent test case.
>
> sorry for any inconveniences
> regards
> sasha
>
> [1] https://github.com/openbsd/src/commit/3bf93159c5f63841415c20c3b4c861fd39edaf82#diff-0ad00dde5326b7d2b54b5c11cef40842
>
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
> index c170e60d2a0..b56ed47ff8b 100644
> --- a/sbin/pfctl/parse.y
> +++ b/sbin/pfctl/parse.y
> @@ -4133,7 +4133,7 @@ process_tabledef(char *name, struct table_opts *opts, int popts)
>      &opts->init_nodes);
>   if (!(pf->opts & PF_OPT_NOACTION) &&
>      pfctl_define_table(name, opts->flags, opts->init_addr,
> -    pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
> +    pf->anchor->path, &ab, pf->anchor->ruleset.tticket)) {
>   yyerror("cannot define table %s: %s", name,
>      pfr_strerror(errno));
>   goto _error;
>