Who is 'anchor 11' (pfctl -vvss ./. pfctl -vsA)?


Who is 'anchor 11' (pfctl -vvss ./. pfctl -vsA)?

Philipp Buehler
Hello,

in the midst of debugging ruleset/migrations, I came across this output
in 'pfctl -vvss':
all tcp 10.45.30.7:993 (public-nat:993) <- remote-ip:4690      
ESTABLISHED:ESTABLISHED
    [1683650613 + 66296] wscale 7  [3702552199 + 16768] wscale 2
    age 04:32:22, expires in 00:09:25, 745:737 pkts, 55579:87226 bytes,
anchor 11, rule 0, source-track
    id: 5b5139707ff0259a creatorid: cfe3cb20

Now, who is 'anchor 11'? By no means 'relayctl show redirects' or 'pfctl
-vsA' or "pfctl -a 'relayd/*' -vvsr"
would give me a "numbered" clue. The anchors are ascii/literally named -
no number like on the
rules in 'pfctl -vvsr'.

In the current case I've only one relayd-redirection with port 993, so I
can guestimate the anchor.

Am I overlooking a pfctl/relayctl option or is '11' internal only?

TIA,
--
pb


Re: Who is 'anchor 11' (pfctl -vvss ./. pfctl -vsA)?

Klemens Nanni-2
On Wed, Jan 02, 2019 at 07:09:54PM +0100, Philipp Buehler wrote:
> 'pfctl -vvss':
> all tcp 10.45.30.7:993 (public-nat:993) <- remote-ip:4690
> ESTABLISHED:ESTABLISHED
>    [1683650613 + 66296] wscale 7  [3702552199 + 16768] wscale 2
>    age 04:32:22, expires in 00:09:25, 745:737 pkts, 55579:87226 bytes,
> anchor 11, rule 0, source-track
Anchor 11 is the twelfth rule in your main ruleset (the anchor rule),
in which the first rule established this state.

>    id: 5b5139707ff0259a creatorid: cfe3cb20
>
> Now, who is 'anchor 11'? By no means 'relayctl show redirects' or 'pfctl
> -vsA' or "pfctl -a 'relayd/*' -vvsr"
> would give me a "numbered" clue. The anchors are ascii/literally named - no
> number like on the
> rules in 'pfctl -vvsr'.
`pfctl -vv -s rules -R 11' shows this very rule,
`pfctl -vv -s states -R 11' will show all states established by this
rule if any.

> In the current case I've only one relayd-redirection with port 993, so I can
> guestimate the anchor.
>
> Am I overlooking a pfctl/relayctl option or is '11' internal only?
Provide your ruleset so we can look at actual rules without guessing in
case your problem persists, `pfctl -a\* -s rules' prints them including
anchors.


Re: Who is 'anchor 11' (pfctl -vvss ./. pfctl -vsA)?

Philipp Buehler
On 02.01.2019 21:35, Klemens Nanni wrote:
> Anchor 11 is the twelfth rule in your main ruleset (the anchor rule),
> in which the first rule established this state.

Ouch, overlooked this one. Thanks.

> Provide your ruleset so we can look at actual rules without guessing in
> case your problem persists, `pfctl -a\* -s rules' prints them including
> anchors.

Hmm, still a bit ambiguous:
===
@11 anchor "relayd/*" all {
   [ Evaluations: 21256227  Packets: 845613    Bytes: 363090876   States:
31    ]
   [ Inserted: uid 0 pid 12958 State Creations: 16822 ]
anchor "depa_portal_http" all {
}
anchor "depa_portal_https" all {
}
anchor "rnexus_portal_http" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port
= 80 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTP
rdr-to <rnexus_portal_http:1> port 60280 round-robin sticky-address
   [ Evaluations: 8919094   Packets: 1101      Bytes: 56088       States:
0     ]
   [ Inserted: uid 89 pid 29940 State Creations: 162   ]
}
anchor "rnexus_portal_https" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port
= 443 flags S/SA keep state (tcp.established 600) tag
RNEXUS_PORTAL_HTTPS rdr-to <rnexus_portal_https:1> port 60643
round-robin sticky-address
   [ Evaluations: 13343728  Packets: 253       Bytes: 57853       States:
0     ]
   [ Inserted: uid 89 pid 29940 State Creations: 18    ]
}
anchor "ssfn-imaps" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port
= 993 flags S/SA keep state (tcp.established 600) tag SSFN_IMAPS rdr-to
<ssfn-imaps:1> port 993 round-robin sticky-address
   [ Evaluations: 169032000  Packets: 4965436   Bytes: 1932456130  
States: 22    ]
   [ Inserted: uid 89 pid 29940 State Creations: 33036 ]
}
====
So, for every redirect one anchor (as expected/designed) - and each has
a rule 0.
Apart from the ip/port tuple (the state in question was to port 993),
I cannot follow this down
to which relayd sub-anchor?

ciao
--
pb
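One way to automate the ip/port heuristic from the last message, as an added example that is not part of the thread: it takes a state's "anchor N, rule M" reference, collects the sub-anchors nested under main-ruleset rule @N, and reports those whose rule @M matches the state's original (pre-rdr-to) destination port. The `pfctl -vvss` and `pfctl -a\* -vvsr` samples are constructed from the thread's output and trimmed; the parser assumes the rule layout shown there.

```python
import re

# Constructed sample in `pfctl -vvss` format, using the state from the thread.
STATES_SAMPLE = """\
all tcp 10.45.30.7:993 (public-nat:993) <- remote-ip:4690       ESTABLISHED:ESTABLISHED
   age 04:32:22, expires in 00:09:25, 745:737 pkts, 55579:87226 bytes, anchor 11, rule 0, source-track
"""
# Constructed sample in `pfctl -a\* -vvsr` format, trimmed from the thread's ruleset.
RULES_SAMPLE = """\
@11 anchor "relayd/*" all {
  [ Evaluations: 21256227  Packets: 845613    Bytes: 363090876   States: 31    ]
anchor "rnexus_portal_https" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 443 flags S/SA keep state tag RNEXUS_PORTAL_HTTPS rdr-to <rnexus_portal_https:1> port 60643
}
anchor "ssfn-imaps" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 993 flags S/SA keep state tag SSFN_IMAPS rdr-to <ssfn-imaps:1> port 993
}
}
"""

def parse_states(text):
    # (original dst port, anchor index, rule index) per rdr state; the port in
    # parentheses is the destination before rdr-to, i.e. what the anchor rule matched
    states, port = [], None
    for line in text.splitlines():
        if m := re.match(r'^all \S+ \S+ \(\S*?:(\d+)\) <- ', line):
            port = int(m[1])
        elif port is not None and (r := re.search(r'anchor (\d+), rule (\d+)', line)):
            states.append((port, int(r[1]), int(r[2])))
    return states

def parse_subanchors(text, anchor_idx):
    # map sub-anchor name -> its rule lines, for sub-anchors nested in main rule @anchor_idx
    subs, depth, name = {}, 0, None
    for line in map(str.strip, text.splitlines()):
        if depth == 0:  # skip until "@<idx> anchor ... {" opens the block we want
            depth = int(line.startswith(f'@{anchor_idx} anchor "'))
        elif line.startswith('anchor "'):  # nested (relayd) sub-anchor opens
            name, depth = line.split('"')[1], depth + 1
            subs.setdefault(name, [])
        elif line == '}':
            depth, name = depth - 1, None
        elif line.startswith('@') and name:  # a rule inside the current sub-anchor
            subs[name].append(line)
    return subs

def candidate_subanchors(state, subs):
    # sub-anchors whose rule @<rule idx> matches the state's original destination port
    port, _anchor, rule = state
    return sorted(name for name, rules in subs.items() if any(
        r.startswith(f'@{rule} ') and re.search(rf'\bto \S+ port = {port}\b', r) for r in rules))
```

The state entry itself never records the sub-anchor name, so this stays a heuristic: if several sub-anchors redirect the same port, all of them are returned and the relayd configuration has to decide between them.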