system/5195: pfctl loses group members when using multiple groups in a list

system/5195: pfctl loses group members when using multiple groups in a list

andrew fresh
>Number:         5195
>Category:       system
>Synopsis:       pfctl loses group members when using multiple groups in a list
>Confidential:   yes
>Severity:       non-critical
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Aug 07 20:40:02 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Fresh
>Release:        OPENBSD_3_9
>Organization:
Red River Communications
>Environment:
        <machine, os, target, libraries (multiple lines)>
        System      : OpenBSD 3.9
        Architecture: OpenBSD.i386
        Machine     : i386

>Description:
If you have a list containing multiple groups and the first group has
more than one IP, one of the IPs does not get expanded into a rule.

If you look at the output below, you will see that in the output from
pf.conf1 the 192.168.206.0 address is in the output, but in the output
from pf.conf2 the address is not there.

It also apparently happens on
OpenBSD 4.0-beta (GENERIC) #1026: Wed Jul 26 20:35:18 MDT 2006

http://marc.theaimsgroup.com/?t=115412014600001&r=1&w=2

>How-To-Repeat:

$ cat pf.conf1
pass inet from { wild } to any keep state
pass inet from { wild:network } to any keep state

$ pfctl -nvf pf.conf1
pass inet from 192.168.207.1 to any keep state
pass inet from 192.168.206.1 to any keep state
pass inet from 192.168.207.0/24 to any keep state
pass inet from 192.168.206.0/24 to any keep state

$ cat pf.conf2
pass inet from { wild internal } to any keep state
pass inet from { wild:network internal:network } to any keep state

$ pfctl -nvf pf.conf2
pass inet from 192.168.207.1 to any keep state
pass inet from 192.168.204.1 to any keep state
pass inet from 192.168.205.1 to any keep state
pass inet from 192.168.207.0/24 to any keep state
pass inet from 192.168.204.0/24 to any keep state
pass inet from 192.168.205.0/24 to any keep state

$ ifconfig wild
dc2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:06:2b:02:3f:6d
        description: Link  to Tech Bench
        groups: wild tech_bench
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.207.1 netmask 0xffffff00 broadcast 192.168.207.255
        inet6 fe80::206:2bff:fe02:3f6d%dc2 prefixlen 64 scopeid 0x3
dc3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:06:2b:02:3f:6e
        description: Link  to Admin Bench
        groups: wild admin_bench
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.206.1 netmask 0xffffff00 broadcast 192.168.206.255
        inet6 fe80::206:2bff:fe02:3f6e%dc3 prefixlen 64 scopeid 0x4

$ ifconfig internal
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:06:2b:02:3f:6c
        description: Link  to Tech Office/Internal Servers
        groups: internal
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.204.1 netmask 0xffffff00 broadcast 192.168.204.255
        inet6 fe80::206:2bff:fe02:3f6c%dc1 prefixlen 64 scopeid 0x2
dc11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:06:2b:04:2d:5e
        description: Link  to Billing Office
        groups: internal
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.205.1 netmask 0xffffff00 broadcast 192.168.205.255
        inet6 fe80::206:2bff:fe04:2d5e%dc11 prefixlen 64 scopeid 0xc

$ head /var/run/dmesg.boot
OpenBSD 3.9-stable (GENERIC.MP) #0: Thu Jul  6 10:35:42 MST 2006
    [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III Xeon ("GenuineIntel" 686-class) 699 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 1073319936 (1048164K)
avail mem = 972619776 (949824K)
using 4278 buffers containing 53768192 bytes (52508K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 07/07/04, BIOS32 rev. 0 @ 0xffe90
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000

I can provide a full dmesg, but it is pfctl and as it is reproducible on
different machines, this seemed like enough.

>Fix:
Not sure, but I just made separate lines for each thing I used to have
in the list.

for example:
pass inet from wild     to any keep state
pass inet from internal to any keep state

instead of:
pass inet from { wild internal } to any keep state


>Release-Note:
>Audit-Trail:
>Unformatted:

Re: system/5195: pfctl loses group members when using multiple groups in a list

Daniel Hartmeier
The following reply was made to PR system/5195; it has been noted by GNATS.

From: Daniel Hartmeier <[hidden email]>
To: andrew fresh <[hidden email]>
Cc: [hidden email], [hidden email]
Subject: Re: system/5195: pfctl loses group members when using multiple groups in a list
Date: Tue, 8 Aug 2006 10:05:54 +0200

 On Mon, Aug 07, 2006 at 01:25:07PM -0700, andrew fresh wrote:
 
 > >Number:         5195
 > >Synopsis:       pfctl loses group members when using multiple groups in a list
 
 There seems to be a confusion about the list tail pointer semantics in
 ifa_grouplookup(), can you retry with the patch below?
 
 I.e. while all nodes of the list have a tail pointer each, only the head
 node's tail pointer is relevant. It points to the last node of the list
 (where tail->next == NULL). Hence, there is no need to traverse the list
 to find that last node.
 
 When joining two lists, one lets the first list's tail->next point to
 the second list's head, and then adjusts the one tail pointer.
 
 Daniel
 
 
 Index: pfctl_parser.c
 ===================================================================
 RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
 retrieving revision 1.226
 diff -u -r1.226 pfctl_parser.c
 --- pfctl_parser.c 6 Jul 2006 13:26:41 -0000 1.226
 +++ pfctl_parser.c 8 Aug 2006 07:55:17 -0000
 @@ -1207,7 +1207,7 @@
  struct ifg_req *ifg;
  struct ifgroupreq ifgr;
  int s, len;
 - struct node_host *n, *h = NULL, *hn;
 + struct node_host *n, *h = NULL;
 
  if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
  err(1, "socket");
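 Review bot: dropping `hn` from `struct node_host *n, *h = NULL;` is only safe because the second hunk removes the single loop that used it; the visible context shows no other reference, so no unused or undeclared identifier is left behind. A one-line comment above this declaration stating that only the head node's `tail` is maintained would document the invariant the rest of the patch depends on.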
 @@ -1232,10 +1232,8 @@
  if (h == NULL)
  h = n;
  else {
 - for (hn = h; hn->next != NULL; hn = hn->next)
 - ; /* nothing */
 - hn->next = n;
 - n->tail = hn;
 + h->tail->next = n;
 + h->tail = n->tail;
  }
  }
  free(ifgr.ifgr_groups);
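 Review bot: the replacement `h->tail->next = n; h->tail = n->tail;` assumes every `n` returned for a group member already carries a valid head tail pointer (for a single host, `n->tail == n`); if a lookup ever returned a list whose head `tail` was stale, nodes would be dropped again exactly as in the reported output. The removed lines also explain the symptom: `n->tail = hn` pointed the new node's tail back at its predecessor and `h->tail` was never advanced, so a later join at `h->tail->next` overwrote the link to the second member, which is why 192.168.206.1 vanished. Worth a short comment on the head-only tail invariant at this spot.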

Re: system/5195: pfctl loses group members when using multiple groups in a list

andrew fresh
The following reply was made to PR system/5195; it has been noted by GNATS.

From: andrew fresh <[hidden email]>
To: Daniel Hartmeier <[hidden email]>
Cc: [hidden email], [hidden email]
Subject: Re: system/5195: pfctl loses group members when using multiple groups in a list
Date: Tue, 8 Aug 2006 11:35:39 -0700

 I guess you may also want to see this, or at least get it attached to
 the bug report.  The network config is still the same as in the original
 report.
 
 $ cat pf.conf1
 pass inet from { wild } to any keep state
 pass inet from { wild:network } to any keep state
 
 $ ./pfctl -nvf pf.conf1
 pass inet from 192.168.207.1 to any keep state
 pass inet from 192.168.206.1 to any keep state
 pass inet from 192.168.207.0/24 to any keep state
 pass inet from 192.168.206.0/24 to any keep state
 
 
 $ cat pf.conf2
 pass inet from { wild internal } to any keep state
 pass inet from { wild:network internal:network } to any keep state
 
 $ ./pfctl -nvf pf.conf2
 pass inet from 192.168.207.1 to any keep state
 pass inet from 192.168.206.1 to any keep state
 pass inet from 192.168.204.1 to any keep state
 pass inet from 192.168.205.1 to any keep state
 pass inet from 192.168.207.0/24 to any keep state
 pass inet from 192.168.206.0/24 to any keep state
 pass inet from 192.168.204.0/24 to any keep state
 pass inet from 192.168.205.0/24 to any keep state
 
 l8rZ,
 --
 andrew - ICQ# 253198 - JID: [hidden email]
 
 BOFH excuse of the day: You can tune a file system, but you can't tune
     a fish (from most tunefs man pages)
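To make the before/after output above concrete, here is an added C model (not code from the PR or from pfctl) of the list semantics Daniel describes in his reply: every node carries a tail pointer, only the head's is kept valid, and the caller joins the per-group lists through that head tail pointer. `struct node`, `join()`, `grouplookup()` and `expand_has()` are hypothetical stand-ins for pfctl's node_host handling, and the assumption that the caller joins the two group lists via `h->tail` is inferred from Daniel's description rather than taken from pfctl source.

```c
#include <stdlib.h>
#include <string.h>
/* Like pfctl's node_host: a tail pointer per node, only the head's is kept valid. */
struct node { const char *addr; struct node *next, *tail; };

/* Join list b onto list a as the patched code does: link the old tail to
 * b's head, then move the one relevant tail pointer. */
static struct node *join(struct node *a, struct node *b)
{
	if (a == NULL)
		return b;
	a->tail->next = b;
	a->tail = b->tail;
	return a;
}

/* Group lookup, one node per member. fixed == 0 reproduces the pre-patch loop:
 * walk to the last node and link there, never updating h->tail. fixed != 0 uses join(). */
static struct node *grouplookup(const char **m, int cnt, int fixed)
{
	struct node *h = NULL, *n, *hn;
	int i;
	for (i = 0; i < cnt; i++) {
		n = calloc(1, sizeof(*n));
		n->addr = m[i];
		n->tail = n;	/* one-node list: the head is its own tail */
		if (fixed || h == NULL)
			h = join(h, n);
		else {
			for (hn = h; hn->next != NULL; hn = hn->next)
				;	/* nothing */
			hn->next = n;
			n->tail = hn;	/* h->tail is left stale */
		}
	}
	return h;
}

/* Expand "{ wild internal }" with the report's addresses (constructed input) and say whether addr survived. */
static int expand_has(const char *addr, int fixed)
{
	const char *wild[] = { "192.168.207.1", "192.168.206.1" };
	const char *internal[] = { "192.168.204.1", "192.168.205.1" };
	struct node *l = join(grouplookup(wild, 2, fixed), grouplookup(internal, 2, fixed));
	for (; l != NULL; l = l->next)
		if (strcmp(l->addr, addr) == 0)
			return 1;
	return 0;	/* 192.168.206.1: 0 with the bug, 1 when fixed */
}
```

With the stale head tail the second join overwrites `207.1->next`, so 192.168.206.1 disappears while both internal addresses survive, matching the pf.conf2 output in the original report; with the patched join all four hosts remain, matching the output above.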

Re: system/5195: pfctl loses group members when using multiple groups in a list

andrew fresh
The following reply was made to PR system/5195; it has been noted by GNATS.

From: andrew fresh <[hidden email]>
To: Daniel Hartmeier <[hidden email]>
Cc: [hidden email], [hidden email]
Subject: Re: system/5195: pfctl loses group members when using multiple groups in a list
Date: Tue, 8 Aug 2006 11:28:42 -0700

 On Tue, Aug 08, 2006 at 10:05:54AM +0200, Daniel Hartmeier wrote:
 > On Mon, Aug 07, 2006 at 01:25:07PM -0700, andrew fresh wrote:
 >
 > > >Number:         5195
 > > >Synopsis:       pfctl loses group members when using multiple groups in a list
 >
 > There seems to be a confusion about the list tail pointer semantics in
 > ifa_grouplookup(), can you retry with the patch below?
 
 I am still running 3.9 on that box, but I did manually apply that patch
 against the 3.9 sources I have.  
 
 The important bit being that it appears to have fixed that issue.
 
 I also used both the old pfctl and the new one against my current
 pf.conf and what it generated were identical, so it doesn't look like it
 broke anything I am using.  
 
 The diff against pfctl_parser.c v1.222:
 
 $ pwd
 /usr/src/sbin/pfctl
 $ cvs -d [hidden email]:/cvs diff -u
 cvs server: Diffing .
 Index: pfctl_parser.c
 ===================================================================
 RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
 retrieving revision 1.222
 diff -u -r1.222 pfctl_parser.c
 --- pfctl_parser.c      4 Nov 2005 08:24:15 -0000       1.222
 +++ pfctl_parser.c      8 Aug 2006 18:24:33 -0000
 @@ -1204,7 +1204,7 @@
         struct ifg_req          *ifg;
         struct ifgroupreq        ifgr;
         int                      s, len;
 -       struct node_host        *n, *h = NULL, *hn;
 +       struct node_host        *n, *h = NULL;
 
         if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
                 err(1, "socket");
 @@ -1228,10 +1228,8 @@
                 if (h == NULL)
                         h = n;
                 else {
 -                       for (hn = h; hn->next != NULL; hn = hn->next)
 -                               ;       /* nothing */
 -                       hn->next = n;
 -                       n->tail = hn;
 +                       h->tail->next = n;
 +                       h->tail = n->tail;
                 }
         }
         free(ifgr.ifgr_groups);
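 Review bot: this hunk is content-identical to the one Daniel posted against revision 1.226; only the offset differs (`@@ -1228,10 +1228,8 @@` here versus `@@ -1232,10 +1232,8 @@` there), so the manual backport onto 1.222 carries the same two-line join and the same reliance on each member's head `tail` being valid. The expansion output posted earlier, with 192.168.206.1 present in both pf.conf2 rules, is the result this hunk should produce.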
 
 l8rZ,
 --
 andrew - ICQ# 253198 - JID: [hidden email]
 
 BOFH excuse of the day: Your cat tried to eat the mouse.