NetBSD-Bugs archive


Re: PR/53036 CVS commit: src/sys/dist/pf/net



Christos Zoulas wrote:
>  Log Message:
>  PR/53036: Alexander Nasonov: 'block user' in pf's ruleset panics 8.0_BETA
>  Check for NULL.

> +     if (so == NULL)
> +             return -1;
> +     if (so->so_cred == NULL) {
> +             DPFPRINTF(PF_DEBUG_URGENT,
> +                 ("%s: so->so_cred == NULL so=%p\n", __func__, so));
> +             return -1;
> +     }
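Review bot: The two NULL cases in this hunk are handled asymmetrically: a NULL `so` returns -1 silently, while a NULL `so->so_cred` emits a PF_DEBUG_URGENT message on every packet that reaches this path, with no rate limit, which is exactly the log flood the reply below reports. Suggest either lowering the message to a non-urgent debug level, rate-limiting it, or handling both cases the same way, since the caller only sees the `return -1` either way and the per-packet message adds nothing it can act on.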

This change fixes the panic, but my /var/log/messages is now full of
these debug messages: https://twitter.com/nasonov/status/965371936447565824

I also see that some incoming messages are blocked in /var/log/pflogd:

23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: Flags [.], seq 468711:469427, ack 149621, win 475, length 716
23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6
23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6
23:48:40.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: Flags [.], seq 0:1440, ack 2, win 271, options [nop,nop,TS val 1121107037 ecr 601], length 1440
23:48:40.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6

If I add a 'pass all' rule, this weird behaviour stops.

My new pf rules:

proxy_users="{ dnsmasq, privoxy }"
local_users="{ _tcpdump, _pflogd }"

pass all
block quick log user $local_users
block log user $proxy_users
pass on lo0 all

-- 
Alex
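To make the pflogd excerpt above easier to reason about when triaging a report like this, here is a small parser for the text form of pflog records as shown in the mail (added example, not code from the thread or from NetBSD). It takes constructed sample lines modelled on the excerpt, using RFC 5737 documentation addresses in place of the masked x's, and summarises which rule, direction and interface each block was logged against, and which records tcpdump could not decode past the IP header (printed as `ip-proto-6`, i.e. a TCP packet with no decodable transport header, typically a non-first fragment). The field layout assumed by the regular expression is the one visible in the excerpt.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the /var/log/pflogd excerpt in the
# mail above; the page masks addresses with x's, so RFC 5737 documentation
# addresses are substituted here.
SAMPLE_PFLOG = """\
23:48:33.123456 rule 0/0(match): block in on wm0: 198.51.100.7.443 > 192.0.2.10.50312: Flags [.], seq 468711:469427, ack 149621, win 475, length 716
23:48:33.123457 rule 0/0(match): block in on wm0: 198.51.100.7 > 192.0.2.10: ip-proto-6
23:48:33.123458 rule 0/0(match): block in on wm0: 198.51.100.7 > 192.0.2.10: ip-proto-6
23:48:40.000001 rule 0/0(match): block in on wm0: 203.0.113.4.80 > 192.0.2.10.50400: Flags [.], seq 0:1440, ack 2, win 271, options [nop,nop,TS val 1121107037 ecr 601], length 1440
23:48:40.000002 rule 2/0(match): block out on wm0: 192.0.2.10.40000 > 203.0.113.9.53: 12345+ A? example.com. (29)
"""

# Layout of one record as it appears in the excerpt:
#   TIME rule RULE/SUBRULE(REASON): ACTION DIR on IFACE: SRC > DST: DECODED
PFLOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\S+) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<decoded>.*)$"
)


def parse_pflog_line(line):
    """Return the fields of one pflog text record, or None if it does not parse."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Count records per (action, direction, interface, rule number)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines rather than failing
        counts[(rec["action"], rec["direction"], rec["iface"], rec["rule"])] += 1
    return counts


def undecoded_transport(text):
    """Return records where tcpdump stopped at the IP header ('ip-proto-N'),
    meaning no TCP/UDP header was decodable, typically a non-first fragment."""
    out = []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["decoded"].startswith("ip-proto-"):
            out.append(rec)
    return out


def blocks_by_rule(text, rule_number):
    """Return how many 'block' records were logged against the given rule number."""
    return sum(n for (action, _direction, _iface, rule), n in summarize(text).items()
               if action == "block" and rule == str(rule_number))


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_PFLOG).items()):
        print(key, n)
    print("undecoded transport headers:", len(undecoded_transport(SAMPLE_PFLOG)))
    print("blocks attributed to rule 0:", blocks_by_rule(SAMPLE_PFLOG, 0))
```

Grouping by rule number is the useful part when a ruleset behaves unexpectedly, as in the mail: if every block lands on one rule number, that is the rule to look at first, and a run of `ip-proto-6` records for the same address pair shows that the blocked traffic includes fragments that the decoder could not attribute to a TCP flow.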


