NetBSD-Bugs archive
Re: PR/53036 CVS commit: src/sys/dist/pf/net
The following reply was made to PR kern/53036; it has been noted by GNATS.
From: Alexander Nasonov <alnsn%yandex.ru@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost, alnsn%NetBSD.org@localhost
Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net
Date: Mon, 19 Feb 2018 00:16:24 +0000
Christos Zoulas wrote:
> Log Message:
> PR/53036: Alexander Nasonov: 'block user' in pf's ruleset panics 8.0_BETA
> Check for NULL.
> + if (so == NULL)
> + return -1;
> + if (so->so_cred == NULL) {
> + DPFPRINTF(PF_DEBUG_URGENT,
> + ("%s: so->so_cred == NULL so=%p\n", __func__, so));
> + return -1;
> + }
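Review bot: the DPFPRINTF in the so->so_cred == NULL branch fires at PF_DEBUG_URGENT for every packet that reaches it, so any ruleset with a 'user' rule evaluated per packet will flood the log, which is what the reporter observes; logging once, rate-limiting, or lowering the level to PF_DEBUG_MISC would be safer. The two branches are also handled inconsistently: `if (so == NULL) return -1;` is silent while the so_cred case logs as urgent, and because both return -1 the caller cannot tell "no socket found" from "socket without a credential", even though the message text treats the latter as unexpected. The commit log ("Check for NULL.") does not say why so_cred can be NULL on this path; that is worth recording.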
This change fixes the panic, but my /var/log/messages is now full of
these debug messages: https://twitter.com/nasonov/status/965371936447565824
I also see that some incoming messages are blocked in /var/log/pflogd:
23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: Flags [.], seq 468711:469427, ack 149621, win 475, length 716
23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6
23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6
23:48:40.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: Flags [.], seq 0:1440, ack 2, win 271, options [nop,nop,TS val 1121107037 ecr 601], length 1440
23:48:40.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6
If I add a 'pass all' rule, this weird behaviour stops.
My new pf rules:
proxy_users="{ dnsmasq, privoxy }"
local_users="{ _tcpdump, _pflogd }"
pass all
block quick log user $local_users
block log user $proxy_users
pass on lo0 all
--
Alex
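As an added example (not code from the PR, the reporter, or NetBSD), a small Python triage script that parses pflog lines in the tcpdump format quoted above and maps each logged rule number back to the reporter's ruleset. The log lines and addresses are constructed, and the rule-number mapping assumes a flat ruleset with only pass/block/match rules and macros (no anchors, options or translation rules).

```python
import re
from collections import Counter

# Constructed sample in the pflog/tcpdump format quoted in the report;
# addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_PFLOG = """\
23:48:33.100001 rule 1/0(match): block in on wm0: 192.0.2.10.443 > 192.0.2.20.51000: Flags [.], seq 468711:469427, ack 149621, win 475, length 716
23:48:33.100002 rule 1/0(match): block in on wm0: 192.0.2.10 > 192.0.2.20: ip-proto-6
23:48:33.100003 rule 1/0(match): block in on wm0: 192.0.2.10 > 192.0.2.20: ip-proto-6
23:48:40.200001 rule 1/0(match): block in on wm0: 192.0.2.10.443 > 192.0.2.20.51000: Flags [.], seq 0:1440, ack 2, win 271, options [nop,nop,TS val 1121107037 ecr 601], length 1440
23:48:41.000001 rule 2/0(match): block out on wm0: 192.0.2.20.51001 > 192.0.2.10.443: Flags [S], seq 0, win 65535, length 0
"""

# The reporter's ruleset, used to map pflog rule numbers back to rule text.
SAMPLE_RULESET = """\
proxy_users="{ dnsmasq, privoxy }"
local_users="{ _tcpdump, _pflogd }"
pass all
block quick log user $local_users
block log user $proxy_users
pass on lo0 all
"""

PFLOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if it is not in that format."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"], rec["sub"] = int(rec["rule"]), int(rec["sub"])
    rest = rec.pop("rest")
    # tcpdump prints "ip-proto-6" (6 = TCP) when it did not decode a TCP header;
    # a decoded segment shows Flags/seq/ack and a length instead.
    rec["decoded_tcp"] = rest.startswith("Flags")
    length = re.search(r"length (\d+)", rest)
    rec["length"] = int(length.group(1)) if length else None
    return rec

def filter_rules(ruleset):
    """Filter rules in ruleset order; pflog 'rule N' is the N-th one (0-based).
    Assumption: flat ruleset, so macros/comments are skipped and nothing else counts."""
    return [l.strip() for l in ruleset.splitlines()
            if l.strip().split(" ", 1)[0] in ("pass", "block", "match")]

def summarize(pflog_text, ruleset):
    """Count blocked packets per (direction, interface, rule text) and undecoded TCP."""
    rules = filter_rules(ruleset)
    blocked, undecoded = Counter(), 0
    for line in pflog_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        rule_text = rules[rec["rule"]] if rec["rule"] < len(rules) else "?"
        blocked[(rec["dir"], rec["iface"], rule_text)] += 1
        if not rec["decoded_tcp"]:
            undecoded += 1
    return blocked, undecoded
```

Running summarize(SAMPLE_PFLOG, SAMPLE_RULESET) attributes the four inbound blocks to "block quick log user $local_users" and reports two undecoded TCP packets.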