Thanks for pointing this out, it was an oversight in the recent changes to pf_test_rule().
I recommend specifying explicitly the correct protocols if you're wanting to match by user/group/os fingerprints.

block return out log proto { tcp, udp } all user = 1002

If you'd like, you can apply the patch below which will force you to do it this way, but it's not strictly necessary. (hopefully this will be in a snapshot near you soon)

On Tue, Jul 12, 2011 at 11:46:47AM -0400, Jiri B wrote:
> Hello,
>
> with latest snapshot (Jul 11 2011) I see this strange behavior
> which I haven't seen before upgrade (ping caught by strange pf
> rule).
>
> $ id ;netstat -rnf inet | grep default
> uid=1000(jirib) gid=10(users) groups=10(users), 0(wheel), 5(operator)
> default            192.168.1.1        UGS        6     1320     -    12 iwn0
>
> $ ping 192.168.1.1
> PING 192.168.1.1 (192.168.1.1): 56 data bytes
> ping: sendto: No route to host
> ping: wrote 192.168.1.1 64 chars, ret=-1
> --- 192.168.1.1 ping statistics ---
> 1 packets transmitted, 0 packets received, 100.0% packet loss
>
> OK, why? It was caught by pf:
>
> # tcpdump -i pflog0 -n -ttt -e icmp
> tcpdump: WARNING: snaplen raised from 116 to 160
>
> tcpdump: listening on pflog0, link-type PFLOG
> Jul 12 17:43:00.412525 rule 9/(match) block out on iwn0: 192.168.1.254 >
> 192.168.1.1: icmp: echo request
>
> Interesting... what is that rule?
>
> # pfctl -R 9 -vv -sr
> @9 block return out log all user = 1002
>   [ Evaluations: 275       Packets: 23        Bytes: 1912        States: 0     ]
>   [ Inserted: uid 0 pid 30333 State Creations: 0     ]
>
> So, why was ping caught by rule which should apply only to
> uid = 1002? FYI, the ping is caught for root as well?
>
> Am I doing something wrong or I haven't seen some info for
> -current followers?
>
> jirib
> --

Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.604
diff -u -p -r1.604 parse.y
--- parse.y	8 Jul 2011 18:52:47 -0000	1.604
+++ parse.y	13 Jul 2011 03:52:25 -0000
@@ -3941,9 +3941,23 @@ rule_consistent(struct pf_rule *r, int a { int problems = 0; + if (r->proto != IPPROTO_TCP && r->os_fingerprint != PF_OSFP_ANY) { + yyerror("os only applies to tcp"); + problems++; + } if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && (r->src.port_op || r->dst.port_op)) { yyerror("port only applies to tcp/udp"); + problems++; + } + if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && + r->uid.op) { + yyerror("user only applies to tcp/udp"); + problems++; + } + if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && + r->gid.op) { + yyerror("group only applies to tcp/udp"); problems++; } if (r->proto != IPPROTO_ICMP && r->proto != IPPROTO_ICMPV6 &&
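Review bot: the three new tcp/udp conditions in rule_consistent() repeat the same `r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP` test for port, user and group, which invites the next option to be added with a copy-paste mistake; nesting the three checks under one shared `if` (or a small helper) would keep the port, uid.op and gid.op cases in one place. Note also that because `r->proto` is 0 for a rule with no `proto` keyword, the new checks turn `block return out log all user = 1002` from a silently over-matching rule into a hard parse error, which is the intended effect but should be called out in the commit message and in pf.conf(5), since existing rulesets that load today will stop loading after this change. The os check is stricter than the others (`r->proto != IPPROTO_TCP` only), which matches the "os only applies to tcp" message; the user/group messages could similarly point the user at the fix, e.g. "user only applies to tcp/udp (specify proto tcp or udp)", so the error alone tells them what to change.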