Bug 224415 - 460.status-mail-rejects and 520.pfdenied appear broken
Summary: 460.status-mail-rejects and 520.pfdenied appear broken
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: CURRENT
Hardware: Any
OS: Any
Importance: --- Affects Many People
Assignee: freebsd-bugs mailing list
URL:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2017-12-18 01:48 UTC by Chris Hutchinson
Modified: 2018-11-04 20:44 UTC

See Also:
Description Chris Hutchinson 2017-12-18 01:48:52 UTC
On a fresh build/install on
FreeBSD dev-box 12.0-CURRENT FreeBSD 12.0-CURRENT #0: Wed Dec 13 06:07:59 PST 2017 root@dev-box:/usr/obj/usr/src/amd64.amd64/sys/DEVBOX (r326056)

460.status-mail-rejects returns:
Checking for rejected mail hosts:
usage: fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]
       [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]
       [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]
       [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]
       [-o file] [--referer=URL] [-S bytes] [-T seconds]
       [--user-agent=agent-string] [-w seconds] URL ...
       fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]
       [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]
       [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]
       [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]
       [-o file] [--referer=URL] [-S bytes] [-T seconds]
       [--user-agent=agent-string] [-w seconds] -h host -f file [-c dir]

in the daily logs

and 520.pfdenied doesn't even show up.

Both worked fine on 9, and early 11.

Thanks!

--Chris
Comment 1 Dag-Erling Smørgrav freebsd_committer 2018-10-09 09:31:14 UTC
Can you still reproduce any of this?

There is no way 460.status-mail-rejects would ever run fetch(1), so there must be something wrong on your system.

As for 520.pfdenied, it is part of the security report, not the daily report.
Comment 2 sigsys 2018-11-04 20:44:32 UTC
I noticed the problem with 520.pfdenied not reporting denied packets anymore as well. Seems like the problem appeared when support for blacklistd anchors was added.

Here's a fix:

diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied
index e3021ce857c..69d9df78436 100755
--- a/usr.sbin/periodic/etc/security/520.pfdenied
+++ b/usr.sbin/periodic/etc/security/520.pfdenied
@@ -46,7 +46,7 @@ then
 	TMP=`mktemp -t security`
 	for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null)
 	do
-		pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+		pfctl -a "${_a}" -sr -v -z 2>/dev/null | \
 		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
 	done
 	if [ -s ${TMP} ]; then
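Review bot: the quoting fix is correct for the empty-anchor iteration, but the other expansions in the same loop should get the same treatment. The `for _a in "" $(pfctl -a "blacklistd" -sA ...)` list deliberately starts with an empty word so the main ruleset is scanned before each blacklistd sub-anchor; with `${_a}` unquoted that empty word vanishes and the command becomes `pfctl -a -sr -v -z`, so `-sr` is taken as the anchor name, the main ruleset is never listed, the error disappears into `2>/dev/null`, and the report is empty. `"${_a}"` restores the empty argument and explains why the regression coincided with the blacklistd anchor support. The command substitution itself must stay unquoted (word splitting is how each anchor becomes its own iteration), but `>> ${TMP}` and `[ -s ${TMP} ]` should become `>> "${TMP}"` and `[ -s "${TMP}" ]` for consistency. Since `-z` zeroes the counters on every run, it is also worth reconsidering the blanket `2>/dev/null`: a pfctl failure on one anchor is currently indistinguishable from "no packets denied".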