From: Kian Mohageri
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 19:50:02 GMT
Message-Id: <200803131950.m2DJo2Ir006726@freefall.freebsd.org>

The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Kian Mohageri
To: Laurent Frigault
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 12:44:48 -0700

Laurent Frigault wrote:
> On Thu, Mar 13, 2008 at 11:29:52AM -0700, Kian Mohageri wrote:
>> Does the state-mismatch counter increase when this happens (pfctl -si)?
>
> I re-ran the test and yes, the state-mismatch counter increase is
> exactly the number of connects failing with EPERM.
>
>> I remember similar behavior and it was caused by source port reuse on
>> the client (so the new connection caused a state mismatch on an old
>> state).
>
> The previous connections are closed.
> If the source port can't be reused yet, then the kernel should use
> another one for the new connection. If it can, then pf should allow it.
>
> If the connect (SYN) does not match an existing state, the pf rule
> should create a new state.

It does "match" a state (source/dest is the same), which is the problem.
Even though the connection is closed, the state hasn't yet been purged.

Refer to pf.conf(5) for how to adjust tcp.closed so the state is purged
sooner, or adjust the available dynamic port range
(sysctl net.inet.ip.portrange).

I don't know if this is intended behavior or not.

I've never run into it on OpenBSD, but pf is integrated much more tightly
into their system obviously and I'm guessing their port reuse code is
pretty different too.
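The diagnostic the thread settles on (compare the state-mismatch counter from `pfctl -si` before and after a burst of EPERM failures) and the two mitigations the reply points at can be scripted. The following is an added example, not code from the thread or from the FreeBSD project; the `pfctl -si` snapshots are constructed sample text, and the tcp.closed and portrange values in the comments are illustrative choices, not recommended defaults.

```sh
#!/bin/sh
# Added example: correlate EPERM connect() failures with pf's
# state-mismatch counter, the check Kian asks for in the thread.

# Read `pfctl -si` output on stdin and print the state-mismatch counter.
state_mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; exit }'
}

# Print how much the counter grew between two snapshots.
mismatch_delta() {
    echo $(( $2 - $1 ))
}

# Exit 0 when the counter grew between snapshots (state mismatch suspected
# as the cause of the EPERM errors), 1 otherwise.
mismatch_suspected() {
    [ "$(mismatch_delta "$1" "$2")" -gt 0 ]
}

# Constructed sample snapshots (not captured output). On a live host use:
#   before=$(pfctl -si | state_mismatch_count)
#   ... run the failing connect() test ...
#   after=$(pfctl -si | state_mismatch_count)
SAMPLE_BEFORE='Status: Enabled for 0 days 01:02:03           Debug: Urgent

Counters
  match                               1234            0.3/s
  state-mismatch                        12            0.0/s
  state-insert                           0            0.0/s'

SAMPLE_AFTER='Status: Enabled for 0 days 01:02:10           Debug: Urgent

Counters
  match                               1260            0.3/s
  state-mismatch                        17            0.0/s
  state-insert                           0            0.0/s'

before=$(printf '%s\n' "$SAMPLE_BEFORE" | state_mismatch_count)
after=$(printf '%s\n' "$SAMPLE_AFTER" | state_mismatch_count)

if mismatch_suspected "$before" "$after"; then
    echo "state-mismatch grew by $(mismatch_delta "$before" "$after"):" \
         "closed states are still matching reused source ports"
    # Mitigation 1 (pf.conf): purge fully closed states sooner than the
    # tcp.closed default of 90 s documented in pf.conf(5); 10 is an example.
    #   set timeout tcp.closed 10
    # Mitigation 2 (sysctl): widen the ephemeral port range so a source port
    # is not reused while its old state still exists; values are examples.
    #   sysctl net.inet.ip.portrange.first=10000
    #   sysctl net.inet.ip.portrange.last=65535
else
    echo "state-mismatch unchanged; look elsewhere for the EPERM cause"
fi
```

Run the script as-is to see the check against the constructed snapshots; on a pf host, replace the two samples with real `pfctl -si` captures taken around the failing test, and confirm the delta equals the number of EPERM errors before touching the timeout or port range.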