Date:      Thu, 12 Jul 2007 11:56:42 -0400
From:      "Scott Ullrich" <sullrich@gmail.com>
To:        adler <adler@smtp.ru>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Seems like pf skips some packets.
Message-ID:  <d5992baf0707120856n31c0480aw6209be33820e3e30@mail.gmail.com>
In-Reply-To: <241432407.20070712131014@smtp.ru>
References:  <241432407.20070712131014@smtp.ru>

On 7/12/07, Alexey Sopov <adler@smtp.ru> wrote:
>   Hi
>
>   On my machine with FreeBSD 6.2-STABLE #4 I noticed there are
>   outgoing packets from net 192.168.0.0/16 on the external interface.
>
>   Some details:
>   Here 1 < a,b,c,d,e,f < 254
>
>
> ~> ifconfig internal
> internal: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>         ether 00:04:23:b0:53:ca
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>         status: active
> ~> ifconfig external
> external: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=48<VLAN_MTU,POLLING>
>         inet a.b.c.22 netmask 0xfffffffc broadcast a.b.c.23
>         ether 00:02:b3:4c:83:6e
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
>
> ~> grep -v '^#' /etc/pf.conf | grep mynet
> table <mynet> { 192.168.0.0/16, 172.16.0.0/16 }
>
> ~> sudo pfctl -s a | less
> No ALTQ support in kernel
> ALTQ related functions disabled
> TRANSLATION RULES:
> nat on external inet from <mynet> to ! <mynet> -> a.b.d.240/28 bitmask
> rdr on external inet proto tcp from any to a.b.e.1 port = ftp -> 192.168.0.2 port 21
> rdr on external inet proto udp from any to a.b.e.1 port = 4127 -> 192.168.0.2 port 4127
> rdr on external inet proto tcp from any to a.b.e.1 port = 4899 -> 192.168.0.2 port 4899
> rdr on external inet proto tcp from any to a.b.c.22 port = 4022 -> 172.16.56.57 port 22
>
> FILTER RULES:
> pass in all
> pass out all
> pass out quick on external inet from a.b.c.20/30 to any
> pass out quick on external inet from a.b.d.224/27 to any
> pass out quick on external inet from a.b.e.0/24 to any
> block drop out on external all
>
> STATES:
> #a lot of states
>
> INFO:
> Status: Enabled for 0 days 11:06:40           Debug: Urgent
>
> Hostid: 0x2055eb8b
>
> State Table                          Total             Rate
>   current entries                     4182
>   searches                       250779576         6269.5/s
>   inserts                          1877065           46.9/s
>   removals                         1872883           46.8/s
> Counters
>   match                          165990128         4149.8/s
>   bad-offset                             0            0.0/s
>   fragment                              15            0.0/s
>   short                                  2            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                           4550            0.1/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                      6233            0.2/s
>   state-insert                           0            0.0/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>
> TIMEOUTS:
> tcp.first                    30s
> tcp.opening                   5s
> tcp.established           18000s
> tcp.closing                  60s
> tcp.finwait                  30s
> tcp.closed                   30s
> tcp.tsdiff                   10s
> udp.first                    60s
> udp.single                   30s
> udp.multiple                 60s
> icmp.first                   20s
> icmp.error                   10s
> other.first                  60s
> other.single                 30s
> other.multiple               60s
> frag                          5s
> interval                      2s
> adaptive.start                0 states
> adaptive.end                  0 states
> src.track                     0s
>
> LIMITS:
> states     hard limit  50000
> src-nodes  hard limit  30000
> frags      hard limit  50000
>
> TABLES:
> mynet
>
> OS FINGERPRINTS:
> 348 fingerprints loaded
>
>
> Here I try to catch packets on external interface:
>
> ~> sudo tcpdump -ni external src net 192.168.0.0/16
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on external, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
> 12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
> 12:59:44.401933 IP 192.168.46.101.1650 > 81.176.76.116.80: . ack 669974985 win 0
> 12:59:44.401946 IP 192.168.54.12.2124 > 194.145.212.35.80: . ack 2208596276 win 0
> 12:59:44.401958 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1166126606 win 0
> 12:59:44.401971 IP 192.168.46.101.1652 > 81.19.80.2.80: . ack 1004425830 win 0
> 12:59:44.401983 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1120457487 win 0
> 12:59:44.401995 IP 192.168.54.71.1578 > 87.248.217.79.80: . ack 2473371997 win 0
> 12:59:44.402022 IP 192.168.38.49.4183 > 65.54.195.188.80: . ack 964472648 win 0
> 12:59:44.402041 IP 192.168.42.90.60363 > 66.249.93.91.80: . ack 2862783680 win 0
> 12:59:44.402055 IP 192.168.46.46.58867 > 89.188.102.70.80: . ack 2523375288 win 0
> 12:59:44.402075 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 0 win 0
> 12:59:44.402087 IP 192.168.60.38.2050 > 66.235.180.76.8080: . ack 2443543023 win 0
> 12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
> 12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: . ack 1482657113 win 0
> 12:59:49.400190 IP 192.168.42.124.1314 > 81.19.80.2.80: . ack 1518361964 win 0
> 12:59:49.400202 IP 192.168.42.124.1315 > 217.16.26.60.80: . ack 2295931572 win 0
> 12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
> 12:59:49.400229 IP 192.168.42.124.1311 > 81.222.128.13.80: . ack 1477893358 win 0
> 12:59:49.400242 IP 192.168.42.60.61035 > 203.75.40.14.21: . ack 2868867767 win 0
> 12:59:49.400255 IP 192.168.42.124.1309 > 194.67.23.108.80: . ack 2813951723 win 0
> 12:59:49.400269 IP 192.168.38.16.1311 > 88.85.78.58.80: . ack 3157990844 win 0
> 12:59:49.400281 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1 win 0
> 12:59:49.400318 IP 192.168.11.118.2487 > 213.180.214.31.80: . ack 0 win 0
> 12:59:49.400331 IP 192.168.52.33.64997 > 193.192.41.2.80: . ack 69990011 win 0
> 12:59:49.400352 IP 192.168.24.16.1047 > 64.12.31.144.5190: . ack 2248286157 win 0
> 12:59:49.400371 IP 192.168.60.38.2057 > 66.235.180.76.8080: . ack 2458160570 win 0
> 12:59:49.400383 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 1 win 0
> ^C
> 28 packets captured
> 45864 packets received by filter
> 0 packets dropped by kernel
>
> Why weren't these packets translated by the pf nat rules or filtered by
> the pf block rule?
>
> Note they appear once every five seconds. I tried to modify the frag
> parameter, but this didn't help. Also I noticed they all have the ACK bit set.
>
> Thank you.

What is the date of your build (uname -a)? There was a commit
recently to fix fragmented packets w/ hardware checksums:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf_norm.c.diff?r1=1.11.2.4;r2=1.11.2.5;only_with_tag=RELENG_6

Maybe you just need to cvsup and build a new kernel / world?

Scott
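A check a defender can run over a capture like the one quoted above, as an added example that is not part of this thread: it parses tcpdump lines, flags packets whose source falls in the <mynet> table (192.168.0.0/16, 172.16.0.0/16) and therefore left the external interface untranslated, then isolates the ACK-only, window-0 packets and the gaps between their bursts. The sample lines are constructed in the style of the quoted capture, not the original data.

```python
import ipaddress
import re

# The <mynet> table from the quoted pf.conf: packets from these networks should
# have been rewritten by the nat rule or dropped by the block rule on "external".
MYNET = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("172.16.0.0/16")]

# Constructed sample in the style of the quoted tcpdump output (not the original capture).
SAMPLE = """\
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:44.401933 IP 10.2.3.4.1650 > 81.176.76.116.80: . ack 669974985 win 0
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: P 1:20(19) ack 5 win 65535
12:59:50.100000 IP 192.168.42.124.1314 > 81.19.80.2.80: S 100:100(0) win 65535
"""

# Old-style tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ts = m.group("ts")
    return {
        "second": int(ts[0:2]) * 3600 + int(ts[3:5]) * 60 + int(ts[6:8]),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),        # "." means ACK only, "S" = SYN, "P" = PSH, ...
        "ack": " ack " in f" {rest} ",    # an ack number is present
        "win0": rest.endswith("win 0"),
    }

def leaked_packets(capture):
    """Packets seen on the external interface with an untranslated <mynet> source."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    return [p for p in pkts if any(p["src"] in n for n in MYNET)]

def bare_ack_win0(pkts):
    """Subset matching the reported pattern: ACK-only segments advertising window 0."""
    return [p for p in pkts if p["flags"] == "." and p["ack"] and p["win0"]]

def gaps_between_bursts(pkts):
    """Seconds between the distinct whole-second timestamps (the report saw ~5s)."""
    secs = sorted({p["second"] for p in pkts})
    return [b - a for a, b in zip(secs, secs[1:])]
```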