From owner-freebsd-pf@FreeBSD.ORG Sun Dec 18 09:08:29 2005
From: Andrew Thompson
To: freebsd-pf@freebsd.org
Date: Sun, 18 Dec 2005 22:08:22 +1300
Subject: Re: cvs commit: src/sys/contrib/pf/net pf.c pfvar.h

On Wed, Jul 20, 2005 at 06:58:27PM +0000, Max Laier wrote:
> mlaier      2005-07-20 18:58:27 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/contrib/pf/net   pf.c pfvar.h
>   Log:
>   Prevent a race condition.  As pf_send_tcp() - called for expired synproxy
>   states - has to drop the lock when calling back to ip_output(), the state
>   purge timeout might run and gc the state.  This results in a rb-tree
>   inconsistency.  With this change we flag expiring states while holding the
>   lock and back off if the flag is already set.

This commit seems to have broken net/pfflowd in ports. It still receives
packets from pfsync0 but nothing with action == PFSYNC_ACT_DEL. I am at a
loss as to why.

>   Reported by:    glebius
>   MFC after:      2 weeks
>
>   Revision  Changes    Path
>   1.35      +5 -0      src/sys/contrib/pf/net/pf.c
>   1.12      +3 -0      src/sys/contrib/pf/net/pfvar.h

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 19 03:21:37 2005
Date: Mon, 19 Dec 2005 16:21:29 +1300
From: Andrew Thompson
To: freebsd-pf@freebsd.org
Cc: mlaier@freebsd.org, dhartmei@freebsd.org
Subject: Re: cvs commit: src/sys/contrib/pf/net pf.c pfvar.h

On Sun, Dec 18, 2005 at 10:08:22PM +1300, Andrew Thompson wrote:
> On Wed, Jul 20, 2005 at 06:58:27PM +0000, Max Laier wrote:
> > mlaier      2005-07-20 18:58:27 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sys/contrib/pf/net   pf.c pfvar.h
> >   Log:
> >   Prevent a race condition.  As pf_send_tcp() - called for expired synproxy
> >   states - has to drop the lock when calling back to ip_output(), the state
> >   purge timeout might run and gc the state.  This results in a rb-tree
> >   inconsistency.  With this change we flag expiring states while holding the
> >   lock and back off if the flag is already set.
>
> This commit seems to have broken net/pfflowd in ports. It still receives
> packets from pfsync0 but nothing with action == PFSYNC_ACT_DEL.

More specifically the pfsync_delete_state() macro is broken.

pf_purge_expired_state(struct pf_state *cur)
{
        if (cur->sync_flags & PFSTATE_EXPIRING)
                return;
        cur->sync_flags |= PFSTATE_EXPIRING;
<...>
        pfsync_delete_state(cur);

But this will not do anything since sync_flags is now non-zero, as it is
checked in the macro.

#define pfsync_delete_state(st) do {                            \
        if (!st->sync_flags)                                    \
                pfsync_pack_state(PFSYNC_ACT_DEL, (st),         \
                    PFSYNC_FLAG_COMPRESS);                      \
        st->sync_flags &= ~PFSTATE_FROMSYNC;                    \
} while (0)

-- 
Andrew

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 19 11:02:49 2005
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 19 Dec 2005 11:02:24 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271  pf     [pf] cbq scheduler cause bad latency
f [2005/07/31]  kern/84370  pf     [modules] Unload pf.ko cause page fault
f [2005/09/13]  kern/86072  pf     [pf] Packet Filter rule not working prope

3 problems total.

Non-critical problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042  pf     [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09]  kern/90148  pf     [pf] pf_enable="YES" -> Fatal trap 12: pa

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 19 12:19:30 2005
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Andrew Thompson, dhartmei@freebsd.org
Date: Mon, 19 Dec 2005 13:19:29 +0100
Subject: Re: cvs commit: src/sys/contrib/pf/net pf.c pfvar.h

On Monday 19 December 2005 04:21, Andrew Thompson wrote:
> On Sun, Dec 18, 2005 at 10:08:22PM +1300, Andrew Thompson wrote:
> > On Wed, Jul 20, 2005 at 06:58:27PM +0000, Max Laier wrote:
> > > mlaier      2005-07-20 18:58:27 UTC
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     sys/contrib/pf/net   pf.c pfvar.h
> > >   Log:
> > >   Prevent a race condition.  As pf_send_tcp() - called for expired
> > >   synproxy states - has to drop the lock when calling back to
> > >   ip_output(), the state purge timeout might run and gc the state.  This
> > >   results in a rb-tree inconsistency.  With this change we flag expiring
> > >   states while holding the lock and back off if the flag is already set.
> >
> > This commit seems to have broken net/pfflowd in ports. It still receives
> > packets from pfsync0 but nothing with action == PFSYNC_ACT_DEL.
>
> More specifically the pfsync_delete_state() macro is broken.
>
> pf_purge_expired_state(struct pf_state *cur)
> {
>         if (cur->sync_flags & PFSTATE_EXPIRING)
>                 return;
>         cur->sync_flags |= PFSTATE_EXPIRING;
> <...>
>         pfsync_delete_state(cur);
>
> But this will not do anything since sync_flags is now non-zero, as it is
> checked in the macro.
>
> #define pfsync_delete_state(st) do {                            \
>         if (!st->sync_flags)                                    \
>                 pfsync_pack_state(PFSYNC_ACT_DEL, (st),         \
>                     PFSYNC_FLAG_COMPRESS);                      \
>         st->sync_flags &= ~PFSTATE_FROMSYNC;                    \
> } while (0)

Ouch - good catch! Quick fix, using pad-space, attached. Not sure if this
is the best solution, but it certainly is the least invasive. Looking at
the current OpenBSD code we still have 8bit padding somewhere in struct
pf_state, so we can continue like this. I will commit and MFC this, unless I
hear complaints.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="pf_state_expiring.diff"

Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.38
diff -u -r1.38 pf.c
--- pf.c	5 Dec 2005 11:58:31 -0000	1.38
+++ pf.c	19 Dec 2005 12:11:22 -0000
@@ -1102,9 +1102,9 @@ pf_purge_expired_state(struct pf_state *cur) { #ifdef __FreeBSD__ =2D if (cur->sync_flags & PFSTATE_EXPIRING) + if (cur->local_flags & PFSTATE_EXPIRING) return; =2D cur->sync_flags |=3D PFSTATE_EXPIRING; + cur->local_flags |=3D PFSTATE_EXPIRING; #endif if (cur->src.state =3D=3D PF_TCPS_PROXY_DST) pf_send_tcp(cur->rule.ptr, cur->af, Index: pfvar.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pfvar.h,v retrieving revision 1.12 diff -u -r1.12 pfvar.h =2D-- pfvar.h 20 Jul 2005 18:58:27 -0000 1.12 +++ pfvar.h 19 Dec 2005 12:09:51 -0000 
@@ -791,9 +791,11 @@ #define PFSTATE_FROMSYNC 0x02 #define PFSTATE_STALE 0x04 #ifdef __FreeBSD__ =2D#define PFSTATE_EXPIRING 0x10 =2D#endif + u_int8_t local_flags; +#define PFSTATE_EXPIRING 0x01 +#else u_int8_t pad; +#endif }; =20 TAILQ_HEAD(pf_rulequeue, pf_rule);
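Review bot: in the pf.c hunk (@@ -1102), `cur->local_flags |= PFSTATE_EXPIRING` is set on a field this patch introduces but never initialises, and the early `return` on a set bit means a state whose local_flags is not zeroed at allocation would be skipped by the purge and never freed. Worth confirming that pf_state allocations are zero-filled (or clearing local_flags where the state is created) and saying so in a comment next to the check; also note the bit is never cleared here, which is fine only because the state is expected to be freed right after.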
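Review bot: in the pfvar.h hunk (@@ -791), PFSTATE_EXPIRING becomes 0x01 on local_flags but sits directly under the sync_flags defines (PFSTATE_FROMSYNC 0x02, PFSTATE_STALE 0x04), and until this patch 0x10 was a sync_flags bit; a one-line comment that local_flags bits are host-local and must never be tested against or packed into sync_flags would prevent a repeat of exactly the bug being fixed. Replacing `u_int8_t pad;` with `u_int8_t local_flags;` keeps sizeof(struct pf_state) unchanged, which is the ABI point the cover mail makes, and the commit message should state that for the MFC.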
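The macro interaction Andrew describes and the effect of Max's patch, as an added user-space model that is not code from the FreeBSD tree: the original commit's marker in sync_flags silences pfsync_delete_state(), while a marker in the separate local_flags byte keeps the back-off guard and still emits the DEL. The struct layout, the pfsync_pack_del() stand-in and the counters are assumptions of the model; the flag values follow the mails above.

```c
/* Added example, not FreeBSD code: model of pf_purge_expired_state() vs the
 * pfsync_delete_state() macro quoted in this thread. Structs, counters and
 * pfsync_pack_del() are stand-ins; flag values follow the mails. */
#include <stdint.h>
#include <stdio.h>

/* sync_flags bits visible in the pfvar.h hunk, plus the bit the original
 * commit added to the same byte. */
#define PFSTATE_FROMSYNC     0x02
#define PFSTATE_STALE        0x04
#define PFSTATE_EXPIRING_OLD 0x10   /* original commit: lives in sync_flags */
#define PFSTATE_EXPIRING     0x01   /* patch: lives in local_flags */

struct pf_state {
	uint8_t sync_flags;    /* bits pfsync looks at */
	uint8_t local_flags;   /* host-local bits; was "pad" before the patch */
};

/* Number of PFSYNC_ACT_DEL messages the pfsync stand-in has emitted. */
static int del_sent;

/* Stand-in for pfsync_pack_state(PFSYNC_ACT_DEL, st, PFSYNC_FLAG_COMPRESS). */
static void pfsync_pack_del(struct pf_state *st)
{
	(void)st;
	del_sent++;
}

/* Same logic as the macro Andrew quoted: a DEL is announced only for a
 * state whose sync_flags byte is entirely zero. */
#define pfsync_delete_state(st) do {                 \
	if (!(st)->sync_flags)                       \
		pfsync_pack_del(st);                 \
	(st)->sync_flags &= ~PFSTATE_FROMSYNC;       \
} while (0)

/* Before the patch: the marker is set in sync_flags, so by the time the
 * macro runs the byte is non-zero and nothing is announced. */
int purge_old(struct pf_state *cur)
{
	if (cur->sync_flags & PFSTATE_EXPIRING_OLD)
		return 0;   /* another expiry is in progress: back off */
	cur->sync_flags |= PFSTATE_EXPIRING_OLD;
	/* (the real code drops the lock here for pf_send_tcp() on synproxy) */
	pfsync_delete_state(cur);
	return 1;
}

/* After the patch: the marker moves to local_flags, sync_flags stays zero,
 * the DEL goes out and the back-off guard still works. */
int purge_new(struct pf_state *cur)
{
	if (cur->local_flags & PFSTATE_EXPIRING)
		return 0;
	cur->local_flags |= PFSTATE_EXPIRING;
	pfsync_delete_state(cur);
	return 1;
}

/* DEL messages emitted when one locally created state is purged. */
int dels_for_one_purge(int (*purge)(struct pf_state *))
{
	struct pf_state st = { 0, 0 };
	del_sent = 0;
	purge(&st);
	return del_sent;
}

/* A state learnt from a peer (PFSTATE_FROMSYNC) must not be announced
 * back; both variants agree on that. */
int dels_for_fromsync_state(int (*purge)(struct pf_state *))
{
	struct pf_state st = { PFSTATE_FROMSYNC, 0 };
	del_sent = 0;
	purge(&st);
	return del_sent;
}

/* 1 if a second purge of the same state is refused (the race guard). */
int second_purge_refused(int (*purge)(struct pf_state *))
{
	struct pf_state st = { 0, 0 };
	purge(&st);
	return purge(&st) == 0;
}

int main(void)
{
	printf("old: %d DEL, new: %d DEL\n",
	    dels_for_one_purge(purge_old), dels_for_one_purge(purge_new));
	return 0;
}
```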
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 22 19:12:26 2005
From: Bruno Afonso
To: freebsd-pf@freebsd.org
Date: Thu, 22 Dec 2005 19:12:26 +0000
Subject: connections weirdness

Hey guys (and gals!),

I'm hitting what seems to be a bug on PF @ FreeBSD 6-stable:

6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Nov 20 05:14:34 WET 2005

If I do a pfctl -vvsS | grep connections I get some lines like this:

10.10.11.208 -> 0.0.0.0 ( states 3, connections 4294967295, rate 0.0/0s )
10.10.13.213 -> 0.0.0.0 ( states 2, connections 4294967294, rate 0.0/0s )
10.10.14.236 -> 0.0.0.0 ( states 96, connections 4294967013, rate 0.0/0s )
10.10.12.238 -> 0.0.0.0 ( states 9, connections 4294967281, rate 0.0/0s )

I also get a normal number of connections, like 2, 10, 20, 30, etc. Now,
this number is completely insane, especially if we take into account the
rule that creates it:

ala# pfctl -vvsS |grep 10.10.11.208 -A1
10.10.11.208 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/0s )
  age 02:22:00, 657 pkts, 39752 bytes, filter rule 171
--
10.10.11.208 -> 0.0.0.0 ( states 1, connections 4294967295, rate 0.0/0s )
  age 02:22:15, 618 pkts, 52535 bytes, filter rule 148

ala# pfctl -vvsr |grep @148 -A1
@148 pass in log on fxp0 from to any keep state (max 5000, source-track rule, max-src-states 120, max-src-conn 100) queue p2p
  [ Evaluations: 43699     Packets: 353469    Bytes: 122287213   States: 210   ]

I have been seeing this on rules in which I use max-src-conn but not on
others. So, what might be happening here? Hasn't anyone seen this before?
Also notice how similar the connections are, with the first 7 numbers equal.

BA

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 22 21:17:28 2005
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 22 Dec 2005 22:17:26 +0100
Subject: Re: connections weirdness

On Thursday 22 December 2005 20:12, Bruno Afonso wrote:
> Hey guys (and gals!),
>
> I'm hitting what seems to be a bug on PF @ FreeBSD 6-stable:
>
> 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Nov 20 05:14:34 WET 2005
>
> If I do a pfctl -vvsS | grep connections I get some lines like this:
>
> 10.10.11.208 -> 0.0.0.0 ( states 3, connections 4294967295, rate 0.0/0s )
> 10.10.13.213 -> 0.0.0.0 ( states 2, connections 4294967294, rate 0.0/0s )
> 10.10.14.236 -> 0.0.0.0 ( states 96, connections 4294967013, rate 0.0/0s )
> 10.10.12.238 -> 0.0.0.0 ( states 9, connections 4294967281, rate 0.0/0s )
>
> I also get a normal number of connections, like 2, 10, 20, 30, etc. Now,
> this number is completely insane, especially if we take into account the
> rule that creates it:
>
> ala# pfctl -vvsS |grep 10.10.11.208 -A1
> 10.10.11.208 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/0s )
>   age 02:22:00, 657 pkts, 39752 bytes, filter rule 171
> --
> 10.10.11.208 -> 0.0.0.0 ( states 1, connections 4294967295, rate 0.0/0s )
>   age 02:22:15, 618 pkts, 52535 bytes, filter rule 148
>
> ala# pfctl -vvsr |grep @148 -A1
> @148 pass in log on fxp0 from to any keep state
> (max 5000, source-track rule, max-src-states 120, max-src-conn 100)
> queue p2p
>   [ Evaluations: 43699     Packets: 353469    Bytes: 122287213
>     States: 210   ]
>
> I have been seeing this on rules in which I use max-src-conn but not on
> others. So, what might be happening here? Hasn't anyone seen this
> before? Also notice how similar the connections are, with the first 7
> numbers equal.

This is an underflow of the connection counter which is fixed in OpenBSD's pf.c
rev. 1.499. Unfortunately, the fix involves breaking ABI and thus is not
easily imported. Here is a local fix - please try and report back.

Content-Disposition: attachment; filename="pf_state_conn.diff"

Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.39
diff -u -r1.39 pf.c
--- pf.c	20 Dec 2005 00:33:33 -0000	1.39
+++ pf.c	22 Dec 2005 21:15:53 -0000
@@ -742,6 +742,9 @@ int bad =3D 0; =20 (*state)->src_node->conn++; +#ifdef __FreeBSD__ + (*state)->local_flags |=3D PFSTATE_SRC_CONN; +#endif pf_add_threshold(&(*state)->src_node->conn_rate); =20 if ((*state)->rule.ptr->max_src_conn && @@ -1074,8 +1077,12 @@ =20 if (s->src_node !=3D NULL) { if (s->proto =3D=3D IPPROTO_TCP) { +#ifdef __FreeBSD__ + if (s->local_flags & PFSTATE_SRC_CONN) +#else if (s->src.state =3D=3D PF_TCPS_PROXY_DST || s->timeout >=3D PFTM_TCP_ESTABLISHED) +#endif --s->src_node->conn; } if (--s->src_node->states <=3D 0) { Index: pfvar.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pfvar.h,v retrieving revision 1.13 diff -u -r1.13 pfvar.h =2D-- pfvar.h 20 Dec 2005 00:33:33 -0000 1.13 +++ pfvar.h 22 Dec 2005 21:13:34 -0000 
@@ -793,6 +793,7 @@ #ifdef __FreeBSD__ u_int8_t local_flags; #define PFSTATE_EXPIRING 0x01 +#define PFSTATE_SRC_CONN 0x02 #else u_int8_t pad; #endif

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 22 21:55:10 2005
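Review bot: in the first pf.c hunk (@@ -742), PFSTATE_SRC_CONN is set immediately after `(*state)->src_node->conn++;`, so the flag means "conn was incremented for this state" and the later decrement can trust it; that invariant deserves a one-line comment, and it only holds if this is the sole site that increments src_node->conn, so any other `conn++` needs the same flag or the counter drifts again. The `if ((*state)->rule.ptr->max_src_conn &&` check that follows is cut off in the hunk; since the flag is set before it, a state rejected by that limit is still accounted for correctly on removal, which is worth stating in the commit message.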
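Review bot: in the second pf.c hunk (@@ -1074), the flag test replaces `s->src.state == PF_TCPS_PROXY_DST || s->timeout >= PFTM_TCP_ESTABLISHED` but remains nested under `if (s->proto == IPPROTO_TCP)`; that is correct only if the increment in the first hunk is reachable for TCP states alone, otherwise a flagged non-TCP state would never be decremented. The `#ifdef __FreeBSD__` / `#else` keeps the OpenBSD condition in the `#else` branch, so a comment pointing at the OpenBSD pf.c rev. 1.499 fix named in the cover mail would mark this as a local deviation to drop once that change is imported.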
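The counter underflow Bruno reports and the accounting change in the patch above, as an added user-space model that is not code from the FreeBSD tree. It assumes, from the hunk context, that `conn++` runs when a TCP handshake completes and that the old removal rule infers "was counted" from the timeout class; the PFTM_ ordering follows pfvar.h, while the struct layouts, the abort scenario (timeout moved to PFTM_TCP_CLOSED without ever reaching ESTABLISHED) and the PF_TCPS_PROXY_DST value are stand-ins chosen for the model.

```c
/* Added example, not FreeBSD code: model of pf's per-source connection
 * counter with the old removal rule and the flag-based rule from the patch.
 * Types, values and the abort scenario are stand-ins (assumptions). */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* TCP timeout classes in the order pfvar.h declares them; the old test
 * "timeout >= PFTM_TCP_ESTABLISHED" depends on this order. */
enum pftm { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
            PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED };

#define PF_TCPS_PROXY_DST 11     /* stand-in value, only compared for equality */
#define PFSTATE_SRC_CONN  0x02   /* local_flags bit from the patch */

/* conn is unsigned, which is why a stray decrement shows up in pfctl as
 * 4294967295 rather than -1. */
struct pf_src_node { uint32_t states; uint32_t conn; };

struct pf_state {
	struct pf_src_node *src_node;
	int src_state;           /* TCP state of the initiating peer */
	enum pftm timeout;
	uint8_t local_flags;
};

/* State creation: the source node starts tracking it. */
static void state_insert(struct pf_state *s, struct pf_src_node *n)
{
	s->src_node = n;
	n->states++;
}

/* Handshake completed (the "int bad = 0;" block of the first hunk): count
 * the connection and, with the fix, remember that it was counted. */
static void handshake_completed(struct pf_state *s, int fixed)
{
	s->src_node->conn++;
	if (fixed)
		s->local_flags |= PFSTATE_SRC_CONN;
	s->timeout = PFTM_TCP_ESTABLISHED;
}

/* State removal (second hunk). Old rule: infer "was counted" from the
 * timeout class or synproxy state. New rule: trust the flag. */
static void state_remove(struct pf_state *s, int fixed)
{
	int counted = fixed
	    ? (s->local_flags & PFSTATE_SRC_CONN) != 0
	    : (s->src_state == PF_TCPS_PROXY_DST ||
	       s->timeout >= PFTM_TCP_ESTABLISHED);
	if (counted)
		--s->src_node->conn;
	--s->src_node->states;
}

/* Scenario: the handshake never completes, but the teardown moves the
 * timeout class past ESTABLISHED before the state is purged. Returns the
 * node's conn counter afterwards. */
uint32_t conn_after_aborted_handshake(int fixed)
{
	struct pf_src_node node = { 0, 0 };
	struct pf_state s = { NULL, 0, PFTM_TCP_OPENING, 0 };
	state_insert(&s, &node);
	s.timeout = PFTM_TCP_CLOSED;   /* aborted: conn was never incremented */
	state_remove(&s, fixed);
	return node.conn;
}

/* Scenario: a connection that completes the handshake and then closes. */
uint32_t conn_after_full_connection(int fixed)
{
	struct pf_src_node node = { 0, 0 };
	struct pf_state s = { NULL, 0, PFTM_TCP_OPENING, 0 };
	state_insert(&s, &node);
	handshake_completed(&s, fixed);
	s.timeout = PFTM_TCP_CLOSED;
	state_remove(&s, fixed);
	return node.conn;
}

int main(void)
{
	printf("aborted handshake, old rule: conn = %" PRIu32 "\n",
	    conn_after_aborted_handshake(0));
	printf("aborted handshake, new rule: conn = %" PRIu32 "\n",
	    conn_after_aborted_handshake(1));
	return 0;
}
```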
From: Max Laier
Organization: FreeBSD
To: Bruno Afonso
Cc: freebsd-pf@freebsd.org
Date: Thu, 22 Dec 2005 22:55:08 +0100
Subject: Re: connections weirdness

On Thursday 22 December 2005 22:45, Bruno Afonso wrote:
> Is it supposed to cleanly apply to -stable? pfvar.h didn't apply cleanly.

If you are on RELENG_6, please use this one instead - including the fix for
the other problem from Andrew earlier.
Content-Disposition: attachment; filename="pf_state_conn.RELENG_6.diff"

Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.34.2.2
diff -u -r1.34.2.2 pf.c
--- pf.c	12 Sep 2005 11:25:17 -0000	1.34.2.2
+++ pf.c	22 Dec 2005 21:53:07 -0000
@@ -726,6 +726,9 @@ int bad =3D 0; =20 (*state)->src_node->conn++; +#ifdef __FreeBSD__ + (*state)->local_flags |=3D PFSTATE_SRC_CONN; +#endif pf_add_threshold(&(*state)->src_node->conn_rate); =20 if ((*state)->rule.ptr->max_src_conn && @@ -1058,8 +1061,12 @@ =20 if (s->src_node !=3D NULL) { if (s->proto =3D=3D IPPROTO_TCP) { +#ifdef __FreeBSD__ + if (s->local_flags & PFSTATE_SRC_CONN) +#else if (s->src.state =3D=3D PF_TCPS_PROXY_DST || s->timeout >=3D PFTM_TCP_ESTABLISHED) +#endif --s->src_node->conn; } if (--s->src_node->states <=3D 0) {
@@ -1086,9 +1093,9 @@ pf_purge_expired_state(struct pf_state *cur) { #ifdef __FreeBSD__ =2D if (cur->sync_flags & PFSTATE_EXPIRING) + if (cur->local_flags & PFSTATE_EXPIRING) return; =2D cur->sync_flags |=3D PFSTATE_EXPIRING; + cur->local_flags |=3D PFSTATE_EXPIRING; #endif if (cur->src.state =3D=3D PF_TCPS_PROXY_DST) pf_send_tcp(cur->rule.ptr, cur->af, Index: pfvar.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pfvar.h,v retrieving revision 1.11.2.1 diff -u -r1.11.2.1 pfvar.h =2D-- pfvar.h 6 Aug 2005 01:52:35 -0000 1.11.2.1 +++ pfvar.h 22 Dec 2005 21:51:26 -0000 @@ -791,9 +791,12 @@ #define PFSTATE_FROMSYNC 0x02 #define PFSTATE_STALE 0x04 #ifdef __FreeBSD__ =2D#define PFSTATE_EXPIRING 0x10 =2D#endif + u_int8_t local_flags; +#define PFSTATE_EXPIRING 0x01 +#define PFSTATE_SRC_CONN 0x02 +#else u_int8_t pad; +#endif }; =20 TAILQ_HEAD(pf_rulequeue, pf_rule);
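Review bot: in the RELENG_6 pfvar.h hunk (@@ -791), PFSTATE_SRC_CONN 0x02 carries the same numeric value as the sync_flags bit PFSTATE_FROMSYNC 0x02 two lines above it; the two live in different bytes so this is not a conflict, but with both sets of defines interleaved inside the same struct, a distinguishing prefix for the local_flags bits or a comment separating them from the sync_flags bits would make the mistake that started this thread (testing a local bit through sync_flags) harder to repeat. This is also the only hunk that differs from the two HEAD patches, since it introduces local_flags and both bits in one step, which the MFC message should say.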