Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 20 Nov 2007 18:04:50 +0100 (CET)
From:      Jan Srzednicki <w@wrzask.pl>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        daniel@benzedrine.cx
Subject:   kern/118154: pf(4) uses invalid timeout values for half-closed connections (fix included)
Message-ID:  <20071120170450.0AA511CCDC@oak.pl>
Resent-Message-ID: <200711201730.lAKHU2MR033793@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         118154
>Category:       kern
>Synopsis:       pf(4) uses invalid timeout values for half-closed connections (fix included)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 20 17:30:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jan Srzednicki
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
No, nay, never
>Environment:
System: FreeBSD oak.pl 6.2-STABLE FreeBSD 6.2-STABLE #12: Tue Jul 31 20:37:10 CEST 2007 root@oak.pl:/usr/obj/usr/src/sys/MISTLETOE i386

pf(4) from base system.

>Description:

The pf(4) packet filter in the RELENG_6 tree (this also affects 6.2-R and older releases)
contains a long-fixed in OpenBSD bug, which causes half-closed TCP connections (after
one side sends a FIN) to be timeouted by the "tcp.closed" timeout, instead of
"tcp.closing". This causes any subsequent packets to fall into "state mismatch", after
the "tcp.closing" timeout has passed.

HEAD has this thing fixed. OpenBSD had this fixed more than 2 years ago:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.493&r2=1.494&f=h

It would be good to have that fixed before 6.3-RELEASE is out.

Thanks to Daniel Hartmeier for helping me figuring the thing out.

>How-To-Repeat:

Set "tcp.closed" timeout to a very small value (eg. 5 seconds) and create a half-closed
connection. The connection will get cut off after the timeout.

>Fix:

--- src/sys/contrib/pf/net/pf.c.orig       Tue Nov 20 11:33:15 2007
+++ src/sys/contrib/pf/net/pf.c    Tue Nov 20 11:33:40 2007
@@ -4634,8 +4634,8 @@
                if (src->state >= TCPS_FIN_WAIT_2 &&
                    dst->state >= TCPS_FIN_WAIT_2)
                        (*state)->timeout = PFTM_TCP_CLOSED;
-               else if (src->state >= TCPS_FIN_WAIT_2 ||
-                   dst->state >= TCPS_FIN_WAIT_2)
+               else if (src->state >= TCPS_CLOSING &&
+                   dst->state >= TCPS_CLOSING)
                        (*state)->timeout = PFTM_TCP_FIN_WAIT;
                else if (src->state < TCPS_ESTABLISHED ||
                    dst->state < TCPS_ESTABLISHED)


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071120170450.0AA511CCDC>