Date: Thu, 22 Dec 2005 22:17:26 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: connections weirdness
Message-ID: <200512222217.32015.max@love2party.net>
In-Reply-To: <43AAFA9A.3070808@dequim.ist.utl.pt>
References: <43AAFA9A.3070808@dequim.ist.utl.pt>
On Thursday 22 December 2005 20:12, Bruno Afonso wrote:
> Hey guys (and gals!),
>
> I'm hitting what seems to be a bug on PF @ FreeBSD 6-stable:
>
> 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Nov 20 05:14:34 WET 2005
>
> If I do a pfctl -vvsS | grep connections I get some lines like this:
>
> 10.10.11.208 -> 0.0.0.0 ( states 3, connections 4294967295, rate 0.0/0s )
> 10.10.13.213 -> 0.0.0.0 ( states 2, connections 4294967294, rate 0.0/0s )
>
> 10.10.14.236 -> 0.0.0.0 ( states 96, connections 4294967013, rate 0.0/0s )
> 10.10.12.238 -> 0.0.0.0 ( states 9, connections 4294967281, rate 0.0/0s )
>
> I also get a normal number of connections, like 2, 10, 20, 30, etc. Now,
> this number is completely insane, especially if we take into account the
> rule that creates it:
>
> ala# pfctl -vvsS |grep 10.10.11.208 -A1
> 10.10.11.208 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/0s )
> age 02:22:00, 657 pkts, 39752 bytes, filter rule 171
> --
> 10.10.11.208 -> 0.0.0.0 ( states 1, connections 4294967295, rate 0.0/0s )
> age 02:22:15, 618 pkts, 52535 bytes, filter rule 148
>
> ala# pfctl -vvsr |grep @148 -A1
> @148 pass in log on fxp0 from <torre_privados_nat:7> to any keep state
> (max 5000, source-track rule, max-src-states 120, max-src-conn 100)
> queue p2p
> [ Evaluations: 43699 Packets: 353469 Bytes: 122287213
> States: 210 ]
>
> I have been seeing this on rules in which I use max-src-conn but not on
> others. So, what might be happening here? Hasn't anyone seen this
> before? Also notice how similar the connections are, with the first 7
> numbers equal.

This is an underflow of the connection counter which is fixed in OpenBSD's pf.c
rev. 1.499.
Unfortunately, the fix involves breaking ABI and thus is not easily imported.
Here is a local fix - please try and report back.

-- 
/"\  Best regards,                      |       mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  |   mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment pf_state_conn.diff:

Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.39
diff -u -r1.39 pf.c
--- pf.c	20 Dec 2005 00:33:33 -0000	1.39
+++ pf.c	22 Dec 2005 21:15:53 -0000
@@ -742,6 +742,9 @@
 	int		 bad = 0;
 
 	(*state)->src_node->conn++;
+#ifdef __FreeBSD__
+	(*state)->local_flags |= PFSTATE_SRC_CONN;
+#endif
 	pf_add_threshold(&(*state)->src_node->conn_rate);
 
 	if ((*state)->rule.ptr->max_src_conn &&
@@ -1074,8 +1077,12 @@
 
 	if (s->src_node != NULL) {
 		if (s->proto == IPPROTO_TCP) {
+#ifdef __FreeBSD__
+			if (s->local_flags & PFSTATE_SRC_CONN)
+#else
 			if (s->src.state == PF_TCPS_PROXY_DST ||
 			    s->timeout >= PFTM_TCP_ESTABLISHED)
+#endif
 				--s->src_node->conn;
 		}
 		if (--s->src_node->states <= 0) {
Index: pfvar.h
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pfvar.h,v
retrieving revision 1.13
diff -u -r1.13 pfvar.h
--- pfvar.h	20 Dec 2005 00:33:33 -0000	1.13
+++ pfvar.h	22 Dec 2005 21:13:34 -0000
@@ -793,6 +793,7 @@
 #ifdef __FreeBSD__
 	u_int8_t	 local_flags;
 #define PFSTATE_EXPIRING	0x01
+#define PFSTATE_SRC_CONN	0x02
 #else
 	u_int8_t	 pad;
 #endif
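Review bot: in the first pf.c hunk (@@ -742,6 +742,9 @@) the added line `(*state)->local_flags |= PFSTATE_SRC_CONN;` deserves a one-line comment saying the bit records that this state has been counted in src_node->conn, because the decrement in the second hunk now relies on that bit alone; without it the FreeBSD-only ifdef reads as an unexplained divergence from the OpenBSD code around it.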
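Review bot: in the second pf.c hunk (@@ -1074,8 +1077,12 @@) the FreeBSD branch executes `--s->src_node->conn;` when PFSTATE_SRC_CONN is set but never clears the bit, so correctness depends on this unlink path running at most once per state; clearing the flag next to the decrement (`s->local_flags &= ~PFSTATE_SRC_CONN;`) would make the counter robust against a repeated call and document the one-to-one pairing with the increment. The check also stays inside `if (s->proto == IPPROTO_TCP)`, which is only safe if the increment in the first hunk is reached for TCP states alone.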
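Review bot: in the pfvar.h hunk (@@ -793,6 +793,7 @@) PFSTATE_SRC_CONN takes bit 0x02 of the existing u_int8_t local_flags, which is what keeps the struct layout, and thus the kernel/pfctl ABI, unchanged compared with the OpenBSD rev. 1.499 fix the mail mentions; a short comment at the define stating that the bit is set when the state has been counted in src_node->conn would tie it to the two pf.c hunks for future readers.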
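The underflow Max identifies above, as an added example that is not part of the original mail nor pf's own code: a constructed C model contrasting the old decrement rule, keyed on the state's timeout, with the patched rule that only decrements states flagged as counted. The TM_* values, FLAG_SRC_CONN, count_conn/unlink_old/unlink_new and scenario() are assumptions of the model, chosen to mirror the shape of the patch rather than to reproduce pf's control flow.

```c
/* Constructed toy model of the counter accounting touched by the patch above,
 * not pf's code: it shows why pairing the decrement with a flag set at
 * increment time keeps an unsigned counter from wrapping to 4294967295. */
#include <stdint.h>
/* Assumed stand-ins for pf's PFTM_TCP_* timeout ordering and the flag bit. */
enum { TM_FIRST_PACKET, TM_OPENING, TM_ESTABLISHED, TM_CLOSING, TM_CLOSED };
#define FLAG_SRC_CONN 0x02          /* same bit value the patch adds */
struct src_node { uint32_t conn; }; /* unsigned, like pf's counter */
struct state {
	struct src_node *src_node;
	int timeout;                /* stands in for s->timeout */
	uint8_t local_flags;        /* stands in for s->local_flags */
};
/* Increment path: count once and mark the state as counted. */
static void count_conn(struct state *s)
{
	s->src_node->conn++;
	s->local_flags |= FLAG_SRC_CONN;
}

/* Old rule: keyed on a state predicate that can hold even when count_conn()
 * never ran for this state, so the unsigned counter wraps. */
static uint32_t unlink_old(struct state *s)
{
	if (s->timeout >= TM_ESTABLISHED)
		--s->src_node->conn;
	return s->src_node->conn;
}

/* Patched rule: decrement only states that were actually counted. */
static uint32_t unlink_new(struct state *s)
{
	if (s->local_flags & FLAG_SRC_CONN) {
		--s->src_node->conn;
		s->local_flags &= ~FLAG_SRC_CONN; /* so a repeat call is harmless */
	}
	return s->src_node->conn;
}

/* Constructed scenario: one counted state plus one whose timeout reached
 * CLOSING without ever being counted; unlinks both, returns the final conn. */
uint32_t scenario(int patched)
{
	struct src_node sn = { 0 };
	struct state counted = { &sn, TM_CLOSING, 0 }, uncounted = counted;
	count_conn(&counted);
	if (patched)
		return unlink_new(&counted), unlink_new(&uncounted);
	return unlink_old(&counted), unlink_old(&uncounted);
}
```

With the old rule the uncounted state drives the counter from 0 to 4294967295, the value in Bruno's pfctl output; with the patched rule it stays at 0.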
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200512222217.32015.max>