Date: Tue, 14 Apr 2009 22:44:37 +0400 (MSD)
From: Anton Yuzhaninov <citrin@citrin.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/133732: [pf] max-src-conn issue
Message-ID: <200904141844.n3EIibcZ030207@citrin.park.rambler.ru>
Resent-Message-ID: <200904141850.n3EIo3lU094508@freefall.freebsd.org>
>Number:         133732
>Category:       kern
>Synopsis:       [pf] max-src-conn issue
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 14 18:50:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Anton Yuzhaninov
>Release:        FreeBSD 8.0-CURRENT amd64
>Organization:
Rambler
>Environment:
System: FreeBSD citrin.park.rambler.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009 citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
In pf the number of connections from one source IP can be limited using the max-src-conn state option.
When we already have max-src-conn connections and some new connection is opened:
 - OpenBSD 4.1, 4.4 drop packets from the new connection matched by the rule with max-src-conn, and a new state is not created
 - FreeBSD 7, 8 - a new state is not created, but packets matched by the rule are passed

Because the SYN packet is passed, new connections in SYN_RCVD state can be created without limit, even if connections should be limited by max-src-conn.
>How-To-Repeat:
1. add rules on a host with pf:

$ pfctl -s rule
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
block drop in quick on re0 proto tcp from any to any port = ssh

2. open 3 ssh connections from the same IP

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED

$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.62770     ESTABLISHED

$ pfctl -z

On the remote host:
ssh 81.19.90.176

A new state is not created:

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED

$ pfctl -s rule -v
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
  [ Evaluations: 97        Packets: 169       Bytes: 15772       States: 3     ]
  [ Inserted: uid 0 pid 29869 ]
block drop in quick on re0 proto tcp from any to any port = ssh
  [ Evaluations: 3         Packets: 3         Bytes: 156         States: 0     ]
  [ Inserted: uid 0 pid 29869 ]

But SYN and SYN-ACK packets are passed:

$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.64.101.51722     SYN_RCVD
tcp4       0      0  81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.62770     ESTABLISHED

With more connection attempts, netstat shows more connections in SYN_RCVD state.

(all messages about disabled ALTQ are skipped)
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
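A check for the symptom the report describes, added here as an example; it is not part of the PR and not FreeBSD or pf code. It compares the output of `pfctl -s state` with the output of `netstat -n -p tcp` and lists every inbound kernel TCP connection to a given local port that has no matching pf state, which is exactly the SYN_RCVD connection from 81.19.64.101:51722 in the report. The two sample outputs embedded in the script are constructed to match the report's output, the function name `stateless_conns` is the example's own, and the parser assumes the IPv4 column layout shown in the report (pf `LOCAL:PORT <- REMOTE:PORT`, netstat `LOCAL.PORT FOREIGN.PORT STATE`).

```shell
#!/bin/sh
# Added example (not part of PR kern/133732): report TCP connections that the
# kernel has accepted (netstat) but for which pf holds no state (pfctl -s state).
# Sample output below is constructed after the PR's output; IPv4 only.

# Constructed sample of `pfctl -s state` after three ssh connections.
SAMPLE_PF_STATES='all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED'

# Constructed sample of `netstat -n -p tcp` after a fourth connection attempt.
SAMPLE_NETSTAT='Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.64.101.51722     SYN_RCVD
tcp4       0      0  81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.62770     ESTABLISHED'

# stateless_conns PORT PF_STATE_OUTPUT NETSTAT_OUTPUT
# Prints "src_ip src_port tcp_state" for every inbound kernel connection to
# local PORT that has no pf state; exit status 1 if any were found, 0 if none.
# On a live host: stateless_conns 22 "$(pfctl -s state)" "$(netstat -n -p tcp)"
stateless_conns() {
    port=$1
    pf_states=$2
    ns=$3
    # Tag each line with its origin so a single awk pass can read both outputs.
    {
        printf '%s\n' "$pf_states" | sed 's/^/PF /'
        printf '%s\n' "$ns" | sed 's/^/NS /'
    } | awk -v port="$port" '
        # pf line: "all tcp LOCAL:PORT <- REMOTE:PORT STATE:STATE" (inbound only)
        $1 == "PF" && $3 == "tcp" && $5 == "<-" {
            split($4, l, ":")
            if (l[2] == port) seen[$6] = 1
            next
        }
        # netstat line: "tcp4 RQ SQ LOCAL.PORT FOREIGN.PORT STATE"; "." separates the port
        $1 == "NS" && $2 == "tcp4" && $7 != "LISTEN" {
            n = split($5, l, ".")
            m = split($6, f, ".")
            if (n != 5 || m != 5 || l[n] != port) next
            ip = f[1] "." f[2] "." f[3] "." f[4]
            if (!((ip ":" f[5]) in seen)) {
                print ip, f[5], $7
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Stand-alone demo on the constructed samples: reports the SYN_RCVD connection
# from 81.19.64.101:51722 that pf never created a state for.
stateless_conns 22 "$SAMPLE_PF_STATES" "$SAMPLE_NETSTAT" ||
    echo "kernel connections without a pf state found (see above)"
```

Run it periodically (or from the ssh host's monitoring) against the live `pfctl -s state` and `netstat -n -p tcp` output; a non-empty result on a port that is protected by a max-src-conn rule means the kernel is accepting handshakes that pf never accounted for.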