From owner-freebsd-pf@FreeBSD.ORG Mon Apr 8 11:06:50 2013
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Date: Mon, 8 Apr 2013 11:06:49 GMT
Message-Id: <201304081106.r38B6naV057331@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/176763  pf         [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

50 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 12 15:30:56 2013
From: Kajetan Staszkiewicz
To: freebsd-pf@freebsd.org
Subject: issues with counting packets dropped by accepting rules
Date: Fri, 12 Apr 2013 17:30:51 +0200
Message-Id: <201304121730.51925.vegeta@tuxpowered.net>

I'd like to point out some things I find unclear when packets traveling
through pf are counted. Currently per-rule counting is performed only for
packets that are accepted by any rule or any packets matched by a dropping
rule. Counting on a per-interface basis is performed properly.

There are some possibilities for a packet to be dropped by an accepting rule:

1. SYN/SYN+ACK/ACK packets going through synproxy are dropped with the
   PF_SYNPROXY_DROP action. Therefore a storm of SYNs hitting a synproxy
   rule will not be visible in per-rule (/label) statistics. SYN+ACKs sent
   back by this rule to the client will also not be visible at all.

2. Creation of a state or a src-node might fail due to memory or per-rule
   state limits. The packet is told to "not match this rule" according to
   the manual. This is not fully true, have a look at:
   http://www.freebsd.org/cgi/query-pr.cgi?pr=177808
   With the fix or without (so forwarded or not), if the state limit is
   hit, the packet is not counted.

I'm now thinking how this should really be fixed. The original code is:

    if (action == PF_PASS || r->action == PF_DROP)

An easy fix that addresses both aforementioned problems is:

    if ( action == PF_PASS ||           /* Matched and passed by a rule. */
         action == PF_LIMIT_DROP ||     /* Dropped by a rule because of internal errors. */
         action == PF_SYNPROXY_DROP ||  /* Dropped due to synproxy. */
         r->action == PF_DROP           /* Matched by a drop rule. */
       ) {

PF_LIMIT_DROP is my addition, returned by pf_create_state in case of failure
instead of PF_DROP. It could also be (action==PF_DROP && r->action==PF_PASS).

Are there any other combinations of action and r->action possible? Maybe the
aforementioned test is not necessary at all? Grepping the code shows that the
other possibilities in "enum { PF_PASS,..." are used for rule action, not
result action.

I assume that for synproxy rules it would also make sense to count packets
sent out by synproxy, after the original incoming packet was dropped.

-- 
| pozdrawiam / greetings   | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz     | jabber,email: vegeta()tuxpowered net  |
| Vegeta                   | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
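The accounting gap described in the message above, as an added example that is not part of the original post or of pf itself: it models the stock counting condition beside the proposed one and replays a constructed packet trace through both, so the number of packets that per-interface counters see but per-rule counters never do can be measured. The enum is a constructed subset of pf's action values and PF_LIMIT_DROP is the message's proposed addition, not a stock pf constant.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed subset of pf's result actions. PF_LIMIT_DROP is the value the
 * message proposes for state-creation failures; it is not part of stock pf. */
enum { PF_PASS, PF_DROP, PF_SYNPROXY_DROP, PF_LIMIT_DROP };
struct pkt { int action; int r_action; };   /* result action, matched rule's action */

/* Stock condition quoted in the message: count passed packets and packets
 * matched by a drop rule, nothing else. */
static int counted_stock(int action, int r_action)
{
    return action == PF_PASS || r_action == PF_DROP;
}

/* Proposed condition: also count packets a pass rule dropped internally. */
static int counted_fixed(int action, int r_action)
{
    return action == PF_PASS || action == PF_LIMIT_DROP ||
           action == PF_SYNPROXY_DROP || r_action == PF_DROP;
}

/* Replay a trace through a counting predicate and return how many packets
 * the per-interface counters saw but the per-rule counters never did. */
static uint64_t uncounted(const struct pkt *t, size_t n, int (*pred)(int, int))
{
    uint64_t iface_pkts = 0, rule_pkts = 0;
    for (size_t i = 0; i < n; i++) {
        iface_pkts++;                          /* interface counting is unconditional */
        if (pred(t[i].action, t[i].r_action))
            rule_pkts++;
    }
    return iface_pkts - rule_pkts;
}

/* Constructed trace: three SYNs absorbed by a synproxy pass rule, one packet
 * refused by a state limit, one ordinary pass, one hit on a block rule. */
static const struct pkt sample_trace[] = {
    { PF_SYNPROXY_DROP, PF_PASS }, { PF_SYNPROXY_DROP, PF_PASS },
    { PF_SYNPROXY_DROP, PF_PASS }, { PF_LIMIT_DROP, PF_PASS },
    { PF_PASS, PF_PASS },          { PF_DROP, PF_DROP },
};
#define SAMPLE_LEN (sizeof sample_trace / sizeof sample_trace[0])
uint64_t gap_stock(void) { return uncounted(sample_trace, SAMPLE_LEN, counted_stock); }
uint64_t gap_fixed(void) { return uncounted(sample_trace, SAMPLE_LEN, counted_fixed); }
int main(void)
{
    printf("missing from per-rule counters: stock=%llu fixed=%llu\n",
           (unsigned long long)gap_stock(), (unsigned long long)gap_fixed());
    return 0;
}
```

With the stock condition, all four packets a pass rule dropped internally vanish from per-rule and label statistics, so a SYN storm at a synproxy rule is visible only in interface counters; the proposed condition accounts for every packet in the trace.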
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 12 23:56:19 2013
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/177808: [pf] [patch] route-to rule forwarding traffic in spite of state limit
Date: Fri, 12 Apr 2013 23:56:19 GMT
Message-Id: <201304122356.r3CNuJQe007964@freefall.freebsd.org>

Old Synopsis: route-to rule forwarding traffic in spite of state limit
New Synopsis: [pf] [patch] route-to rule forwarding traffic in spite of state limit

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Apr 12 23:56:00 UTC 2013
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=177808

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 12 23:57:31 2013
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/177810: [pf] traffic dropped by accepting rules is not counted
Date: Fri, 12 Apr 2013 23:57:30 GMT
Message-Id: <201304122357.r3CNvUV8008039@freefall.freebsd.org>

Old Synopsis: traffic dropped by accepting rules is not counted
New Synopsis: [pf] traffic dropped by accepting rules is not counted

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Apr 12 23:56:30 UTC 2013
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=177810