From owner-freebsd-bugs@FreeBSD.ORG  Tue Nov 20 17:30:03 2007
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 343E316A41A
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 20 Nov 2007 17:30:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 273C513C45B
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 20 Nov 2007 17:30:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id lAKHU2IP033794
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 20 Nov 2007 17:30:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.1/8.14.1/Submit) id lAKHU2MR033793;
	Tue, 20 Nov 2007 17:30:02 GMT (envelope-from gnats)
Resent-Date: Tue, 20 Nov 2007 17:30:02 GMT
Resent-Message-Id: <200711201730.lAKHU2MR033793@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jan Srzednicki <w@wrzask.pl>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id ED65F16A418
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 20 Nov 2007 17:21:57 +0000 (UTC) (envelope-from winfried@oak.pl)
Received: from mx.oak.pl (mx.oak.pl [217.96.108.251])
	by mx1.freebsd.org (Postfix) with ESMTP id B396113C469
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 20 Nov 2007 17:21:57 +0000 (UTC) (envelope-from winfried@oak.pl)
Received: by oak.pl (Postfix, from userid 1002)
	id 0AA511CCDC; Tue, 20 Nov 2007 18:04:50 +0100 (CET)
Message-Id: <20071120170450.0AA511CCDC@oak.pl>
Date: Tue, 20 Nov 2007 18:04:50 +0100 (CET)
From: Jan Srzednicki <w@wrzask.pl>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: daniel@benzedrine.cx
Subject: kern/118154: pf(4) uses invalid timeout values for half-closed
	connections (fix included)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2007 17:30:03 -0000


>Number:         118154
>Category:       kern
>Synopsis:       pf(4) uses invalid timeout values for half-closed connections (fix included)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 20 17:30:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jan Srzednicki
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
No, nay, never
>Environment:
System: FreeBSD oak.pl 6.2-STABLE FreeBSD 6.2-STABLE #12: Tue Jul 31 20:37:10 CEST 2007 root@oak.pl:/usr/obj/usr/src/sys/MISTLETOE i386

pf(4) from base system.

>Description:

The pf(4) packet filter in the RELENG_6 tree (this also affects 6.2-R and older releases)
contains a long-fixed in OpenBSD bug, which causes half-closed TCP connections (after
one side sends a FIN) to be timeouted by the "tcp.closed" timeout, instead of
"tcp.closing". This causes any subsequent packets to fall into "state mismatch", after
the "tcp.closing" timeout has passed.

HEAD has this thing fixed. OpenBSD had this fixed more than 2 years ago:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.493&r2=1.494&f=h

It would be good to have that fixed before 6.3-RELEASE is out.

Thanks to Daniel Hartmeier for helping me figuring the thing out.

>How-To-Repeat:

Set "tcp.closed" timeout to a very small value (eg. 5 seconds) and create a half-closed
connection. The connection will get cut off after the timeout.

>Fix:

--- src/sys/contrib/pf/net/pf.c.orig       Tue Nov 20 11:33:15 2007
+++ src/sys/contrib/pf/net/pf.c    Tue Nov 20 11:33:40 2007
@@ -4634,8 +4634,8 @@
                if (src->state >= TCPS_FIN_WAIT_2 &&
                    dst->state >= TCPS_FIN_WAIT_2)
                        (*state)->timeout = PFTM_TCP_CLOSED;
-               else if (src->state >= TCPS_FIN_WAIT_2 ||
-                   dst->state >= TCPS_FIN_WAIT_2)
+               else if (src->state >= TCPS_CLOSING &&
+                   dst->state >= TCPS_CLOSING)
                        (*state)->timeout = PFTM_TCP_FIN_WAIT;
                else if (src->state < TCPS_ESTABLISHED ||
                    dst->state < TCPS_ESTABLISHED)


>Release-Note:
>Audit-Trail:
>Unformatted: