Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 5 Apr 2008 02:03:17 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Julian Elischer <julian@elischer.org>
Cc:        freebsd-net@freebsd.org, Ivan Voras <ivoras@freebsd.org>
Subject:   Re: Trouble with IPFW or TCP?
Message-ID:  <Pine.BSF.3.96.1080405010904.6611B-100000@gaia.nimnet.asn.au>
In-Reply-To: <47F5B17E.5000304@elischer.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 3 Apr 2008, Julian Elischer wrote:
 > Ian Smith wrote:
 > > On Thu, 3 Apr 2008, Julian Elischer wrote:
 > >  > Ivan Voras wrote:
 > >  > > Erik Trulsson wrote:
 > >  > >> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
 > >  > >>> In which case would an ipfw ruleset like this:
 > >  > >>>
 > >  > >>> 00100 114872026  40487887607 allow ip from any to any via lo0
 > >  > >>> 00200         0            0 deny ip from any to 127.0.0.0/8
 > >  > >>> 00300         0            0 deny ip from 127.0.0.0/8 to any
 > >  > >>> 00600      1585       112576 deny ip from table(0) to me
 > >  > >>> 01000     90279      7325972 allow icmp from any to any
 > >  > >>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
 > >  > >>> 05100    634155     65779377 allow udp from me to any keep-state
 > >  > >>> 06022    409604     69177326 allow tcp from any to me dst-port 22 
 > >  > >>> setup keep-state
 > >  > >>> 06080  52159025  43182548092 allow tcp from any to me dst-port 80 
 > >  > >>> setup keep-state
 > >  > >>> 06443   6392366   2043532158 allow tcp from any to me dst-port 443 
 > >  > >>> setup keep-state
 > >  > >>> 07020    517065    292377553 allow tcp from any to me dst-port 8080 
 > >  > >>> setup keep-state
 > >  > >>> 65400  12273387    629703212 deny log ip from any to any
 > >  > >>> 65535         0            0 deny ip from any to any
 > >  > >>
 > >  > >> If you are using 'keep-state' should there not also be some rule 
 > >  > >> containing
 > >  > >> 'check-state' ?
 > >  > > 
 > >  > > Not according to the ipfw(8) manual:
 > >  > > 
 > >  > > """
 > >  > >      These dynamic rules, which have a limited lifetime, are checked at the
 > >  > >      first occurrence of a check-state, keep-state or limit rule, and 
 > >  > > are typ-
 > >  > >      ically used to open the firewall on-demand to legitimate traffic only.
 > >  > >      See the STATEFUL FIREWALL and EXAMPLES Sections below for more 
 > >  > > informa-
 > >  > >      tion on the stateful behaviour of ipfw.
 > >  > > """
 > >  > > 
 > >  > > I read this to mean the dynamic rules are checked at rule #5000 from the 
 > >  > > above list. Is there an advantage to having an explicit check-state rule 
 > >  > > in simple rulesets like this one?
 > >  > 
 > >  > the docs are wrong then I think.
 > > 
 > > If so, they've been wrong since 4.something .. certainly before 4.8. 
 > > It's hard to imagine nobody else has ever relied on that doc behaviour,
 > > so perhaps the docs, if wrong, have become so at some more recent time?
 > 
 > Not that I have known... keep-state does not (and never has) include
 > an implicit check-state.

Sorry (and surprised!) to have to differ, but you MADE me read the code!

Bearing in mind I'm reading 5.5 sources - stop me if it's changed - but
starting with /usr/sbin/ipfw/ipfw2.c we see that adding check-state just
generates an O_CHECK_STATE, while adding keep-state or limit rules first
generate an initial O_PROBE_STATE opcode (ignored when listing rules):

        /*
         * Now copy stuff into the rule.
         * If we have a keep-state option, the first instruction
         * must be a PROBE_STATE (which is generated here).
         * If we have a LOG option, it was stored as the first command,
         * and now must be moved to the top of the action part.
         */
        dst = (ipfw_insn *)rule->cmd;
[..]
        /*
         * generate O_PROBE_STATE if necessary
         */
        if (have_state && have_state->opcode != O_CHECK_STATE) {
                fill_cmd(dst, O_PROBE_STATE, 0, 0);
                dst = next_cmd(dst);

then go on to generate the O_KEEP_STATE or O_LIMIT rule as appropriate. 

Now in /sys/netinet/ip_fw2.c in ipfw_chk circa line 2400 (@5.5) we have: 

                         * O_LIMIT and O_KEEP_STATE: these opcodes are
                         *   not real 'actions', and are stored right
                         *   before the 'action' part of the rule.
                         *   These opcodes try to install an entry in the
                         *   state tables; if successful, we continue with
                         *   the next opcode (match=1; break;), otherwise
                         *   the packet *   must be dropped
                         *   ('goto done' after setting retval);
                         *
                         * O_PROBE_STATE and O_CHECK_STATE: these opcodes
                         *   cause a lookup of the state table, and a jump
                         *   to the 'action' part of the parent rule
                         *   ('goto check_body') if an entry is found, or
                         *   (CHECK_STATE only) a jump to the next rule if
                         *   the entry is not found ('goto next_rule').
                         *   The result of the lookup is cached to make
                         *   further instances of these opcodes are
                         *   effectively NOPs.
                         */
                        case O_LIMIT:
                        case O_KEEP_STATE:
                                if (install_state(f,
                                    (ipfw_insn_limit *)cmd, args)) {
                                        retval = IP_FW_PORT_DENY_FLAG;
                                        goto done; /* error/limit violation */
                                }
                                match = 1;
                                break;

                        case O_PROBE_STATE:
                        case O_CHECK_STATE:
                                /*
                                 * dynamic rules are checked at the first
                                 * keep-state or check-state occurrence,
                                 * with the result being stored in dyn_dir.
                                 * The compiler introduces a PROBE_STATE
                                 * instruction for us when we have a
                                 * KEEP_STATE (because PROBE_STATE needs
                                 * to be run first).
                                 */
                                if (dyn_dir == MATCH_UNKNOWN &&
                                    (q = lookup_dyn_rule(&args->f_id,
                                     &dyn_dir, proto == IPPROTO_TCP ?
                                        L3HDR(struct tcphdr, ip) : NULL))
                                        != NULL) {
                                        /*
                                         * Found dynamic entry, update stats
                                         * and jump to the 'action' part of
                                         * the parent rule.
                                         */
                                        q->pcnt++;
                                        q->bcnt += pktlen;
                                        f = q->rule;
                                        cmd = ACTION_PTR(f);
                                        l = f->cmd_len - f->act_ofs;
                                        IPFW_DYN_UNLOCK();
                                        goto check_body;
                                }
                                /*
                                 * Dynamic entry not found. If CHECK_STATE,
                                 * skip to next rule, if PROBE_STATE just
                                 * ignore and continue with next opcode.
                                 */
                                if (cmd->opcode == O_CHECK_STATE)
                                        goto next_rule;
                                match = 1;
                                break;

So indeed each rule with keep-state or limit options does the same probe
as a check-state in the first opcode, before then installing or checking
state in the subsequent opcode.  Or so it reads to an ancient neophyte ..

 > I think the document is talking about the  lifetime.
 > Each time a keep-state or check-state or limit is hit,
 > the TTL is kicked.

That's pretty well described under keep-state and elsewhere.  Good ol'
ipfw(8) has yet to let me down, and like Ivan I recall keep-state rules
(albeit only for UDP) without any check-state working just fine.

Not that any of that helps solve Ivan's problem ..

cheers, Ian




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.1080405010904.6611B-100000>