Date: Fri, 12 Apr 2013 17:30:51 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: issues with counting packets dropped by accepting rules
Message-ID: <201304121730.51925.vegeta@tuxpowered.net>
I'd like to point out some things I find unclear in how packets traveling through pf are counted. Currently per-rule counting is performed only for packets that are accepted by any rule or for any packets matched by a dropping rule. Counting on a per-interface basis is performed properly.

There are some possibilities for a packet to be dropped by an accepting rule:

1. SYN/SYN+ACK/ACK packets going through synproxy are dropped with the PF_SYNPROXY_DROP action. Therefore a storm of SYNs hitting a synproxy rule will not be visible in per-rule (/label) statistics. SYN+ACKs sent back by this rule to the client will also not be visible at all.

2. Creation of a state or a src-node might fail due to memory or per-rule state limits. The packet is told to "not match this rule" according to the manual. This is not fully true, have a look at:
http://www.freebsd.org/cgi/query-pr.cgi?pr=177808
With the fix or without (so forwarded or not), if the state limit is hit, the packet is not counted.

I'm now thinking how this should be really fixed. Original code is:

7093     if (action == PF_PASS || r->action == PF_DROP)

An easy fix that addresses both aforementioned problems is:

7093     if (   action == PF_PASS          /* Matched and passed by a rule. */
7094        || action == PF_LIMIT_DROP    /* Dropped by a rule because of internal errors. */
7095        || action == PF_SYNPROXY_DROP /* Dropped due to synproxy. */
7096        || r->action == PF_DROP       /* Matched by a drop rule. */
7097        ) {

PF_LIMIT_DROP is my addition, returned by pf_create_state in case of failure instead of PF_DROP. It could also be (action==PF_DROP && r->action==PF_PASS). Are there any other combinations of action and r->action possible? Maybe the aforementioned test is not necessary at all? Grepping the code shows that the other possibilities in "enum { PF_PASS,..." are used for the rule action, not the result action.

I assume that for synproxy rules it would also make sense to count packets sent out by synproxy, after the original incoming packet was dropped.
--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net   |
| Vegeta                 | www: http://vegeta.tuxpowered.net      |
`------------------------^---------------------------------------'
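The visibility gap the mail describes can be shown with a small stand-alone model of the counting decision. This is an added example, not code from the mail or from the pf source: the enum values, the PF_LIMIT_DROP constant and the sample packet outcomes are assumptions constructed for the illustration, and the two predicates are the original and proposed conditions quoted in the mail applied to that model.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of pf's action values. The names follow the mail,
 * but the numeric values and PF_LIMIT_DROP are assumptions of this
 * example, not pf's own definitions. */
enum pf_action { PF_PASS, PF_DROP, PF_SYNPROXY_DROP, PF_LIMIT_DROP };

/* One packet's fate: what the matching rule says (r->action) and what
 * actually happened to the packet (the result action). */
struct outcome {
    const char *desc;
    enum pf_action rule_action;   /* r->action in the mail */
    enum pf_action result;        /* action in the mail */
};

/* Original predicate quoted in the mail: only passed packets and packets
 * matched by a drop rule reach the per-rule counters. */
static int counted_original(const struct outcome *o)
{
    return o->result == PF_PASS || o->rule_action == PF_DROP;
}

/* Proposed predicate from the mail: also count packets that an accepting
 * rule dropped via synproxy or because state creation failed. */
static int counted_proposed(const struct outcome *o)
{
    return o->result == PF_PASS
        || o->result == PF_LIMIT_DROP
        || o->result == PF_SYNPROXY_DROP
        || o->rule_action == PF_DROP;
}

/* Constructed sample traffic (not captured data): a SYN storm against a
 * synproxy pass rule plus a pass rule whose state limit is exhausted. */
static const struct outcome SAMPLE[] = {
    { "SYN, plain pass rule, state created",      PF_PASS, PF_PASS },
    { "SYN, synproxy pass rule (proxied)",        PF_PASS, PF_SYNPROXY_DROP },
    { "SYN, synproxy pass rule (proxied)",        PF_PASS, PF_SYNPROXY_DROP },
    { "SYN, synproxy pass rule (proxied)",        PF_PASS, PF_SYNPROXY_DROP },
    { "SYN, pass rule, state limit reached",      PF_PASS, PF_LIMIT_DROP },
    { "SYN, block rule",                          PF_DROP, PF_DROP },
};
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Apply a counting predicate to the sample and return the rule hit total. */
static size_t count_hits(int (*pred)(const struct outcome *))
{
    size_t hits = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        if (pred(&SAMPLE[i]))
            hits++;
    return hits;
}

size_t hits_original(void) { return count_hits(counted_original); }
size_t hits_proposed(void) { return count_hits(counted_proposed); }

/* Packets an operator reading the per-rule counters would never see
 * under the original predicate. */
size_t invisible_drops(void) { return hits_proposed() - hits_original(); }

int main(void)
{
    printf("packets in sample:         %zu\n", SAMPLE_LEN);
    printf("counted (original):        %zu\n", hits_original());
    printf("counted (proposed):        %zu\n", hits_proposed());
    printf("dropped but uncounted:     %zu\n", invisible_drops());
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        if (!counted_original(&SAMPLE[i]))
            printf("  uncounted: %s\n", SAMPLE[i].desc);
    return 0;
}
```

In the constructed sample, four of six packets are dropped by rules that are nominally accepting, and none of those four reach the rule counters under the original condition; the proposed condition counts all six. The model only compares the two predicates and says nothing about where pf_create_state would have to return PF_LIMIT_DROP or how synproxy's own SYN+ACKs would be attributed.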
