Date: Thu, 29 Sep 2022 18:01:42 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: "Lyndon Nerenberg (VE7TFX/VE6BBM)" <lyndon@orthanc.ca>
Cc: FreeBSD pf <freebsd-pf@freebsd.org>, Eirik Øverby <eirik.overby@modirum.com>
Subject: Re: RFC: enabling pf syncookies by default
Message-ID: <451789B9-8490-43F5-A614-E55B90C08898@FreeBSD.org>
In-Reply-To: <C6D440A0-3E9C-480C-8210-0D7D63D8EAA3@FreeBSD.org>
References: <BF7E3C1C-CC06-4874-821E-2B3BBDC2F467@FreeBSD.org> <ba35872719a2d75e@orthanc.ca> <C6D440A0-3E9C-480C-8210-0D7D63D8EAA3@FreeBSD.org>
On 28 Sep 2022, at 11:44, Kristof Provost wrote:
> Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.
>
So I've found a bit of time to look at this, and I think I understand the problem now, and I'm also pretty sure it affects FreeBSD too. Porting the OpenBSD fix to FreeBSD should be possible without too much difficulty.

That said, I'm going to try to build a test case for this first, to make sure I actually understand the problem correctly. In the meantime, I'll drop my notes-to-self here, in case anyone else wants to play (or tell me I'm wrong):

> Basic scenario: we have a closed connection (in TCPS_FIN_WAIT_2), and get a new connection (i.e. SYN) re-using the tuple.
> Without syncookies we look at the SYN, and completely unlink the old, closed state on the SYN.
> With syncookies we send a generated SYN|ACK back, and drop the SYN, never looking at the state table.
> So when the ACK turns up, as the last part of connection setup, we've not actually removed the old state, so we find it, and don't do the syncookie dance, or allow the new connection to get set up.

Best regards,
Kristof
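The tuple-reuse scenario sketched in the notes above, as an added toy model (constructed for this archive page, not pf's code and not part of the original message): a state table keyed by 4-tuple, with the SYN handled either by the normal path or by the syncookie path, followed by the handshake ACK. The `unlink_stale_on_cookie_ack` branch is an assumption about what a remedy has to do, not the OpenBSD or FreeBSD patch itself.

```python
# Toy model of the pf state-lookup race from the notes above. Constructed
# illustration only: not pf's code; the remedy flag is a hypothetical fix.
from dataclasses import dataclass, field

FIN_WAIT_2, SYN_SENT, ESTABLISHED = "FIN_WAIT_2", "SYN_SENT", "ESTABLISHED"


@dataclass
class StateTable:
    syncookies: bool
    unlink_stale_on_cookie_ack: bool = False   # hypothetical remedy
    states: dict = field(default_factory=dict)  # 4-tuple -> TCP state
    cookies_sent: set = field(default_factory=set)

    def handle(self, key, flags):
        """Process one packet for connection `key`; return the verdict."""
        old = self.states.get(key)
        if flags == "SYN":
            if self.syncookies:
                # Syncookie path: answer from the cookie and drop the SYN
                # without consulting the table, so a closed state survives.
                self.cookies_sent.add(key)
                return "synack"
            if old == FIN_WAIT_2:
                del self.states[key]           # normal path unlinks it here
                old = None
            if old is None:
                self.states[key] = SYN_SENT
                return "pass"
            return "drop"
        if flags == "ACK":
            if old == SYN_SENT:
                self.states[key] = ESTABLISHED
                return "pass"
            if old == FIN_WAIT_2 and self.syncookies and self.unlink_stale_on_cookie_ack:
                del self.states[key]           # hypothetical: drop stale state first
                old = None
            if old is not None:
                return "matched-stale"         # found the old state; no cookie check
            if key in self.cookies_sent:       # cookie validates: build the state
                self.cookies_sent.discard(key)
                self.states[key] = ESTABLISHED
                return "pass"
        return "drop"


def reuse_scenario(syncookies, remedy=False):
    """SYN then ACK on a tuple with a leftover closed state; returns (ACK verdict, final state)."""
    key = ("10.0.0.1", 40000, "10.0.0.2", 80)     # constructed 4-tuple
    table = StateTable(syncookies, remedy)
    table.states[key] = FIN_WAIT_2                # leftover closed state
    table.handle(key, "SYN")
    return table.handle(key, "ACK"), table.states.get(key)
```

Running `reuse_scenario(False)` yields the new connection established, `reuse_scenario(True)` leaves the stale FIN_WAIT_2 entry in place with the ACK matched against it, and `reuse_scenario(True, True)` shows that unlinking the stale state on the cookie ACK restores the normal outcome.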