From: Kristof Provost
To: "Lyndon Nerenberg (VE7TFX/VE6BBM)"
Cc: FreeBSD pf, Eirik Øverby
Subject: Re: RFC: enabling pf syncookies by default
Date: Thu, 29 Sep 2022 18:01:42 +0200
Message-ID: <451789B9-8490-43F5-A614-E55B90C08898@FreeBSD.org>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
On 28 Sep 2022, at 11:44, Kristof Provost wrote:
> Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.
>
So I’ve found a bit of time to look at this, and I think I understand the problem now, and I’m also pretty sure it affects FreeBSD too. Porting the OpenBSD fix to FreeBSD should be possible without too much difficulty.

That said, I’m going to try to build a test case for this first, to make sure I actually understand the problem correctly. In the meantime, I’ll drop my notes-to-self here, in case anyone else wants to play (or tell me I’m wrong):

> Basic scenario: we have a closed connection (in TCPS_FIN_WAIT_2), and get a new connection (i.e. SYN) re-using the tuple.
> Without syncookies we look at the SYN, and completely unlink the old, closed state on the SYN.
> With syncookies we send a generated SYN|ACK back, and drop the SYN, never looking at the state table.
> So when the ACK turns up, as the last part of connection setup, we’ve not actually removed the old state, so we find it, and don’t do the syncookie dance, or allow the new connection to get set up.

Best regards,
Kristof
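A small model of the sequence described in the notes above, added here as an illustration and not pf's code: it keeps a toy state table and walks the SYN and the final ACK through it with syncookies off, with syncookies on (the stale FIN_WAIT_2 state is never unlinked, so the cookie ACK matches it and no new state is created), and with a hypothetical fix that unlinks a closed state when a cookie ACK arrives. All class and function names and the sample 4-tuple are invented for the example.

```python
"""Toy model of the pf state-lookup problem from the mail: a state still in
the table in TCPS_FIN_WAIT_2 when a new SYN re-uses the same 4-tuple.
Added illustration only; not pf code, and every name here is made up."""

CLOSED = {"TCPS_FIN_WAIT_2", "TCPS_TIME_WAIT"}   # states a new SYN may replace


class ToyPf:
    def __init__(self, syncookies, unlink_stale_on_cookie_ack=False):
        self.syncookies = syncookies
        self.unlink_stale_on_cookie_ack = unlink_stale_on_cookie_ack  # hypothetical fix
        self.states = {}      # 4-tuple -> TCP state name
        self.replies = []     # packets the firewall itself generated

    def packet(self, key, flags):
        # Syncookie path: answer the SYN with a generated SYN|ACK and drop it,
        # without ever consulting the state table (the crux of the problem).
        if self.syncookies and flags == "SYN":
            self.replies.append((key, "SYN|ACK"))
            return "syncookie-synack"
        cur = self.states.get(key)
        if cur in CLOSED:
            # A SYN always replaces a closed state; a cookie ACK only does so
            # when the hypothetical fix is enabled.
            if flags == "SYN" or (flags == "ACK" and self.syncookies
                                  and self.unlink_stale_on_cookie_ack):
                del self.states[key]
                cur = None
        if cur is not None:
            return "handled-by-existing-state"   # stale state: no new connection
        if flags == "SYN":
            self.states[key] = "TCPS_SYN_SENT"   # normal state creation on SYN
            return "state-created"
        if flags == "ACK" and self.syncookies:
            # Assume the cookie carried in the ACK validates; create the state
            # the dropped SYN never created.
            self.states[key] = "TCPS_ESTABLISHED"
            return "state-created-from-cookie"
        return "no-state"


def reuse_scenario(syncookies, fixed=False):
    """Old closed connection on a tuple, then SYN and ACK of a new one re-using
    it. Returns (action for SYN, action for ACK, final state for the tuple)."""
    key = ("10.0.0.1", 40000, "10.0.0.2", 443)   # constructed sample 4-tuple
    pf = ToyPf(syncookies, fixed)
    pf.states[key] = "TCPS_FIN_WAIT_2"           # leftover closed state
    syn_action = pf.packet(key, "SYN")
    ack_action = pf.packet(key, "ACK")
    return syn_action, ack_action, pf.states.get(key)
```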