From owner-freebsd-bugs@FreeBSD.ORG Tue Apr 14 18:50:03 2009
Message-Id: <200904141844.n3EIibcZ030207@citrin.park.rambler.ru>
Date: Tue, 14 Apr 2009 22:44:37 +0400 (MSD)
From: Anton Yuzhaninov
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/133732: [pf] max-src-conn issue
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Tue, 14 Apr 2009 18:50:03 GMT

>Number:         133732
>Category:       kern
>Synopsis:       [pf] max-src-conn issue
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 14 18:50:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Anton Yuzhaninov
>Release:        FreeBSD 8.0-CURRENT amd64
>Organization:
Rambler
>Environment:
System: FreeBSD citrin.park.rambler.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009 citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
In pf the number of connections from one source IP can be limited using the max-src-conn state option. When there are already max-src-conn connections and a new connection is opened:

- OpenBSD 4.1, 4.4: packets from the new connection matched by a rule with max-src-conn are dropped, and no new state is created.
- FreeBSD 7, 8: no new state is created, but packets matched by the rule are passed.

Because the SYN packet passes, new connections in SYN_RCVD state can be created without limit, even though connections should be limited by max-src-conn.
>How-To-Repeat:
1. Add rules on a host with pf:

$ pfctl -s rule
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
block drop in quick on re0 proto tcp from any to any port = ssh

2. Open 3 ssh connections from the same IP:

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED

$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.62770     ESTABLISHED

$ pfctl -z

On the remote host:

ssh 81.19.90.176

No new state is created:

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED

$ pfctl -s rule -v
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
  [ Evaluations: 97        Packets: 169       Bytes: 15772       States: 3     ]
  [ Inserted: uid 0 pid 29869 ]
block drop in quick on re0 proto tcp from any to any port = ssh
  [ Evaluations: 3         Packets: 3         Bytes: 156         States: 0     ]
  [ Inserted: uid 0 pid 29869 ]

But the SYN and SYN-ACK packets are passed:

$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.64.101.51722     SYN_RCVD
tcp4       0      0  81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.62770     ESTABLISHED

With more connection attempts, netstat shows more connections in SYN_RCVD state.

(All messages about disabled ALTQ are skipped.)
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
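The symptom in this report is visible as a mismatch between two tables: the kernel's TCP control blocks (netstat) and pf's state table (pfctl -s state). The script below, an added example that is not part of the PR and not FreeBSD or pf code, cross-checks the two and lists inbound IPv4 TCP connections the kernel knows about but pf holds no state for, plus a count of how many of those are half-open (SYN_RCVD). The embedded sample outputs are constructed from the report's netstat and pfctl listings; on a real host feed it the live command output instead. It assumes the pfctl state format "all tcp local:port <- src:port STATE:STATE" and the netstat -n -p tcp format with the port as the last dot-separated component; IPv6 (tcp6) lines are ignored.

```shell
#!/bin/sh
# Added example (not from the PR): find TCP connections the kernel accepted
# but pf never created a state for, i.e. packets that slipped past a
# max-src-conn limit. Constructed sample data modelled on the report.

NETSTAT_SAMPLE='Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.64.101.51722     SYN_RCVD
tcp4       0      0  81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.64.101.62770     ESTABLISHED'

PFSTATE_SAMPLE='all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED'

# unstated_connections NETSTAT_OUTPUT PFSTATE_OUTPUT
# Prints one line "src:sport -> local:lport TCPSTATE" for every inbound
# tcp4 connection in the netstat output that has no inbound pf state.
unstated_connections() {
    # Feed pf states first, then a separator, then netstat, into one awk run.
    printf '%s\n--\n%s\n' "$2" "$1" | awk '
        /^--$/ { phase = 1; next }
        phase == 0 {
            # pf state line: "all tcp local:lport <- src:sport STATE:STATE";
            # "<-" marks an inbound state, so $5 is the remote source.
            if ($2 == "tcp" && $4 == "<-") seen[$5 " " $3] = 1
            next
        }
        $1 == "tcp4" {
            # netstat line: addresses are a.b.c.d.port; split off the port.
            nl = split($4, l, "."); nf = split($5, f, ".")
            if (nl != 5 || nf != 5) next
            local   = l[1] "." l[2] "." l[3] "." l[4] ":" l[5]
            foreign = f[1] "." f[2] "." f[3] "." f[4] ":" f[5]
            key = foreign " " local
            if (!(key in seen)) print foreign " -> " local " " $6
        }'
}

# half_open_unstated NETSTAT_OUTPUT PFSTATE_OUTPUT
# Counts the unstated connections that are still in SYN_RCVD: the half-open
# connections the firewall was supposed to have dropped.
half_open_unstated() {
    unstated_connections "$1" "$2" | awk '$NF == "SYN_RCVD" { n++ } END { print n + 0 }'
}

# Usage on the sample data (on a live host pass "$(netstat -n -p tcp)" and
# "$(pfctl -s state)" instead):
unstated_connections "$NETSTAT_SAMPLE" "$PFSTATE_SAMPLE"
half_open_unstated "$NETSTAT_SAMPLE" "$PFSTATE_SAMPLE"
```

Run it once before and once after the extra ssh attempt in the repeat steps: with the first listings the output is empty, with the second it reports 81.19.64.101:51722 in SYN_RCVD with no pf state, which is exactly the connection the max-src-conn 3 rule should have refused. A non-zero count from the second function over time is a cheap indicator that source-tracking is not limiting half-open connections on the host.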