[Bug 282496] PF source tracking counter wrapping around
Date: Sat, 02 Nov 2024 16:56:01 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282496
Bug ID: 282496
Summary: PF source tracking counter wrapping around
Product: Base System
Version: 14.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: bugs@FreeBSD.org
Reporter: mkrzewicki@gmail.com
Hi,
I have a pf firewall with some rules limiting the number of connections and
tracking per host like this:
pass in quick on igb0 from <holy> to any flags S/SA keep state (source-track rule) label "holy"
pass in on igb0 inet from any to ! 10.0.0.0/20 flags S/SA keep state (source-track rule, max-src-states 200, max-src-conn 400) label "slow" dnpipe(2, 1)
Now, from time to time, I get complaints from users of no connectivity. I noticed
that 'pfctl -sS' sometimes reports a number of connections close to int_max, so
I started monitoring that with a simple cron job:
* * * * * pfctl -sS|awk '{print $1 " " $8}'|tr ',' ' '|while read addr conn; do echo $conn >> /root/pfconntrack/$addr; done
It looks like the counter is sometimes decreased below 0 and, being an unsigned
int, wraps around to int_max. It looks like a race condition: maybe there are a
few threads decreasing this counter without a check or lock(?), as the large
number always follows a low number of connections, and after a while it gets
back up to a small integer value (close to zero). Below is an example of such a
sequence, minute by minute, for one of the hosts:
10
3
4294967292
4294967292
4294967291
4294967293
4294967292
4294967290
4294967290
1
2
4294967294
2
4
Of course, while the counter is high my users complain, as the rule
happily stops matching for their hosts.
I have asked about this in the forums but it seems nobody knows what to do
about this there.
So the question is: is it a bug or am I doing something wrong and this
behaviour is expected?
thanks,
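As an added example (not part of the bug report or of pf itself), here is a small POSIX sh script that does what the reporter's cron job does but detects the wrap directly: it parses 'pfctl -sS'-style source-node lines and flags any per-source connection counter that can only be a wrapped (underflowed) 32-bit value, and it counts low-to-wrapped transitions in a per-address history file like the one the reporter collected. The sample lines are constructed; their layout follows the field numbers the reporter's awk uses ($1 = address, $8 = connection count), and the threshold of 2^31 is an assumption (no real host here has two billion connections).

```shell
#!/bin/sh
# Added example, not code from the bug report or from pf/pfctl.
# Assumed 'pfctl -sS' layout (constructed to match the reporter's awk fields):
#   <src addr> -> <dst addr> ( states N, connections N, rate X/Ys )

# Print "addr count wrapped (signed)" for every source node whose connection
# counter is at or above the threshold. pf keeps the counter as a 32-bit
# unsigned value, so anything >= 2^31 is treated as an underflow, and the
# signed interpretation (count - 2^32) shows how far below zero it went.
detect_wrapped() {
    awk -v thr="${1:-2147483648}" '
        /connections/ {
            addr = $1
            conn = $8
            sub(/,/, "", conn)                 # "4294967292," -> "4294967292"
            if (conn + 0 >= thr)
                print addr, conn, "wrapped (" (conn - 4294967296) ")"
        }'
}

# Read a per-address history file (one counter value per line, as written by
# the reporter's cron job) and print how many times the value jumped from a
# sane count to a wrapped one. Each such event is one underflow race.
count_wrap_events() {
    awk -v thr="${1:-2147483648}" '
        NR > 1 && prev < thr && $1 + 0 >= thr { events++ }
        { prev = $1 + 0 }
        END { print events + 0 }'
}

# Constructed sample of 'pfctl -sS' output: one healthy node, one wrapped node.
SAMPLE_SRC_NODES='10.0.0.5 -> 0.0.0.0 ( states 3, connections 4294967292, rate 0.0/0s )
10.0.0.6 -> 0.0.0.0 ( states 2, connections 4, rate 0.0/0s )'

# The counter sequence quoted in the report, as a constructed history file.
SAMPLE_HISTORY='10
3
4294967292
4294967292
4294967291
4294967293
4294967292
4294967290
4294967290
1
2
4294967294
2
4'

# Stand-alone demo; in production replace the printf with: pfctl -sS | detect_wrapped
printf '%s\n' "$SAMPLE_SRC_NODES" | detect_wrapped
printf '%s\n' "$SAMPLE_HISTORY" | count_wrap_events
```

Run from cron instead of the raw pfctl dump, 'detect_wrapped' only emits a line when a source node is in the wrapped state, so it doubles as an alert trigger; 'count_wrap_events' run over the files in /root/pfconntrack gives the number of underflows per host, which is the figure worth attaching to a bug like this one.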