kern/133732: [pf] max-src-conn issue
Anton Yuzhaninov
citrin at citrin.ru
Tue Apr 14 11:50:03 PDT 2009
>Number: 133732
>Category: kern
>Synopsis: [pf] max-src-conn issue
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 14 18:50:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Anton Yuzhaninov
>Release: FreeBSD 8.0-CURRENT amd64
>Organization:
Rambler
>Environment:
System: FreeBSD citrin.park.rambler.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009 citrin at citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
In pf, the number of connections from one source IP can be limited using the
max-src-conn state option.
When there are already max-src-conn connections and a new connection is opened:
- OpenBSD 4.1, 4.4: packets from the new connection, matched by the rule with
max-src-conn, are dropped, and no new state is created
- FreeBSD 7, 8: no new state is created, but packets matched by the rule are passed
Because the SYN packet passes, new connections in SYN_RCVD state can be created
without limit, even though connections should be limited by max-src-conn.
>How-To-Repeat:
1. add rules on a host with pf:
$ pfctl -s rule
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
block drop in quick on re0 proto tcp from any to any port = ssh
2. open 3 ssh connections from the same IP
$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240 ESTABLISHED:ESTABLISHED
$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 81.19.90.176.22 81.19.64.101.51240 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.64.101.51209 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.64.101.62770 ESTABLISHED
$ pfctl -z
On remote host:
ssh 81.19.90.176
No new state is created:
$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240 ESTABLISHED:ESTABLISHED
$ pfctl -s rule -v
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
[ Evaluations: 97 Packets: 169 Bytes: 15772 States: 3 ]
[ Inserted: uid 0 pid 29869 ]
block drop in quick on re0 proto tcp from any to any port = ssh
[ Evaluations: 3 Packets: 3 Bytes: 156 States: 0 ]
[ Inserted: uid 0 pid 29869 ]
But the SYN and SYN-ACK packets are passed:
$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 81.19.90.176.22 81.19.64.101.51722 SYN_RCVD
tcp4 0 0 81.19.90.176.22 81.19.64.101.51240 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.64.101.51209 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.64.101.62770 ESTABLISHED
With more connection attempts, netstat shows more connections in SYN_RCVD state
(all messages about disabled ALTQ are skipped)
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
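The check below is an added example, not part of the PR or of pf; it automates the comparison the submitter made by hand between `pfctl -s state` and `netstat -n -p tcp`. It parses both outputs for one peer IP and destination port and reports source ports that have a kernel TCP socket but no pf state, which is exactly the SYN_RCVD symptom described above. The two outputs are embedded inline as constructed samples copied from the PR text so the script runs offline; on a real host replace the two variables with the live command output. Peer address and port are taken from the PR, the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the PR): find TCP connections the kernel accepted
# for which pf holds no state. Sample output below is copied from the PR;
# on a live host use:  PF_STATES=$(pfctl -s state)  NETSTAT=$(netstat -n -p tcp)

PF_STATES='all tcp 81.19.90.176:22 <- 81.19.64.101:62770 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240 ESTABLISHED:ESTABLISHED'

NETSTAT='Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 81.19.90.176.22 81.19.64.101.51722 SYN_RCVD
tcp4 0 0 81.19.90.176.22 81.19.64.101.51240 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.64.101.51209 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.64.101.62770 ESTABLISHED'

# pf_state_ports SRC_IP PORT
# Source ports of inbound ("<-") tcp states from SRC_IP to local port PORT.
pf_state_ports() {
    printf '%s\n' "$PF_STATES" | awk -v src="$1" -v port="$2" '
        $2 == "tcp" && $4 == "<-" {
            split($3, dst, ":"); split($5, s, ":")
            if (dst[2] == port && s[1] == src) print s[2]
        }'
}

# tcp_ports SRC_IP PORT
# Foreign ports of kernel TCP sockets from SRC_IP to local port PORT.
# netstat joins address and port with a dot, so the port is the last field.
tcp_ports() {
    printf '%s\n' "$NETSTAT" | awk -v src="$1" -v port="$2" '
        $1 ~ /^tcp/ {
            n = split($4, l, "."); lport = l[n]
            m = split($5, f, "."); fport = f[m]
            fip = substr($5, 1, length($5) - length(fport) - 1)
            if (lport == port && fip == src) print fport
        }'
}

# stateless_conns SRC_IP PORT
# Kernel connections from SRC_IP with no pf state: with a max-src-conn rule
# these should not exist, so any output is the symptom reported in the PR.
stateless_conns() {
    states=$(pf_state_ports "$1" "$2" | tr '\n' ' ')
    for p in $(tcp_ports "$1" "$2"); do
        case " $states" in
            *" $p "*) ;;           # tracked by pf, fine
            *) echo "$p" ;;        # socket exists, pf never created a state
        esac
    done
}

# Usage: report the untracked connections for the peer from the PR.
for p in $(stateless_conns 81.19.64.101 22); do
    echo "81.19.64.101:$p has a TCP socket but no pf state"
done
```

On the sample data the script names port 51722, the SYN_RCVD socket that appears in netstat but not in `pfctl -s state`. Run it in a loop while opening connections past the limit; on a host where max-src-conn drops the excess SYN (the OpenBSD behaviour the PR describes) it should print nothing.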