[Bug 217997] [pf] orphaned entries in src-track

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

            Bug ID: 217997
           Summary: [pf] orphaned entries in src-track
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: rs at bytecamp.net

There seems to be a flaw in the src-track cleanup code. This has been
discovered since 10.3.

pf.conf is (stripped down to the relevant parts):

-- 8< ------------------------

rdr proto tcp from any to $public-ip port http -> <www-pool> port http \
        round-robin sticky-address

table <www-pool> persist  { $www-addr, $www-addr2, $www-addr3 }

block in all
block out all

pass quick proto tcp from any to <www-pool> port 80 \
        keep state \
        ( source-track rule, max 8192, max-src-states 96, \
          tcp.closing 20, tcp.finwait 15 )

-- 8< ------------------------

The problem is, that src-track table grows until no more entries can be
inserted. Although there are no states from a sample ip-address in the state
table, there are still references in the src-track table:

# pfctl -vsS | grep -A1 $example-address
$example-address -> $www-addr ( states 4, connections 0, rate 0.0/0s )
   age 01:47:25, 4808 pkts, 1713437 bytes, rdr rule 0

# pfctl -sS | grep $example-address
(nothing shown)

To circumvent this problem, we have to parse pfctl output and kill over-aged
source tracking entries manually.

Maybe someone can track this down.

Regards,
Robert Schulze

-- 
You are receiving this mail because:
You are the assignee for the bug.