Bug 133732 - [pf] max-src-conn issue
Summary: [pf] max-src-conn issue
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 8.0-CURRENT
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2009-04-14 19:50 UTC by citrin
Modified: 2018-01-03 05:16 UTC
Description citrin 2009-04-14 19:50:02 UTC
In pf, the number of connections from one source IP can be limited using the
max-src-conn state option.

When max-src-conn connections are already open and a new connection is opened:
 - OpenBSD 4.1, 4.4: packets from the new connection, matched by the rule with
   max-src-conn, are dropped, and no new state is created
 - FreeBSD 7, 8: no new state is created, but packets matched by the rule are passed

Because the SYN packet is passed, new connections in SYN_RCVD state can be created
without limit, even though connections should be limited by max-src-conn.

How-To-Repeat: 1. Add rules on a host with pf:

$ pfctl -s rule
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
block drop in quick on re0 proto tcp from any to any port = ssh

2. Open 3 ssh connections from the same IP

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED

$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.62770     ESTABLISHED

$ pfctl -z

On the remote host:
ssh 81.19.90.176

A new state is not created:
$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED

$ pfctl -s rule -v
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
  [ Evaluations: 97        Packets: 169       Bytes: 15772       States: 3     ]
  [ Inserted: uid 0 pid 29869 ]
block drop in quick on re0 proto tcp from any to any port = ssh
  [ Evaluations: 3         Packets: 3         Bytes: 156         States: 0     ]
  [ Inserted: uid 0 pid 29869 ]

But the SYN and SYN-ACK packets are passed:
$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.64.101.51722     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.62770     ESTABLISHED

With more connection attempts, netstat shows more connections in SYN_RCVD state.

(All messages about disabled ALTQ are skipped.)
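A check an administrator can run to confirm the behaviour described in this report, added here as an example and not part of the original report or of pf: it parses the `pfctl -s state` and `netstat -n -p tcp` output formats shown above, reports kernel TCP connections on the ssh port that have no matching pf state, and lists sources whose connection count exceeds the max-src-conn value. The sample output strings are constructed from the report's values; the helper names are the example's own.

```python
import re
from collections import Counter

# Constructed sample output, copied from the formats in the report (not live data).
PF_STATES = """\
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED
"""
NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.64.101.51722     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.62770     ESTABLISHED
"""
# Inbound pf state line: "<if> tcp <local>:<port> <- <remote>:<port> <state>"
PF_RE = re.compile(r"^\S+\s+tcp\s+(\S+):(\d+)\s+<-\s+(\S+):(\d+)\s+\S+$")
# netstat -n line: "tcp4 <rq> <sq> <local>.<port> <remote>.<port> <state>"
NS_RE = re.compile(r"^tcp[46]\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)$")

def pf_state_keys(text):
    """Set of (local_ip, local_port, remote_ip, remote_port) for inbound pf states."""
    keys = set()
    for line in text.splitlines():
        m = PF_RE.match(line.strip())
        if m:
            keys.add((m[1], int(m[2]), m[3], int(m[4])))
    return keys

def kernel_conns(text):
    """Dict {(local_ip, local_port, remote_ip, remote_port): tcp_state} from netstat."""
    conns = {}
    for line in text.splitlines():
        m = NS_RE.match(line.strip())
        if m:  # header lines do not match and are skipped
            conns[(m[1], int(m[2]), m[3], int(m[4]))] = m[5]
    return conns

def stateless_conns(pf_text, ns_text, local_port=22):
    """Kernel TCP connections on local_port that pf holds no state for."""
    states = pf_state_keys(pf_text)
    return {k: v for k, v in kernel_conns(ns_text).items()
            if k[1] == local_port and k not in states}

def over_limit_sources(ns_text, local_port, max_src_conn):
    """Sources whose kernel connection count on local_port exceeds max-src-conn."""
    counts = Counter(k[2] for k in kernel_conns(ns_text) if k[1] == local_port)
    return {src: n for src, n in counts.items() if n > max_src_conn}
```

On a live host, feed the functions the output of `pfctl -s state` and `netstat -n -p tcp`; any entry returned by `stateless_conns` is a connection the kernel accepted without pf tracking it, which is exactly the SYN_RCVD leak the report describes.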
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-04-14 22:35:00 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:00 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped