From citrin@citrin.park.rambler.ru  Tue Apr 14 18:44:40 2009
Return-Path: <citrin@citrin.park.rambler.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B9226106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 14 Apr 2009 18:44:40 +0000 (UTC)
	(envelope-from citrin@citrin.park.rambler.ru)
Received: from mailsupport.rambler.ru (mailsupport.rambler.ru [81.19.66.129])
	by mx1.freebsd.org (Postfix) with ESMTP id 477E78FC12
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 14 Apr 2009 18:44:39 +0000 (UTC)
	(envelope-from citrin@citrin.park.rambler.ru)
Received: from citrin.park.rambler.ru (unknown [81.19.90.176])
	by mailsupport.rambler.ru (Postfix) with ESMTPS id E4D70F7
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 14 Apr 2009 22:44:37 +0400 (MSD)
Received: from citrin.park.rambler.ru (localhost [127.0.0.1])
	by citrin.park.rambler.ru (8.14.3/8.14.3) with ESMTP id n3EIibLR030208
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 14 Apr 2009 22:44:37 +0400 (MSD)
	(envelope-from citrin@citrin.park.rambler.ru)
Received: (from citrin@localhost)
	by citrin.park.rambler.ru (8.14.3/8.14.3/Submit) id n3EIibcZ030207;
	Tue, 14 Apr 2009 22:44:37 +0400 (MSD)
	(envelope-from citrin)
Message-Id: <200904141844.n3EIibcZ030207@citrin.park.rambler.ru>
Date: Tue, 14 Apr 2009 22:44:37 +0400 (MSD)
From: Anton Yuzhaninov <citrin@citrin.ru>
Reply-To: Anton Yuzhaninov <citrin@citrin.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [pf] max-src-conn issue
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         133732
>Category:       kern
>Synopsis:       [pf] max-src-conn issue
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 14 18:50:02 UTC 2009
>Closed-Date:    
>Last-Modified:  Tue Apr 14 21:35:11 UTC 2009
>Originator:     Anton Yuzhaninov
>Release:        FreeBSD 8.0-CURRENT amd64
>Organization:
Rambler
>Environment:
System: FreeBSD citrin.park.rambler.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009 citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
In pf, the number of connections from one source IP can be limited using the
max-src-conn state option.

When max-src-conn connections already exist and a new connection is opened:
 - OpenBSD 4.1, 4.4: packets from the new connection, matched by the rule with
   max-src-conn, are dropped, and no new state is created
 - FreeBSD 7, 8: no new state is created, but packets matched by the rule are passed

Because the SYN packet passes, new connections in SYN_RCVD state can be created
without limit, even if connections should be limited by max-src-conn.

>How-To-Repeat:
1. Add rules on the host with pf:

$ pfctl -s rule
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
block drop in quick on re0 proto tcp from any to any port = ssh

2. Open 3 ssh connections from the same IP

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED

$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.62770     ESTABLISHED

$ pfctl -z

On remote host:
ssh 81.19.90.176

New state is not created:
$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.64.101:62770       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51209       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.64.101:51240       ESTABLISHED:ESTABLISHED

$ pfctl -s rule -v
pass in quick on re0 proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
  [ Evaluations: 97        Packets: 169       Bytes: 15772       States: 3     ]
  [ Inserted: uid 0 pid 29869 ]
block drop in quick on re0 proto tcp from any to any port = ssh
  [ Evaluations: 3         Packets: 3         Bytes: 156         States: 0     ]
  [ Inserted: uid 0 pid 29869 ]

But SYN and SYN-ACK packets are passed:
$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.64.101.51722     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.62770     ESTABLISHED

With more connection attempts, netstat shows more connections in SYN_RCVD state.

(all messages about disabled ALTQ are skipped)
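The following script is an added example, not part of this PR or of pf itself. It shows how an administrator can check whether a max-src-conn limit is actually holding on a host: it parses the `netstat -n -p tcp` output format shown above, counts connections per foreign IP in a given TCP state to a given local port, and lists any source whose count exceeds a threshold. The threshold, the port and the embedded netstat listing are constructed for the example (the listing extends the one in the report with extra SYN_RCVD lines); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from PR 133732: count TCP connections per foreign
# IP in one state (e.g. SYN_RCVD) to one local port from "netstat -n -p tcp"
# output, and flag sources above a max-src-conn style limit. Assumes the
# FreeBSD netstat layout shown in the report, with addresses as host.port.

# Constructed sample in the report's format; extra SYN_RCVD lines were added
# to illustrate a source that has exceeded a limit of 2.
SAMPLE_NETSTAT='Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.64.101.51722     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.64.101.51723     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.64.101.51724     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.64.101.51240     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.51209     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.64.101.62770     ESTABLISHED
tcp4       0      0 81.19.90.176.22        10.0.0.5.40000         SYN_RCVD'

# count_by_source PORT STATE  < netstat-output
# Prints "ip count" for every foreign IP with connections in STATE to local PORT.
count_by_source() {
    port="$1"; state="$2"
    awk -v port="$port" -v state="$state" '
        $1 ~ /^tcp/ && $NF == state {
            # Field 4 is the local address, field 5 the foreign one, as host.port;
            # the port is everything after the last dot, the host is the rest.
            n = split($4, l, "."); lport = l[n]
            if (lport != port) next
            m = split($5, f, "."); fport = f[m]
            ip = substr($5, 1, length($5) - length(fport) - 1)
            c[ip]++
        }
        END { for (ip in c) print ip, c[ip] }
    ' | sort
}

# over_limit PORT STATE LIMIT  < netstat-output
# Keeps only sources whose count in STATE is greater than LIMIT (hypothetical threshold).
over_limit() {
    port="$1"; state="$2"; limit="$3"
    count_by_source "$port" "$state" | awk -v limit="$limit" '$2 > limit'
}

# Wrappers over the constructed sample so the results are easy to check.
sample_syn_rcvd_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_source 22 SYN_RCVD \
        | awk '$1 == "81.19.64.101" { print $2 }'
}

sample_over_limit_sources() {
    printf '%s\n' "$SAMPLE_NETSTAT" | over_limit 22 SYN_RCVD 2 | awk '{ print $1 }'
}

# On a live host, replace the sample with:  netstat -n -p tcp | over_limit 22 SYN_RCVD 3
sample_syn_rcvd_count
sample_over_limit_sources
```

If the limit in the pf rule is 3 and this check repeatedly reports a source with more than 3 half-open connections to the protected port, the state limit is not being enforced at the packet level, which is exactly the symptom the report describes; the ESTABLISHED count per source can be checked the same way to confirm that state creation itself is still capped.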
>Fix:

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Apr 14 21:35:00 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=133732 
>Unformatted:
