git: pf - Fix a few edge cases when the state table gets big

Matthew Dillon dillon at crater.dragonflybsd.org
Fri Oct 25 16:14:58 PDT 2019


commit fe19674c9eaf9592c9163742b7cf4db60a0567e7
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Fri Oct 25 15:57:16 2019 -0700

    pf - Fix a few edge cases when the state table gets big
    
    * Currently when the state table gets big the state timeout can
      be reduced all the way to 0.  This can totally mess up legitimate
      connections.
    
      Change the algorithm.  First calculate a reduction in the timeout
      from 0% to 100%, then claw-back up to 50% of the reduction based on
      the number of packets impacting the state.  This gives the system
      the chance to reject bad state over good state or otherwise requires
      an attacker to DOS the state table based on packet rate, which is
      much harder to do.
    
    * When sloppy state tracking is specified use a timeout of
      PFTM_TCP_FIRST_PACKET instead of PFTM_TCP_ESTABLISHED for any tcp
      state that has only received SYN or SYN+ACK packets.  That is, do not
      use the full PFTM_TCP_ESTABLISHED timeout until some data actually flows.
    
      This reduces state bloat from redirect traffic where PF might see SYN
      or SYN+ACK and then never sees a packet again while in SLOPPY mode.

Summary of changes:
 sys/net/pf/pf.c    | 51 +++++++++++++++++++++++++++++++++++++++++++++++----
 sys/net/pf/pfvar.h |  4 ++--
 2 files changed, 49 insertions(+), 6 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/fe19674c9eaf9592c9163742b7cf4db60a0567e7


-- 
DragonFly BSD source repository
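The two-step timeout scaling described in the first bullet of the commit message, as an added illustration that is not DragonFly's pf.c: the old behaviour scales the timeout linearly to 0 as the table fills, while the new behaviour claws back up to half of that reduction in proportion to the packets a state has carried. Function names and the `packets_full` threshold are invented; the 86400 s base and the 6000/12000 adaptive bounds used in the comments are pf's documented defaults for tcp.established and adaptive.start/adaptive.end.

```c
#include <stdint.h>

/* Fixed-point scale: 10000 == 100%. */
#define SCALE 10000u

/* num/den as a fraction of SCALE, saturating at 100%. */
static uint32_t ratio(uint64_t num, uint64_t den)
{
	if (den == 0 || num >= den)
		return SCALE;
	return (uint32_t)(num * SCALE / den);
}

/* Old behaviour: scale the timeout from 100% at adaptive_start states
 * down to 0% at adaptive_end states. A full table zeroes every state's
 * timeout regardless of whether the connection is live. */
uint32_t legacy_timeout(uint32_t base, uint32_t states,
    uint32_t adaptive_start, uint32_t adaptive_end)
{
	uint32_t reduction;

	if (states <= adaptive_start || adaptive_end <= adaptive_start)
		return base;
	reduction = ratio(states - adaptive_start, adaptive_end - adaptive_start);
	return (uint32_t)((uint64_t)base * (SCALE - reduction) / SCALE);
}

/* New behaviour as the commit message describes it: compute the same
 * 0..100% reduction, then give back up to 50% of it in proportion to the
 * packets seen on the state. packets_full is an assumed tunable meaning
 * "enough traffic to earn the full claw-back"; idle states (0 packets)
 * still expire first, so an attacker cannot flush good state merely by
 * filling the table with one-packet states. */
uint32_t adaptive_timeout(uint32_t base, uint32_t states,
    uint32_t adaptive_start, uint32_t adaptive_end,
    uint64_t packets, uint64_t packets_full)
{
	uint32_t reduction, clawback;
	uint64_t effective;

	if (states <= adaptive_start || adaptive_end <= adaptive_start)
		return base;
	reduction = ratio(states - adaptive_start, adaptive_end - adaptive_start);
	clawback = ratio(packets, packets_full) / 2;	/* 0 .. 50% */
	effective = (uint64_t)reduction * (SCALE - clawback) / SCALE;
	return (uint32_t)((uint64_t)base * (SCALE - effective) / SCALE);
}
```

With the table at adaptive_end, an idle state still gets 0 s under both functions, but a state that has carried traffic keeps 43200 s (half of 86400) under the new rule instead of 0.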
