git: pf - Fix a few edge cases when the state table gets big
Matthew Dillon
dillon at crater.dragonflybsd.org
Fri Oct 25 16:14:58 PDT 2019
commit fe19674c9eaf9592c9163742b7cf4db60a0567e7
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Fri Oct 25 15:57:16 2019 -0700
pf - Fix a few edge cases when the state table gets big
* Currently when the state table gets big the state timeout can
be reduced all the way to 0. This can totally mess up legitimate
connections.
Change the algorithm. First calculate a reduction in the timeout
from 0% to 100%, then claw-back up to 50% of the reduction based on
the number of packets impacting the state. This gives the system
the chance to reject bad state over good state or otherwise requires
an attacker to DoS the state table based on packet rate, which is
much harder to do.
* When sloppy state tracking is specified use a timeout of
PFTM_TCP_FIRST_PACKET instead of PFTM_TCP_ESTABLISHED for any TCP
state that has only received SYN or SYN+ACK packets. That is, do not
use the full PFTM_TCP_ESTABLISHED timeout until some data actually flows.
This reduces state bloat from redirect traffic where PF might see SYN
or SYN+ACK and then never sees a packet again while in SLOPPY mode.
Summary of changes:
sys/net/pf/pf.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++----
sys/net/pf/pfvar.h | 4 ++--
2 files changed, 49 insertions(+), 6 deletions(-)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/fe19674c9eaf9592c9163742b7cf4db60a0567e7
--
DragonFly BSD source repository
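The two policy changes in the commit message, as an added user-space model written for this page; it is not the DragonFly pf code from the patch. The timeout and adaptive defaults (tcp.first 120s, tcp.established 86400s, adaptive.start 6000, adaptive.end 12000) are stock pf.conf(5) values; the "full_packets" knob that decides when the clawback reaches its 50% cap, the linear shape of the clawback, and the data_seen flag are assumptions of the model, not details taken from the patch.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the timeout policy described in the commit
 * message.  Not DragonFly's pf code: a user-space model only.
 *
 * Defaults assumed from stock pf.conf(5): tcp.first 120s,
 * tcp.established 86400s, adaptive.start 6000, adaptive.end 12000.
 * The packet count at which the clawback is "full" is a knob
 * invented for this model.
 */
#define PFTM_TCP_FIRST_PACKET_DEFAULT	120U
#define PFTM_TCP_ESTABLISHED_DEFAULT	86400U
#define ADAPTIVE_START_DEFAULT		6000U
#define ADAPTIVE_END_DEFAULT		12000U

/*
 * Before the change: the effective timeout shrinks linearly from 100%
 * at adaptive.start to 0% at adaptive.end, regardless of the state's
 * history.  At a full table every state, good or bad, expires at once.
 */
static uint32_t
timeout_before(uint32_t base, uint32_t states, uint32_t start, uint32_t end)
{
	if (end <= start || states <= start)
		return base;
	if (states >= end)
		return 0;
	return (uint32_t)((uint64_t)base * (end - states) / (end - start));
}

/*
 * After the change: compute the same 0%..100% reduction, then hand back
 * up to half of it in proportion to the packets the state has carried.
 * An idle state still drops to 0 at adaptive.end; a state that carried
 * at least full_packets keeps base/2, so an attacker has to sustain a
 * packet rate per state rather than just open many states.
 */
static uint32_t
timeout_after(uint32_t base, uint32_t states, uint32_t start, uint32_t end,
	      uint64_t packets, uint64_t full_packets)
{
	uint32_t reduced = timeout_before(base, states, start, end);
	uint64_t reduction = base - reduced;
	uint64_t p = packets;

	if (full_packets == 0)
		return reduced;
	if (p > full_packets)
		p = full_packets;
	/* clawback = reduction * 50% * (p / full_packets), integer math */
	return reduced + (uint32_t)(reduction * p / (2 * full_packets));
}

/*
 * Second bullet: in SLOPPY mode a TCP state that has only seen SYN or
 * SYN+ACK gets the "first packet" timeout as its base instead of the
 * full established timeout.  data_seen is the model's stand-in for
 * "some data actually flowed" (an assumption of this model).
 */
static uint32_t
sloppy_base_timeout(int data_seen)
{
	return data_seen ? PFTM_TCP_ESTABLISHED_DEFAULT
			 : PFTM_TCP_FIRST_PACKET_DEFAULT;
}

int
main(void)
{
	const uint32_t s = ADAPTIVE_START_DEFAULT, e = ADAPTIVE_END_DEFAULT;
	uint32_t states;

	printf("%8s %8s %10s %10s %10s\n", "states", "before",
	       "idle-after", "busy-after", "sloppy-syn");
	for (states = 0; states <= e; states += 3000) {
		printf("%8u %8u %10u %10u %10u\n", states,
		    timeout_before(PFTM_TCP_ESTABLISHED_DEFAULT, states, s, e),
		    timeout_after(PFTM_TCP_ESTABLISHED_DEFAULT, states, s, e,
			0, 1000),
		    timeout_after(PFTM_TCP_ESTABLISHED_DEFAULT, states, s, e,
			5000, 1000),
		    timeout_after(sloppy_base_timeout(0), states, s, e,
			2, 1000));
	}
	return 0;
}
```

Reading the table, the "before" and "idle-after" columns both hit 0 at adaptive.end, which is the point of the change: a state nobody is talking through is still the first to go. The "busy-after" column never falls below 43200s, and the "sloppy-syn" column shows why the second bullet matters: a handshake-only state in SLOPPY mode starts from 120s rather than 86400s, so it stops pinning table slots long before the adaptive reduction has to kick in.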