HEADS UP - full build recommended for master, PF comments
Matthew Dillon
dillon at apollo.backplane.com
Mon Sep 1 14:10:35 PDT 2014
I've made some commits to the PF code in master. A full buildworld
and buildkernel is recommended. If you wish to do an incremental build
then I suggest:
    a full buildkernel
    cp /usr/src/sys/net/pf/pfvar.h /usr/include/net/pf/
    cd /usr/src/usr.sbin/pfctl; make clean; make obj; make all install
This is because the pf state reporting (pfctl -s state) structure
has changed size.
--
Anyone using RDR rules in PF needs to be cognizant of how RDR rules
work. The RDR rule will match and create state on the packet input
path (NAT rules in contrast match and create state on the packet
output path). Any packets coming from the original direction will
then match that state on the input path. However, *return* packets
coming from the other side will match the state on the packet output
path.
This means that in the forward direction the packet can still match a
PASS OUT rule in the output path and in the reverse direction the
packet can still match a PASS IN rule in the input path without
conflicting with or matching the established RDR state at those points
in the filter.
If you have a PF configuration using RDR and also have PASS rules
as described above, the PASS rules will only see one side of the
tcp connection (because the RDR eats the other side). Thus, any
such PASS rules must be sure to either not specify a 'keep state'
clause and thus use the default keep state (which is 'pickups' and
'sloppy'), or if they do specify a 'keep state' clause they must be sure
to specify the 'pickups' and 'sloppy' option to prevent those states
from doing full-duplex tcp sequence space checks and RSTing the
connection.
This shouldn't affect too many configurations since the default keep
state is 'pickups' and 'sloppy'.
--
It's unclear what the designers intended for this sort of combination
of rules in terms of TCP stateful checking, or if the designers intended
the PASS rules to not establish any PASS state at all. But in reading
various implementations I don't see how PASS state would not be
established. It's harmless as long as it doesn't do full tcp state
checking, but I dunno.
-Matt
Matthew Dillon
<dillon at backplane.com>
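As an added illustration (not part of Matt's mail), a constructed pf.conf fragment showing the RDR plus PASS combination he describes, with the problematic explicit 'keep state' clause shown beside the two acceptable forms; the interface names and addresses are assumed:

```pf
# Constructed example, not from the original mail. Interfaces and addresses are assumed.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.168.1.10"

# RDR matches and creates state on the INPUT path of $ext_if. Packets in the
# original direction keep matching that state on input; the return packets
# from $web_srv match it on the OUTPUT path of $ext_if instead.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 8080

# Forward direction: after translation the packet still traverses the output
# path of $int_if, where a PASS OUT rule can match and create its own state.
# Reverse direction: the reply from $web_srv enters on $int_if, where a PASS IN
# rule can match.  Each of these rules therefore sees only ONE side of the TCP
# connection, because the RDR state consumes the other side.

# PROBLEM: an explicit 'keep state' without pickups/sloppy.  With only one
# direction visible, full-duplex sequence-space checking fails and the state
# ends up RSTing the connection.
# pass out on $int_if proto tcp from any to $web_srv port 8080 keep state
# pass in  on $int_if proto tcp from $web_srv port 8080 to any keep state

# OK (form 1): give no 'keep state' clause at all, so the default state
# options ('pickups' and 'sloppy') apply.
pass out on $int_if proto tcp from any to $web_srv port 8080

# OK (form 2): if a 'keep state' clause is written, spell the options out.
pass in on $int_if proto tcp from $web_srv port 8080 to any keep state (pickups, sloppy)
```

After loading the rules, `pfctl -s state` will show the RDR state alongside the separate states created by the PASS rules, each of the latter having seen only one direction of the connection.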