kern/48377: pf "synproxy state" hangs connections to local services

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/48377: pf "synproxy state" hangs connections to local services
From: jdbaker%mylinuxisp.com@localhost
Date: Wed, 13 Nov 2013 13:55:00 +0000 (UTC)

>Number:         48377
>Category:       kern
>Synopsis:       pf "synproxy state" hangs connections to local services
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 13 13:55:00 +0000 2013
>Originator:     John D. Baker
>Release:        NetBSD/i386-6.1_STABLE
>Organization:
>Environment:
NetBSD slab.technoskunk.fur 6.1_STABLE NetBSD 6.1_STABLE (SLAB) #0: Thu Nov  7 
10:41:48 CST 2013  
sysop%faye.technoskunk.fur@localhost:/d0/build/netbsd-6/obj/i386/sys/arch/i386/compile/SLAB
 i386

>Description:
This problem has actually been around ever since NetBSD added support
for OpenBSD's "pf" packet filter.  Actually first observed on
NetBSD/sparc-4.something, but certainly affects all ports.

Consider the following rule:

  pass in on $ext_if proto tcp to $ext_if port ssh synproxy state

Subsequent attempts to connect to said server host with SSH will hang
indefinitely.  The output of 'pfctl -s state' on the server host shows:

  local_addr:22 <- remote_addr:port  PROXY:DST

If the rule is used on a network firewall and SSH connections are
redirected to a host on another network, such as with:

  rdr on $ext_if proto tcp from !$ext_if to $ext_if port ssh \
    -> $ssh_host port ssh

then the connection succeeds.

SSH is just a convenient example, any local service using TCP would be
affected.
>How-To-Repeat:
Configure 'pf' with a rule allowing access to a service running on the
same host including the "synproxy state" clause.

Attempt to connect to said service.  Observe indefinite hang.  On the
service host, observe output of 'pfctl -s state' as it relates to the
service to which connection is attempted.
>Fix:
Workaround:  Don't use "synproxy state".  The "modulate state" clause
works, but is of questionably utility for inbound connections.  Or just
use "keep state" (which should be the default).

Prev by Date: NetBSD Nightly Trouble Ticket Report
Next by Date: kern/48378: LFS can't mount FS newfs_lfs created
Previous by Thread: Re: lib/48376 (ceill() not in libm)
Next by Thread: Re: kern/48377: pf "synproxy state" hangs connections to local services
Indexes:

Home | Main Index | Thread Index | Old Index