The following reply was made to PR kern/121668; it has been noted by GNATS.
From: Kian Mohageri <kian restek.wwu.edu>
To: Laurent Frigault <lfrigault agneau.org>
Cc: bug-followup FreeBSD.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 12:44:48 -0700
Laurent Frigault wrote:
> On Thu, Mar 13, 2008 at 11:29:52AM -0700, Kian Mohageri wrote:
>> Does the state-mismatch counter increase when this happens (pfctl -si)?
>
> I re-ran the test and yes, the state-mismatch counter increase is
> exactly the number of connects failing with EPERM.
>
>> I remember similar behavior and it was caused by source port reuse on
>> the client (so the new connection caused a state mismatch on an old
>> state).
>
> The previous connections are closed.
> If the source port can't be reused yet, then the kernel should use
> another one for the new connection. If it can, then pf should allow it.
>
> If the connect (SYN) does not match an existing state, the pf rule
> should create a new state.
>
It does "match" a state (source/dest is same), which is the problem.
Even though the connection is closed, the state hasn't yet been purged.
Refer to pf.conf(5) for how to adjust tcp.closed so the state is purged
sooner, or adjust the available dynamic port range (sysctl
net.inet.ip.portrange).

I don't know if this is intended behavior or not. I've never run into
it on OpenBSD, but pf is integrated much more tightly into their system
obviously and I'm guessing their port reuse code is pretty different too.
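One way to run the check Kian asked for, as an added example that is not part of the PR thread: it parses two `pfctl -si` snapshots (constructed here, with most counter lines omitted) and compares the growth of the state-mismatch counter against the number of EPERM failures the client test run reported.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the PR thread: does the pf
# "state-mismatch" counter grow by exactly the number of connect() calls
# that failed with EPERM?

# Read one `pfctl -si` snapshot on stdin and print the state-mismatch total.
# Exits 1 if the Counters section does not contain that line.
state_mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; found = 1 } END { if (!found) exit 1 }'
}

# Print how much the counter grew between two snapshots.
state_mismatch_delta() {
    before=$(printf '%s\n' "$1" | state_mismatch_count) || return 1
    after=$(printf '%s\n' "$2" | state_mismatch_count) || return 1
    echo $((after - before))
}

# Constructed snapshots in the layout pfctl -si prints (values are invented).
SNAP_BEFORE='State Table                          Total             Rate
  current entries                       12
  searches                            1034            2.1/s
Counters
  match                                 57            0.1/s
  state-mismatch                         4            0.0/s
  state-insert                           0            0.0/s'

SNAP_AFTER='State Table                          Total             Rate
  current entries                       15
  searches                            1210            2.4/s
Counters
  match                                 61            0.1/s
  state-mismatch                        11            0.0/s
  state-insert                           0            0.0/s'

# Return 0 when the counter delta equals the EPERM failure count given as $1,
# 1 when it does not, 2 if a snapshot could not be parsed.
check_eperm_matches_mismatch() {
    delta=$(state_mismatch_delta "$SNAP_BEFORE" "$SNAP_AFTER") || return 2
    [ "$delta" -eq "$1" ]
}

# Constructed figure: the client saw 7 EPERM failures between the snapshots.
if check_eperm_matches_mismatch 7; then
    echo "state-mismatch grew by the EPERM count: stale closed states hit by source port reuse"
    echo "see pf.conf(5) 'set timeout tcp.closed' and sysctl net.inet.ip.portrange"
else
    echo "state-mismatch does not account for the EPERM failures"
fi
```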