NetBSD Problem Report #48377

From www@NetBSD.org  Wed Nov 13 13:54:27 2013
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 876FCA60ED
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 13 Nov 2013 13:54:27 +0000 (UTC)
Message-Id: <20131113135426.15AB1A61BB@mollari.NetBSD.org>
Date: Wed, 13 Nov 2013 13:54:26 +0000 (UTC)
From: jdbaker@mylinuxisp.com
Reply-To: jdbaker@consolidated.net
To: gnats-bugs@NetBSD.org
Subject: pf "synproxy state" hangs connections to local services
X-Send-Pr-Version: www-1.0

>Number:         48377
>Notify-List:    jdbaker@consolidated.net
>Category:       kern
>Synopsis:       pf "synproxy state" hangs connections to local services
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 13 13:55:00 +0000 2013
>Last-Modified:  Tue Jan 29 06:31:31 +0000 2019
>Originator:     John D. Baker
>Release:        NetBSD/i386-6.1_STABLE
>Organization:
>Environment:
NetBSD slab.technoskunk.fur 6.1_STABLE NetBSD 6.1_STABLE (SLAB) #0: Thu Nov  7 10:41:48 CST 2013  sysop@faye.technoskunk.fur:/d0/build/netbsd-6/obj/i386/sys/arch/i386/compile/SLAB i386

>Description:
This problem has actually been around ever since NetBSD added support
for OpenBSD's "pf" packet filter.  Actually first observed on
NetBSD/sparc-4.something, but certainly affects all ports.

Consider the following rule:

  pass in on $ext_if proto tcp to $ext_if port ssh synproxy state

Subsequent attempts to connect to said server host with SSH will hang
indefinitely.  The output of 'pfctl -s state' on the server host shows:

  local_addr:22 <- remote_addr:port  PROXY:DST

If the rule is used on a network firewall and SSH connections are
redirected to a host on another network, such as with:

  rdr on $ext_if proto tcp from !$ext_if to $ext_if port ssh \
    -> $ssh_host port ssh

then the connection succeeds.

SSH is just a convenient example, any local service using TCP would be
affected.
>How-To-Repeat:
Configure 'pf' with a rule allowing access to a service running on the
same host including the "synproxy state" clause.

Attempt to connect to said service.  Observe indefinite hang.  On the
service host, observe output of 'pfctl -s state' as it relates to the
service to which connection is attempted.
>Fix:
Workaround:  Don't use "synproxy state".  The "modulate state" clause
works, but is of questionable utility for inbound connections.  Or just
use "keep state" (which should be the default).

>Release-Note:

>Audit-Trail:
From: "John D. Baker" <jdbaker@mylinuxisp.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/48377: pf "synproxy state" hangs connections to local services
Date: Wed, 20 Nov 2013 13:59:54 -0600 (CST)

 Alternate workaround:  Redirect incoming connections to the local service
 to the loopback address and change filter rule to match.  Then "synproxy
 state" passes the connection through.

 Ideally, though, such subterfuge should be unnecessary.

 -- 
 |/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
 |\ / jdbaker[snail]mylinuxisp[flyspeck]com    OpenBSD            FreeBSD
 | X  No HTML/proprietary data in email.   BSD just sits there and works!
 |/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645

From: "John D. Baker" <jdbaker@mylinuxisp.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/48377: pf "synproxy state" hangs connections to local services
Date: Thu, 15 Jan 2015 09:43:44 -0600 (CST)

 After some thought and reading 'pf' documentation, particularly the
 cautions about redirecting services to the default loopback address,
 I realized another solution.

 Define another loopback interface, say "lo1", with an appropriate non-
 routable address (RFC1918) and redirect incoming connections for local
 services to this interface/address.

 Make sure local services bind either to a wildcard interface/address
 or specifically the "dummy" loopback interface/address.

 Filter rules can then use "synproxy state".

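 The "lo1" workaround from the message above, written out as an added
 pf.conf example (this is not the reporter's configuration): the
 interface name lo1, the constructed RFC1918 address 10.255.255.1 and
 the value of $ext_if are assumptions, and the failing rule from the
 original report is kept alongside for comparison.

```pf
# Added example, not from the PR.  lo1, 10.255.255.1 and the macro values
# below are assumptions chosen for illustration.
#
# Bring up the extra loopback first (NetBSD, as root):
#   ifconfig lo1 create
#   ifconfig lo1 inet 10.255.255.1 netmask 255.255.255.255
# To keep it across reboots, /etc/ifconfig.lo1 holds the two lines
#   create
#   inet 10.255.255.1 netmask 255.255.255.255
# The local service (sshd here) must listen on the wildcard address or
# on 10.255.255.1 explicitly, otherwise the redirected SYN is refused.

ext_if    = "wm0"
ssh_alias = "10.255.255.1"

# Form from the report that hangs: the destination is an address the host
# itself owns on $ext_if, and "pfctl -s state" shows the entry stuck at
# PROXY:DST.
#pass in on $ext_if proto tcp to $ext_if port ssh synproxy state

# Working form: rewrite the destination to the dummy loopback address
# (rdr runs before filtering, so the pass rule matches the translated
# address), then let synproxy complete the handshake for that flow.
# "from !$ext_if" keeps the host's own outbound traffic out of the rdr.
rdr  on $ext_if proto tcp from !$ext_if to $ext_if port ssh \
    -> $ssh_alias port ssh
pass in on $ext_if proto tcp to $ssh_alias port ssh synproxy state
```

 With this in place an inbound SSH connection completes, and the state
 shown by 'pfctl -s state' no longer sits at PROXY:DST.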

>Unformatted:
