Wed, 24 Oct 2018 21:42:00 +0300 - "Andrey V. Elsukov" <bu7c...@yandex.ru>:
> On 24.10.2018 19:22, Ole wrote:
> > # ipfw -d list
> > (...)
> > 01510 allow tcp from any to xx.xx.xx.xx 6514 out via epair0b setup keep-state :default
> > (...)
> > ## Dynamic rules (1 152):
> > 01510 STATE tcp yy.yy.yy.yy 54451 <-> xx.xx.xx.xx 6514 :default
> >
> > # ipfw -q flush
> >
> > # ipfw -d list
> > 65535 allow ip from any to any
> > ## Dynamic rules (2 288):
> > Segmentation fault (core dumped)
>
> This problem is related to named states, the kernel doesn't dump list
> of known states names, and this is the cause of SIGSEGV.

Ok, I got a little bit confused. I was searching for a workaround. So I changed the rules from

$cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit src-addr 50

to

$cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif keep-state

In my understanding of IPFW(8) the 'setup' command puts new entries into the dynamic table if there is a match: "Matches TCP packets that have the SYN bit set but no ACK bit." So only if there is a new TCP connection establishment. That is the reason why connections get broken after reload (including flush).

My idea was just to use 'keep-state', because this also puts new entries into the dynamic table, but for every packet: "Upon a match, the firewall will create a dynamic rule, whose default behaviour is to match bidirectional traffic between source and destination IP/port using the same protocol."

But after reload the dynamic rules are gone, and they will not get updated. TCP connections get broken.

Interesting: if I set 'sysctl net.inet.ip.fw.dyn_keep_states=1' the firewall behaves like I expected above. But not because dynamic rules got recreated. They don't get flushed:

# ipfw -da list
(...)
01610 223 26457 (282s) STATE tcp xx.xx.xx.xx 36955 <-> xx.xx.xx.xx 22 :default
(...)
# service ipfw restart
Firewall rules loaded.
# ipfw -da list
(...)
01610 223 26457 (278s) STATE tcp xx.xx.xx.xx 36955 <-> xx.xx.xx.xx 22 :default
(...)

So do you think the bug is only related to 'setup' and not to 'keep-state' rules? Or is this just a coincidence? I'm reloading rules now for 1h each minute, and an ssh connection is still stable.

> I have the WIP patch https://people.freebsd.org/~ae/keep_states.diff
> It fixes this problem and also adds support for all rule actions.
> Also it adds new -D flag, that allows to show only states and delete
> only states. I have tested it basically, but it probably needs some
> work related to "limit" dynamic states.
> So if you want to test some patches, you can try :)
> I tried to apply the patch and observed that stable/11 has a small
> difference in UMA code, so you need to use this patch:
> https://people.freebsd.org/~ae/keep_states11.diff
>
> Again, I did not yet test it widely, and on stable/11 did not
> test it at all.

Great, thanks, I will give it a try in a testing setup!

regards
Ole
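As an added example (not part of Ole's or Andrey's mail, and not ipfw's own tooling), the following POSIX shell script automates the check Ole did by eye above: snapshot the dynamic states before `service ipfw restart`, snapshot again afterwards, and report every state that disappeared in between. It assumes the `ipfw -da list` line layout shown in the thread (`<rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport> :<name>`), also accepts plain `ipfw -d list` output without counters, and the two snapshots embedded in it are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from ipfw itself.
# Compares two "ipfw -da list" snapshots and reports dynamic states that
# were present before a rule reload but are gone afterwards.
# Assumed line layout (as shown in the thread):
#   01610 223 26457 (282s) STATE tcp A.B.C.D 36955 <-> W.X.Y.Z 22 :default
# Plain "ipfw -d list" output (no counters) has the same fields after STATE.

# state_keys: read ipfw list output on stdin and print one sorted
# "rule proto src sport dst dport" key per dynamic state.  Static rules
# and the "## Dynamic rules" header contain no STATE field and are skipped.
state_keys() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "STATE") {
                # $(i+4) is the "<->" separator and is dropped
                print $1, $(i+1), $(i+2), $(i+3), $(i+5), $(i+6)
                break
            }
        }
    }' | LC_ALL=C sort
}

# lost_states BEFORE_TEXT AFTER_TEXT: print the keys found in the first
# snapshot but missing from the second.  Prints nothing when every state
# survived the reload.
lost_states() {
    _before=$(mktemp) || return 1
    _after=$(mktemp) || return 1
    printf '%s\n' "$1" | state_keys > "$_before"
    printf '%s\n' "$2" | state_keys > "$_after"
    LC_ALL=C comm -23 "$_before" "$_after"
    rm -f "$_before" "$_after"
}

# Constructed sample snapshots (not captured from a real host).  The first
# shows two states before a reload; in the second the ssh state (rule 01610)
# survived with its TTL ticking down, as Ole saw with dyn_keep_states=1,
# while the state for rule 01510 is gone.
SAMPLE_BEFORE='00100 12 1234 allow ip from any to any via lo0
## Dynamic rules (2 304):
01610 223 26457 (282s) STATE tcp 203.0.113.10 36955 <-> 198.51.100.5 22 :default
01510 5 400 (120s) STATE tcp 203.0.113.11 54451 <-> 198.51.100.5 6514 :default'
SAMPLE_AFTER='00100 12 1234 allow ip from any to any via lo0
## Dynamic rules (1 152):
01610 223 26457 (278s) STATE tcp 203.0.113.10 36955 <-> 198.51.100.5 22 :default'

# Real-host usage (as root on the FreeBSD firewall):
#   before=$(ipfw -da list); service ipfw restart; after=$(ipfw -da list)
#   lost_states "$before" "$after"
lost_states "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

On a real host run the three commands from the usage comment as root. With `net.inet.ip.fw.dyn_keep_states=0` the whole state list comes back as lost; with the sysctl set to 1 the output should be empty apart from states that expired while the rules were reloading. The key deliberately includes the rule number, so a ruleset whose numbering changed between the two snapshots will report every state as lost even though the kernel kept it.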