From: "Lyndon Nerenberg (VE7TFX/VE6BBM)" <lyndon@orthanc.ca>
To: Kristof Provost
Cc: FreeBSD pf, Eirik Øverby
Subject: Re: RFC: enabling pf syncookies by default
In-reply-to: <58A14C48-3248-4D41-884C-93190AAFCD2C@FreeBSD.org>
References: <58A14C48-3248-4D41-884C-93190AAFCD2C@FreeBSD.org>
Comments: In-reply-to Kristof Provost message dated "Wed, 05 Oct 2022 17:41:44 +0100."
Date: Wed, 05 Oct 2022 12:11:05 -0700
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

Kristof Provost writes:

> That’s not ready to go in, because the bug it tests for isn’t fixed yet.
> I hope to port the openbsd fix tomorrow, but it’s the sort of thing that
> needs an hour or two of concentration, so .. maybe, maybe not.

Something to watch out for ... Henning's fix might not have completely solved the problem. A few weeks ago we deployed the "fixed" pf code into production. When we enabled global syncookies we immediately started receiving reports from customers about hung connections -- the same problem that motivated the initial fix.
The customer complaints are predominantly coming from folks who enable Apple's Private Relay service. Private Relay tries hard to preserve your network geolocation, so they re-map addresses into small chunks of address space that originate from the same geographical location as the client. And that provokes the address:port reuse behaviour that first triggered the bug.

In the short term we had to disable syncookies to get our customers back online. Right now I'm working on shuffling together enough hardware so we can try to reproduce the problem in-house, and continue chasing down the bug.

--lyndon