LOR with pf + synproxy state
Volker
volker at vwsoft.com
Mon Aug 18 22:39:02 UTC 2008
Hi!
Last week I discovered a lock order reversal (LOR) on 7-STABLE (last build:
2008-Aug-17, RELENG_7).
I can easily reproduce the problem by using a 'synproxy state' rule for
incoming TCP connections and then ssh'ing to my box.
Without 'synproxy state' (using 'keep state' instead), no LOR takes place.
lock order reversal:
1st 0xc575c92c pf task mtx (pf task mtx) @
/usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
2nd 0xc521777c radix node head (radix node head) @
/usr/src/sys/net/route.c:278
KDB: stack backtrace:
db_trace_self_wrapper(c0a2fa65,e557b890,c075f315,c0a30e10,c521777c,...)
at db_trace_self_wrapper+0x26
kdb_backtrace(c0a30e10,c521777c,c0a31129,c0a31129,c0a374a0,...) at
kdb_backtrace+0x29
witness_checkorder(c521777c,9,c0a374a0,116,c507d000,...) at
witness_checkorder+0x5e5
_mtx_lock_flags(c521777c,0,c0a374a0,116,c5fe9a00,...) at
_mtx_lock_flags+0x34
rtalloc1_fib(e557b998,1,100,0,e557b994,...) at rtalloc1_fib+0x76
rtalloc_ign_fib(e557b994,100,0,e557b9b4,c5734a38,...) at
rtalloc_ign_fib+0xad
in_rtalloc_ign(e557b994,100,0,692a1600,5b47f56,...) at in_rtalloc_ign+0x1f
pf_calc_mss(c62a881c,2,5b4,2,e557bb4c,...) at pf_calc_mss+0x88
pf_test_tcp(e557bb68,e557bb64,1,c56e9400,c5fe9a00,...) at pf_test_tcp+0xdf6
pf_test(1,c507d000,e557bbc4,0,0,...) at pf_test+0x1028
pf_check_in(0,e557bbc4,c507d000,1,0,...) at pf_check_in+0x39
pfil_run_hooks(c0b79ec0,e557bc18,c507d000,1,0,...) at pfil_run_hooks+0x78
ip_input(c5fe9a00,14e,800,c507d000,800,...) at ip_input+0x265
netisr_dispatch(2,c5fe9a00,10,3,0,...) at netisr_dispatch+0x55
ether_demux(c507d000,c5fe9a00,3,0,3,...) at ether_demux+0x1c1
ether_input(c507d000,c5fe9a00,c0a0391b,c57,c507d000,...) at
ether_input+0x323
bge_intr(c5084000,0,c0a2b122,4b6,c4ef84e8,...) at bge_intr+0x77a
ithread_loop(c50814f0,e557bd38,c0a2af4a,305,c508cad0,...) at
ithread_loop+0x155
fork_exit(c07102d0,c50814f0,e557bd38) at fork_exit+0x94
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xe557bd70, ebp = 0 ---
KDB: enter: witness_checkorder
exclusive sleep mutex pf task mtx r = 0 (0xc575c92c) locked @
/usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
shared rw PFil hook read/write mutex r = 0 (0xc0b79ed8) locked @
/usr/src/sys/net/pfil.c:73
exclusive sx so_rcv_sx r = 0 (0xc5db208c) locked @
/usr/src/sys/kern/uipc_sockbuf.c:148
exclusive sx so_rcv_sx r = 0 (0xc551f22c) locked @
/usr/src/sys/kern/uipc_sockbuf.c:148
exclusive sleep mutex pf task mtx r = 0 (0xc575c92c) locked @
/usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
shared rw PFil hook read/write mutex r = 0 (0xc0b79ed8) locked @
/usr/src/sys/net/pfil.c:73
pf rules used:
## Macros
# S/SA: of the SYN and ACK flags, only SYN may be set (a new connection attempt).
TCPSYN="S/SA"
if_lan = "bge0"
if_wlan = "ndis0"
if_ipsec = "enc"
###########################
# Service lists. Further down, tcp_in and udp_in are matched once as
# destination ports and once (in separate rules) as source ports.
tcp_in = "{ ssh http mdns 9102 49101 5900 }"
udp_in = "{ mdns snmp 5029 }"
passicmp = "{ 3 4 6 9 10 11 12 17 18 }"
# NOTE(review): samba_tcp / samba_udp are not referenced by any rule in this listing.
samba_tcp = "{ 139 445 }"
samba_udp = "{ 137 1434 }"
######################################################
# NOTE(review): <rfcnoroute> is defined but not referenced by any rule in this listing.
table <rfcnoroute> { 127/8 10/8 172.16/12 192.168/16 }
# NOTE(review): lists 224/8 and 239/8 only, not the whole 224/4 multicast range.
table <multicast> { 224/8 239/8 }
######################################################
## GLOBAL OPTIONS
# Blocked packets are dropped silently unless a rule says 'return'.
set block-policy drop
set fingerprints "/etc/pf.os"
# States only match traffic on the interface they were created on.
set state-policy if-bound
# lo0 is exempt from filtering, so the two 'on lo0' filter rules below have no effect.
set skip on lo0
set optimization conservative
###########################
## TRAFFIC NORMALIZATION
scrub all random-id fragment reassemble reassemble tcp
###########################
## TRANSLATION RULES (NAT)
nat on $if_lan -> ($if_lan)
nat on $if_wlan -> ($if_wlan)
######################################################
## FILTER RULES
# Evaluation order matters from here on: a 'quick' rule ends evaluation on its
# first match; for non-quick rules the last matching rule wins.
block quick on lo0 proto {tcp udp} from any to any port biff
pass quick on lo0 all
antispoof log quick for { $if_lan $if_wlan }
# Default deny (logged); everything below is an exception to it.
block drop log all
block return in quick proto { tcp udp } from any to any port auth
###########################
# IPSEC VPN
###########################
# NOTE(review): as shown, each of the two rules in this section appears twice,
# identically; the second copy of a 'quick' rule can never be the one that matches.
pass log quick on {$if_lan $if_wlan} proto udp from any \
to any port isakmp keep state
pass log quick on {$if_lan $if_wlan} proto udp from any \
to any port isakmp keep state
pass quick log on {$if_lan $if_wlan} proto { ah, esp } from any \
to any keep state
pass quick log on {$if_lan $if_wlan} proto { ah, esp } from any \
to any keep state
pass quick log on $if_ipsec from any to any keep state
###########################
# ICMP
###########################
# NOTE(review): this 'quick' rule passes every ICMP packet, in and out, on both
# interfaces. The type-restricted, rate-limited rule and the 'probability 50%'
# rule after it are therefore never reached for traffic on $if_lan / $if_wlan.
pass quick log on {$if_lan $if_wlan} proto icmp from any to any \
tag PASSOK keep state
pass quick log inet proto icmp all icmp-type $passicmp keep state \
(max 2, max-src-states 1, max-src-nodes 1, source-track rule )
pass in quick log on {$if_lan $if_wlan} proto icmp from any to any \
keep state probability 50%
###########################
# out traffic
###########################
pass out log quick on {$if_lan $if_wlan} all flags $TCPSYN keep state
###########################
# in traffic
###########################
# allow broadcasts + samba - don't log
pass quick on $if_lan from any to ($if_lan:broadcast)
pass quick on $if_wlan from any to ($if_wlan:broadcast)
pass quick on {$if_lan $if_wlan} from any to 255.255.255.255
# Inbound TCP to the listed destination ports, with pf proxying the handshake.
# This is the rule that triggers the reported LOR: per the backtrace in this
# report, pf_test_tcp -> pf_calc_mss -> in_rtalloc_ign takes the radix node head
# lock (route.c:278) while pf task mtx (pf.c:6774) is already held.
pass in log on {$if_lan $if_wlan} proto tcp \
from any to any port $tcp_in \
flags $TCPSYN synproxy state
# change to 'keep state' here to avoid LOR
# NOTE(review): this rule matches on the SOURCE port and has no destination
# restriction. The source port is chosen by the sender, so any inbound TCP SYN
# sent from one of the $tcp_in ports is passed to any local port. Presumably
# meant for return traffic, which the outbound 'keep state' rule already
# covers - confirm whether this rule is needed at all.
pass in log on {$if_lan $if_wlan} proto tcp from any port $tcp_in \
to any flags $TCPSYN synproxy state
# change to 'keep state' here to avoid LOR
pass in log on {$if_lan $if_wlan} proto udp from any \
to any port $udp_in keep state
# NOTE(review): same source-port pattern as the second TCP rule above - any
# inbound UDP datagram sent from one of the $udp_in ports is passed to any
# local port.
pass in log on {$if_lan $if_wlan} proto udp from any port $udp_in \
to any keep state
pass quick on {$if_lan $if_wlan} from any to <multicast>
# EOF
This LOR may be the same one that was reported here before (2007-12). I
haven't checked the old sources yet (will verify if it's worth the time to confirm):
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2007-12/msg00150.html
`uname -a`:
FreeBSD cesar.sz.vwsoft.com 7.0-STABLE FreeBSD 7.0-STABLE #38: Sun Aug
17 15:12:10 CEST 2008
root at cesar.sz.vwsoft.com:/usr/obj/usr/src/sys/CESAR i386
Volker