issues with counting packets dropped by accepting rules

Kajetan Staszkiewicz vegeta at tuxpowered.net
Fri Apr 12 15:30:56 UTC 2013 

I'd like to point out some things I find unclear when packets traveling through 
pf are counted.

Currently per-rule counting is performed only for packets that are accepted by 
any rule or any packets matched by a droping rule. Counting on per-interface 
basis is perfomed properly.

There are some possibilities for a packet do be dropped by an accepting rule:

1. SYN/SYN+ACK/ACK packets going through synproxy are dropped with 
PF_SYNPROXY_DROP action. Therefore a storm of SYNs hitting a synproxy rule will 
not be visible on per-rule (/label) statistics. SYN+ACKs sent back by this rule 
to client will also not be visible at all.

2. Creation of a state or a src-node might fail due to memory or per-rule state 
limits. The packet is told to "not match this rule" according to manual. This 
is not fully true, have a look on:
http://www.freebsd.org/cgi/query-pr.cgi?pr=177808

With the fix or without (so forwarded or not), if state limit is hit, the 
packet is not counted.

I'm now thinking how this should be really fixed.

Original code is:
7093         if (action == PF_PASS || r->action == PF_DROP)

An easy fix that addesses both aforementioned problems is:

7093         if ( action == PF_PASS || /* Matched and passed by a rule. */
7094              action == PF_LIMIT_DROP || /* Dropped by a rule because of 
internal errors. */ 
7095              action == PF_SYNPROXY_DROP || /* Dropped due to synproxy. */
7096              r->action == PF_DROP /* Matched by a drop rule. */
7097            ) { 

PF_LIMIT_DROP is my addition, returned by pf_create_state in case of failure 
instead of PF_DROP. It could also be (action==PF_DROP && r->action==PF_PASS).

Are there any other combinations of action and r->action possible? Maybe the 
aforementioned test is not necessary at all? Grepping the code shows that other 
possibilities in "enum { PF_PASS,..." are used for rule action, not result 
action.

I assume that for synproxy rules it would also make sense to count packets sent 
out by synproxy, after original incoming packet was dropped.

-- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'

More information about the freebsd-pf mailing list