-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pf.conf - max state logging weirdness #222
Comments
This reminds me of opnsense/core#6800 where pflog just logs the wrong thing due to an implementation issue. We have an OpenBSD patch for the situation, but FreeBSD decided to do this differently, but never merged it to stable/14. So I don't know if this is another case that needs patching or if this works on FreeBSD main already. 🤷♂️ OpenBSD/OPNsense: 385d8a743 |
does the upstream patch fit on our end? The openbsd patch looks nice, but as the reason for a state deny doesn't change, it will mark as pass where in reality it was dropped. upstream version does seem to pass the proper reason in the logging. EDIT: what is strange by the way is that in openbsd the proper action seems to be in |
@AdSchellevis we can try the upstream one. I think the openbsd one may fix the original issue but maybe not all. All of this is a bit annoying because my first proposal was a different patch but that was ignored upstream, OpenBSD changed the approach, I changed it for upstream, it was ignored again and finally something was committed to "match" the OpenBSD patch. A bit of communication would have gone a long way. |
just dumping this here for my own understanding, when max states is reached, reason should be set on our end to Lines 4852 to 4855 in 6e45a8d
But since the rule number |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
Not sure if it's a bug or a feature, but the upstream documentation doesn't seem to be very helpful on this subject.
When the maximum state limit is reached, packets are being logged as "pass", but in reality they are dropped.
To Reproduce
Consider a random (tcp) rule with a max state limit set to a destination address, for example:
When the first client opens a session, it passes and logs a rule like below:
The next client then tries the same, which will timeout, but logs the same in our pf log.
Expected behavior
I'm not sure, but I would expect that either the
action
orreason
would be different and help to distinguish between successful and unsuccessful connection attempts.Describe alternatives you considered
none
Environment
OPNsense 24.7.x (amd64)
The text was updated successfully, but these errors were encountered: