Hi OpenBSD community,

I have been using OpenBSD for about two weeks. I switched from Linux because CRUX, my favorite distro, doesn't support i386 anymore and nearly all my hardware is 32-bit. So I am completely new to BSD systems.

Anyway, recently I installed OpenBSD 5.2 on an i386 box that is the gateway/firewall for my home network. I set up pf to forward some external ports to a Linux box on my local network with an rdr-to rule, allowing only a number of trusted hosts. After a while I noticed warnings on the Linux box saying that it was receiving packets from an untrusted host. All of them had the same source IP, 239.255.170.187, which might mean something to some of you. Anyway, we will get back to it later.

I googled this IP and found a couple of mail threads ([1] and [2]) referring to it; all of them were related to OpenBSD and unfortunately had no solution (at least as long as switching to Debian isn't considered a solution :-)

I did some investigation with tcpdump and found out that about every fourth or so UDP packet from my SIP provider had its source IP address changed by the OpenBSD box before being forwarded to the Linux box. It surprised me a lot, because OpenBSD has a very good reputation and I thought such errors were impossible in it. So I rechecked my pf rules over and over again in order to understand what I was doing wrong, but saw no mistakes there.

Finally, I decided to take a look at the sources. Initially I had no intention of becoming a BSD kernel hacker during my first month of using the system, but life is hard sometimes and I had to do it :-) Well, after two days of debugging I found the root cause of the problem. It is in the function pf_state_key_attach(), which under some circumstances returns its first parameter to a pool (pf.c, line 719), while at the same time, further up the stack, this parameter (pf_state_key) is passed to the function pf_translate() (pf.c, line 3616) in order to override the source address of the packet. I've made a fix that works for me and is meant to be as small as possible. Again, as I am a newcomer to BSD, the fix may not be perfect, but at least it should be enough to get the idea. I have now upgraded to 5.3 and the bug is still there, so I rebased my changes for 5.3. The patch is attached.

Lastly, as I promised to tell, the IP 239.255.170.187 is the value of the macro DEADBEEF1 for the i386 architecture, which is used as a magic number for memory chunks returned to a pool. That guy in Mexico who has this IP must be very lucky :-)

Thanks!

[1] http://www.mail-archive.com/[email protected]/msg09231.html
[2] http://www.mail-archive.com/[email protected]/msg95116.html

-- 
Vitaly Sinilin <[email protected]>

[demime 1.01d removed an attachment of type application/octet-stream which had a name of pf_freed_sk_53.patch]
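The failure mode described in the post (a key returned to a poisoned pool by an attach routine while the caller still uses it to rewrite the packet) can be reproduced in miniature. The following is an added example written for this page; it is neither OpenBSD's pf code nor the author's patch. The pool, table, `key_attach()` and `key_translate()` are simplified stand-ins with assumed names, and `POISON_WORD` is a placeholder pattern, not the real DEADBEEF1 value. Addresses are kept in host byte order so that the poison word shows up unchanged; in a real kernel the dotted quad seen on the wire depends on how the poison word lands in memory.

```c
/*
 * Added example (not OpenBSD's pf code): a toy "pool" that poisons freed
 * chunks, a state-key table, and an attach() that frees the caller's key
 * when an equal key already exists. The buggy caller then translates the
 * packet with the freed key, so the poison word becomes the source address.
 * POISON_WORD is an assumed placeholder, not OpenBSD's DEADBEEF1.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_WORD 0xEFFFAABBu   /* assumption: any recognisable pattern */
#define POOL_ITEMS  8
#define TABLE_ITEMS 8

struct state_key {
    uint32_t src;                 /* IPv4 address, host byte order for simplicity */
    uint32_t dst;
    uint16_t sport, dport;        /* struct is 12 bytes, no padding */
};

struct packet { uint32_t src, dst; uint16_t sport, dport; };

/* ---- toy pool: chunks handed back are overwritten with POISON_WORD ---- */
static struct state_key pool[POOL_ITEMS];
static int pool_busy[POOL_ITEMS];

static struct state_key *pool_get(void)
{
    for (int i = 0; i < POOL_ITEMS; i++)
        if (!pool_busy[i]) { pool_busy[i] = 1; return &pool[i]; }
    return NULL;
}

static void pool_put(struct state_key *sk)
{
    uint32_t *w = (uint32_t *)sk;
    for (size_t i = 0; i < sizeof(*sk) / sizeof(uint32_t); i++)
        w[i] = POISON_WORD;       /* what a debug pool does on free */
    pool_busy[sk - pool] = 0;
}

/* ---- state-key table ---- */
static struct state_key *table[TABLE_ITEMS];
static int table_n;

static int key_equal(const struct state_key *a, const struct state_key *b)
{
    return memcmp(a, b, sizeof(*a)) == 0;
}

/*
 * Attach sk to the table. If an equal key is already present, the new one
 * is redundant: it goes back to the pool and the existing key is returned.
 * The caller must not touch sk afterwards unless the return value is sk.
 */
static struct state_key *key_attach(struct state_key *sk)
{
    for (int i = 0; i < table_n; i++)
        if (key_equal(table[i], sk)) { pool_put(sk); return table[i]; }
    table[table_n++] = sk;
    return sk;
}

/* Rewrite the packet's source address from the state key. */
static void key_translate(struct packet *p, const struct state_key *sk)
{
    p->src = sk->src;
}

static struct state_key *make_key(uint32_t src, const struct packet *p)
{
    struct state_key *sk = pool_get();
    sk->src = src; sk->dst = p->dst; sk->sport = p->sport; sk->dport = p->dport;
    return sk;
}

/* Buggy flow: translate with sk even though attach() may have freed it. */
uint32_t translated_src_buggy(struct packet *p)
{
    struct state_key *sk = make_key(0x0A000001u, p);   /* 10.0.0.1, constructed */
    (void)key_attach(sk);
    key_translate(p, sk);                              /* use after free */
    return p->src;
}

/* Fixed flow: translate with the key that is actually attached. */
uint32_t translated_src_fixed(struct packet *p)
{
    struct state_key *sk = make_key(0x0A000001u, p);
    sk = key_attach(sk);                               /* may differ from the original sk */
    key_translate(p, sk);
    return p->src;
}

/* Push two identical packets through a flow; return the second one's source. */
uint32_t second_packet_src(uint32_t (*flow)(struct packet *))
{
    struct packet p1 = { 0xC0A80002u, 0xC0A80001u, 5060, 5060 };  /* constructed */
    struct packet p2 = p1;
    memset(pool_busy, 0, sizeof pool_busy);
    table_n = 0;
    flow(&p1);          /* first packet: key is new, attached as-is */
    return flow(&p2);   /* second packet: equal key exists, sk is freed */
}

static void print_addr(const char *label, uint32_t a)
{
    printf("%s: %u.%u.%u.%u\n", label, (unsigned)(a >> 24), (unsigned)(a >> 16) & 255u,
           (unsigned)(a >> 8) & 255u, (unsigned)a & 255u);
}

int main(void)
{
    print_addr("buggy", second_packet_src(translated_src_buggy));
    print_addr("fixed", second_packet_src(translated_src_fixed));
    return 0;
}
```

The first packet creates and attaches a fresh key, so both flows behave identically; only when a second packet produces an equal key does attach() hand the caller's chunk back to the pool, and from then on the buggy flow copies whatever the pool wrote there into the packet header. That matches the pattern of only some packets showing the poison address: the bug is only reachable on the duplicate-key path.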
