Hi,

here is a patch which fixes an integer overflow in the computation of
adaptive timeouts. The effect of this integer overflow is that,
depending on timeout values, legitimate established connection states
can be evicted immediately (although other states with shorter
timeouts would be available, but that's irrelevant).

Examples of such values would be:

timeout tcp.established 86400s (default)
limit states 200000

leads to a computed timeout of exactly 0 when the number of states is
140579.

While this condition is true, if the flush routine stumbles upon an
established connection, it is immediately dropped. This is not
guaranteed to happen because the flush routine checks only
(100/interval)% of the states each second.

Here are values for a lower number of states in order to help
reproduce the problem:

timeout tcp.established 1048576s
limit states 6830

The 4100th state may lead to the eviction of an established connection.

We tried to provide the least intrusive patch and it works for us;
feel free to use it.

Regards,
Mathieu


--- sys/net/pf.c        Mon Jul 18 15:17:44 2016
+++ sys/net/pf.c        Fri Jan 20 13:10:04 2017
@@ -1223,7 +1223,7 @@
                if (states >= end)
                        return (0);

-               timeout = timeout * (end - states) / (end - start);
+               timeout = (u_int64_t) timeout * (end - states) / (end - start);
        }

        return (state->expire + timeout);
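Review bot: The cast on `timeout` is correctly placed (it widens before the multiplication, not after), but the result is narrowed back to `timeout` on assignment, and the visible context only guarantees `states < end` via the `if (states >= end) return (0);` above it; the narrowing is lossless only if `end - states` does not exceed `end - start` (i.e. `states >= start`), so either confirm the enclosing condition already enforces that lower bound or compute into a `u_int64_t` local and clamp before storing. A one-line comment next to the cast, e.g. "widen: timeout * (end - states) overflows 32 bits, 1048576 * 4096 == 2^32 yields 0", would keep the next reader from "simplifying" it away.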

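Reproducing the arithmetic described in the mail, as an added example that is not part of the original post or of pf itself: the two scaling functions below implement the expression from the hunk once in the pre-patch 32-bit form and once with the patch's 64-bit widening, and the helper derives the adaptive window from `limit states`. The 60% / 120% figures for `adaptive.start` and `adaptive.end` are an assumption (pf's defaults as this example understands them, and the only values for which the mail's two reproductions come out to exactly 0); the surrounding `states > start && start < end` condition is likewise assumed from the pf code, not shown in the hunk.

```c
/*
 * Added example, not the pf code from the patch.
 * Shows why timeout * (end - states) wraps in 32-bit arithmetic and
 * what the 64-bit intermediate from the patch computes instead.
 */
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTION: pf defaults for adaptive.start / adaptive.end, as a
 * percentage of "limit states". Adjust if your pf.conf sets them. */
#define ADAPT_START_PCT 60
#define ADAPT_END_PCT   120

static uint32_t
adapt_start(uint32_t limit)
{
	return (limit * ADAPT_START_PCT / 100);
}

static uint32_t
adapt_end(uint32_t limit)
{
	return (limit * ADAPT_END_PCT / 100);
}

/* Scaling as it was before the patch: the product is evaluated as
 * uint32_t and wraps modulo 2^32 before the division. The early
 * return and the enclosing condition mirror pf_state_expires()
 * (enclosing condition assumed, not visible in the hunk). */
static uint32_t
adaptive_timeout_u32(uint32_t timeout, uint32_t start, uint32_t end,
    uint32_t states)
{
	if (end && states > start && start < end) {
		if (states >= end)
			return (0);
		timeout = timeout * (end - states) / (end - start);
	}
	return (timeout);
}

/* Scaling as the patch computes it: widen timeout first, so the
 * whole product and the division happen in 64 bits. The quotient is
 * < timeout whenever states > start, so it fits in uint32_t again. */
static uint32_t
adaptive_timeout_u64(uint32_t timeout, uint32_t start, uint32_t end,
    uint32_t states)
{
	if (end && states > start && start < end) {
		if (states >= end)
			return (0);
		timeout = (uint64_t)timeout * (end - states) / (end - start);
	}
	return (timeout);
}

/* Check: would the 32-bit product wrap for these inputs? */
static int
product_overflows(uint32_t timeout, uint32_t end, uint32_t states)
{
	if (states >= end)
		return (0);
	return ((uint64_t)timeout * (end - states) > UINT32_MAX);
}

int
main(void)
{
	/* The two reproductions from the mail: (timeout, limit, states). */
	static const uint32_t cases[][3] = {
		{ 86400,   200000, 140579 },   /* tcp.established default */
		{ 1048576, 6830,   4100 },     /* 2^20 * 2^12 == 2^32 -> 0 */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint32_t t = cases[i][0], lim = cases[i][1], st = cases[i][2];
		uint32_t start = adapt_start(lim), end = adapt_end(lim);

		printf("timeout=%u limit=%u states=%u (start=%u end=%u): "
		    "u32=%u u64=%u overflow=%d\n", t, lim, st, start, end,
		    adaptive_timeout_u32(t, start, end, st),
		    adaptive_timeout_u64(t, start, end, st),
		    product_overflows(t, end, st));
	}
	return (0);
}
```

Both mail cases print `u32=0`: 86400 * 99421 leaves a remainder of 39808 after two wraps, which 120000 divides to 0, and 1048576 * 4096 is exactly 2^32. With the widening the same inputs give 71583 s and 1048064 s respectively, which is the expected gradual shortening rather than an immediate expiry.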