
NetBSD-SoC: A tool to dump / restore pf state table

Technical description of state handling in pf

Data structures used to manipulate state

There are four different structures manipulated in pf to handle the states. Each one is defined in pf.c (and referenced in pfvar.h).

Data flow for a packet

Pf integration in NetBSD is done via the pfil(9) interface. The associated wrappers are implemented in pf_ioctl.c, in the two functions pfil4_wrapper and pfil6_wrapper. They are little more than wrappers around pf_test and pf_test6, which are the "core" pf functions.

pf_test and pf_test6 are nearly identical, so only pf_test is described here. The data flow is the following:

As far as the state table is concerned, the important functions are the pf_test_state_proto family (one function per protocol) and pf_test_rule.

To look up a state, the pf_test_state_proto functions use the STATE_LOOKUP macro. The macro modifies *state and in some cases takes a decision itself. If no state is found, *state is set to NULL and the action is PF_DROP. If a state is found, the state is modified (on most code paths). The idea here is to modify STATE_LOOKUP so that it just sets *state to NULL when the state table is locked, which avoids any modification of states inside pf_test_state_proto.

If *state is NULL, pf_test_rule is called. The function has broadly two parts:

So, to handle the situation where the state table is locked, I propose the following modification:

Other functions which can modify the state table

The function pf_src_connlimit can modify the state table, but it is only called by pf_test_state_tcp. With the proposed modification, that code path cannot be entered while the pf state table is locked.

The thread associated with pf_purge_thread can also modify the pf state table. It purges the expired states using pf_purge_expired_states. The easiest solution is to not call that function while the state table is locked.

A few ioctls modify the state table directly too, but I don't intend to handle them. We will need to add states even while the state table is locked (when restoring the state table, for example). And of course, the admin must know what they are doing :) (yes, root must always be able to shoot himself :D). This point is of course open to discussion.
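The whole scheme described above (STATE_LOOKUP reporting no state while the table is locked, pf_test_rule creating nothing, the purge thread skipped, the ioctl path still allowed so a restore can repopulate the table) as one user-space model in C. This is example code added for this page, not NetBSD or pf code: every name in it (state_table_locked, st_lookup, st_insert_from_rule, st_admin_add, st_purge_expired, st_dump, st_restore, test_packet, struct key) is an assumption for illustration, the keys and timeout are constructed, and the treatment of a packet that a keep-state rule accepts while the table is locked (passed, but without creating a state) is an assumed design choice the page itself leaves open.

```c
/* Added example for this page, not NetBSD/pf code: a user-space model of the
 * "locked state table" design.  All names are assumptions, not pf identifiers;
 * struct key stands in for pf's address/port/protocol state key. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_STATES    16
#define STATE_TIMEOUT 60   /* seconds, constructed value */

struct key { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct state { struct key k; uint32_t expire; int in_use; };
enum action { ACT_DROP = 0, ACT_PASS = 1 };

static struct state table[MAX_STATES];
static struct state saved[MAX_STATES];   /* the tool's dump buffer */
static int state_table_locked;           /* assumed: set by the dump/restore tool */
static const struct key KEY_A = { 0x0a000001, 0x0a000002, 40000, 22, 6 };  /* constructed */
static const struct key KEY_B = { 0x0a000001, 0x0a000003, 40001, 80, 6 };  /* constructed */

static int key_eq(const struct key *a, const struct key *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Raw insert: the path the ioctls take, so it ignores the lock (root must be
 * able to add states while restoring). */
static struct state *st_admin_add(const struct key *k, uint32_t expire) {
    for (int i = 0; i < MAX_STATES; i++)
        if (!table[i].in_use) {
            table[i].k = *k; table[i].expire = expire; table[i].in_use = 1;
            return &table[i];
        }
    return NULL;   /* table full */
}

/* Model of STATE_LOOKUP: while locked it reports "no state", so the
 * pf_test_state_* code never reads or modifies an existing entry. */
static struct state *st_lookup(const struct key *k) {
    if (state_table_locked)
        return NULL;
    for (int i = 0; i < MAX_STATES; i++)
        if (table[i].in_use && key_eq(&table[i].k, k))
            return &table[i];
    return NULL;
}

/* Model of state creation in pf_test_rule: refused while locked. */
static struct state *st_insert_from_rule(const struct key *k, uint32_t expire) {
    return state_table_locked ? NULL : st_admin_add(k, expire);
}

/* Model of pf_purge_expired_states: skipped entirely while locked. */
static int st_purge_expired(uint32_t now) {
    int purged = 0;
    if (state_table_locked)
        return 0;
    for (int i = 0; i < MAX_STATES; i++)
        if (table[i].in_use && table[i].expire <= now) {
            table[i].in_use = 0;
            purged++;
        }
    return purged;
}

/* Model of the state-table part of pf_test(): state first, then rules.  Assumed:
 * while locked, a packet a keep-state rule accepts is passed without a state. */
static enum action test_packet(const struct key *k, uint32_t now, int rule_matches) {
    struct state *s = st_lookup(k);
    if (s != NULL) {
        s->expire = now + STATE_TIMEOUT;   /* refresh, as pf_test_state_* does */
        return ACT_PASS;
    }
    if (!rule_matches)
        return ACT_DROP;
    if (!state_table_locked && st_insert_from_rule(k, now + STATE_TIMEOUT) == NULL)
        return ACT_DROP;   /* table full: pf drops the packet too */
    return ACT_PASS;
}

/* Dump the live entries into out[]; returns how many were copied. */
static size_t st_dump(struct state *out, size_t max) {
    size_t n = 0;
    for (int i = 0; i < MAX_STATES && n < max; i++)
        if (table[i].in_use)
            out[n++] = table[i];
    return n;
}

/* Restore through the admin path, so it works while the table is locked. */
static size_t st_restore(const struct state *in, size_t n) {
    size_t done = 0;
    for (size_t i = 0; i < n; i++)
        done += st_admin_add(&in[i].k, in[i].expire) != NULL;
    return done;
}

static void st_clear(void) { memset(table, 0, sizeof table); }
```

The model makes the operational cost of the design visible: while the table is locked, every packet is evaluated as if no state existed, so a packet belonging to an established connection is dropped unless a rule passes it statelessly. The lock window of the dump/restore tool therefore has to be kept short.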

Arnaud Degroote <degroote@NetBSD.org>
$Id: pf_state_tech.html,v 1.1 2009/06/27 21:50:41 zul_ Exp $