NetBSD-SoC: A tool to dump / restore pf state table

Technical description of state handling in pf

Data structures used to manipulate state

There are 4 different structure which are manipulated in pf to handle the different state. Each one is defined in pf.c (and referenced in pfvar.h).

pf_statetbl_lan_ext : it is used to search for states in the PF_OUT case
pf_statetbl_ext_gwy : it is used to search for states in the PF_IN case
tree_id
state_list : it contains the list of all current state, not in a particular order

Data flow for a packet

Pf integration in NetBSD is done via the pfil(9) interface. The associated wrapper are implemented in pf_ioctl.c, in the two function pfil{4,6}_wrapper. It is more or less only a wrapper to pf_test{,6} which are the "core" pf function.

Pf_test and pf_test6 are quite the same, I only describe the pf_test part. The data flow is the following :

normalizing_ip using pf_normalize_ip
handle fragment not handled by previous method using pf_test_fragment
after that, we handle the L4 protocol and for each different protocol
- normalize the L4 layer
- checking if we have some state for this packet flow using pf_test_state_proto
- if we don't get any state for this packet flow, we check for a rules using pf_test_rules
Handle the action computed by the previous function

The important function (in the concern about state table), the important function are pf_test_state_proto and pf_test_rules.

To look for a state, the different function pf_test_state_proto use the macro STATE_LOOKUP . The macro modifies *state and in some case take a decision. If no state are found, *state is set to NULL and action to PF_DROP. In the case of the state is found, the state is modified (in most of the code path). The idea here is to modify STATE_LOOKUP to just set *state to NULL if the state table is locked to avoid any modification in pf_test_state_proto.

If state is NULL, pf_test_rules is called. There is globaly two parts in the function :

in the first one, we try to found a matching rules
in the secund one, we handle the different thing related to the rules, in particular, we will create state if keep_state is set. In the case of state table is locked, we need to drop the packet

So to handle the situation where table state is locked, I propose the following modification :

in STATE_LOOKUP, if the lock is set, just set *state to NULL and return PF_DROP
in pf_test_rule, once we get the right rule, check if we need to keep_state, and if it is the case, just drop the packet

Other functions which can modify states table

The function pf_src_connlimit can modify the states table, but it is only called by pf_test_state_tcp. With the proposed modification, you can't enter in this code path if the pf state table is locked.

The thread associed to the function pf_purge_thread can modify the pf state table. The thread is used to purge the expired states using the function pf_purge_expired_states. The easiest solution is to not call the function is the states table is locked.

A few number of ioctl modifies directly the states table too, but I don't think I will take care about it. We will need to add states even if the states table is locked (when we restore the state table for example). And of course, admin must know what it does :) (yes root must always be able to shoot himself :D)). Of course, this point can be discuted

Arnaud Degroote <degroote@NetBSD.org>

$Id: pf_state_tech.html,v 1.1 2009/06/27 21:50:41 zul_ Exp $