From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 2 Jan 2012 11:07:07 GMT
Message-Id: <201201021107.q02B77i4005195@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
f kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to successfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

46 problems total.
From: Михаил Габеркорн
To: freebsd-pf@freebsd.org
Date: Thu, 05 Jan 2012 19:39:44 +0200
Message-ID: <4F05E060.7050103@rambler.ru>
Subject: NAT64 in PF.

Hi all!

Does anybody have a plan to port the NAT64 feature from OpenBSD pf to FreeBSD pf?

http://ecdysis.viagenie.ca/

Thank you.
From: "Bjoern A. Zeeb"
To: Михаил Габеркорн
Cc: freebsd-pf@freebsd.org
Date: Thu, 5 Jan 2012 18:50:41 +0000
In-Reply-To: <4F05E060.7050103@rambler.ru>
Subject: Re: NAT64 in PF.

On 5. Jan 2012, at 17:39, Михаил Габеркорн wrote:

> Hi all!
>
> Anybody have a plan to port NAT64 feature from OpenBSD pf to FreeBSD pf?
>
> http://ecdysis.viagenie.ca/
>
> thank you.

I did the viagenie one in the past and had a patch for the new pf before a lot of whitespace and all was fixed and nothing applied anymore. I am currently waiting (about a week) for someone else to finish some pf changes and will then probably unifdef the code and add the final derived version as went into OpenBSD.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         It does not matter how good you are. It matters what good you do!
From: Gerald McNulty
To: freebsd-pf@freebsd.org
Date: Fri, 6 Jan 2012 02:51:07 +0000
Subject: Basic transparent filtering with pf

Hello,

I am trying to get a basic transparent proxy to work with pf under FreeBSD. By "transparent", I mean that the client IP address is presented to the destination server, not just that the proxy is accessed automatically through rdr rules. The proxy is written in C and works correctly in terminating the client -> proxy connection and the proxy -> server connection with no user intervention.

Here is an example architecture; all IP addresses are valid routable, no RFC1918.

  client (100.100.100.5) <-> (100.100.100.1 $int_if) router/proxy (200.200.200.1 $ext_if) <--> {internet} <--> (50.50.50.50) server

Initial pf.conf lines:

  rdr pass on $int_if inet proto tcp from any to any -> $int_if port 7890
  pass in quick on $int_if
  pass in quick on $ext_if
  pass out keep state

Step 1: Client initiates a TCP connection to the server. Proxy code on $int_if:7890 accept()'s the connection and creates a new TCP connection between $ext_if and the server. This works as expected: the server sees 200.200.200.1 ($ext_if) as the peer address while the client sees the true server's address (50.50.50.50) as the peer.

Step 2: Update the outbound connection request with a setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on) and a bind() to the client's IP address (100.100.100.5), correctly retrieved with ioctl(DIOCNATLOOK). Now connect. The SYN packet is sent, but the returning SYN+ACK is never answered and the proxy socket never receives any data.

A tcpdump from the proxy is below:

  02:01:31.457764 IP 100.100.100.5.26023 > 50.50.50.50.http: Flags [S], seq 2436001586, win 65535, options [mss 1460,sackOK,eol], length 0
  02:01:31.570653 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
  02:01:34.569454 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
  02:01:40.568830 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
  02:01:43.656081 IP 100.100.100.5.26023 > 50.50.50.50.http: Flags [S], seq 2436001586, win 65535, options [mss 1460,sackOK,eol], length 0
  02:01:43.768978 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
  02:01:46.768123 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
  02:01:52.767514 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
  02:02:04.766253 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0

Is this something that requires further pf rules? Or something in the C code? Any guidance would be much appreciated.

-- 
Gerald McNulty


From: Daniel Hartmeier
To: Gerald McNulty
Cc: freebsd-pf@freebsd.org
Date: Fri, 6 Jan 2012 08:42:25 +0100
Message-ID: <20120106074225.GA24312@insomnia.benzedrine.cx>
Subject: Re: Basic transparent filtering with pf

On Fri, Jan 06, 2012 at 02:51:07AM +0000, Gerald McNulty wrote:

> Is this something that requires further pf rules? Or something in the C
> code?

I think you're describing

  http://lists.freebsd.org/pipermail/freebsd-net/2011-March/028225.html

With pf, you could try to reroute the replies to the loopback interface:

  pass out on $ext_if reply-to lo0 inet proto tcp user {uid} keep state

Maybe first start by matching on a specific IP (e.g. 100.100.100.5) instead of the uid, as a test.

HTH,
Daniel


From: Gerald McNulty
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Fri, 6 Jan 2012 14:21:07 +0000
In-Reply-To: <20120106074225.GA24312@insomnia.benzedrine.cx>
Subject: Re: Basic transparent filtering with pf

Hello Daniel,

That does seem to be similar to the issue I'm seeing, but sadly there was no solution there for pf and I was unable to get the ipfw pseudo configuration to work with pf.

Re-routing to the loopback address as you suggest does not allow the TCP handshake to complete. I tried using "synproxy state", also to no avail.

I don't understand how rerouting to the loopback address would solve this. There are 2 steps here: first the TCP handshake needs to be completed and then the kernel/pf needs to pass the packets to the correct socket. How is this supposed to work in pf? Or is this hidden/implicit in certain rule definitions?

Thanks for looking at this.

-- 
Gerald McNulty


From: Daniel Hartmeier
To: Gerald McNulty
Cc: freebsd-pf@freebsd.org
Date: Fri, 6 Jan 2012 16:13:00 +0100
Message-ID: <20120106151300.GB24312@insomnia.benzedrine.cx>
Subject: Re: Basic transparent filtering with pf

On Fri, Jan 06, 2012 at 02:21:07PM +0000, Gerald McNulty wrote:

> I don't understand how rerouting to the loopback address would solve this.
> There are 2 steps here - first the TCP handshake needs to be completed and
> then the kernel/pf needs to pass the packets to the correct socket. How is
> this supposed to work in pf? Or is this hidden/implicit in certain rule
> definitions?

After looking at ip_input.c and searching for M_FASTFWD_OURS, I think this only works with ipfw. Forwarding to loopback and the uid lookup are just what triggers it in ipfw; pf never sets that mbuf tag.

You can use pf and ipfw both at the same time, but for IP_BINDANY to do anything useful, you need that magic ipfw rule, to mark replies as belonging to a local socket (even though the destination address is non-local).

Daniel


From: Kristian Kræmmer Nielsen
To: freebsd-pf@FreeBSD.org
Date: Sat, 07 Jan 2012 07:38:44 +0100
Message-ID: <4F07E874.9010103@jkkn.dk>
In-Reply-To: <201112190806.pBJ86jCg040177@freefall.freebsd.org>
Subject: Re: kern/163208: [pf] PF state key linking mismatch

I am seeing the same errors on FreeBSD 9-STABLE using a tun device.

/K

On 19-12-2011 09:06, linimon@FreeBSD.org wrote:
> Old Synopsis: PF state key linking mismatch
> New Synopsis: [pf] PF state key linking mismatch
>
> Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
> Responsible-Changed-By: linimon
> Responsible-Changed-When: Mon Dec 19 08:06:19 UTC 2011
> Responsible-Changed-Why:
> Over to maintainer(s).
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=163208
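Editor's note, added to the thread above and not part of any message in it: the following ruleset carries Daniel Hartmeier's second reply (pf + ipfw together, with the ipfw forward-to-loopback rule supplying the local-delivery mark that pf cannot set) through to a complete configuration for the IP_BINDANY proxy Gerald McNulty describes. It is an added example, not Gerald's or Daniel's rules. Assumed, because the thread does not state them: em0 and em1 standing in for $ext_if and $int_if, a proxy process running as a user named "proxy", the addresses and port 7890 from Gerald's message, and a FreeBSD 9-era kernel with ipfw forwarding compiled in (options IPFIREWALL_FORWARD; later releases enable it by default). The ipfw rule is written for the whole 100.100.100.0/24 client network rather than the single host in the thread.

```conf
# Added example (not from the thread): pf + ipfw for a transparent proxy
# that connects to servers with the client's address as source (IP_BINDANY).
# Assumptions: em1 = $int_if (100.100.100.1), em0 = $ext_if (200.200.200.1),
# the proxy listens on $int_if:7890 and runs as user "proxy" (hypothetical),
# kernel has ipfw with "options IPFIREWALL_FORWARD" (FreeBSD 9 and earlier).

##### /etc/pf.conf #####
int_if  = "em1"
ext_if  = "em0"
clients = "100.100.100.0/24"

# client -> proxy: pf rewrites the destination to a local address, so
# local delivery needs no help here (this is Gerald's original rdr rule).
rdr pass on $int_if inet proto tcp from any to any -> $int_if port 7890

pass in quick on $int_if
pass in quick on $ext_if

# proxy -> server: the SYN leaves with src=100.100.100.5 (the client), so
# this state is keyed on the client's address and the server's SYN+ACK
# matches it on the way back in on $ext_if. pf passes that packet, but
# its destination is non-local, so ip_input() would forward it on towards
# $int_if instead of handing it to the proxy's socket.
pass out keep state

##### ipfw rules (e.g. the firewall_script named in /etc/rc.conf) #####
# Replies from any server to the client network, arriving on $ext_if:
# "fwd 127.0.0.1" on an inbound packet makes ipfw tag the mbuf for local
# delivery (M_FASTFWD_OURS, the tag Daniel refers to; the packet itself is
# not rewritten, so tcp_input() still looks up client:port <-> server:80).
# "uid proxy" restricts this to packets for which a socket owned by that
# user already exists, i.e. connections the proxy opened with IP_BINDANY;
# traffic of clients that are not proxied is left alone and forwarded.
ipfw add 100 fwd 127.0.0.1 tcp from any to 100.100.100.0/24 in recv em0 uid proxy

# ipfw's default policy is deny unless IPFIREWALL_DEFAULT_TO_ACCEPT is set;
# pf does the real filtering in this setup, so let everything else through.
ipfw add 65000 allow ip from any to any
```

To check it, run the client connection and watch `ipfw -a list`: the packet counter on rule 100 must climb once the SYN+ACK arrives, and `pfctl -s state` must show a state on em0 whose source is the client address. A counter that stays at zero means the uid match found no socket owned by that user for the packet, which in practice means the proxy is not running as that user or did not bind with IP_BINDANY before connecting; the tcpdump then looks exactly like Gerald's capture, with the SYN+ACK retransmitted and never acknowledged.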