Date: Sun, 13 Jan 2013 19:07:34 GMT
From: Nikita <cnik87@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: amd64/175267: pf + tap keep state problem
Message-ID: <201301131907.r0DJ7YNq032052@red.freebsd.org>
Resent-Message-ID: <201301131910.r0DJA1lY096259@freefall.freebsd.org>

>Number:         175267
>Category:       amd64
>Synopsis:       pf + tap keep state problem
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-amd64
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 13 19:10:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Nikita
>Release:        FreeBSD 9.0 RELEASE amd64
>Organization:
>Environment:
FreeBSD platforma.local 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Sun Jan 13 21:36:47 ALMT 2013 root@platforma.local:/usr/obj/usr/src/sys/PLATFORMA amd64
>Description:
I have a problem with PF and the tap interface: pf does not work correctly with a keep state rule.
After opening an ssh connection to an IP routed to tap, /var/log/messages shows these messages:

Jan 14 01:03:03 platforma kernel: pf: loose state match: TCP in wire: 10.6.0.30:44862 192.168.7.11:22 stack: - [lo=1659601007 high=1659599728 win=4326 modulator=0] [lo=0 high=4326 win=1 modulator=0] 2:0 A seq=1659601007 (1659601007) ack=0 len=0 ackskew=0 pkts=12:1 dir=in,fwd
Jan 14 01:03:03 platforma kernel: pf: loose state match: TCP out wire: 192.168.7.11:22 10.6.0.30:44862 stack: - [lo=1659601007 high=1659599728 win=4326 modulator=0] [lo=0 high=4326 win=1 modulator=0] 2:0 A seq=1659601007 (1659601007) ack=0 len=0 ackskew=0 pkts=12:0 dir=out,fwd
Jan 14 01:03:03 platforma kernel: pf: BAD ICMP 5:1 10.6.0.1 -> 10.6.0.30 state: TCP in wire: 10.6.0.30:44862 192.168.7.11:22 stack: - [lo=1659601007 high=1659599728 win=4326 modulator=0] [lo=0 high=4326 win=1 modulator=0] 2:0 seq=1659601007
Jan 14 01:03:05 platforma kernel: pf: OK ICMP 5:1 10.6.0.1 -> 10.6.0.30 state: TCP in wire: 10.6.0.30:44892 192.168.7.11:22 stack: - [lo=3982164082 high=3982164084 win=2048 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 seq=3982164082

pfctl -ss | grep 192.168.7.11
all tcp 192.168.7.11:22 <- 10.6.0.30:44892       CLOSED:SYN_SENT
all tcp 10.6.0.30:44892 -> 192.168.7.11:22       SYN_SENT:CLOSED

and the ssh connection closed after ~60 sec.
>How-To-Repeat:
In pf.conf:

vpn_if = "tap0"
block on $vpn_if from any to any
pass on $vpn_if from any to any keep state
pass out on $vpn_if all keep state

Route cmd:

route add 192.168.0.0/16 10.6.0.2

From 10.6.0.30, open a TCP connection to 192.168.7.11:ssh
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: