From owner-freebsd-pf@freebsd.org Mon May 23 12:41:55 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packets incorrectly
Date: Mon, 23 May 2016 12:41:55 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 9.3-RELEASE
X-Bugzilla-Severity: Affects Only Me
List-Id: "Technical discussion and general questions about packet filter (pf)"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

--- Comment #4 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Mon May 23 12:41:29 UTC 2016
New revision: 300501
URL: https://svnweb.freebsd.org/changeset/base/300501

Log:
  pf: Fix ICMP translation

  Fix ICMP source address rewriting in rdr scenarios.
  PR:		201519
  Submitted by:	Max
  MFC after:	1 week

Changes:
  head/sys/netpfil/pf/pf.c

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Mon May 23 12:42:38 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packets incorrectly
Date: Mon, 23 May 2016 12:42:38 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #5 from Kristof Provost ---
(In reply to Max from comment #3)

Awesome work Max!
I'll try to MFC this to stable/10 next week.
From owner-freebsd-pf@freebsd.org Mon May 23 13:01:45 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packets incorrectly
Date: Mon, 23 May 2016 13:01:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

--- Comment #6 from Max ---
(In reply to Kristof Provost from comment #5)

https://svnweb.freebsd.org/base/head/sys/netpfil/pf/pf.c?annotate=300501&pathrev=300501#l5017

should be "pf_change_icmp(pd2.dst, NULL, saddr,", not "pf_change_icmp(pd2.src, NULL, saddr,"

From owner-freebsd-pf@freebsd.org Mon May 23 14:00:05 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packets incorrectly
Date: Mon, 23 May 2016 14:00:05 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

--- Comment #7 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Mon May 23 13:59:49 UTC 2016
New revision: 300508
URL: https://svnweb.freebsd.org/changeset/base/300508

Log:
  pf: Fix more ICMP mistranslation

  In the default case fix the substitution of the destination address.
  PR:		201519
  Submitted by:	Max
  MFC after:	1 week

Changes:
  head/sys/netpfil/pf/pf.c

From owner-freebsd-pf@freebsd.org Mon May 23 18:20:18 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Mon, 23 May 2016 18:20:18 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.2-STABLE
X-Bugzilla-Severity: Affects Some People

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

Max changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maximos@als.nnov.ru

--- Comment #3 from Max ---
I have reproduced the problem.

I think we shouldn't use a scrub rule without the "in" option. I.e. the rule should be

scrub *in* on gre0 ...

Without "in" this rule is triggered twice ("B" <--> "C"): for the outgoing *fragmented* echo request and for the incoming fragmented echo reply. As a result, the length of the received echo request exceeds the MTU on the "C" box. I think it is not good.

PF.CONF(5):
"Traffic normalization is used to sanitize packet content in such a way that there are no ambiguities in packet interpretation on the receiving side. The normalizer does IP fragment reassembly to prevent attacks that confuse intrusion detection systems by sending overlapping IP fragments."

Do we really need "max-mss 1360" on the outgoing flow?

However, the appearance of "Destination Host Unreachable" remains unclear to me. It is routing stuff. Need to do some research.

From owner-freebsd-pf@freebsd.org Mon May 23 18:42:23 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Mon, 23 May 2016 18:42:24 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #4 from Max ---
It seems that scrubbing on both tunnels eliminates the problem.
scrub on gre0 max-mss 1360
scrub on gre1 max-mss 1360

From owner-freebsd-pf@freebsd.org Tue May 24 06:49:41 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 06:49:39 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #5 from Kristof Provost ---
(In reply to Max from comment #3)

Scrubbing in both directions should be safe, even with fragment reassemble.
In IPv4 it's OK for a frame to not fit in the MTU. The router will fragment.
(There's special casing in pf to handle the IPv6 scenario, but that doesn't seem to be relevant here.)

It's also very strange that the mss setting has an influence on ICMP packets. I'd only expect that to affect TCP streams.

It'd be interesting to get packet captures here (tcpdump -n -i -s0 -w output.pcap) of both the ICMP echo request and the ICMP error packets. Ideally capture on an interface outside the GRE tunnel (so we get the GRE headers too).
From owner-freebsd-pf@freebsd.org Tue May 24 08:25:00 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 08:25:00 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #6 from Max ---
Created attachment 170591
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=170591&action=edit
dumps

(In reply to Kristof Provost from comment #5)

Host "A" config:

cloned_interfaces="gre0"
ifconfig_em0="inet 192.168.10.1/24"
defaultrouter="192.168.10.254"
ifconfig_gre0="inet 10.10.1.1 10.10.2.1 tunnel 192.168.10.1 192.168.10.254"
static_routes="rb rc"
route_rb="10.10.2.0/24 10.10.2.1"
route_rc="10.10.3.0/24 10.10.2.1"

pf disabled.

Host "C" config:

cloned_interfaces="gre0"
ifconfig_em0="inet 192.168.30.1/24"
defaultrouter="192.168.30.254"
ifconfig_gre0="inet 10.10.3.1 10.10.2.1 tunnel 192.168.30.1 192.168.30.254"
static_routes="ra rb"
route_ra="10.10.1.0/24 10.10.2.1"
route_rb="10.10.2.0/24 10.10.2.1"

pf disabled.
Host "B" config:

cloned_interfaces="gre0 gre1"
ifconfig_em0="inet 192.168.10.254/24"
ifconfig_em2="inet 192.168.30.254/24"
ifconfig_gre0="inet 10.10.2.1 10.10.1.1 tunnel 192.168.10.254 192.168.10.1"
ifconfig_gre1="inet 10.10.2.1 10.10.3.1 tunnel 192.168.30.254 192.168.30.1"
static_routes="ra rc"
route_ra="10.10.1.0/24 10.10.1.1"
route_rc="10.10.3.0/24 10.10.3.1"

pf.conf:

set skip on lo
#scrub on gre0 max-mss 1360
scrub on gre1 max-mss 1360
pass all

pfctl -x misc

gre MTU is 1476. So, 1476-28=1448 bytes should fit the MTU.

First, on host "A":
ping -s 1450 -c 1 10.10.3.1

Then, on host "C":
ping -s 1450 -c 1 10.10.1.1

Kernel log on host "B":

May 24 10:57:38 isp kernel: em0: promiscuous mode enabled
May 24 10:57:39 isp kernel: em2: promiscuous mode enabled
May 24 10:58:13 isp kernel: pf_normalize_ip: reass frag 56321 @ 0-1456
May 24 10:58:13 isp kernel: pf_fillup_fragment: reass frag 56321 @ 0-1456pf_normalize_ip: reass frag 56321 @ 1456-1458
May 24 10:58:13 isp kernel: pf_fillup_fragment: reass frag 56321 @ 1456-1458pf_isfull_fragment: 1458 < 1458?pf_reassemble: complete: 0xfffff8001f4aa300(1478)
May 24 10:58:13 isp kernel: pf_normalize_ip: reass frag 30208 @ 0-1456
May 24 10:58:13 isp kernel: pf_fillup_fragment: reass frag 30208 @ 0-1456pf_normalize_ip: reass frag 30208 @ 1456-1458
May 24 10:58:13 isp kernel: pf_fillup_fragment: reass frag 30208 @ 1456-1458pf_isfull_fragment: 1458 < 1458?pf_reassemble: complete: 0xfffff8001f662000(1478)
May 24 10:58:39 isp kernel: pf_normalize_ip: reass frag 30464 @ 0-1456
May 24 10:58:39 isp kernel: pf_fillup_fragment: reass frag 30464 @ 0-1456pf_normalize_ip: reass frag 30464 @ 1456-1458
May 24 10:58:39 isp kernel: pf_fillup_fragment: reass frag 30464 @ 1456-1458pf_isfull_fragment: 1458 < 1458?pf_reassemble: complete: 0xfffff8001f661d00(1478)
May 24 10:58:39 isp kernel: pf_normalize_ip: reass frag 57601 @ 0-1456
May 24 10:58:39 isp kernel: pf_fillup_fragment: reass frag 57601 @ 0-1456pf_normalize_ip: reass frag 57601 @ 1456-1458
May 24 10:58:39 isp kernel: pf_fillup_fragment: reass frag 57601 @ 1456-1458pf_isfull_fragment: 1458 < 1458?pf_reassemble: complete: 0xfffff8001f4aa100(1478)
May 24 10:58:56 isp kernel: em0: promiscuous mode disabled
May 24 10:58:57 isp kernel: em2: promiscuous mode disabled

From owner-freebsd-pf@freebsd.org Tue May 24 13:26:12 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 13:26:12 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #7 from emz@norma.perm.ru ---
I confirm, adding "in" on scrubbing for TCP MSS fixes the issue. Although the relation between TCP MSS fixing and the ICMP still seems bogus to me.
From owner-freebsd-pf@freebsd.org Tue May 24 13:54:35 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 13:54:34 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #8 from Max ---
(In reply to emz from comment #7)

    fragment reassemble
        Using scrub rules, fragments can be reassembled by normalization. In this case, fragments are buffered until they form a complete packet, and only the completed packet is passed on to the filter. ... This is the default behavior of a scrub rule if no fragmentation modifier is supplied.

Thus the rule
1. reassembles and fixes mss of tcp packets
2. reassembles other packets

I think "scrub in proto tcp ..." should affect tcp packets only.
From owner-freebsd-pf@freebsd.org Tue May 24 18:23:10 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 18:23:10 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #9 from Max ---
pflog output:

21:20:52.521232 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 24585, seq 0, length 1456
21:20:52.521241 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 24585, seq 0, length 1456
21:20:52.521256 rule 0..16777216/0(match): pass out on gre0: 10.10.2.1 > 10.10.1.1: ICMP host 10.10.3.1 unreachable, length 36
21:20:52.521262 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 60: 10.10.2.1 > 10.10.1.1: ICMP host 10.10.3.1 unreachable, length 36
21:20:52.521282 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
21:20:52.521286 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ip-proto-1
21:20:52.521288 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 24585, seq 0, length 1458
21:20:52.521316 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 1482: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 24585, seq 0, length 1458
21:20:52.521598 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 24585, seq 0, length 1456
21:20:52.521614 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1
21:20:52.521619 rule 0..16777216/0(match): pass in on gre1: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 24585, seq 0, length 1458
21:20:52.521624 rule 0..16777216/0(match): pass out on gre0: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 24585, seq 0, length 1458
21:20:52.521630 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 24585, seq 0, length 1456
21:20:52.521646 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1

From owner-freebsd-pf@freebsd.org Tue May 24 18:38:28 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 18:38:28 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #10 from Max ---

scrub on gre1 proto tcp max-mss 1360
(there is no "host unreachable" message).

21:28:54.220629 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 30473, seq 0, length 1456
21:28:54.220641 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 30473, seq 0, length 1456
21:28:54.220650 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 30473, seq 0, length 1456
21:28:54.220656 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 30473, seq 0, length 1456
21:28:54.220700 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
21:28:54.220704 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ip-proto-1
21:28:54.220710 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ip-proto-1
21:28:54.220716 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
21:28:54.220824 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 30473, seq 0, length 1456
21:28:54.220829 rule 0..16777216/0(match): pass in on gre1: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 30473, seq 0, length 1456
21:28:54.220835 rule 0..16777216/0(match): pass out on gre0: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 30473, seq 0, length 1456
21:28:54.220840 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 30473, seq 0, length 1456
21:28:54.220880 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1
21:28:54.220886 rule 0..16777216/0(match): pass in on gre1: 10.10.3.1 > 10.10.1.1: ip-proto-1
21:28:54.220892 rule 0..16777216/0(match): pass out on gre0: 10.10.3.1 > 10.10.1.1: ip-proto-1
21:28:54.220899 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1

From owner-freebsd-pf@freebsd.org Tue May 24 19:14:10 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 19:14:10 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #11 from Max ---

Could it be a gre issue (when packets are dropped by the kernel)?

From owner-freebsd-pf@freebsd.org Tue May 24 19:29:43 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 19:29:42 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #12 from Max ---

And the last one... I'm sorry for these listings...

scrub on gre0 max-mss 1360
scrub on gre1 max-mss 1360
(there is no "host unreachable")

22:22:56.728057 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 60681, seq 0, length 1456
22:22:56.728069 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
22:22:56.728078 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 60681, seq 0, length 1458
22:22:56.728089 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 60681, seq 0, length 1458
22:22:56.728097 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 60681, seq 0, length 1456
22:22:56.728140 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
22:22:56.728266 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 60681, seq 0, length 1456
22:22:56.728273 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1
22:22:56.728278 rule 0..16777216/0(match): pass in on gre1: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 60681, seq 0, length 1458
22:22:56.728283 rule 0..16777216/0(match): pass out on gre0: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 60681, seq 0, length 1458
22:22:56.728288 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 60681, seq 0, length 1456
22:22:56.728325 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1

From owner-freebsd-pf@freebsd.org Wed May 25 11:30:44 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Wed, 25 May 2016 11:30:43 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #13 from Kristof Provost ---

I'm wondering if the 'max-mss' thing isn't a red herring.
Can you try 'scrub on gre0', 'scrub on gre1' (so without the max-mss)?

From owner-freebsd-pf@freebsd.org Wed May 25 11:40:16 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Wed, 25 May 2016 11:40:16 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #14 from Max ---

scrub on gre1

14:35:43.641169 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 44806, seq 0, length 1456
14:35:43.641178 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 44806, seq 0, length 1456
14:35:43.641194 rule 0..16777216/0(match): pass out on gre0: 10.10.2.1 > 10.10.1.1: ICMP host 10.10.3.1 unreachable, length 36
14:35:43.641200 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 60: 10.10.2.1 > 10.10.1.1: ICMP host 10.10.3.1 unreachable, length 36
14:35:43.641218 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
14:35:43.641223 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ip-proto-1
14:35:43.641230 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 44806, seq 0, length 1458
14:35:43.641237 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 1482: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 44806, seq 0, length 1458
14:35:43.641421 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 44806, seq 0, length 1456
14:35:43.641428 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1
14:35:43.641434 rule 0..16777216/0(match): pass in on gre1: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 44806, seq 0, length 1458
14:35:43.641439 rule 0..16777216/0(match): pass out on gre0: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 44806, seq 0, length 1458
14:35:43.641479 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 44806, seq 0, length 1456
14:35:43.641497 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1

From owner-freebsd-pf@freebsd.org Wed May 25 11:41:00 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Wed, 25 May 2016 11:41:00 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #15 from Max ---

scrub on gre0
scrub on gre1

14:39:39.127649 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 47622, seq 0, length 1456
14:39:39.127666 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
14:39:39.127672 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 47622, seq 0, length 1458
14:39:39.127681 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 47622, seq 0, length 1458
14:39:39.127689 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 47622, seq 0, length 1456
14:39:39.127734 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
14:39:39.127857 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 47622, seq 0, length 1456
14:39:39.127865 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1
14:39:39.127869 rule 0..16777216/0(match): pass in on gre1: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 47622, seq 0, length 1458
14:39:39.127875 rule 0..16777216/0(match): pass out on gre0: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 47622, seq 0, length 1458
14:39:39.127880 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 47622, seq 0, length 1456
14:39:39.127917 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1

From owner-freebsd-pf@freebsd.org Wed May 25 11:44:45 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Wed, 25 May 2016 11:44:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #16 from Kristof Provost ---

So if I understand this correctly the problem is still there with only
'scrub on gre1' (so without the MSS clamping), but it's not there if
scrubbing is done on both interfaces?

From owner-freebsd-pf@freebsd.org Wed May 25 11:51:33 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Wed, 25 May 2016 11:51:33 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #17 from Max ---

(In reply to Kristof Provost from comment #16)

Absolutely. The ICMP unreach is generated when the first fragment of the
echo request is dropped by pf, I think.

From owner-freebsd-pf@freebsd.org Wed May 25 12:03:24 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Wed, 25 May 2016 12:03:24 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #18 from Max ---

no scrub on gre1 proto icmp
scrub on gre1

There is no "host unreachable".

14:58:34.741461 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 59142, seq 0, length 1456
14:58:34.741471 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 59142, seq 0, length 1456
14:58:34.741479 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 59142, seq 0, length 1456
14:58:34.741486 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 59142, seq 0, length 1456
14:58:34.741542 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
14:58:34.741571 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ip-proto-1
14:58:34.741576 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ip-proto-1
14:58:34.741580 rule 0..16777216/0(match): pass out on em2: 192.168.30.254 > 192.168.30.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1
14:58:34.741648 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 59142, seq 0, length 1456
14:58:34.741654 rule 0..16777216/0(match): pass in on gre1: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 59142, seq 0, length 1456
14:58:34.741659 rule 0..16777216/0(match): pass out on gre0: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 59142, seq 0, length 1456
14:58:34.741665 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 1480: 10.10.3.1 > 10.10.1.1: ICMP echo reply, id 59142, seq 0, length 1456
14:58:34.741682 rule 0..16777216/0(match): pass in on em2: 192.168.30.1 > 192.168.30.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1
14:58:34.741686 rule 0..16777216/0(match): pass in on gre1: 10.10.3.1 > 10.10.1.1: ip-proto-1
14:58:34.741691 rule 0..16777216/0(match): pass out on gre0: 10.10.3.1 > 10.10.1.1: ip-proto-1
14:58:34.741696 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 26: 10.10.3.1 > 10.10.1.1: ip-proto-1

From owner-freebsd-pf@freebsd.org Wed May 25 18:54:47 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Wed, 25 May 2016 18:54:47 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #19 from Max ---

I've never read FreeBSD sources, except pf's last week... probably I'm wrong.

ip_input()->ip_forward()->ip_output()->ip_output_pfil()->pfil_run_hooks()->pf_test().

If ip_output() returns any error, then in ip_forward():

    error = ip_output(...);
    ...
    switch (error) {

    case 0:                         /* forwarded, but need redirect */
            /* type, code set above */
            break;
    ...
    default:
            type = ICMP_UNREACH;
            code = ICMP_UNREACH_HOST;
            break;
    ...
    icmp_error(...);

So, we have an incoming fragment of an echo request. There are two options:

1. pf returns PF_PASS -> ip_output() returns 0 -> everything is OK
2. pf returns PF_DROP -> ip_output() returns a nonzero value -> we have an icmp-unreach message.

pf returns PF_DROP when we have (implicit) "scrub out on...".

Please, correct me if I'm missing something.
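The ordering Max describes in comments #17 and #19 (an ICMP host-unreachable leaving the forwarder while the rest of the fragmented echo request is still arriving) can be checked mechanically against pflog output. The script below is an added example written for this thread, not code from the bug report or from FreeBSD. Its sample records are the lines Max posted in comments #9 and #18, re-typed here as constructed input; the parser assumes the tcpdump pflog formatting shown in those lines (timestamp, rule, action, direction, interface, then one or two "src > dst: summary" segments, two when the packet carries a GRE outer header).

```python
"""Correlate pflog records to find an ICMP host-unreachable emitted while a
fragmented ICMP echo request was still arriving.  Added example for this
thread, not code from the bug report or from FreeBSD; the parser assumes the
tcpdump pflog formatting seen in comments #9 and #18."""
import re
from dataclasses import dataclass
from typing import List, Optional

_REC = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule \S+: (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>\w+): (?P<rest>.*)$"
)
# Each "src > dst: " pair; a GRE-encapsulated line has two, the inner one last.
_HOP = re.compile(r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): ")
_ECHO_REQ = re.compile(r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)")
_UNREACH = re.compile(r"ICMP host (?P<target>\d+(?:\.\d+){3}) unreachable")


@dataclass
class Record:
    ts: str
    action: str
    direction: str
    iface: str
    src: str          # innermost IP source (the tunnelled packet on GRE lines)
    dst: str
    info: str         # protocol summary of the innermost packet
    tunnelled: bool   # True when a GRE outer header preceded the inner packet


def parse_pflog_line(line: str) -> Optional[Record]:
    """Parse one tcpdump/pflog record; None for lines that are not records."""
    m = _REC.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    hops = list(_HOP.finditer(rest))
    if not hops:
        return None
    inner = hops[-1]
    return Record(m.group("ts"), m.group("action"), m.group("dir"), m.group("iface"),
                  inner.group("src"), inner.group("dst"),
                  rest[inner.end():].strip(), tunnelled=len(hops) > 1)


@dataclass
class Finding:
    echo_id: int
    target: str
    unreach_ts: str
    unreach_iface: str
    trailing_fragment_ts: str


def find_unreach_during_fragmented_echo(lines: List[str]) -> List[Finding]:
    """Flag an outbound host-unreachable whose target is the destination of an
    echo request that passed in just before it, when a non-first fragment of
    that datagram (tcpdump prints it as "ip-proto-1", since the ICMP header is
    only in the first fragment) still arrives after the unreachable went out."""
    recs = [r for r in (parse_pflog_line(l) for l in lines) if r]
    findings: List[Finding] = []
    for i, r in enumerate(recs):
        um = _UNREACH.match(r.info)
        # Count each unreachable once: the untunnelled copy on the gre interface,
        # not its GRE-wrapped repeat on the physical interface.
        if not (um and r.direction == "out" and not r.tunnelled):
            continue
        target = um.group("target")
        echo = next((e for e in reversed(recs[:i]) if e.direction == "in"
                     and e.dst == target and _ECHO_REQ.match(e.info)), None)
        if echo is None:
            continue
        frag = next((f for f in recs[i + 1:] if f.direction == "in"
                     and f.src == echo.src and f.dst == echo.dst
                     and f.info.startswith("ip-proto-1")), None)
        if frag is None:
            continue
        findings.append(Finding(int(_ECHO_REQ.match(echo.info).group("id")),
                                target, r.ts, r.iface, frag.ts))
    return findings


# Constructed sample: the first seven records of comment #9 (unreachable sent).
BROKEN_SAMPLE = [
    "21:20:52.521232 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 24585, seq 0, length 1456",
    "21:20:52.521241 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 24585, seq 0, length 1456",
    "21:20:52.521256 rule 0..16777216/0(match): pass out on gre0: 10.10.2.1 > 10.10.1.1: ICMP host 10.10.3.1 unreachable, length 36",
    "21:20:52.521262 rule 0..16777216/0(match): pass out on em0: 192.168.10.254 > 192.168.10.1: GREv0, proto IPv4 (0x0800), length 60: 10.10.2.1 > 10.10.1.1: ICMP host 10.10.3.1 unreachable, length 36",
    "21:20:52.521282 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1",
    "21:20:52.521286 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ip-proto-1",
    "21:20:52.521288 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 24585, seq 0, length 1458",
]

# Constructed sample: the first six records of comment #18 (no unreachable).
HEALTHY_SAMPLE = [
    "14:58:34.741461 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 1480: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 59142, seq 0, length 1456",
    "14:58:34.741471 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 59142, seq 0, length 1456",
    "14:58:34.741479 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ICMP echo request, id 59142, seq 0, length 1456",
    "14:58:34.741542 rule 0..16777216/0(match): pass in on em0: 192.168.10.1 > 192.168.10.254: GREv0, proto IPv4 (0x0800), length 26: 10.10.1.1 > 10.10.3.1: ip-proto-1",
    "14:58:34.741571 rule 0..16777216/0(match): pass in on gre0: 10.10.1.1 > 10.10.3.1: ip-proto-1",
    "14:58:34.741576 rule 0..16777216/0(match): pass out on gre1: 10.10.1.1 > 10.10.3.1: ip-proto-1",
]
```

Run against the comment #9 records, `find_unreach_during_fragmented_echo(BROKEN_SAMPLE)` returns one finding: echo id 24585 to 10.10.3.1, unreachable out on gre0 at 21:20:52.521256 while the trailing fragment only arrived at 21:20:52.521282. The comment #18 records, where scrub reassembles on gre1, produce no finding. Feeding it `tcpdump -n -e -ttt -i pflog0` output from a live gateway is the same call on the captured lines.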

Date: Thu, 26 May 2016 13:46:45 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: `echo | pfctl -mf -` overriding instead of modifying
Message-ID: <20160526114645.GB49239@box-fra-01.niklaas.eu>
In-Reply-To: <20160518072409.GD99839@box-fra-01.niklaas.eu>

Niklaas Baudet von Gersdorff [2016-05-18 09:24 +0200] :

[...]

> Initially, I only used the `-f -` flags for pfctl (instead of `-mf -`) and
> realised that making changes to the anchor overrides existing rules. So
> I read pfctl(8) where it says
>
>     -m      Merge in explicitly given options without resetting those
>             which are omitted.  Allows single options to be modified without
>             disturbing the others:
>
>                   # echo "set loginterface fxp0" | pfctl -mf -
>
> So I thought that adding `-m` to the rule in the second `exec.poststart`
> will include (instead of replace) the rules into the anchor. But this is
> not the case. What am I doing wrong? Do I misunderstand `-m`?

I clearly misunderstood -m. It says that it merges "given *options*
without resetting those which are omitted", i.e., options and not rules.
No wonder that it's not working.
I will recheck pfctl(8) but I assume that there is no other way than
inserting the rules in question in a one-liner -- or using different
anchors like jails/$name-ipv4 and jails/$name-ipv6.

Niklaas

From: Max
To: freebsd-pf@freebsd.org
Subject: Re: `echo | pfctl -mf -` overriding instead of modifying
Date: Thu, 26 May 2016 15:28:57 +0300
In-Reply-To: <20160526114645.GB49239@box-fra-01.niklaas.eu>

Hello, Niklaas.

Can you try something like

    exec.poststart = "/bin/sh /path/to/pf-config.sh $name $private_ip4 $private_ip6"

where pf-config.sh contains

    #!/bin/sh
    echo "rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $2
    rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $3" | pfctl -a "jails/$1" -Nf -

26.05.2016 14:46, Niklaas Baudet von Gersdorff writes:
> Niklaas Baudet von Gersdorff [2016-05-18 09:24 +0200] :
>
> [...]
>> Initially, I only used the `-f -` flags for pfctl (instead of `-mf -`) and
>> realised that making changes to the anchor overrides existing rules. So
>> I read pfctl(8) where it says
>>
>>     -m      Merge in explicitly given options without resetting those
>>             which are omitted.  Allows single options to be modified without
>>             disturbing the others:
>>
>>                   # echo "set loginterface fxp0" | pfctl -mf -
>>
>> So I thought that adding `-m` to the rule in the second `exec.poststart`
>> will include (instead of replace) the rules into the anchor. But this is
>> not the case. What am I doing wrong? Do I misunderstand `-m`?
> I clearly misunderstood -m. It says that it merges "given *options*
> without resetting those which are omitted", i.e., options and not rules.
> No wonder that it's not working.
>
> I will recheck pfctl(8) but I assume that there is no other way than
> inserting the rules in question in a one-liner -- or using different
> anchors like jails/$name-ipv4 and jails/$name-ipv6.
>
> Niklaas

Date: Thu, 26 May 2016 17:30:31 +0000
To: freebsd-pf@freebsd.org
From: "bz (Bjoern A. Zeeb)"
Subject: [Differential] D1944: PF and VIMAGE fixes
Message-ID: <83e175f3ed03395b10d81722ea4b7040@localhost.localdomain>

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 205743] null pointer dereference in PF running a vimage jail
Date: Thu, 26 May 2016 17:31:25 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords: vimage

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205743

Bjoern A. Zeeb changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |New                         |Open
       Assignee    |freebsd-pf@FreeBSD.org      |bz@FreeBSD.org

--- Comment #15 from Bjoern A. Zeeb ---

Trying to get pf VNET stabler the next days.

Date: Thu, 26 May 2016 21:50:52 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-pf@freebsd.org
Subject: Re: `echo | pfctl -mf -` overriding instead of modifying
Message-ID: <20160526195052.GI49239@box-fra-01.niklaas.eu>

Max [2016-05-26 15:28 +0300] :
> Can you try something like
>
>     exec.poststart = "/bin/sh /path/to/pf-config.sh $name $private_ip4 $private_ip6"
>
> where pf-config.sh contains
>
>     #!/bin/sh
>     echo "rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $2
>     rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $3" | pfctl -a "jails/$1" -Nf -

Thanks a lot for your input. I guess that would work but I managed to
solve it the following way:

    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
    exec.poststop  += "pfctl -a jails/$name-ipv6 -F all";
    exec.poststop  += "pfctl -a jails/$name-ipv4 -F all";

The trick is to use two anchors. This way no rules are replaced and both
stay active.
Niklaas

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Sat, 28 May 2016 11:17:13 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #20 from Kristof Provost ---

Created attachment 170747
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=170747&action=edit
pf_frag_pass patch

(In reply to Max from comment #19)

You may be on to something there. pf_reassemble() actually returns PF_PASS,
but it's turned back into PF_DROP later on.
It actually looks like this'd be a problem for IPv6 too.

Can you give the attached patch a try? I'm not completely happy with it, but
it should fix the problem.
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Sat, 28 May 2016 13:01:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #21 from Max ---

(In reply to Kristof Provost from comment #20)

Hello, Kristof.

This patch works. But there is another problem:

    pass log (all) all
    block drop out log (all) on gre1 proto icmp

In this case the icmp-unreach is still present.
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Sat, 28 May 2016 13:20:23 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #22 from Kristof Provost ---

(In reply to Max from comment #21)

Yeah, I guess that makes sense. After all, the rules tell PF to drop the ICMP
packet, which it does. It tells the network stack that the packet was dropped,
so it generates an 'ICMP destination unreachable' error.

In this case that's correct, because the destination really is unreachable.
Arguably that error should be under the control of the firewall, but I'm not
sure this is really wrong.
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Sat, 28 May 2016 13:36:13 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #23 from Max ---

(In reply to Kristof Provost from comment #22)

I agree. But should we send any ICMP if we have a "block drop ..." rule, not
"block return ..."?
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Sat, 28 May 2016 13:59:34 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #24 from Kristof Provost ---

(In reply to Max from comment #23)

Yeah, that's certainly a valid point. Arguably the network stack shouldn't
send errors if the firewall drops a packet, instead leaving it to the
firewall to send an error. Or perhaps we should extend the netpfil interface
to support both scenarios.

Either way, this change will affect more than just pf, so it'd have to be done
very carefully.
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Sat, 28 May 2016 14:32:23 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #25 from Max ---

(In reply to Kristof Provost from comment #24)

That's why I've reviewed ip_input.c and ip_output.c. It's not just a routing
issue... Can you discuss this problem with the responsible developers?
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Sat, 28 May 2016 21:40:22 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #26 from Max ---

Does it look reasonable? We should use consistent return values in
pf_reassemble(), I think.

--- pf_norm.c.orig	2016-05-28 23:40:52.171196000 +0300
+++ pf_norm.c	2016-05-28 23:50:39.912093000 +0300
@@ -623,7 +623,7 @@ pf_reassemble(struct mbuf **m0, struct i
 	m = *m0 = NULL;
 	if (!pf_isfull_fragment(frag))
-		return (PF_PASS);  /* drop because *m0 is NULL, no error */
+		return (PF_DROP);
 	/* We have all the data */
 	frent = TAILQ_FIRST(&frag->fr_queue);
@@ -1284,8 +1284,6 @@ pf_normalize_ip(struct mbuf **m0, int di
 		return (PF_DROP);
 	m = *m0;
-	if (m == NULL)
-		return (PF_DROP);
 	/* use mtag from concatenated mbuf chain */
 	pd->pf_mtag = pf_find_mtag(m);

IPv6 versions should be fixed too.
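Review bot: in the pf_reassemble() hunk, returning PF_DROP when `pf_isfull_fragment(frag)` is false erases the distinction the deleted comment documented ("drop because *m0 is NULL, no error"): a caller can no longer tell a fragment that was merely queued for reassembly from a packet that was actually rejected. Comment #20 above says the existing PF_PASS is already turned into PF_DROP later on and that this is the problem, and comment #19 traces what a PF_DROP on the forwarding path does (nonzero ip_output() error, ICMP_UNREACH/ICMP_UNREACH_HOST, icmp_error()), so making the queued-fragment case PF_DROP at the source as well keeps the ICMP unreachable this bug reports rather than removing it. Suggest keeping PF_PASS with *m0 == NULL as the "held, no error" signal (or introducing a distinct return value for it) and, whichever contract is chosen, replacing the removed comment with one that states it, for example `return (PF_PASS);  /* fragment queued: *m0 is NULL, not an error */`.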
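Review bot: in the pf_normalize_ip() hunk, deleting `if (m == NULL) return (PF_DROP);` makes `pd->pf_mtag = pf_find_mtag(m);` the first use of m, which is only safe if pf_reassemble() can never return PF_PASS with *m0 == NULL; that holds only once the first hunk is applied too, and nothing in this hunk records the dependency. A NULL m here is a kernel NULL pointer dereference, so suggest keeping the check (or at least a KASSERT on m) regardless of what pf_reassemble() returns, and, since the trailing note says the IPv6 versions need the same fix, the IPv6 counterparts should be part of the same change rather than a follow-up so the two code paths do not diverge.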