Date:      Sun, 04 Dec 2016 12:37:47 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-amd64@FreeBSD.org
Subject:   [Bug 215041] [pf] Handshake to certain (fixed) hosts is dropped
Message-ID:  <bug-215041-6@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215041

            Bug ID: 215041
           Summary: [pf] Handshake to certain (fixed) hosts is dropped
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: bsd@ddh.de1.cc
                CC: freebsd-amd64@FreeBSD.org

Created attachment 177653
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=177653&action=edit
Captures from internal interfaces, external interface, and PF

(The same behavior was observed on 10.3-RELEASE, but remained unchanged after
upgrading to 11-RELEASE)

I am running a bridge configured as follows:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm re0 SYNCDHCP"
ifconfig_em0="up -tso" # Internal interface
ifconfig_re0="up -tso" # External interface, connecting to NAT router

And this extremely minimal firewall config:

pass log all

The issue is that while PF is running, a host connected to the internal
interface attempting to connect to 185.60.115.40:443 (something related to the
login of Blizzard's battle.net service) will not receive a response to the
initial SYN packet, see em0.pcap in the attached zip. However, on the external
interface (see re0.pcap) the SYN/ACKs do plainly show up, both for the initial
SYN and the retries. The logs of PF itself align with the view of the internal
interface, the SYN/ACKs do not show up at all:

00:00:00.000000 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56465 > 185.60.115.40.443: Flags [S], seq 1914506337, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000058 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56465 > 185.60.115.40.443: Flags [S], seq 1914506337, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.250999 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56467 > 185.60.115.40.443: Flags [S], seq 2119186033, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000059 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56467 > 185.60.115.40.443: Flags [S], seq 2119186033, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Disabling PF via "pfctl -d" instantly makes the problem disappear, "pfctl -e"
makes it reappear just as reliably, so the issue definitely seems to be linked
to PF and not a general networking or hardware/driver problem.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
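The report's diagnosis rests on comparing what pflog recorded against the interface captures: outbound SYNs are logged, the matching SYN/ACKs never are. The following script, an added example that is not part of the bug report or of FreeBSD's tooling, automates that comparison over `tcpdump -n -e -ttt -i pflog0` style lines. It pairs each logged SYN with a SYN/ACK in the reverse direction and lists the flows that never received one. The line format is assumed from the four entries quoted above; the sample input reuses those four lines and adds a constructed, healthy flow to the documentation address 203.0.113.5 so that the contrast is visible.

```python
import re

# Shape of the pflog lines quoted in the report (assumption: the same
# "delta rule N/M(action): verdict dir on ifname: src.port > dst.port: Flags [..]"
# layout tcpdump prints for pflog0; adjust the pattern if yours differs).
LINE_RE = re.compile(
    r"^(?P<delta>\S+) rule (?P<rule>[^(\s]+)\((?P<action>\w+)\): "
    r"(?P<verdict>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: the report's four lines plus one healthy flow (SYN and
# its SYN/ACK) to 203.0.113.5, a documentation address, for comparison.
SAMPLE_LOG = """\
00:00:00.000000 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56465 > 185.60.115.40.443: Flags [S], seq 1914506337, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000058 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56465 > 185.60.115.40.443: Flags [S], seq 1914506337, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.250999 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56467 > 185.60.115.40.443: Flags [S], seq 2119186033, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000059 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56467 > 185.60.115.40.443: Flags [S], seq 2119186033, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:01.000000 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56470 > 203.0.113.5.443: Flags [S], seq 1, win 8192, options [mss 1460], length 0
00:00:00.020000 rule 0..16777216/0(match): pass in on re0: 203.0.113.5.443 > 192.168.0.186.56470: Flags [S.], seq 2, ack 2, win 65535, options [mss 1460], length 0
"""


def parse_line(line):
    """Parse one pflog line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unanswered_handshakes(lines):
    """Return {flow: [(dir, ifname), ...]} for every client flow whose SYN was
    logged but for which no SYN/ACK in the reverse direction was ever logged.

    flow is (src, sport, dst, dport) from the client's point of view; the value
    lists each interface/direction on which pf logged that SYN, which is what
    the report compares (in on re0, out on bridge0).
    """
    syn_seen = {}
    synack_seen = set()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        flags = p["flags"]
        # tcpdump prints ACK as '.', so a bare [S] is a SYN and [S.] is a SYN/ACK.
        is_syn = "S" in flags and "." not in flags
        is_synack = "S" in flags and "." in flags
        if is_syn:
            flow = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
            syn_seen.setdefault(flow, []).append((p["dir"], p["ifname"]))
        elif is_synack:
            # Reverse the tuple so the SYN/ACK maps back to the client's flow.
            synack_seen.add((p["dst"], int(p["dport"]), p["src"], int(p["sport"])))
    return {flow: ifs for flow, ifs in syn_seen.items() if flow not in synack_seen}


if __name__ == "__main__":
    for flow, seen_on in find_unanswered_handshakes(SAMPLE_LOG.splitlines()).items():
        src, sport, dst, dport = flow
        where = ", ".join(f"{d} on {i}" for d, i in seen_on)
        print(f"no SYN/ACK logged for {src}:{sport} -> {dst}:{dport} (SYN seen {where})")
```

Run against a real pflog0 capture the same way (`tcpdump -n -e -ttt -i pflog0 | python3 script.py` with stdin piped in place of `SAMPLE_LOG`), then compare the listed flows with the external-interface capture: a flow that appears here but whose SYN/ACK is present in re0.pcap is exactly the symptom the report describes, a reply that reached the box but was never passed through pf.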
