Date:      Sun, 23 Nov 2008 00:54:43 +0000
From:      "Peter Maxwell" <peter@allicient.co.uk>
To:        freebsd-pf@freebsd.org
Subject:   Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP
Message-ID:  <7731938b0811221654m6d7fff30x3e6ac51fccd32eaa@mail.gmail.com>
In-Reply-To: <200811231018.28601.darius@dons.net.au>
References:  <200811220225.mAM2Phuj038059@freefall.freebsd.org> <d64aa1760811221412h61747897u11c28686b39961f4@mail.gmail.com> <200811231018.28601.darius@dons.net.au>

I have only skim-read the bug report; however, in the report it says "every
second connection", which sounds like what happens when you have
outgoing connections from an interface that has two IPs assigned (I had
got bitten with this when using IPSec over an interface that had two
IPs assigned).  Except this time the first IP is of course now not
routable, which is consistent with the observed behaviour.

So, while necessary, I would doubt clearing the state table would do
anything other than (possibly) fix the existing connections - as any
new connections have a 50% chance of having their source IP as the old
IP.  I'm assuming that ALL incoming connections are processed fine?

pf is obviously working with the ($ext/if) syntax as it sounds like
it's picking up the new IP.

Looks like a bug to me.



2008/11/22 Daniel O'Connor <darius@dons.net.au>:
> On Sunday 23 November 2008 08:42:48 Chris Buechler wrote:
>> On Fri, Nov 21, 2008 at 9:25 PM,  <linimon@freebsd.org> wrote:
>> > Old Synopsis: pf doesn't forget the old tun IP
>> > New Synopsis: [pf] [tun] pf doesn't forget the old tun IP
>>
>> This sounds like the expected behavior, not a bug. You have to kill
>> your states when your WAN IP changes or else traffic will continue to
>> be translated via the existing state.
>
> I have tried to use -k $oldip but it doesn't fix the problem :(
>
> Also, I don't think it is sensible behaviour - if my IP changes any
> connections are going to die because the other ends of the link will be
> sending traffic to the old IP.
>
>
> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
>  -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
>



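The state-killing step Chris describes (and Daniel reports trying with `-k $oldip`) as an added example, not code from the thread or from the pf project: a small link-up hook that kills pf states tied to the previous tun address in both directions, with a full-flush fallback. Whether this addresses the reported behaviour is exactly what the thread is debating; the script only automates the step itself. It assumes the caller (e.g. a ppp.linkup or dhclient hook) passes the old and new addresses as arguments, and the `PFCTL` variable is an assumption added so the script can be dry-run with `PFCTL="echo pfctl"`.

```shell
#!/bin/sh
# Added example (not from the thread): link-up hook that drops pf states
# bound to the previous tunnel address. PFCTL is an assumption so the
# script can be dry-run; the default is the FreeBSD pfctl path.
PFCTL="${PFCTL:-/sbin/pfctl}"

# Accept only a plain dotted-quad IPv4 address. A stray "0.0.0.0/0" or an
# empty argument passed to "pfctl -k" would kill far more than intended.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Kill states that still reference the old address.
#   pfctl -k HOST           kills states whose source is HOST
#   pfctl -k 0.0.0.0/0 -k HOST  kills states whose destination is HOST
# Running both covers outbound connections (source side) and inbound
# connections / replies (destination side) that were bound to the old IP.
kill_states_for() {
    old="$1"
    if ! is_ipv4 "$old"; then
        echo "refusing to kill states: '$old' is not an IPv4 address" >&2
        return 2
    fi
    $PFCTL -k "$old"
    $PFCTL -k 0.0.0.0/0 -k "$old"
}

# Blunt fallback: flush every state, including ones unrelated to the tun.
flush_all_states() {
    $PFCTL -F states
}

# Usage: this-script OLDIP NEWIP [flush]
main() {
    old="$1"; new="$2"; mode="$3"
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "usage: $0 OLDIP NEWIP [flush]" >&2
        return 1
    fi
    if [ "$old" = "$new" ]; then
        echo "tun address unchanged ($new); nothing to do" >&2
        return 0
    fi
    if [ "$mode" = "flush" ]; then
        flush_all_states
    else
        kill_states_for "$old"
    fi
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `PFCTL="echo pfctl" sh linkup.sh 192.0.2.10 192.0.2.20` to see the two pfctl invocations without touching the state table; drop the `PFCTL` override to apply them.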
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7731938b0811221654m6d7fff30x3e6ac51fccd32eaa>