From: Marek Zarychta
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Date: Sun, 8 Jan 2017 21:47:19 +0100
Subject: Re: udp - weird behavior of reply-to
Message-ID: <20170108204719.GA8598@plan-b.pwste.edu.pl>
References: <20170108145532.GA17695@plan-b.pwste.edu.pl>

On Sun, Jan 08, 2017 at 07:08:10PM +0100, Kristof Provost wrote:
> On 8 Jan 2017, at 15:55, Marek Zarychta wrote:
> The problem description doesn’t ring any bells with me, but I’m also
> not sure I’ve fully understood it. Can you document a minimal
> reproduction scenario, with a pf.conf and perhaps network captures
> documenting the problem?
>

Network captures taken with tcpdump are quite simple:

1st msg from client
20:20:38.726593 IP 62.133.x.y.38315 > 88.199.x.y.1197: UDP, length 21
2nd msg from client
20:20:45.105679 IP 62.133.x.y.38315 > 88.199.x.y.1197: UDP, length 21
20:20:45.106680 IP 88.199.x.y > 62.133.x.y: ICMP 88.199.x.y udp port 1197 unreachable, length 36
1st reply from service:
20:21:11.191630 IP 88.199.y.z.1197 > 62.133.x.y.38315: UDP, length 24
2nd reply from service:
20:21:44.838787 IP 88.199.y.z.1197 > 62.133.x.y.38315: UDP, length 37

Only one UDP datagram passes the firewall from client to server, the rest
is bounced. All the replies are sent via the wrong interface. When I start
the service with another fib, where the interface has a default gateway in
scope, communication goes fine. It could still be possible to run two
instances of the service, but this is not what reply-to was intended for.

By the way, negotiation of a TCP connection via the second interface is
successful:

20:23:52.143832 IP 62.133.x.y.42426 > 88.199.105.83.22: Flags [S], seq 3881242448, win 29200, options [mss 1412,sackOK,TS val 57770500 ecr 0,nop,wscale 7], length 0
20:23:52.143927 IP 88.199.x.y.22 > 62.133.x.y.42426: Flags [S.], seq 430799235, ack 3881242449, win 65535, options [mss 1412,nop,wscale 9,sackOK,TS val 615314394 ecr 57770500], length 0
20:23:52.163432 IP 62.133.x.y.42426 > 88.199.x.y.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 57770505 ecr 615314394], length 0

The minimal pf.conf for use in the reproduction scenario is attached.

[Attachment: pf.conf.simple]

ext_if = "em0"
# em0 is parent interface of vlan2
ext_if_2 = "vlan2"
ip_gw_1 = "88.199.p.q"   # ip_gw_1 is default gateway
ip_gw_2 = "88.199.r.s"   # ip_gw_2 is default gw for fib 1

# services
tcp_services = "{ 22, 50000:55000 }"
udp_services = "{ 1194:1199 }"
TCP_OPTIONS = "flags S/SA keep state"
UDP_OPTIONS = "keep state"

set block-policy return
set loginterface $ext_if
set skip on { lo, tun }

scrub in on {$ext_if, $ext_if_2} all

# ----
# ICMP
# ----
pass out quick on { $ext_if, $ext_if_2 } inet proto icmp all \
    icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp all \
    icmp-type 8 code 0 keep state
pass in quick on $ext_if_2 reply-to ( $ext_if_2 $ip_gw_2 ) \
    inet proto icmp all \
    icmp-type 8 code 0 keep state

# ---
# UDP
# ---
pass in quick on $ext_if inet proto udp \
    from any \
    to ($ext_if:0) port $udp_services \
    $UDP_OPTIONS

pass in quick on $ext_if_2 \
    reply-to ( $ext_if_2 $ip_gw_2 ) \
    inet proto udp \
    from any \
    to ($ext_if_2:0) port $udp_services \
    $UDP_OPTIONS

pass out quick on {$ext_if, $ext_if_2} proto udp \
    all \
    $UDP_OPTIONS

# ---
# TCP
# ---
pass in quick on $ext_if inet proto tcp \
    from any \
    to ($ext_if:0) port $tcp_services \
    $TCP_OPTIONS

pass in quick on $ext_if_2 \
    reply-to ( $ext_if_2 $ip_gw_2 ) \
    inet proto tcp \
    from any \
    to ($ext_if_2:0) port $tcp_services \
    $TCP_OPTIONS

pass out quick on {$ext_if, $ext_if_2} proto tcp \
    all \
    $TCP_OPTIONS
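A way to check a tcpdump capture for the two symptoms described in the mail (UDP replies leaving from a different address than the one the client sent to, and requests bounced with ICMP port unreachable), as an added example that is not part of the original message or of pf. The capture lines are constructed with RFC 5737 documentation addresses and are assumed to follow the tcpdump format shown above.

```python
import re
from collections import namedtuple

# Constructed sample capture mirroring the mail: the client sends to
# 198.51.100.20, the service answers from 198.51.100.30, one request bounces.
SAMPLE_CAPTURE = """\
20:20:38.726593 IP 192.0.2.10.38315 > 198.51.100.20.1197: UDP, length 21
20:20:45.105679 IP 192.0.2.10.38315 > 198.51.100.20.1197: UDP, length 21
20:20:45.106680 IP 198.51.100.20 > 192.0.2.10: ICMP 198.51.100.20 udp port 1197 unreachable, length 36
20:21:11.191630 IP 198.51.100.30.1197 > 192.0.2.10.38315: UDP, length 24
20:21:44.838787 IP 198.51.100.30.1197 > 192.0.2.10.38315: UDP, length 37
"""

UDP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+) > (?P<dip>[\d.]+): ICMP "
    r"(?P<target>[\d.]+) udp port (?P<port>\d+) unreachable"
)

Finding = namedtuple("Finding", "ts kind detail")

def audit_udp_replies(capture, service_ports):
    """Pair UDP requests with replies; flag bounced requests and replies
    whose source address differs from the address the client talked to."""
    requests = {}   # (client_ip, client_port, svc_port) -> address client used
    findings = []
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            sport, dport = int(m["sport"]), int(m["dport"])
            if dport in service_ports:          # client -> service request
                requests[(m["sip"], sport, dport)] = m["dip"]
            elif sport in service_ports:        # service -> client reply
                expected = requests.get((m["dip"], dport, sport))
                if expected is None:
                    findings.append(Finding(m["ts"], "unsolicited-reply", line))
                elif expected != m["sip"]:
                    findings.append(Finding(m["ts"], "source-mismatch",
                        f"client sent to {expected}, reply came from {m['sip']}"))
            continue
        m = ICMP_RE.match(line)
        if m and int(m["port"]) in service_ports:
            findings.append(Finding(m["ts"], "port-unreachable",
                f"{m['target']}:{m['port']} bounced request from {m['dip']}"))
    return findings
```

Run against the sample, it reports one bounced request followed by two replies whose source does not match the address the client used.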