From owner-freebsd-pf@freebsd.org Sun Nov 1 06:26:22 2015
From: s m
To: freebsd-pf, freebsd-questions
Date: Sun, 1 Nov 2015 09:56:19 +0330
Subject: why pf nat two different ip address to one ip address with different port number?

Hello everybody,

I want to NAT my local addresses with pf, but I have a strange problem. This is my pf.conf file:

    table <1> { 20.3.3.10 }
    nat on 'gbeth2' from { 10.3.3.0/24 } to any -> <1> round-robin sticky-address

I want to have static NAT with just one IP address (20.3.3.10). With these rules I expect the first system which sends a packet to my FreeBSD system to be NATed to 20.3.3.10, and the second system not to be NATed, since we have no free IP address. But what happens is totally different! The second one is NATed to the same IP address but with a different port number, like this:

    all icmp* 20.3.3.10:48401 * (10.3.3.2:27943) -> 20.3.3.1:48401 0:0
    all icmp *20.3.3.10:58435 * (10.3.3.1:3706) -> 20.3.3.1:58435 0:0

Would you please tell me what is wrong with my pf.conf rules? How can I prevent this? I want to NAT just the first system which requests it and ignore the request from the second system. It should be possible, isn't it?

Any comments or hints are appreciated.

SAM
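One way to read what the state table in the message above is actually reporting, as an added example that is not part of the original post: a small parser for `pfctl -ss` style state lines that groups the internal (pre-NAT) hosts by the external address they were translated to. With a one-address pool, round-robin has only one address to hand out and sticky-address only pins each internal host to that same address; pf keeps the flows apart by rewriting the source port (for ICMP, the id), so an audit of the state table shows the many-to-one mapping rather than a refusal to translate the second host. The sample lines are constructed after the two quoted in the message (two TCP states were added), and the column layout assumed is the FreeBSD 10.x one: interface, protocol, translated address, original address in parentheses, direction arrow, destination, state names. IPv4 only.

```python
import re
from collections import defaultdict

# Constructed sample of `pfctl -ss` output, modelled on the two state lines
# quoted in the message (one-address pool, two internal hosts going out).
SAMPLE_STATES = """\
all icmp 20.3.3.10:48401 (10.3.3.2:27943) -> 20.3.3.1:48401       0:0
all icmp 20.3.3.10:58435 (10.3.3.1:3706) -> 20.3.3.1:58435       0:0
all tcp 20.3.3.10:51012 (10.3.3.2:40001) -> 20.3.3.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.3.3.1:8080 <- 10.3.3.2:40002       ESTABLISHED:ESTABLISHED
"""

# One state line: <ifname> <proto> <addr:port> [(<orig addr:port>)] <- or -> <addr:port> <states>
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<xlat>\S+):(?P<xlat_port>\d+)\s+"
    r"(?:\((?P<orig>\S+):(?P<orig_port>\d+)\)\s+)?"
    r"(?P<dir><-|->)\s+(?P<dst>\S+):(?P<dst_port>\d+)"
)


def parse_states(text):
    """Yield one dict per parseable state line. Lines without a NAT mapping
    (no parenthesised original address) come back with orig=None."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def nat_mappings(text):
    """Map each translated (external) source address to the internal hosts pf
    has mapped onto it, with the translated source ports/ids of their flows."""
    mapping = defaultdict(dict)
    for st in parse_states(text):
        if st["orig"] is None or st["dir"] != "->":
            continue  # inbound or untranslated state: not an outbound NAT mapping
        mapping[st["xlat"]].setdefault(st["orig"], set()).add(int(st["xlat_port"]))
    return {ext: {host: sorted(ports) for host, ports in hosts.items()}
            for ext, hosts in mapping.items()}


def shared_addresses(text):
    """External addresses carrying flows from more than one internal host:
    exactly what the message observed with a one-address pool."""
    return {ext: sorted(hosts) for ext, hosts in nat_mappings(text).items()
            if len(hosts) > 1}


if __name__ == "__main__":
    for ext, hosts in shared_addresses(SAMPLE_STATES).items():
        print(f"{ext} is shared by {len(hosts)} internal hosts: {', '.join(hosts)}")
```

On a live system the input would be the output of `pfctl -ss`; the inbound state (`<-`) and any state without a parenthesised original address are deliberately skipped, since only outbound translated states say anything about the NAT pool.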
From owner-freebsd-pf@freebsd.org Sun Nov 1 21:22:11 2015
From: "mmoll (Michael Moll)"
To: freebsd-pf@freebsd.org
Date: Sun, 1 Nov 2015 21:22:11 +0000
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes

mmoll added a subscriber: mmoll.
mmoll added a comment.

What's the status here?

REVISION DETAIL
https://reviews.freebsd.org/D1944

To: nvass-gmx.com, bz, trociny, kristof, gnn, zec, rodrigc, glebius, eri
Cc: mmoll, javier_ovi_yahoo.com, farrokhi, julian, robak, freebsd-virtualization-list, freebsd-pf-list, freebsd-net-list

From owner-freebsd-pf@freebsd.org Sun Nov 1 23:37:18 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Date: Sun, 01 Nov 2015 23:37:18 +0000
Subject: [Bug 204186] Panic in pf_normalize_ip (netpfil/pf/pf_norm.c:1349)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204186

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       Assignee    |freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Mon Nov 2 21:07:41 2015
From: "rodrigc (Craig Rodrigues)"
To: freebsd-pf@freebsd.org
Date: Mon, 2 Nov 2015 21:07:41 +0000
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes

rodrigc added a comment.

@mmoll: It would be nice if @glebius could review this patch. He previously committed some patches I committed to FreeBSD which attempted to fix this problem, so he has an interest in this area.

REVISION DETAIL
https://reviews.freebsd.org/D1944

From owner-freebsd-pf@freebsd.org Wed Nov 4 16:42:24 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Date: Wed, 04 Nov 2015 16:42:24 +0000
Subject: [Bug 204248] PF Does not work nat in FreeBSD 10.2

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204248

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       Assignee    |freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org
From owner-freebsd-pf@freebsd.org Wed Nov 4 21:14:49 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Date: Wed, 04 Nov 2015 21:14:49 +0000
Subject: [Bug 204248] PF Does not work nat in FreeBSD 10.2

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204248

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC    |                            |kp@freebsd.org

--- Comment #1 from Kristof Provost ---
This might be bug #203630. Can you test the patch from that PR and/or test with ipfw?

From owner-freebsd-pf@freebsd.org Fri Nov 6 09:54:15 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Date: Fri, 06 Nov 2015 09:54:15 +0000
Subject: [Bug 204248] PF Does not work nat in FreeBSD 10.2

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204248

--- Comment #2 from ilya kulikov ---
Hi, I installed a new FreeBSD 10.2-RELEASE and edited the file /sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c. I deleted the lines

    packet->vlan_tci & 0xfff;
    }
    if (0 == m_head->m_pkthdr.csum_flags) {
        goto pre_send;
    }

and added the lines

    packet->vlan_tci & 0xfff;
    }
    /* Ignore flags for checksum already calculated or valid */
    if (0 == (m_head->m_pkthdr.csum_flags & 0xffffff)) {
        goto pre_send;
    }

Then I rebuilt the kernel with "options PF"; the situation has not changed. Maybe I applied the patch wrongly.
From owner-freebsd-pf@freebsd.org Fri Nov 6 10:08:53 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Date: Fri, 06 Nov 2015 10:08:53 +0000
Subject: [Bug 204248] PF Does not work nat in FreeBSD 10.2

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204248

--- Comment #3 from Kristof Provost ---
It looks like you did that right. Can you attach network captures, made on the host machine on both the hn0 and hn1 interfaces? I'd like to try to figure out what's happening (or not happening) to break the NAT. This should do the trick:

    tcpdump -n -i hn0 -s0 -w hn0.pcap &
    tcpdump -n -i hn1 -s0 -w hn1.pcap &

Then try to run a ping to 8.8.8.8 on the Windows 7 machine.

From owner-freebsd-pf@freebsd.org Fri Nov 6 11:14:48 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Date: Fri, 06 Nov 2015 11:14:48 +0000
Subject: [Bug 204248] PF Does not work nat in FreeBSD 10.2

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204248

--- Comment #4 from ilya kulikov ---
Sorry, I misunderstood. I created an internal virtual adapter (using VLAN2), and the problem is corrected. Your patch works. Thank you!
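The kind of check Kristof's comment #3 is after (did the ping leave hn0 with a translated source, with its private source untouched, or not at all?), as an added example that is not part of the bug thread. It reads the two `tcpdump -w` files as classic pcap images with Ethernet framing, pulls out IPv4 ICMP echo requests, and correlates each LAN-side request with what the uplink capture shows. Requests are matched on (destination, ICMP sequence) rather than the ICMP id, because pf rewrites the id the way it rewrites a source port. The addresses (192.168.1.10 for the Windows host, 203.0.113.5 for the external side) and the embedded captures are constructed; the interface roles (hn1 inside, hn0 uplink) are an assumption, and pcapng files are not handled.

```python
import ipaddress
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_frame(src: str, dst: str, ident: int, seq: int, icmp_type: int = 8) -> bytes:
    """Ethernet/IPv4/ICMP echo frame. Constructed test data: MAC addresses are zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"pf-nat-check"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp


def build_pcap(frames) -> bytes:
    """Classic little-endian pcap image, link type 1 (Ethernet), as tcpdump -w writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1446000000 + i, 0, len(frame), len(frame)) + frame
    return out


def pcap_frames(data: bytes):
    """Yield the captured bytes of each record in a classic pcap image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def icmp_echo(frame: bytes):
    """(type, src, dst, ident, seq) for an IPv4 ICMP echo request/reply, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 1 or len(ip) < ihl + 8:
        return None
    icmp_type, _, _, ident, seq = struct.unpack_from("!BBHHH", ip, ihl)
    if icmp_type not in (0, 8):
        return None
    return icmp_type, socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ident, seq


def check_nat(inside_pcap: bytes, outside_pcap: bytes, lan: str) -> dict:
    """For each echo request from the LAN seen on the inside capture, report
    whether the outside capture shows it translated, forwarded with its private
    source untouched, or not at all."""
    lan_net = ipaddress.ip_network(lan)
    outside = {}
    for frame in pcap_frames(outside_pcap):
        pkt = icmp_echo(frame)
        if pkt and pkt[0] == 8:
            outside[(pkt[2], pkt[4])] = pkt[1]  # (dst, seq) -> source seen on uplink
    verdicts = {}
    for frame in pcap_frames(inside_pcap):
        pkt = icmp_echo(frame)
        if not pkt or pkt[0] != 8 or ipaddress.ip_address(pkt[1]) not in lan_net:
            continue
        src, dst, seq = pkt[1], pkt[2], pkt[4]
        seen_src = outside.get((dst, seq))
        if seen_src is None:
            verdicts[(src, dst, seq)] = "not forwarded"
        elif seen_src == src:
            verdicts[(src, dst, seq)] = "forwarded untranslated"
        else:
            verdicts[(src, dst, seq)] = "translated to " + seen_src
    return verdicts


def sample_captures():
    """Constructed hn1 (LAN side) and hn0 (uplink) captures: the Windows host at
    192.168.1.10 pings 8.8.8.8 three times; only seq 1 is NATed properly."""
    inside = build_pcap([build_echo_frame("192.168.1.10", "8.8.8.8", 1, s) for s in (1, 2, 3)])
    outside = build_pcap([
        build_echo_frame("203.0.113.5", "8.8.8.8", 48401, 1),     # rewritten source and id
        build_echo_frame("8.8.8.8", "203.0.113.5", 48401, 1, 0),  # the reply, ignored
        build_echo_frame("192.168.1.10", "8.8.8.8", 1, 2),        # leaked untranslated
    ])
    return inside, outside


if __name__ == "__main__":
    for key, verdict in check_nat(*sample_captures(), lan="192.168.1.0/24").items():
        print(key, verdict)
```

With real files the two `build_*` helpers are not needed; pass `open("hn1.pcap", "rb").read()` and `open("hn0.pcap", "rb").read()` to `check_nat` with the LAN prefix of the guest network. A run of "forwarded untranslated" verdicts means the packets reached the uplink but the nat rule did not match them, while "not forwarded" points at a drop before or at the uplink.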
From owner-freebsd-pf@freebsd.org Sat Nov 7 20:36:29 2015
From: Miłosz Kaniewski
To: freebsd-pf@freebsd.org
Date: Sat, 7 Nov 2015 21:36:28 +0100
Subject: Re: Creating span interface using 'dup-to' option

2015-10-12 16:28 GMT+02:00 David DeSimone:
> The man page makes it clear that "dup-to" acts just like "route-to",
> except that the original packet still routes the way it would have. The
> implication being that "dup-to" needs to determine where to route the new
> packet.
>
> This means that the more useful form of this is likely to be:
>
> pass out on em0 dup-to ( em2 X.X.X.X ) no state
>
> Where "X.X.X.X" is the IP of the host connected via em2 that will be
> receiving the duplicated packet.
>
> The difference between using a bridge to accomplish this, vs. pf, is that
> pf operates at layer 3 and will not preserve the layer 2 mac headers,
> whereas bridge will preserve these.
>
> Hopefully this will fit your requirements.

Hi,

Inspired by the answer from David DeSimone, I've decided to do some deeper research. And I found out that the dup-to option is not broken, as I previously thought.
It just works differently than I initially expected. Its behaviour may be described in this way:

1. The original packet is caught by a pf rule with the dup-to option.
2. The original packet is sent as it normally would be (through the interface that is determined by looking into the system routing table).
3. A duplicated packet is created. It is identical to the original packet and differs only in the output interface it should use to send the packet. For the duplicated packet this interface is specified in the 'dup-to' rule (the system routing table is not consulted).
4. Now the system knows which interface to use to send the duplicated packet, but doesn't know what destination MAC address it should use. So now two things can happen:

A.) Let's say that our rule doesn't have a next-hop parameter specified, e.g.

    pass out on em0 dup-to em2

The operating system will now send an ARP request on the dup-to interface (in this example it will be em2). The IP address that ARP will ask about will be the destination IP address of the duplicated packet. So in 99% of cases there will be no ARP response for this ARP request on that interface. Why? Because any response would only come if this IP were directly accessible through this interface. And in most situations duplicated packets will have destination IP addresses that are not directly accessible through the 'dup-to' interface. If they were directly accessible through this interface then using 'dup-to' wouldn't make any sense, in my opinion.

B.) Now let's say that our rule has a next-hop IP specified, e.g.

    pass out on em0 dup-to (em2 10.0.0.1)

This time the operating system will try to find out the MAC address of exactly this IP (10.0.0.1). So it will send an ARP request for this IP address on the 'dup-to' interface. And if this IP address is accessible directly through this interface then an ARP response will be received and finally 'dup-to' will start to properly duplicate packets.

So my original post described situation A, and as I explained above it couldn't work.
Using 'dup-to' with a next-hop (as in example B) is the only way to make it work. But it has one disadvantage, as it can only be used in a situation where there is a computer with a configured IP address directly accessible through the 'dup-to' interface ('directly' means that both computers are in the same subnetwork). However, in some situations the computer waiting for packets won't have any IP address configured. This is how many IDS/IPS systems work, as their interfaces are set in promiscuous mode and no IP address is set on them.

I think that bug 203715, which I submitted before, can now be closed. The 'dup-to' option works, only differently than I expected. But I am not the only one who misunderstood how 'dup-to' works; I found several other posts on FreeBSD and OpenBSD mailing lists where people have a problem similar to mine. Maybe adding some more info to pf.conf(5) would be a good idea.

########

But unfortunately I still have a problem with the 'dup-to' option. I hope you don't mind if I describe it here, as it is still connected with the network scheme I used in my first post.

As I explained, the 'dup-to' option is useful only when it is used with the next-hop parameter. So in my configuration from the first post I made these changes:

    pass out on em0 dup-to (em2 10.0.0.1) no state
    pass out on em1 dup-to (em2 10.0.0.1) no state

IP address 10.0.0.1 is accessible through the em2 interface. And with that configuration everything works fine and duplicated packets are sent through the em2 interface without any problems. But I tried to make a little change and used one stateful rule:

    pass out on em1 dup-to (em2 10.0.0.1)

And with that configuration something strange is happening. Packets are still duplicated and correctly sent through the em2 interface, but there are too many of them. It looks like some of the packets are duplicated too many times. Let's say I send an ICMP ping that goes through em1. On em2 I should see two packets: an ICMP request and an ICMP reply. But I see two identical ICMP requests and one ICMP reply.
So there are 3 packets instead of two.

I don't want to file a bug report yet. First I would like to hear your opinion about this behaviour. And it would be great if someone would check a similar situation and confirm that this problem really exists.

Thanks for your help.
Best regards.
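A small model of the ARP behaviour Miłosz describes in steps 1 to 4 of his message, as an added example that is not part of the original post. It encodes the rule as stated there: the original copy follows the routing table, the duplicate is forced out the dup-to interface, and the duplicate can only be sent if the kernel gets an ARP reply on that interface, either for the configured next hop (form B) or, without one, for the packet's own destination (form A). The interface names, subnets, destination address and the `responders` set (which hosts on the segment actually answer ARP) are all constructed; the promiscuous IDS case from the message is modelled as an empty responder set, because a sensor with no IP address never answers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Iface:
    name: str
    subnet: str            # network directly attached to this interface (constructed)


@dataclass(frozen=True)
class DupToRule:
    out_if: str                     # "pass out on <out_if> ..."
    dup_if: str                     # "... dup-to (<dup_if> [next_hop])"
    next_hop: Optional[str] = None  # None models form A, an address models form B


def arp_resolves(iface: Iface, target: str, responders: Set[str]) -> bool:
    """An ARP request sent on `iface` is answered only if `target` lies in the
    interface's own subnet and some host there owns the address and answers."""
    return (ipaddress.ip_address(target) in ipaddress.ip_network(iface.subnet)
            and target in responders)


def simulate_dup_to(rule: DupToRule, ifaces: Dict[str, Iface],
                    responders: Set[str], dst: str) -> List[Tuple[str, str]]:
    """What leaves the box for one packet to `dst` matched by `rule`: the
    original always goes out `rule.out_if`; the duplicate goes out
    `rule.dup_if` only when its layer-2 destination can be resolved."""
    sent = [(rule.out_if, "original, next hop from the routing table")]
    target = rule.next_hop if rule.next_hop is not None else dst
    if arp_resolves(ifaces[rule.dup_if], target, responders):
        sent.append((rule.dup_if, f"duplicate, ARP reply for {target}"))
    else:
        sent.append((rule.dup_if, f"duplicate dropped, no ARP reply for {target}"))
    return sent


def duplicate_sent(rule: DupToRule, ifaces: Dict[str, Iface],
                   responders: Set[str], dst: str) -> bool:
    return any(reason.startswith("duplicate,")
               for _, reason in simulate_dup_to(rule, ifaces, responders, dst))


# Constructed topology: em0 faces the upstream network, em2 is the span link.
IFACES = {
    "em0": Iface("em0", "198.51.100.0/24"),
    "em2": Iface("em2", "10.0.0.0/24"),
}
RULE_A = DupToRule("em0", "em2")              # pass out on em0 dup-to em2
RULE_B = DupToRule("em0", "em2", "10.0.0.1")  # pass out on em0 dup-to (em2 10.0.0.1)


def scenarios() -> Dict[str, bool]:
    """The cases discussed in the message: True when the duplicate is sent."""
    collector = {"10.0.0.1"}   # host on em2 with an address that answers ARP
    sensor_only: Set[str] = set()  # promiscuous IDS on em2, no IP address at all
    return {
        "A, remote destination": duplicate_sent(RULE_A, IFACES, collector, "8.8.8.8"),
        "A, destination on em2 subnet": duplicate_sent(RULE_A, IFACES, {"10.0.0.7"}, "10.0.0.7"),
        "B, collector answers ARP": duplicate_sent(RULE_B, IFACES, collector, "8.8.8.8"),
        "B, sensor without IP": duplicate_sent(RULE_B, IFACES, sensor_only, "8.8.8.8"),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label}: duplicate {'sent' if ok else 'dropped'}")
```

The last scenario is the limitation the message points out: with form B the duplicate still depends on an ARP reply for the next hop, so a passive sensor that owns no address on the dup-to segment never receives anything, whichever form of the rule is used.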