From owner-freebsd-pf@freebsd.org Sun Mar 11 04:40:53 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 226411] PF does not properly keep state with GRE in IPSec
Date: Sun, 11 Mar 2018 04:40:51 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #1 from Kristof Provost ---
Can you add your network and pf configuration? Ideally minimised to the
smallest reproducing test-case.
-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Sun Mar 11 21:00:23 2018
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 11 Mar 2018 21:00:21 +0000
Message-Id: <201803112100.w2BL0LuK098136@kenobi.freebsd.org>
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Mon Mar 12 13:27:52 2018
From: Rick van der Zwet
To: freebsd-pf@freebsd.org
Subject: NAT possible with single interface box?
Date: Mon, 12 Mar 2018 14:27:43 +0100
Hi,

Could NAT translation be done with a single interface system without the
use of VLANs?

I have a rather odd (simplified) network configuration:
- single interface system (Router) which has two private IP addresses
  172.16.0.10/24 and 192.168.1.10/24.
- The gateway (to the internet) is found at 192.168.1.1
- The Client with IP 172.16.0.20/24
The Client (cannot be modified) is supposed to connect to the internet
via the Router.

My pf rules on Router are:
  nat on sis0 inet proto tcp from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.1.10

Router is configured to allow routing:
  net.inet.ip.forwarding=1

pf.conf(5) tells me it will do translation on pass-through packets:
  Translation rules apply only to packets that pass through the specified
  interface, and if no interface is specified, translation is applied to
  packets on all interfaces.

Looking at tcpdump of the router I do not see packets being translated,
only being forwarded, which leaves me wondering: could this be done at all?
Best regards,
-Rick

From owner-freebsd-pf@freebsd.org Mon Mar 12 14:33:08 2018
From: Ultima
To: Rick van der Zwet
Cc: freebsd-pf@freebsd.org
Subject: Re: NAT possible with single interface box?
Date: Mon, 12 Mar 2018 14:32:52 +0000
Please provide netstat -nr. If you have more in pf.conf, please provide
this too.

On Mon, Mar 12, 2018, 6:28 AM Rick van der Zwet wrote:

> Hi,
>
> Could NAT translation be done with a single interface system without the
> use of VLANs?
>
> I have ,a rather odd, (simplified) network configuration:
> - single interface system (Router) which has two private IP addresses
>   172.16.0.10/24 and 192.168.1.10/24.
> - The gateway (to the internet) is found at 192.168.1.1
> - The Client with IP 172.16.0.20/24
> The Client (cannot be modified) is supposed to connect to the internet
> via the Router.
>
> My pf rules on Router are:
>   nat on sis0 inet proto tcp from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.1.10
>
> Router is configured to allow routing:
>   net.inet.ip.forwarding=1
>
> pf.conf(5) tell me it will do translation on pass through packets:
>   Translation rules apply only to packets that pass through the specified
>   interface, and if no interface is specified, translation is applied to
>   packets on all interfaces.
>
> Looking at tcpdump of the router I do not see packages been translated
> yet only being forwarded, which leaves me wondering could this be done
> at all?
>
> Best regards,
> -Rick

From owner-freebsd-pf@freebsd.org Mon Mar 12 22:50:51 2018
From: Rick van der Zwet
To: Ultima
Cc: freebsd-pf@freebsd.org
Subject: Re: NAT possible with single interface box?
Date: Mon, 12 Mar 2018 23:50:49 +0100
Message-ID: <03f0b2ceb5197171f20500982ad18a40@rickvanderzwet.nl>

On 2018-03-12 15:32, Ultima wrote:
> Please provide netstat -nr. If you have more in pf.conf, please provide
> this too.
Thanks for the suggestion, it made me think again.

I recreated the setup with different network settings for easier testing:
- em0 instead of sis0
- 192.168.178.181/24 instead of 192.168.1.10/24
- gateway 192.168.178.1 instead of 192.168.1.1

root@vbsd11:~ # uname -a
FreeBSD vbsd11.vanderzwet.net 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:42:58 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

root@vbsd11:~ # netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.1      UGS         em0
127.0.0.1          link#2             UH          lo0
172.16.0.0/24      link#1             U           em0
172.16.0.1         link#1             UHS         lo0
192.168.178.0/24   link#1             U           em0
192.168.178.181    link#1             UHS         lo0

root@vbsd11:~ # cat /etc/pf.conf
nat on em0 inet from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.178.181

root@vbsd11:~ # cat /etc/rc.conf
hostname="vbsd11.vanderzwet.net"
sshd_enable="YES"
ntpd_enable="YES"

ifconfig_em0="192.168.178.181/24"
ifconfig_em0_alias0="172.16.0.1/24"

defaultrouter="192.168.178.1"
gateway_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"

Looking at tcpdump of the router I now see packets being translated:
root@vbsd11:~ # tcpdump -ni em0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64

In hindsight the simplified example was working; the problem was caused by
blocking firewall rules further down the script.

Best regards,
-Rick
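The two posts above (the original question and the resolved setup) both hinge on reading a tcpdump capture taken on the router's single interface. The script below is an added example and not code from the thread: because the box has one NIC, every forwarded packet crosses em0 twice, once as received from the inside host and once after pf rewrote the source address and ICMP id, so a capture on em0 shows both copies back to back. The script pairs those copies and reports which packets were translated and which were only forwarded unchanged (the symptom in the first mail). It assumes the inside network 172.16.0.0/24 and NAT address 192.168.178.181 from the resolved setup; CAPTURE_OK is the capture quoted in the post, and CAPTURE_NO_NAT is a constructed capture of the untranslated case.

```python
"""Verify pf NAT on a single-interface router from a tcpdump capture.

Added example (not from the mailing-list thread). On a one-NIC router the
untranslated packet and its translated copy both cross the same interface,
so the capture shows every forwarded packet twice; this pairs those copies.
"""
import ipaddress
import re
from dataclasses import dataclass

# tcpdump -n ICMP echo line format; banner lines do not match and are skipped
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<length>\d+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    dst: str
    kind: str
    icmp_id: int
    seq: int


def parse_capture(text):
    """Parse tcpdump ICMP echo lines into Packet records; ignore anything else."""
    packets = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            packets.append(Packet(m["ts"], m["src"], m["dst"], m["kind"],
                                  int(m["id"]), int(m["seq"])))
    return packets


def check_nat(packets, inside_net, nat_addr):
    """Return (translations, untranslated).

    translations: (inside_ip, inside_id, nat_id, seq, direction) per paired copy
    untranslated: inside-sourced requests with no translated twin, i.e. packets
                  that were forwarded (or dropped) without NAT being applied.
    """
    net = ipaddress.ip_network(inside_net)
    translations, untranslated = [], []
    id_map = {}   # nat-side ICMP id -> (inside_ip, inside_id), learned outbound
    used = set()  # indexes already consumed as the second copy of a pair

    def find_twin(start, pred):
        for j in range(start + 1, len(packets)):
            if j not in used and pred(packets[j]):
                used.add(j)
                return packets[j]
        return None

    for i, p in enumerate(packets):
        if i in used:
            continue
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if p.kind == "request" and src in net and dst not in net:
            # Outbound: original from the inside host, then the copy whose
            # source is nat_addr and whose ICMP id pf chose for the state.
            twin = find_twin(i, lambda q: q.kind == "request" and q.src == nat_addr
                             and q.dst == p.dst and q.seq == p.seq)
            if twin is None:
                # Forwarded without translation: consume an unchanged copy, if any.
                find_twin(i, lambda q: (q.src, q.dst, q.kind, q.icmp_id, q.seq)
                          == (p.src, p.dst, p.kind, p.icmp_id, p.seq))
                untranslated.append(p)
                continue
            id_map[twin.icmp_id] = (p.src, p.icmp_id)
            translations.append((p.src, p.icmp_id, twin.icmp_id, p.seq, "out"))
        elif p.kind == "reply" and p.dst == nat_addr:
            # Inbound: reply to the NAT address, then the copy with destination
            # and ICMP id restored to the inside host's values.
            inside = id_map.get(p.icmp_id)
            if inside is None:
                continue  # reply for a state this capture did not see
            inside_ip, inside_id = inside
            twin = find_twin(i, lambda q: q.kind == "reply" and q.src == p.src
                             and q.dst == inside_ip and q.icmp_id == inside_id
                             and q.seq == p.seq)
            if twin is not None:
                translations.append((inside_ip, inside_id, p.icmp_id, p.seq, "in"))
    return translations, untranslated


# Capture lines from the resolved setup in the thread (copied from the post).
CAPTURE_OK = """\
00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64
"""

# Constructed capture of the original symptom: forwarded twice, never translated.
CAPTURE_NO_NAT = """\
00:12:01.100000 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 1, length 64
00:12:01.100100 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 1, length 64
"""


def report(text, inside_net="172.16.0.0/24", nat_addr="192.168.178.181"):
    return check_nat(parse_capture(text), inside_net, nat_addr)


if __name__ == "__main__":
    for name, cap in (("ok", CAPTURE_OK), ("no-nat", CAPTURE_NO_NAT)):
        done, missing = report(cap)
        print(name, "translated:", done, "untranslated:", [p.src for p in missing])
```

Run it against the output of `tcpdump -ni em0 icmp` on the router: a non-empty `untranslated` list means the inside host's packets reach em0 but no rewritten copy follows them, which is what a `nat` rule that never matches (or a later `block` rule that drops the translated copy) looks like on the wire. The pairing keys on the destination and sequence number rather than the ICMP id, because pf assigns a fresh id to the translated copy; the id mapping is learned from the outbound pair and then used to confirm the reply was reverse-translated to the right inside host.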
From owner-freebsd-pf@freebsd.org Tue Mar 13 01:05:55 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 226411] PF does not properly keep state with GRE in IPSec
Date: Tue, 13 Mar 2018 01:05:53 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411

--- Comment #2 from Eric Dombroski ---
################# HOST 1 - ROUTER ###################################

root@fbsd12test1:~ # cat /etc/rc.conf
hostname="fbsd12test1"
ifconfig_vmx0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_vmx1="inet 10.6.0.1 netmask 255.255.254.0" #lan is a /23
cloned_interfaces="gre0"
ifconfig_gre0="inet 10.1.0.1 10.1.0.2 netmask 255.255.255.252 tunnel 10.10.10.1 10.10.10.2 link0 up"
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
strongswan_enable="YES"

root@fbsd12test1:~ # cat /etc/pf.conf
set block-policy drop
set loginterface egress
set skip on lo0
set skip on gre0 ### has no apparent effect?
###
#default block rules
block log all

# allow in from other host
pass in quick on vmx0 from 10.10.10.0/24

# allow all in from lan subnet
pass in quick from 10.6.0.0/23

# pass all output packets
pass out quick

root@fbsd12test1:~ # cat /usr/local/etc/ipsec.conf
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 10.6.0.0/23
    rightsubnet = 10.6.0.0/23
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = transport
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 10.10.10.1
    right = 10.10.10.2
    leftid = 10.10.10.1
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha256-modp4096!
    esp = aes256-sha256-modp4096!
    leftauth = psk
    rightauth = psk
    rightid = 10.10.10.2
    aggressive = no
    rightsubnet = 10.10.10.2
    leftsubnet = 10.10.10.1

root@fbsd12test1:~ # cat /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
%any 10.10.10.2 : PSK "testingtestingtesting"

################# HOST 2 - CLIENT ###################################

root@fbsd12test2:~ # cat /etc/rc.conf
hostname="fbsd12test2"
ifconfig_vmx0="inet 10.10.10.2 netmask 255.255.255.0"
cloned_interfaces="gre0"
ifconfig_gre0="inet 10.1.0.2 10.1.0.1 netmask 255.255.255.252 tunnel 10.10.10.2 10.10.10.1 link0 up"
pf_enable="NO"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
strongswan_enable="YES"

root@fbsd12test2:~ # cat /usr/local/etc/ipsec.conf
config setup
    uniqueids = yes

conn con1
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = transport
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 10.10.10.2
    right = 10.10.10.1
    leftid = 10.10.10.2
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha256-modp4096!
    esp = aes256-sha256-modp4096!
    leftauth = psk
    rightauth = psk
    rightid = 10.10.10.1
    aggressive = no
    rightsubnet = 10.10.10.1
    leftsubnet = 10.10.10.2

root@fbsd12test2:~ # cat /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
%any 10.10.10.1 : PSK "testingtestingtesting"

root@fbsd12test2:~ # route add -net 10.6.0.0/23 10.1.0.2

Test tcp connection to host on 10.6.0.0/23 (for instance, 10.6.0.10). SYN
packet gets through, ACK doesn't get back. Also, ICMP traffic is let through
even if you remove the pass rules that let it go through.

From owner-freebsd-pf@freebsd.org Tue Mar 13 10:20:37 2018
From: Steven Crangle
To: freebsd-pf@freebsd.org
Subject: Kernel page fault when attempting to call PF_RULES_LOCK()
Date: Tue, 13 Mar 2018 10:20:32 +0000
Hi,

I seem to be experiencing a strange kernel panic when using pf on 11.1 Release.
I have attached an image I managed to take at the point of panic, as for some
reason the box didn't dump the kernel into /var/crash for inspection.

http://oi66.tinypic.com/6tiyht.jpg

At the point of panic the box had been up for 1 day and 20 hours and had about
68000 active firewall states.

I'm currently trying to reproduce the issue and get a proper kernel dump that
I can look at/post. The kernel is compiled as GENERIC with the following extra
options:

options KDB
options KDB_TRACE
options GDB
options DDB
options BREAK_TO_DEBUGGER
options INVARIANTS
options INVARIANT_SUPPORT
options WITNESS
options WITNESS_SKIPSPIN

Steven Crangle
Infrastructure Developer | Stream Technologies Ltd
www.stream-technologies.com

From owner-freebsd-pf@freebsd.org Tue Mar 13 10:54:46 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 226411] PF does not properly keep state with GRE in IPSec
Date: Tue, 13 Mar 2018 10:54:44 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411

--- Comment #3 from Daniel B. ---
Just for reference, here's the downstream bug:
https://redmine.pfsense.org/issues/4479

From owner-freebsd-pf@freebsd.org Tue Mar 13 18:17:34 2018
From: Paul Webster
Date: Tue, 13 Mar 2018 18:17:31 +0000
Subject: Re: NAT possible with single interface box?
To: Rick van der Zwet
Cc: Ultima, freebsd-pf@freebsd.org

Depending on what you need, an easy hack for it would be running an openvpn or other vpn server, then you can just nat out from that.

On 12 March 2018 at 22:50, Rick van der Zwet wrote:
> On 2018-03-12 15:32, Ultima wrote:
>
>> Please provide netstat -nr. If you have more in pf.conf, please provide
>> this too.
>>
>
> Thanks for the suggestion, it made me think again.
>
> I recreated the setup with different network settings for easier testing:
> - em0 instead of sis0
> - 192.168.178.181/24 instead of 192.168.1.10/24
> - gateway 192.168.178.1 instead of 192.168.1.1
>
>
> root@vbsd11:~ # uname -a
> FreeBSD vbsd11.vanderzwet.net 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:42:58 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>
>
> root@vbsd11:~ # netstat -nr -f inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.178.1      UGS         em0
> 127.0.0.1          link#2             UH          lo0
> 172.16.0.0/24      link#1             U           em0
> 172.16.0.1         link#1             UHS         lo0
> 192.168.178.0/24   link#1             U           em0
> 192.168.178.181    link#1             UHS         lo0
>
>
> root@vbsd11:~ # cat /etc/pf.conf
> nat on em0 inet from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.178.181
>
>
> root@vbsd11:~ # cat /etc/rc.conf
> hostname="vbsd11.vanderzwet.net"
> sshd_enable="YES"
> ntpd_enable="YES"
>
> ifconfig_em0="192.168.178.181/24"
> ifconfig_em0_alias0="172.16.0.1/24"
>
> defaultrouter="192.168.178.1"
> gateway_enable="YES"
>
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
>
>
> Looking at tcpdump of the router I now see packets being translated:
> root@vbsd11:~ # tcpdump -ni em0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
> 00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
> 00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
> 00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64
>
>
> In hindsight the simplified example was in fact working; the problem was caused by blocking firewall rules further down the script.
>
> Best regards,
> -Rick
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@freebsd.org Tue Mar 13 20:00:55 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 226411] PF does not properly keep state with GRE in IPSec
Date: Tue, 13 Mar 2018 20:00:53 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411

--- Comment #4 from Eric Dombroski ---
Correction/clarification:

Setting "set skip on gre0" indeed allows the traffic to go through, but doesn't allow any control of traffic over the tunnel.

The following /etc/pf.conf configuration does NOT work as expected:

set block-policy drop
set loginterface egress
set skip on lo0

#default block rules
block log all

# allow in from other host
pass in quick on vmx0 from 10.10.10.0/24

# pass in from gre0
pass in quick on gre0 to 10.6.0.0/23

# allow all in from lan subnet
pass in quick from 10.6.0.0/23

# pass all output packets
pass out quick

From owner-freebsd-pf@freebsd.org Wed Mar 14 17:30:07 2018
From: Steven Crangle
To: "freebsd-pf@freebsd.org"
Subject: Required modification for round robin napt with ip address prefixes
Date: Wed, 14 Mar 2018 17:30:02 +0000

Hi,

I was looking for some advice on the type of locking required to stop a box panicking that utilises both napt and ip address prefixes.

My colleague made a post a while ago, and we ended up getting distracted fixing other panics that showed up. But we've now returned to try and figure out the issue.

The relevant code is in pf_lb.c : 424

Currently, I've tried adding a PF_RULES_WLOCK() around the sections of code in the round robin code path that call pfr_pool_get(). In order to do this I had to add in a few macros so that I could upgrade the already held read lock to a write lock. I then wasn't sure whether to return (1), or keep trying to obtain the write lock. The latter results in a crashed box (guessing it could never obtain the lock), and I'm unsure of the implications of returning a failure code so frequently from that code path; I'd imagine it would result in napt not working correctly.

The second solution suggested the use of atomics, which I'm going to try next. I just wanted to confirm that the correct area to look at would be within pfr_pool_get()? I can see that pidx is being modified within there, and counter also seems to be being used.

I also might well be looking in completely the wrong direction!
Thanks for any help

Steven

From owner-freebsd-pf@freebsd.org Thu Mar 15 19:50:24 2018
From: "Kristof Provost"
To: "Steven Crangle"
Cc: freebsd-pf@freebsd.org
Subject: Re: Required modification for round robin napt with ip address prefixes
Date: Thu, 15 Mar 2018 20:50:45 +0100

On 14 Mar 2018, at 18:30, Steven Crangle wrote:
> I was looking for some advice on the type of locking required to stop
> a box panicking that utilises both napt and ip address prefixes.
>
> My colleague made a post a while ago, and we ended up getting
> distracted fixing other panics that showed up. But we've now returned
> to try and figure out the issue.
>
>
> The relevant code is in pf_lb.c : 424
>
I’d recommend talking to glebius@. He did the locking code and wrote the comment block discussing the locking choices around PF_POOL_ROUNDROBIN.

I suspect it’s a bit more complicated than a straightforward PF_RULES_WLOCK() would fix. The locking model for pf is pretty complex.

I’ve not had the time to really dig into this, so I can’t give more advice right now.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Fri Mar 16 09:33:17 2018
From: Steven Crangle
To: Kristof Provost
CC: "freebsd-pf@freebsd.org", "eri@freebsd.org"
Subject: Re: Required modification for round robin napt with ip address prefixes
Date: Fri, 16 Mar 2018 09:33:12 +0000

Hi,

Thanks to both of you for your responses. I'm currently working on a reduced test case that will hopefully reproduce the issue.

I'll also reach out to glebius@ too, as it would be great to get a bit more insight into how to approach a fix for the issue.

Hopefully they can point me in the right direction and I can work on a fix!

Regards
Steven

________________________________
From: Kristof Provost
Sent: 15 March 2018 19:50:45
To: Steven Crangle
Cc: freebsd-pf@freebsd.org
Subject: Re: Required modification for round robin napt with ip address prefixes

On 14 Mar 2018, at 18:30, Steven Crangle wrote:
> I was looking for some advice on the type of locking required to stop
> a box panicking that utilises both napt and ip address prefixes.
>
> My colleague made a post a while ago, and we ended up getting
> distracted fixing other panics that showed up. But we've now returned
> to try and figure out the issue.
>
>
> The relevant code is in pf_lb.c : 424
>
I’d recommend talking to glebius@. He did the locking code and wrote the comment block discussing the locking choices around PF_POOL_ROUNDROBIN.
I suspect it’s a bit more complicated than a straightforward PF_RULES_WLOCK() would fix. The locking model for pf is pretty complex.

I’ve not had the time to really dig into this, so I can’t give more advice right now.

Regards,
Kristof
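Added illustration of the pattern Steven asks about (an editor's example, not pf's code and not a patch for pf_lb.c): a pool index advanced on a read-locked path is a read-modify-write race, while an atomic fetch-and-add on that index hands every caller a distinct ticket without any read-to-write lock upgrade. The pool layout, the names rr_pool, pidx, rr_next_racy, rr_next_atomic and rr_stress_ok, and the 203.0.113.x addresses are constructed for the example, and it uses C11 atomics and pthreads in userland rather than the kernel's own primitives.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>

#define POOL_SIZE 4   /* constructed pool of four consecutive translation addresses */

struct rr_pool {
    uint32_t addr[POOL_SIZE]; /* constructed sample addresses, host byte order */
    unsigned int pidx_racy;   /* plain counter: loses updates if bumped under a read lock */
    atomic_uint pidx;         /* atomic counter: safe to bump under a read lock */
};

/* Racy selection: a read-modify-write on a plain integer. Two callers holding
 * only a shared (read) lock can load the same value, hand out the same address
 * and lose one store. Kept only to show the shape of the problem. */
uint32_t rr_next_racy(struct rr_pool *p)
{
    unsigned int i = p->pidx_racy;
    p->pidx_racy = (i + 1) % POOL_SIZE;
    return p->addr[i];
}

/* Atomic selection: fetch-and-add hands each caller a distinct ticket in one
 * indivisible step, so the read lock suffices and no read-to-write upgrade
 * (which blocks while other readers are inside) is attempted. Caveat: the
 * ticket wraps at 2^32, so a POOL_SIZE that does not divide 2^32 skips one
 * slot at wrap-around; harmless for spreading load, not perfectly fair. */
uint32_t rr_next_atomic(struct rr_pool *p)
{
    unsigned int t = atomic_fetch_add_explicit(&p->pidx, 1, memory_order_relaxed);
    return p->addr[t % POOL_SIZE];
}

/* Stress-test state shared by all workers; hits[] has one counter per slot. */
struct worker {
    struct rr_pool *pool;
    unsigned int iters;
    atomic_ulong hits[POOL_SIZE];
};

static void *worker_run(void *arg)
{
    struct worker *w = arg;
    for (unsigned int n = 0; n < w->iters; n++) {
        /* addresses are consecutive, so (addr - first) is the slot index */
        uint32_t slot = rr_next_atomic(w->pool) - w->pool->addr[0];
        atomic_fetch_add(&w->hits[slot], 1);
    }
    return NULL;
}

/* Runs nthreads (at most 64) workers concurrently against one pool with the
 * atomic selector. Returns 1 when the final ticket count equals nthreads*iters
 * and every slot came back equally often (nthreads*iters must be a multiple of
 * POOL_SIZE), 0 otherwise. */
int rr_stress_ok(unsigned int nthreads, unsigned int iters)
{
    struct rr_pool pool = {
        /* 203.0.113.1 .. 203.0.113.4 (TEST-NET-3), constructed values */
        .addr = { 0xCB007101u, 0xCB007102u, 0xCB007103u, 0xCB007104u },
    };
    struct worker w = { .pool = &pool, .iters = iters };
    pthread_t tid[64];

    atomic_init(&pool.pidx, 0);
    for (int i = 0; i < POOL_SIZE; i++)
        atomic_init(&w.hits[i], 0);
    if (nthreads > 64)
        nthreads = 64;
    for (unsigned int t = 0; t < nthreads; t++)
        if (pthread_create(&tid[t], NULL, worker_run, &w) != 0)
            return 0;
    for (unsigned int t = 0; t < nthreads; t++)
        pthread_join(tid[t], NULL);

    unsigned long expect = (unsigned long)nthreads * iters;
    if (atomic_load(&pool.pidx) != expect)
        return 0;
    for (int i = 0; i < POOL_SIZE; i++)
        if (atomic_load(&w.hits[i]) != expect / POOL_SIZE)
            return 0;
    return 1;
}
```

With rr_next_racy substituted into worker_run, lost updates typically hand the same slot to several concurrent callers and the per-slot counts stop coming out equal, which is the symptom an unlocked pool index produces.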