From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 127814] [pf] The flush in pf_reload in /etc/rc.d/pf does not work as intended
Date: Mon, 13 Apr 2015 22:51:27 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=127814

longwitz@incore.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |longwitz@incore.de

--- Comment #2 from longwitz@incore.de ---
I would like to revise my proposal to fix pf_reload. What is correct is that

    pfctl -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp

works like pfctl -Fosfp. But instead of fixing this in pfctl or the pf script, this call of pfctl should be deleted completely. Otherwise running connections could be broken by pf_reload. Continuing from the patch given in PR 119874, I now prefer:

--- pf.orig 2015-03-13 12:00:34.000000000 +0100
+++ pf 2015-04-14 00:31:56.513032000 +0200
@@ -46,16 +46,13 @@ pf_check() { echo "Checking pf rules." - $pf_program -n -f "$pf_rules" + $pf_program -n -f "$pf_rules" $pf_flags } pf_reload() { echo "Reloading pf rules." - $pf_program -n -f "$pf_rules" || return 1 - # Flush everything but existing state entries that way when - # rules are read in, it doesn't break established connections. - $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1 + $pf_program -n -f "$pf_rules" $pf_flags || return 1 $pf_program -f "$pf_rules" $pf_flags }

Further, we should avoid breaking connections on skipped interfaces while reloading pf rules. The patch given in http://lists.freebsd.org/pipermail/freebsd-pf/2013-April/006994.html does this job and works in FreeBSD 10 too.

-- 
You are receiving this mail because:
You are the assignee for the bug.

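Review bot: removing the "-Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp" line in pf_reload() changes more than the comment above it claimed to protect: loading "$pf_rules" replaces the rules, NAT, queue and table definitions that appear in the file, but whatever that flush used to clear and the file does not redefine (the -FSources source-tracking entries, the -Finfo counters, tables only ever filled at run time) now survives a reload. Keeping source-tracking entries is consistent with the stated goal of not breaking running connections, but that is a behaviour change for anyone who relied on pf_reload to reset them, so the commit message should say so explicitly, or pf_reload should keep an explicit "$pf_program -FSources" if that is not wanted. Adding $pf_flags to the "-n" check in both pf_check() and pf_reload() is the right fix: with the old lines, a flag that affects how the file parses (a -D macro definition, for instance) was applied to the real load but not to the check that gates it, so the check could fail on a file that loads fine. $pf_flags is correctly left unquoted so that several flags split into separate arguments, matching the surviving "$pf_program -f "$pf_rules" $pf_flags" line.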
From: "gnn (George Neville-Neil)"
To: freebsd-pf@freebsd.org
Subject: [Differential] [Updated] D1944: PF and VIMAGE fixes
Date: Tue, 14 Apr 2015 14:30:51 +0000

gnn added a comment.

Any update on this?

REVISION DETAIL
  https://reviews.freebsd.org/D1944

To: nvass-gmx.com, bz, zec, trociny, glebius, rodrigc, kristof, gnn
Cc: freebsd-virtualization, freebsd-pf, freebsd-net


Subject: FREE, Shipment delivery problem #00476791
To: freebsd-pf@freebsd.org
Date: Wed, 15 Apr 2015 09:10:08 -0700
From: "FedEx International Economy"

Dear Free,

Courier was unable to deliver the parcel to you.
Shipment Label is attached to this email.

Sincerely,
Charles Bass,
FedEx Operation Manager.


Date: Sat, 18 Apr 2015 20:57:58 +0200
From: Daniel Haid
To: freebsd-pf@freebsd.org
Subject: NAT fails to correctly translate udp port numbers embedded in certain ICMP error packets
Message-ID: <20150418205758.6710b3bc@paperino>

Hi,

I think I found a bug in the NAT of the packet filter, but I am not sure. My setup is as follows.

    client (linux)
         |
         |   bridge0, mtu=1500
         |
    pfsense 2.2.2 (FreeBSD 10.1-RELEASE-p9)
         |
         |   pppoe0, mtu=1492
         |
    internet

On the client, I run the following command:

    # nping --udp 8.8.8.8 -g 10000 -p 20000 --data-length 1472 --df

This generates five UDP packets of IP length 1500, sets the do-not-fragment option, and sends them from source port 10000 to destination port 20000. I have verified by packet capture that this really happens. As the MTU of the pppoe link is 1492, the packets cannot reach their destination, so pfsense generates "ICMP fragmentation needed" error packets. I expect five such packets, and I indeed receive five, but the first one (!) seems to be corrupted, as I will now explain.

I run the following command (with the following output) on pfsense:

    # pfctl -s state | grep 10000
    bridge0 udp 8.8.8.8:20000 <- 10.0.0.101:10000       NO_TRAFFIC:SINGLE
    pppoe0 udp 84.112.84.112:59518 (10.0.0.101:10000) -> 8.8.8.8:20000       SINGLE:NO_TRAFFIC

Each of the five ICMP packets should have embedded the header of the respective offending 1500-byte packet. The NAT should appropriately map the port numbers. However, the first packet received from the client has source port 59518 (the untranslated one) in the UDP header embedded in the ICMP packet.
The other four ICMP packets are fine (source port 10000, which is the correct, translated value). Note that this only happens for ICMP error packets originating at the pfsense router itself. ICMP error packets of the same type but from a router in the public internet are always translated correctly (all five!) before being forwarded to the client.

For reference, I have added the output of pfctl -s nat below.

--DH

    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on pppoe0 inet from 127.0.0.0/8 to any port = isakmp -> 84.112.84.112 static-port
    nat on pppoe0 inet from 10.0.0.0/24 to any port = isakmp -> 84.112.84.112 static-port
    nat on pppoe0 inet from 127.0.0.0/8 to any -> 84.112.84.112 port 1024:65535
    nat on pppoe0 inet from 10.0.0.0/24 to any -> 84.112.84.112 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr-anchor "miniupnpd" all


Date: Sat, 18 Apr 2015 21:52:58 +0200
From: Daniel Haid
To: freebsd-pf@freebsd.org
Subject: Re: NAT fails to correctly translate udp port numbers embedded in certain ICMP error packets
Message-ID: <20150418215258.04ae6c8b@paperino>
In-Reply-To: <20150418205758.6710b3bc@paperino>

Hi,

I have just seen that pfSense seems to significantly modify FreeBSD, including the packet filter, so that posting to this list is probably not appropriate. I have taken the issue to the pfSense bugtracker now.

--DH
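The rewrite that the report above expects the NAT to perform on the first ICMP error, as an added example in Python; this is neither code from the report nor from pf or pfSense. It builds the 1500-byte DF datagram, the outbound translation shown by "pfctl -s state", the "fragmentation needed" error a router generates when the translated packet does not fit the 1492-byte link, and then the untranslation pf has to apply to the quoted header before the error reaches 10.0.0.101, including the three checksums that change (the quoted IP header can be recomputed, the quoted UDP header is truncated to 8 bytes and can only be adjusted incrementally, and the outer ICMP checksum covers both). Addresses, ports and MTUs come from the report; the router's LAN address 10.0.0.1, the IP identification, the payload bytes and the dictionary standing in for pf's state table are assumptions.

```python
import struct
from ipaddress import IPv4Address

ICMP_UNREACH, CODE_FRAG_NEEDED, PROTO_ICMP, PROTO_UDP = 3, 4, 1, 17
INSIDE, OUTSIDE, REMOTE = "10.0.0.101", "84.112.84.112", "8.8.8.8"  # from the report
ROUTER_LAN = "10.0.0.1"  # assumed LAN address of the pfSense box (not given in the report)

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; data that already carries its checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def adjust_checksum(old: int, old_words: list, new_words: list) -> int:
    """RFC 1624 incremental update: the quoted UDP header is cut to 8 bytes, so adjust, never recompute."""
    c = (~old) & 0xFFFF
    for o, n in zip(old_words, new_words):
        c += ((~o) & 0xFFFF) + n
    while c >> 16:
        c = (c & 0xFFFF) + (c >> 16)
    return (~c) & 0xFFFF

def ipv4_header(src, dst, proto, total_len, ident=0, df=False, ttl=64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000 if df else 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def udp_datagram(src, dst, sport, dport, payload: bytes) -> bytes:
    length = 8 + len(payload)
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, PROTO_UDP, length)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    return hdr[:6] + struct.pack("!H", checksum(pseudo + hdr + payload) or 0xFFFF) + payload

def icmp_frag_needed(router, dst, offending: bytes, next_hop_mtu: int) -> bytes:
    """Type 3 code 4 (RFC 792/1191): ICMP header with next-hop MTU, then offending IP header + 8 bytes."""
    ihl = (offending[0] & 0xF) * 4
    body = struct.pack("!BBHHH", ICMP_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu) + offending[:ihl + 8]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(router, dst, PROTO_ICMP, 20 + len(body)) + body

def quoted_udp_source(pkt: bytes) -> tuple:
    """(source address, source port) quoted inside an ICMP error: the field the report inspected."""
    icmp = pkt[(pkt[0] & 0xF) * 4:]
    l4 = 8 + (icmp[8] & 0xF) * 4
    return str(IPv4Address(bytes(icmp[20:24]))), struct.unpack("!H", icmp[l4:l4 + 2])[0]

def nat_untranslate_icmp_error(pkt: bytes, state: dict) -> bytes:
    """The step the report says is skipped for the first error: match the quoted (already translated)
    flow against NAT state, rewrite the quoted source back to the inside address/port, fix checksums."""
    ihl = (pkt[0] & 0xF) * 4
    icmp = bytearray(pkt[ihl:])
    if icmp[0] != ICMP_UNREACH:
        return pkt
    q, l4 = 8, 8 + (icmp[8] & 0xF) * 4             # quoted IP header / quoted transport header
    src, dst = (str(IPv4Address(bytes(icmp[i:i + 4]))) for i in (q + 12, q + 16))
    sport, dport = struct.unpack("!HH", icmp[l4:l4 + 4])
    key = (icmp[q + 9], src, sport, dst, dport)    # (proto, src, sport, dst, dport)
    if key not in state:
        return pkt                                 # no state for this flow: forward unchanged
    in_addr, in_port = state[key]
    old_words = list(struct.unpack("!HH", icmp[q + 12:q + 16])) + [sport]
    new_words = list(struct.unpack("!HH", IPv4Address(in_addr).packed)) + [in_port]
    icmp[q + 12:q + 16] = IPv4Address(in_addr).packed
    icmp[l4:l4 + 2] = struct.pack("!H", in_port)
    icmp[q + 10:q + 12] = b"\x00\x00"              # quoted IP header is complete: recompute
    icmp[q + 10:q + 12] = struct.pack("!H", checksum(bytes(icmp[q:l4])))
    old_csum = struct.unpack("!H", icmp[l4 + 6:l4 + 8])[0]
    if key[0] == PROTO_UDP and old_csum:           # UDP checksum 0 means "none"; otherwise adjust
        icmp[l4 + 6:l4 + 8] = struct.pack("!H", adjust_checksum(old_csum, old_words, new_words) or 0xFFFF)
    icmp[2:4] = b"\x00\x00"                        # outer ICMP checksum covers the quote: recompute
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return pkt[:ihl] + bytes(icmp)

def checksums_valid(pkt: bytes) -> bool:
    """Outer IP header, ICMP message and quoted IP header all verify to 0."""
    ihl = (pkt[0] & 0xF) * 4
    icmp = pkt[ihl:]
    return checksum(pkt[:ihl]) == 0 and checksum(icmp) == 0 and checksum(icmp[8:8 + (icmp[8] & 0xF) * 4]) == 0

def scenario() -> dict:
    """Replay of the report: the 1500-byte DF datagram is NATed to 84.112.84.112:59518, exceeds the
    1492-byte pppoe0 MTU, and the router itself generates the error, so it quotes the translated packet."""
    payload = bytes(i & 0xFF for i in range(1472))  # constructed; 20 + 8 + 1472 = 1500 bytes
    inside = (ipv4_header(INSIDE, REMOTE, PROTO_UDP, 1500, ident=0x2A2A, df=True)
              + udp_datagram(INSIDE, REMOTE, 10000, 20000, payload))
    translated = (ipv4_header(OUTSIDE, REMOTE, PROTO_UDP, 1500, ident=0x2A2A, df=True)
                  + udp_datagram(OUTSIDE, REMOTE, 59518, 20000, payload))
    error = icmp_frag_needed(ROUTER_LAN, INSIDE, translated, next_hop_mtu=1492)
    state = {(PROTO_UDP, OUTSIDE, 59518, REMOTE, 20000): (INSIDE, 10000)}  # as in "pfctl -s state"
    fixed = nat_untranslate_icmp_error(error, state)
    return {
        "before": quoted_udp_source(error),  # what the report saw in the first error
        "after": quoted_udp_source(fixed),   # what the client must see
        "checksums_valid": checksums_valid(fixed),
        "quoted_udp_csum_matches_inside": fixed[54:56] == inside[26:28],
    }
```

scenario() returns the quoted source before and after untranslation together with two checks: every checksum the rewrite touched verifies, and the incrementally adjusted UDP checksum in the quote equals the checksum the client itself put on the original datagram, which is what a capture on the client side would have to show for the first error as well as the other four.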