From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
To: Joerg Pulz
Cc: freebsd-pf@freebsd.org
Date: Mon, 21 May 2012 18:50:37 +0200
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Message-ID: <20120521165037.GA29536@insomnia.benzedrine.cx>
In-Reply-To: <201205211420.q4LEK4ds039516@freefall.freebsd.org>

On Mon, May 21, 2012 at 02:20:04PM +0000, Joerg Pulz wrote:

> ext_if="bge0"
> int_if="bge1"
> vpn_net="10.1.1.0/24"
> srv_net="172.16.1.0/24"
> gw_addr="172.16.1.254"
>
> scrub in all
>
> pass out on $ext_if route-to ($int_if $gw_addr) from $vpn_net to any keep state
> pass out on $int_if route-to ($int_if $gw_addr) from $vpn_net to $srv_net keep state

So something from $vpn_net comes in, gets routed to the default gateway (on $ext_if side), attempts to pass out on $ext_if, matches the first rule, route-to applies, packet gets re-routed to $gw_addr, passes out on $int_if, matches the second rule, double route-to.

All you need to do is prevent the second rule from applying for packets where the first rule matched, like with tags:

  pass out on $ext_if route-to ($int_if $gw_addr) from $vpn_net to any keep state tag from_vpn
  pass out on $int_if route-to ($int_if $gw_addr) from $vpn_net to $srv_net keep state
  pass out on $int_if from $vpn_net to $srv_net keep state tagged from_vpn

i.e. you add 'tag from_vpn' to the first rule, so packets matching it get tagged, then you add a third rule without route-to that applies to tagged packets, which wins last-match for such packets.

Or, instead of adding a third rule, add '! tagged from_vpn' to the second rule, if tagged packets can still pass out on $int_if by another rule.

Kind regards,
Daniel
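The reasoning in the reply above, as an added illustration that is not part of the original message or of pf itself: a toy model of pf's last-matching-rule evaluation with tag/tagged, walking one constructed packet (10.1.1.5 -> 172.16.1.10) out bge0 and then, after route-to, out bge1, and counting how many times route-to is applied for the original ruleset, the three-rule tagged ruleset, and the '! tagged' variant.

```python
# Constructed simulation of pf's "last matching rule wins" evaluation with
# tag / tagged / ! tagged, to show why the original two route-to rules both
# fire and the tagged variants do not. Not pf's code; interface names,
# networks and the sample packet come from the thread or are made up here.
from ipaddress import ip_address, ip_network

VPN_NET, SRV_NET = ip_network("10.1.1.0/24"), ip_network("172.16.1.0/24")
ANY = ip_network("0.0.0.0/0")

def rule(iface, src, dst, route_to=False, tag=None, tagged=None, not_tagged=None):
    return dict(iface=iface, src=src, dst=dst, route_to=route_to,
                tag=tag, tagged=tagged, not_tagged=not_tagged)

# The rulesets discussed in the reply (macros expanded).
ORIGINAL = [rule("bge0", VPN_NET, ANY, route_to=True),
            rule("bge1", VPN_NET, SRV_NET, route_to=True)]
TAGGED = [rule("bge0", VPN_NET, ANY, route_to=True, tag="from_vpn"),
          rule("bge1", VPN_NET, SRV_NET, route_to=True),
          rule("bge1", VPN_NET, SRV_NET, tagged="from_vpn")]
NEGATED = [rule("bge0", VPN_NET, ANY, route_to=True, tag="from_vpn"),
           rule("bge1", VPN_NET, SRV_NET, route_to=True, not_tagged="from_vpn")]

def last_match(rules, iface, src, dst, tags):
    """pf semantics without 'quick': the last rule that matches wins."""
    winner = None
    for r in rules:
        if r["iface"] != iface or src not in r["src"] or dst not in r["dst"]:
            continue
        if r["tagged"] and r["tagged"] not in tags:
            continue
        if r["not_tagged"] and r["not_tagged"] in tags:
            continue
        winner = r
    return winner

def route_to_count(rules, src="10.1.1.5", dst="172.16.1.10"):
    """Send the packet out bge0 (default gateway side); if route-to applies it
    is re-routed out bge1 towards $gw_addr. Return how often route-to fired."""
    src, dst, tags, count, iface = ip_address(src), ip_address(dst), set(), 0, "bge0"
    while iface:
        r = last_match(rules, iface, src, dst, tags)
        if r is None:
            break                       # no pass rule on this hop; stop here
        if r["tag"]:
            tags.add(r["tag"])          # 'tag' marks the packet for later rules
        if not r["route_to"]:
            break                       # plain pass: packet leaves normally
        count += 1
        iface = "bge1" if iface == "bge0" else None  # route-to ($int_if $gw_addr)
    return count
```

Running route_to_count over the three rulesets gives 2 for ORIGINAL (the double route-to) and 1 for both TAGGED and NEGATED.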