From: "Peter Maxwell" <allicient3141@googlemail.com>
Date: Sun, 23 Nov 2008 00:54:43 +0000
To: freebsd-pf@freebsd.org
In-Reply-To: <200811231018.28601.darius@dons.net.au>
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP

I have only skim-read the bug report; however, the report says "every second connection", which sounds like what happens when you have outgoing connections from an interface that has two IPs assigned (I got bitten by this when using IPSec over an interface that had two IPs assigned). Except this time the first IP is of course no longer routable, which is consistent with the observed behaviour.

So, while necessary, I would doubt clearing the state table would do anything other than (possibly) fix the existing connections, as any new connections have a 50% chance of having the old IP as their source IP.

I'm assuming that ALL incoming connections are processed fine? pf is obviously working with the ($ext/if) syntax, as it sounds like it's picking up the new IP.

Looks like a bug to me.

2008/11/22 Daniel O'Connor <darius@dons.net.au>:
> On Sunday 23 November 2008 08:42:48 Chris Buechler wrote:
>> On Fri, Nov 21, 2008 at 9:25 PM, wrote:
>> > Old Synopsis: pf doesn't forget the old tun IP
>> > New Synopsis: [pf] [tun] pf doesn't forget the old tun IP
>>
>> This sounds like the expected behavior, not a bug. You have to kill
>> your states when your WAN IP changes or else traffic will continue to
>> be translated via the existing state.
>
> I have tried to use -k $oldip but it doesn't fix the problem :(
>
> Also, I don't think it is sensible behaviour - if my IP changes any
> connections are going to die because the other ends of the link will be
> sending traffic to the old IP.
>
> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
>
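The thread turns on whether `pfctl -k $oldip` actually reaches every state that still carries the old tun address. A practitioner chasing this would first list the states that reference the old address at all, on either side of the connection, and only then decide what to kill. The script below is an added example written for this thread; it is not code from the bug report, from the posters, or from FreeBSD. It parses text in the layout of `pfctl -ss` (the sample is constructed, with documentation-range addresses), reports every state that still mentions the old address in any position, and derives the pfctl invocations that would cover them. The point it makes beyond the thread: a single `-k host` matches states by their source side, so states where the old address is the destination (inbound connections) need the two-argument form `pfctl -k 0.0.0.0/0 -k host` described in pfctl(8). The reading of the arrow (`A -> B` means A is the source, `A <- B` means B is the source) and the treatment of a parenthesised address as the translated counterpart of the address before it are assumptions about the output format.

```python
"""Find pf states that still reference an address an interface no longer
holds, and derive the pfctl -k invocations that would clear them.

Added example for the kern/129060 thread, not project code.  The state
listing below is CONSTRUCTED in the layout of `pfctl -ss`; the arrow and
parenthesis conventions are assumptions about that layout.
"""
import re
from dataclasses import dataclass

# Constructed sample: tun0 used to hold 203.0.113.10 and now holds
# 203.0.113.20.  Line 3 is an inbound connection (old address on the
# receiving side); line 4 is a NAT state whose translated counterpart
# appears in parentheses.
SAMPLE_STATES = """\
all tcp 203.0.113.10:50213 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.20:50214 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:22 <- 192.0.2.44:61001       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:53 (10.0.0.5:40001) -> 198.51.100.53:53       MULTIPLE:MULTIPLE
all tcp 10.0.0.5:40002 (203.0.113.20:40002) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
"""

# IPv4 address followed by a port, as pfctl prints each endpoint.
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


@dataclass
class State:
    proto: str
    src: list  # addresses on the sending side (wire address and any translated one)
    dst: list  # addresses on the receiving side
    raw: str


def parse_states(text):
    """Parse `pfctl -ss`-style lines into State records; skips non-state lines."""
    states = []
    for line in text.splitlines():
        line = line.strip()
        if " -> " in line:
            left, right = line.split(" -> ", 1)
            left_is_src = True
        elif " <- " in line:
            left, right = line.split(" <- ", 1)
            left_is_src = False
        else:
            continue
        parts = left.split(None, 2)  # "<ifname|all>", proto, endpoint(s)
        if len(parts) < 3:
            continue
        proto = parts[1]
        left_addrs = [a for a, _ in ADDR.findall(parts[2])]
        right_addrs = [a for a, _ in ADDR.findall(right)]
        if left_is_src:
            states.append(State(proto, left_addrs, right_addrs, line))
        else:
            states.append(State(proto, right_addrs, left_addrs, line))
    return states


def stale_states(text, old_ip):
    """States that still reference old_ip on either side, translated or not."""
    return [s for s in parse_states(text) if old_ip in s.src or old_ip in s.dst]


def kill_commands(text, old_ip):
    """pfctl -k invocations needed to cover every stale state.

    `pfctl -k HOST` matches states whose source is HOST; states where HOST
    is the destination need the two-argument form with 0.0.0.0/0 as the
    source wildcard (pfctl(8)).
    """
    stale = stale_states(text, old_ip)
    cmds = []
    if any(old_ip in s.src for s in stale):
        cmds.append(f"pfctl -k {old_ip}")
    if any(old_ip in s.dst for s in stale):
        cmds.append(f"pfctl -k 0.0.0.0/0 -k {old_ip}")
    return cmds


if __name__ == "__main__":
    old = "203.0.113.10"
    for s in stale_states(SAMPLE_STATES, old):
        side = "source" if old in s.src else "destination"
        print(f"stale ({side}): {s.raw}")
    for cmd in kill_commands(SAMPLE_STATES, old):
        print("would run:", cmd)
```

On a live system the sample text would be replaced by the output of `pfctl -ss`; the script only prints the commands rather than executing them, so the operator sees which states a plain `-k $oldip` would leave behind before touching the state table.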