From owner-freebsd-pf@FreeBSD.ORG Mon Nov 25 11:06:54 2013
Date: Mon, 25 Nov 2013 11:06:53 GMT
Message-Id: <201311251106.rAPB6rtA089948@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/182401  pf         [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf         [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

56 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Nov 29 12:28:45 2013
Date: Fri, 29 Nov 2013 14:28:27 +0200
From: "Ian FREISLICH"
To: freebsd-pf@freebsd.org
Subject: icmp-type echoreq not matching resulting ttl exceeded

Hi

At some point this stopped working.  I was able to use traceroute -I.
This rule let the echo request out and the resulting TTL exceeded
was matched and allowed back in.

pass out inet proto icmp from to any icmp-type echoreq

I've had to change the rule to the following to keep traceroute going:

pass out inet proto icmp from to any

Ian

--
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 29 13:13:03 2013
Date: Fri, 29 Nov 2013 14:13:01 +0100
From: Ermal Luçi
To: Ian FREISLICH
Cc: "freebsd-pf@freebsd.org"
Subject: Re: icmp-type echoreq not matching resulting ttl exceeded

On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH wrote:
> Hi
>
> At some point this stopped working.  I was able to use traceroute -I.
> This rule let the echo request out and the resulting TTL exceeded
> was matched and allowed back in.
>

Which FreeBSD version are you testing this on?
Normally it should just work unless the reply src ip is different from your
sent dstip.

> pass out inet proto icmp from to any icmp-type echoreq
>
> I've had to change the rule to the following to keep traceroute going:
>
> pass out inet proto icmp from to any
>
> Ian
>
> --
> Ian Freislich

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 29 15:23:30 2013
Date: Fri, 29 Nov 2013 16:23:29 +0100
From: Ermal Luçi
To: Ian FREISLICH
Cc: "freebsd-pf@freebsd.org"
Subject: Re: icmp-type echoreq not matching resulting ttl exceeded

On Fri, Nov 29, 2013 at 2:53 PM, Ian FREISLICH wrote:
> Ermal Luçi wrote:
> > On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH wrote:
> > > At some point this stopped working.  I was able to use traceroute -I.
> > > This rule let the echo request out and the resulting TTL exceeded
> > > was matched and allowed back in.
> >
> > Which FreeBSD version are you testing this on?
> > Normally it should just work unless the reply src ip is different from
> > your sent dstip.
>
> I'm using 11.0-CURRENT #41 r258736 and if-bound state.  This doesn't
> work from the host or from a host on any interface that has the
> rule:
>

Have you tried whether it succeeds when you relax the if-bound rule?
Other than that the code is similar there on all pf versions for matching
icmp state based on these specific returns.

> > pass out inet proto icmp from to any icmp-type echoreq
>
> All interfaces have 'pass in all'
>
> So for instance a host on vlan21 cannot traceroute to a host off vlan23:
>
> [rv1.jnb1] ~ $ traceroute -w1 -I router.lsn102
> traceroute to router.lsn102.gp-online.net (41.154.14.81), 64 hops max, 72 byte packets
>  1  firewall1.vlan21.jnb1.gp-online.net (41.154.0.58)  0.195 ms  0.152 ms  0.169 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  bridge1.router.lsn102.gp-online.net (41.154.14.81)  4.080 ms  5.859 ms  6.832 ms
>
> However, the traffic is not being denied, or at least it's not being
> logged and all my block rules log.
>
> When the source interface does not have the rule
> pass out inet proto icmp from to any icmp-type echoreq
> then the traceroute is successful.
>
> Ian
>
> --
> Ian Freislich

--
Ermal
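The mechanism the thread turns on, shown as an added example that is not part of the mailing-list posts and is not pf's own code: a `traceroute -I` probe is an ICMP echo request, but the "time exceeded" that comes back is sent by an intermediate router, so its outer source address is not the address the probe was sent to. A stateful filter can therefore only tie the error to the outbound `icmp-type echoreq` state by parsing the original datagram quoted inside the ICMP error (IP header plus the first 8 bytes, per RFC 792) and keying on the inner source, destination and echo identifier. The script below builds both packets in pure Python, derives the state key from each side, and models the if-bound versus floating state policy Ermal suggests relaxing: with if-bound state the reply only matches on the interface the state was created on. All addresses, interface names and the identifier are constructed for the example; the state key is a simplification of what pf actually stores.

```python
"""Match an ICMP time-exceeded reply to the echo-request state it belongs to.

Constructed example: addresses are documentation ranges, interface names
and the echo identifier are made up, and the state key is simplified.
"""
import ipaddress
import struct

IPPROTO_ICMP = 1
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) carrying ICMP, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, IPPROTO_ICMP, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def echo_request_packet(src: str, dst: str, ttl: int, ident: int, seq: int) -> bytes:
    """IPv4 + ICMP echo request, the probe `traceroute -I` sends with a low TTL."""
    payload = b"traceroute-probe"
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    icmp = hdr[:2] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[4:] + payload
    return ipv4_header(src, dst, ttl, len(icmp)) + icmp


def time_exceeded_packet(router: str, original: bytes) -> bytes:
    """ICMP type 11 from `router` to the original sender, quoting the original
    IP header plus the first 8 bytes of its payload, as RFC 792 requires."""
    original_src = str(ipaddress.IPv4Address(original[12:16]))
    quote = original[:28]
    hdr = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0)
    icmp = hdr[:2] + struct.pack("!H", inet_checksum(hdr + quote)) + hdr[4:] + quote
    return ipv4_header(router, original_src, 64, len(icmp)) + icmp


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); rejects anything that is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated IPv4 header")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def state_key_for_outbound_echo(pkt: bytes):
    """Key recorded when an `icmp-type echoreq` rule passes the probe out."""
    src, dst, proto, icmp = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP or len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:
        return None
    return (src, dst, struct.unpack("!H", icmp[4:6])[0])


def state_key_for_icmp_error(pkt: bytes):
    """Key for an ICMP error: the outer source is the router, so the state is
    found from the quoted inner datagram, not from the outer addresses."""
    _, _, proto, icmp = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP or len(icmp) < 8:
        return None
    if icmp[0] not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return None
    inner = icmp[8:]               # skip type, code, checksum, 4 unused bytes
    if len(inner) < 28:            # header + 8 bytes is the minimum quote
        return None
    return state_key_for_outbound_echo(inner)


class StateTable:
    """Entries remember the creating interface; `if_bound` restricts matches
    to that interface, floating state matches on any interface."""
    def __init__(self, if_bound: bool):
        self.if_bound = if_bound
        self.entries = {}

    def add(self, key, iface: str) -> None:
        self.entries[key] = iface

    def matches(self, key, iface: str) -> bool:
        if key is None or key not in self.entries:
            return False
        return (not self.if_bound) or self.entries[key] == iface


def simulate(if_bound: bool, reply_iface: str) -> bool:
    """Probe goes out on vlan23; report whether the router's time-exceeded
    reply arriving on `reply_iface` is matched to that state."""
    probe = echo_request_packet("192.0.2.10", "203.0.113.81", ttl=2, ident=0x1A2B, seq=1)
    table = StateTable(if_bound)
    table.add(state_key_for_outbound_echo(probe), "vlan23")
    reply = time_exceeded_packet("198.51.100.7", probe)
    return table.matches(state_key_for_icmp_error(reply), reply_iface)


if __name__ == "__main__":
    for policy in (False, True):
        for iface in ("vlan23", "vlan21"):
            print("if-bound=%s reply on %s -> match=%s"
                  % (policy, iface, simulate(policy, iface)))
```

Run it to see that the outer source of the error (198.51.100.7) never appears in the state key, yet the reply still matches when the inner quote is used; a reply truncated below the RFC 792 minimum quote yields no key and is not matched, which is the safe failure for a filter. Checking `pfctl -ss` for the outbound ICMP state and its interface is the practical counterpart on a real firewall.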