From owner-freebsd-pf@freebsd.org Sun Nov 13 21:00:32 2016
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 13 Nov 2016 21:00:31 +0000
Message-Id: <201611132100.uADL01nt024834@kenobi.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Mon Nov 14 22:31:01 2016
From: Big Lebowski
Date: Mon, 14 Nov 2016 22:30:59 +0000
Subject: NAT Reflection rules for FreeBSD PF
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org

Hi,

I am trying to set up a 11.0-R PF based NAT for group of jails that needs
to be able to talk to services on other jails, just as if they'd be clients
from outside of the network. Apparently, this is called 'NAT reflection'
and I was able to find examples for OpenBSD PF here:
https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).

Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
$jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
$ext_if external IP?

Regards,
BL

From owner-freebsd-pf@freebsd.org Tue Nov 15 11:47:12 2016
Date: Tue, 15 Nov 2016 12:37:06 +0100
From: Oliver Peter
To: Big Lebowski
Cc: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: Re: NAT Reflection rules for FreeBSD PF
Message-ID: <20161115113705.GB1675@mail.opdns.de>

El duderino,

On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
>
> I am trying to set up a 11.0-R PF based NAT for group of jails that needs
> to be able to talk to services on other jails, just as if they'd be clients
> from outside of the network. Apparently, this is called 'NAT reflection'
> and I was able to find examples for OpenBSD PF here:
> https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
>
> Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> $ext_if external IP?

We did something similar in a customer setup a while ago:

    nat on $int_if from $jail_host to any -> $int_ip
    rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb

Cheers

-- 
Oliver PETER oliver@gfuzz.de 0x456D688F

From owner-freebsd-pf@freebsd.org Tue Nov 15 13:03:55 2016
In-Reply-To: <20161115113705.GB1675@mail.opdns.de>
References: <20161115113705.GB1675@mail.opdns.de>
From: Big Lebowski
Date: Tue, 15 Nov 2016 13:03:54 +0000
Subject: Re: NAT Reflection rules for FreeBSD PF
To: Oliver Peter
Cc: freebsd-pf@freebsd.org, freebsd-net@freebsd.org

On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter wrote:

> El duderino,
>
> On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> >
> > I am trying to set up a 11.0-R PF based NAT for group of jails that needs
> > to be able to talk to services on other jails, just as if they'd be clients
> > from outside of the network. Apparently, this is called 'NAT reflection'
> > and I was able to find examples for OpenBSD PF here:
> > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> >
> > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> > same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> > $ext_if external IP?
>
> We did something similar in a customer setup a while ago:
>
>     nat on $int_if from $jail_host to any -> $int_ip
>     rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
>
> Cheers

Thanks for your response Olivier! Would you mind elaborating on it a bit
more? I don't understand what you're trying to achieve here, since the NAT
doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $int_if
only holds the jail's IP addresses from the $jail_net range. How does that
compare?

Regards,
BL

From owner-freebsd-pf@freebsd.org Tue Nov 15 13:26:18 2016
Date: Tue, 15 Nov 2016 14:26:09 +0100
From: Oliver Peter
To: Big Lebowski
Cc: Oliver Peter, freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: Re: NAT Reflection rules for FreeBSD PF
Message-ID: <20161115132609.GC1675@mail.opdns.de>
References: <20161115113705.GB1675@mail.opdns.de>

On Tue, Nov 15, 2016 at 01:03:54PM +0000, Big Lebowski wrote:
> On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter wrote:
>
> > El duderino,
> >
> > On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> > >
> > > I am trying to set up a 11.0-R PF based NAT for group of jails that needs
> > > to be able to talk to services on other jails, just as if they'd be clients
> > > from outside of the network. Apparently, this is called 'NAT reflection'
> > > and I was able to find examples for OpenBSD PF here:
> > > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> > >
> > > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> > > same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> > > $ext_if external IP?
> >
> > We did something similar in a customer setup a while ago:
> >
> >     nat on $int_if from $jail_host to any -> $int_ip
> >     rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
> >
> > Cheers
>
> Thanks for your response Olivier! Would you mind elaborating on it a bit
> more? I don't understand what you're trying to achieve here, since the NAT
> doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $int_if
> only holds the jail's IP addresses from the $jail_net range. How does that
> compare?

Ah, it could be that this is a bit different since you only have a single
machine, our example was a gateway with two interfaces (ext/int) doing NAT
for some machines behind. Since your packets are created on lo0 and
routed to xn0 it might be different.
Another idea would be to re-route the packets between the two interfaces:
    pass out quick on $ext_if route-to $int_if from ($int_if:network) to $ext_if:network

This might interfere with your regular outgoing traffic; maybe the "to"
part needs a bit tuning. Furthermore I'm not sure about the source
addresses... We have this in production to route some DNS traffic via
VPN.

Split horizon DNS is no option?
Sorry for not being very helpful.

-- 
Oliver PETER oliver@gfuzz.de 0x456D688F

From owner-freebsd-pf@freebsd.org Tue Nov 15 14:49:20 2016
In-Reply-To: <20161115132609.GC1675@mail.opdns.de>
References: <20161115113705.GB1675@mail.opdns.de> <20161115132609.GC1675@mail.opdns.de>
From: Big Lebowski
Date: Tue, 15 Nov 2016 14:49:18 +0000
Subject: Re: NAT Reflection rules for FreeBSD PF
To: Oliver Peter
Cc: freebsd-pf@freebsd.org, freebsd-net@freebsd.org

On Tue, Nov 15, 2016 at 1:26 PM, Oliver Peter wrote:

> On Tue, Nov 15, 2016 at 01:03:54PM +0000, Big Lebowski wrote:
> > On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter wrote:
> >
> > > El duderino,
> > >
> > > On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> > > >
> > > > I am trying to set up a 11.0-R PF based NAT for group of jails that needs
> > > > to be able to talk to services on other jails, just as if they'd be clients
> > > > from outside of the network. Apparently, this is called 'NAT reflection'
> > > > and I was able to find examples for OpenBSD PF here:
> > > > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> > > >
> > > > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> > > > same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > > > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> > > > $ext_if external IP?
> > >
> > > We did something similar in a customer setup a while ago:
> > >
> > >     nat on $int_if from $jail_host to any -> $int_ip
> > >     rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
> > >
> > > Cheers
> >
> > Thanks for your response Olivier! Would you mind elaborating on it a bit
> > more? I don't understand what you're trying to achieve here, since the NAT
> > doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $int_if
> > only holds the jail's IP addresses from the $jail_net range. How does that
> > compare?
>
> Ah, it could be that this is a bit different since you only have a single
> machine, our example was a gateway with two interfaces (ext/int) doing NAT
> for some machines behind. Since your packets are created on lo0 and
> routed to xn0 it might be different.
> Another idea would be to re-route the packets between the two interfaces:
>     pass out quick on $ext_if route-to $int_if from ($int_if:network) to $ext_if:network
>
> This might interfere with your regular outgoing traffic; maybe the "to"
> part needs a bit tuning. Furthermore I'm not sure about the source
> addresses... We have this in production to route some DNS traffic via
> VPN.
>
> Split horizon DNS is no option?
> Sorry for not being very helpful.

No worries, you've been most helpful so far :)

The host has two interfaces, I simply chose lo0 for jails, because I wasn't
aware it would matter, so, if needs be, I can migrate jails IP's from lo0
to xn1 - would it make difference in that I'd now be able to implement the
reflection somehow, or would I need to get the jails out of the host
entirely and make the host to provide gateway functionality only?

Regards,
BL

From owner-freebsd-pf@freebsd.org Wed Nov 16 11:05:30 2016
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=peter.de.com; s=mail; t=1479294326; bh=ZkY+HEF3f0SCEzPq9+dPMCCyOH5RMBgIel1ES52xbJ0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=iMvqIfNecCWHH5v2ean0xcbIXDMrw4sClbg8bkcfofkKPUqyyCfDCmYrOm77JMoj/ ij4rs4QinRTWQKUjODzln5R36JXRjCUBz5B6RcTzqMiEwlZGH8RSAyqJ+T5oUYuwds zhu2ryZopmQVLShuyZsS9u0zWfEFdIQwX+N8xXpA= Date: Wed, 16 Nov 2016 12:05:22 +0100 From: Oliver Peter To: Big Lebowski Cc: Oliver Peter , freebsd-pf@freebsd.org, freebsd-net@freebsd.org Subject: Re: NAT Reflection rules for FreeBSD PF Message-ID: <20161116110522.GD1675@mail.opdns.de> References: <20161115113705.GB1675@mail.opdns.de> <20161115132609.GC1675@mail.opdns.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="zS7rBR6csb6tI2e1" Content-Disposition: inline In-Reply-To: X-Operating-System: Linux 4.4.21-1-pve x86_64 User-Agent: Mutt/1.5.23 (2014-03-12) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2016 11:05:30 -0000 --zS7rBR6csb6tI2e1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Nov 15, 2016 at 02:49:18PM +0000, Big Lebowski wrote: > On Tue, Nov 15, 2016 at 1:26 PM, Oliver Peter wrote: >=20 > > On Tue, Nov 15, 2016 at 01:03:54PM +0000, Big Lebowski wrote: > > > On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter > > wrote: > > > > > > > El duderino, > > > > > > > > On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote: > > > > > > > > > > I am trying to set up a 11.0-R PF based NAT for group of jails th= at > > needs > > > > > to be able to talk to services on other jails, just as if they'd = be > > > > clients > > > > > from outside of the network. 
Apparently, this is called 'NAT > > reflection' > > > > > and I was able to find examples for OpenBSD PF here: > > > > > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page). > > > > > > > > > > Obviously, their syntax doesn't work on FreeBSD PF, so how to > > achieve the > > > > > same thing? How to allow jails NAT'd on $ext_if (xn0) coming from > > > > > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, > > via > > > > the > > > > > $ext_if external IP? > > > > > > > > We did something similar in a customer setup a while ago: > > > > > > > > nat on $int_if from $jail_host to any -> $int_ip > > > > rdr pass on $int_if proto { tcp, udp } from $jail_host to > > $ext_if > > > > port{ $service1, service2 } -> $int_lb > > > > > > > > Cheers > > > > > > Thanks for your response Olivier! Would you mind elaborating on it a = bit > > > more? I don't understand what you're trying to achieve here, since the > > NAT > > > doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $in= t_if > > > only holds the jail's IP addresses from the $jail_net range. How does > > that > > > compare? > > > > Ah, it could be that this is a bit different since you only have a sing= le > > machine, our example was a gateway with two interfaces (ext/int) doing = NAT > > for some machines behind. Since your packets are created on lo0 and > > routed to xn0 it might be different. > > Another idea would be to re-route the packets between the two interface= s: > > pass out quick on $ext_if route-to $int_if from ($int_if:networ= k) > > to $ext_if:network > > > > This might interfere with your regular outgoing traffic; maybe the "to" > > part needs a bit tuning. Furthermore I'm not sure about the source > > addresses... We have this in production to route some DNS traffic via > > VPN. > > > > Split horizon DNS is no option? > > Sorry for not being very helpful. 
>=20 >=20 > No worries, you've been most helpful so far :) >=20 > The host has two interfaces, I simply chose lo0 for jails, because I wasn= 't > aware it would matter, so, if needs be, I can migrate jails IP's from lo0 > to xn1 - would it make difference in that I'd now be able to implement the > reflection somehow, or would I need to get the jails out of the host > entirely and make the host to provide gatefway functionality only? Well, you made me curious about this so I created two jails on a 11-RELEASE test machine with a single external address. jail0 is on lo0 jail1 is on lo1 For outgoing service I have: nat on em0 from lo0:network to any -> ($ext_if) nat on em0 from lo1:network to any -> ($ext_if) The interesting thing here is that /all/ traffic happens on lo0 - even for jail1 which sits on lo1 only - which I don't understand. Furthermore it seems that since the target machine is also the source machine and does not need any routing the packets are not translated but directly routed, I tested this with: rdr pass on lo0 proto tcp from lo1:network to $ext_ip port 2224 -> $jail0 = port 22 jail0 only sees the internal IP since we do not route here. I was thinking about a mixture of PF and IPFW but this is getting nasty now. 
--=20 Oliver PETER oliver@gfuzz.de 0x456D688F --zS7rBR6csb6tI2e1 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlgsPXEACgkQ6LH/IUVtaI/LIACdHdPwKXl0GLm91Kp7pRXEw+Mn ofUAn1ow+dsoP6cEuf565fcdSSGAQ2HM =8pJP -----END PGP SIGNATURE----- --zS7rBR6csb6tI2e1-- From owner-freebsd-pf@freebsd.org Wed Nov 16 16:14:38 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1FF62C458DF; Wed, 16 Nov 2016 16:14:38 +0000 (UTC) (envelope-from stdin@niklaas.eu) Received: from mx.box-hlm-03.niklaas.eu (mx.box-hlm-03.niklaas.eu [84.22.110.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DA70BE48; Wed, 16 Nov 2016 16:14:37 +0000 (UTC) (envelope-from stdin@niklaas.eu) Received: from len-t420.klaas (p200300752F20A37545D3B68A610820A4.dip0.t-ipconnect.de [IPv6:2003:75:2f20:a375:45d3:b68a:6108:20a4]) by mx.box-hlm-03.niklaas.eu (Postfix) with ESMTPSA id AA8CE4F99FA; Wed, 16 Nov 2016 17:14:28 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=niklaas.eu; s=default; t=1479312868; bh=9+Tp8nwwsyCnvDBUYBWpDKjRFN/m4nEuWnvPkK1EG6U=; h=Date:From:To:Subject:Reply-To:References:In-Reply-To; b=czC1T8owx+zyw1AWaT+T/BsLoGbohU3g1DHuIh84TGRJiDaEu3TTKFQvbDolsKlHs SB6J221BKY4Mo4fbNDEjqOYqHLBD80p0WFMpYOWP5tAKvkv6zZ9swCSNAZer1JgrXr o784LjE2ht+xlIHMSzUABOtcQ1VC9YrbhpAiOLgY= Date: Wed, 16 Nov 2016 17:14:26 +0100 From: Niklaas Baudet von Gersdorff To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org Subject: Re: NAT Reflection rules for FreeBSD PF Message-ID: <20161116161426.dxciogunrchqcddm@len-t420.klaas> Reply-To: stdin@niklaas.eu Mail-Followup-To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org References: 
<20161115113705.GB1675@mail.opdns.de> <20161115132609.GC1675@mail.opdns.de> <20161116110522.GD1675@mail.opdns.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="rmyy7ev4fhptnqf3"
Content-Disposition: inline
In-Reply-To: <20161116110522.GD1675@mail.opdns.de>
User-Agent: NeoMutt/20161014 (1.7.1)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Wed, 16 Nov 2016 16:14:38 -0000

--rmyy7ev4fhptnqf3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Oliver Peter [2016-11-16 12:05 +0100]:

> The interesting thing here is that /all/ traffic happens on lo0 - even for
> jail1 which sits on lo1 only - which I don't understand.

I had been wondering about the same thing some while ago:

http://marc.info/?l=freebsd-questions&m=147049889417893&w=2

Unfortunately, on the list we never really clarified why all jail traffic
goes through lo0 and whether that is "a feature or a bug", as Bjoern stated.

Niklaas

--rmyy7ev4fhptnqf3
Content-Type: application/pgp-signature; name="signature.asc"

--rmyy7ev4fhptnqf3--

From owner-freebsd-pf@freebsd.org Fri Nov 18 10:53:43 2016
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27ED6C48752 for ; Fri, 18 Nov 2016 10:53:43 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 17801146E for ; Fri, 18 Nov 2016 10:53:43 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id uAIArgxw055314 for ; Fri, 18 Nov 2016 10:53:42 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 214613] Reloading pf rules breaks connections on lo0
Date: Fri, 18 Nov 2016 10:53:43 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 10.3-STABLE
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: assigned_to keywords
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Fri, 18 Nov 2016 10:53:43 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214613

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org
           Keywords|                            |patch

-- 
You are receiving this mail because:
You are the assignee for the bug.