From owner-freebsd-pf@freebsd.org Sun Dec 4 21:00:31 2016
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 04 Dec 2016 21:00:30 +0000
Message-Id: <201612042100.uB4L01Bu021875@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Mon Dec 5 15:00:51 2016
From: Chris Ross <cross+freebsd@distal.com>
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Problems with FreeBSD (amd64 stable/11) router
Date: Mon, 5 Dec 2016 10:00:33 -0500
Message-Id: <619F01C2-5A20-4E25-AB0B-4064B598239D@distal.com>

Hello all. I recently replaced my router with a FreeBSD/11 box (stable/11 r308579). I am running a lagg device across two bce's, and 802.1q vlan interfaces atop lagg0. I'm using pf to NAT/filter out through a single outside IP address.

I'm having the following problem. Some devices appear to be having trouble passing traffic. Of course, I first assumed I was doing something wrong with my pf filters, but I believe now that's not the problem. One client machine (a TiVo Roamio) that produces a failure reliably, so I've been using it for testing, is showing that during a TCP session, which starts up fine, in the middle of a POST operation to an outside server, there are 1500 byte packets. These packets have the DF bit in the IP header, and then never show up on the external interface (vlan0). Smaller packets in the same TCP stream do. But, I'm also not seeing the ICMP from the router back to the client telling it that it cannot send the packet.

I have tried all sorts of changes to my pf rules, including now allowing all ICMP unconditionally on all interfaces (pass out log quick inet proto icmp all). I have packet traces during the failed communication across pflog0, vlan0 (external network) and vlan7 (internal network). I'd be happy to answer any questions, or provide the traces off-list.

Does anyone have any idea what I've missed? Thank you very much for your help.
  - Chris

From owner-freebsd-pf@freebsd.org Mon Dec 5 16:05:15 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 196314] pf nested inline anchors does not work
Date: Mon, 05 Dec 2016 16:05:15 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 10.0-STABLE
X-Bugzilla-Keywords: patch
X-Bugzilla-Status: New
X-Bugzilla-Who: krichy@cflinux.hu
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Changed-Fields: attachments.created

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196314

--- Comment #6 from krichy@cflinux.hu ---
Created attachment 177689
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=177689&action=edit
more appropriate patch

This patch removes dead code also.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Mon Dec 5 16:59:17 2016
From: Ryan Stone <rysto32@gmail.com>
To: Chris Ross
Cc: freebsd-net, freebsd-pf@freebsd.org
Subject: Re: Problems with FreeBSD (amd64 stable/11) router
Date: Mon, 5 Dec 2016 11:59:16 -0500
In-Reply-To: <619F01C2-5A20-4E25-AB0B-4064B598239D@distal.com>
References: <619F01C2-5A20-4E25-AB0B-4064B598239D@distal.com>

What's the MTU on the bce and vlan interfaces? Does the bce interface show VLAN_MTU option set (in ifconfig)?

On Mon, Dec 5, 2016 at 10:00 AM, Chris Ross wrote:
> [...]

From owner-freebsd-pf@freebsd.org Mon Dec 5 19:10:34 2016
From: Chris Ross <cross+freebsd@distal.com>
To: Ryan Stone
Cc: freebsd-net, freebsd-pf@freebsd.org
Subject: Re: Problems with FreeBSD (amd64 stable/11) router
Date: Mon, 5 Dec 2016 14:10:17 -0500
Message-Id: <8C636365-DD9D-4375-9418-D540D8D13C56@distal.com>
References: <619F01C2-5A20-4E25-AB0B-4064B598239D@distal.com>

> On Dec 5, 2016, at 11:59, Ryan Stone wrote:
>
> What's the MTU on the bce and vlan interfaces? Does the bce interface show VLAN_MTU option set (in ifconfig)?

I had manually set these to try to work out the problem earlier in my experimentation, but am now back (unless I missed something) to the natural MTUs on all interfaces. The vlan's all show 1496, and the bce's (and lagg0) show 1500. The options on each of the bce's show VLAN_MTU, and a few other VLAN_ options.

  - Chris

> On Mon, Dec 5, 2016 at 10:00 AM, Chris Ross wrote:
> [...]

From owner-freebsd-pf@freebsd.org Tue Dec 6 02:21:11 2016
From: boyd yang <boyd.yang@gmail.com>
To: freebsd-pf@freebsd.org
Subject: How to make "divert-to" and "dirvet-reply" work
Date: Tue, 6 Dec 2016 10:21:10 +0800

Hi All,

The "divert-to" and "divert-reply" function seems wonderful in the document:

  man pf.conf

     divert-to port
             Used to redirect packets to a local socket bound to host and
             port.  The packets will not be modified, so getsockname(2) on
             the socket will return the original destination address of the
             packet.

     divert-reply
             Used to receive replies for sockets that are bound to addresses
             which are not local to the machine.  See setsockopt(2) for
             information on how to bind these sockets.

But they do not work. Below two patches do not work either.

  https://lists.freebsd.org/pipermail/freebsd-net/2009-June/022166.html
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188511

How to implement the two functions? My OS is FreeBSD 10.3 amd64.

I want that binding not-local address socket can connect successfully to another server. But now the socket cannot get SYN ACK packet.

From owner-freebsd-pf@freebsd.org Tue Dec 6 14:34:58 2016
From: Ryan Stone <rysto32@gmail.com>
To: Chris Ross
Cc: freebsd-net, freebsd-pf@freebsd.org
Subject: Re: Problems with FreeBSD (amd64 stable/11) router
Date: Tue, 6 Dec 2016 09:34:55 -0500
In-Reply-To: <8C636365-DD9D-4375-9418-D540D8D13C56@distal.com>
References: <619F01C2-5A20-4E25-AB0B-4064B598239D@distal.com> <8C636365-DD9D-4375-9418-D540D8D13C56@distal.com>

Let me confirm I understand what's happening:

1) You want to use your router to vlan-tag traffic from your network, and then send it out of a lagg over bce interfaces. The bce interfaces have their MTU set to 1500 and the vlan interface to 1496

2) The TiVo is sending packets with a payload size of 1500 and the DF bit set.

If this is the case, then the problem is simply that when the packets are passed through the vlan interface, the payload of the packets exceeds the MTU, but as the DF bit is set, the packets cannot be fragmented. Your choices are either to use a 1500 byte MTU on the vlan interface (assuming that the network that you are routing to can accept 1518 byte packets), or only advertise a 1496 byte MTU in your internal network.

On Mon, Dec 5, 2016 at 2:10 PM, Chris Ross wrote:
> [...]

From owner-freebsd-pf@freebsd.org Tue Dec 6 16:37:44 2016
From: Chris Ross <cross+freebsd@distal.com>
To: Ryan Stone
Cc: freebsd-net, freebsd-pf@freebsd.org
Subject: Re: Problems with FreeBSD (amd64 stable/11) router
Date: Tue, 6 Dec 2016 11:37:20 -0500
References: <619F01C2-5A20-4E25-AB0B-4064B598239D@distal.com> <8C636365-DD9D-4375-9418-D540D8D13C56@distal.com>

> On Dec 6, 2016, at 09:34, Ryan Stone wrote:
>
> Let me confirm I understand what's happening:
>
> 1) You want to use your router to vlan-tag traffic from your network, and then send it out of a lagg over bce interfaces. The bce interfaces have their MTU set to 1500 and the vlan interface to 1496

I believe this is correct. All traffic is using vlan interfaces, including the external network connection. But they are all over a lagg on two bce's.

> 2) The TiVo is sending packets with a payload size of 1500 and the DF bit set.
>
> If this is the case, then the problem is simply that when the packets are passed through the vlan interface, the payload of the packets exceeds the MTU, but as the DF bit is set, the packets cannot be fragmented. Your choices are either to use a 1500 byte MTU on the vlan interface (assuming that the network that you are routing to can accept 1518 byte packets), or only advertise a 1496 byte MTU in your internal network.

Perhaps I misunderstood, but I thought that the router should send an ICMP in this case (that it cannot fragment the packets due to the DF bit), which would then cause the TiVo to send smaller packets. But passing that detail for now;

You mention "only advertise a 1496 byte MTU in [my] internal network." I tried doing this by setting an "interface-mtu" option in the DHCP response to the device, but it didn't obey that option. Do you know of another way to "advertise" MTU's on the internal network?

You also mention using a higher MTU on the network. I hadn't thought of this, but presume it would work. I would only need support for that MTU on the bce's, and in the ethernet switches, correct? The ethernet switches I have are Dell PowerConnect 2724 and 2824 switches, which claim to support jumbo frames. I'll have to find out if I have to _do_ anything to support that, but it should work.
Thanks for the suggestion, I'll look into that…

  - Chris
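The thread above turns on one observable fact: a 1500-byte IP packet with DF set cannot be forwarded over a 1496-byte vlan MTU, and the sender should then see an ICMP "unreachable - need to frag" from the router. The following Python script is an added example, not code from Chris, Ryan or FreeBSD, that mechanises the comparison Chris made by hand across his vlan7, vlan0 and pflog0 captures. It parses tcpdump -v style lines (the sample lines, the 192.168.7.0/24 and 203.0.113.0/24 addresses and the 1496/1500 MTU values are all constructed for the example) and reports every DF packet larger than the configured egress MTU for which no need-frag reply to that sender appears in the same capture.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed tcpdump -v lines (not from the thread's traces): a 1500-byte DF
# packet that cannot fit a 1496-byte vlan MTU, a smaller DF packet from the
# same TCP flow, and no ICMP of any kind coming back.
TRACE_NO_ICMP = """\
10:00:01.000001 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.7.50.49152 > 203.0.113.10.443: Flags [.], seq 1:1449, ack 1, win 1024, length 1448
10:00:01.000002 IP (tos 0x0, ttl 64, id 101, offset 0, flags [DF], proto TCP (6), length 1400) 192.168.7.50.49152 > 203.0.113.10.443: Flags [P.], seq 1449:2797, ack 1, win 1024, length 1348
"""

# The same capture plus the need-frag reply a router is expected to send
# (also constructed; 192.168.7.1 plays the router's internal address).
TRACE_WITH_ICMP = TRACE_NO_ICMP + """\
10:00:01.000003 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 576) 192.168.7.1 > 192.168.7.50: ICMP 203.0.113.10 unreachable - need to frag (mtu 1496), length 556
"""

# IP header summary as printed by tcpdump -v: flags, protocol, total length,
# then "src[.port] > dst[.port]:".
IP_RE = re.compile(
    r"flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)
# ICMP type 3 code 4 as printed by tcpdump, carrying the original destination
# and the next-hop MTU the sender should drop to.
NEEDFRAG_RE = re.compile(
    r"ICMP (?P<orig_dst>\d+\.\d+\.\d+\.\d+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    length: int                          # IP total length; this is what the MTU bounds
    df: bool
    needfrag_for: Optional[str] = None   # set on need-frag replies: original destination
    advertised_mtu: Optional[int] = None # set on need-frag replies: MTU the router reported


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump -v line; returns None for lines that are not IP packets."""
    m = IP_RE.search(line)
    if not m:
        return None
    pkt = Packet(m["src"], m["dst"], m["proto"], int(m["length"]), "DF" in m["flags"])
    n = NEEDFRAG_RE.search(line)
    if n:
        pkt.needfrag_for = n["orig_dst"]
        pkt.advertised_mtu = int(n["mtu"])
    return pkt


@dataclass
class Finding:
    status: str                     # "needfrag-sent" or "needfrag-missing"
    src: str
    dst: str
    length: int
    advertised_mtu: Optional[int]   # MTU from the reply, if one was seen


def audit_pmtud(trace: str, egress_mtu: int) -> List[Finding]:
    """Report each DF packet larger than egress_mtu and whether the capture also
    holds a need-frag reply addressed back to its sender for that destination."""
    pkts = [p for p in map(parse_line, trace.splitlines()) if p is not None]
    # Replies are keyed by (host that sent the oversized packet, its original destination).
    replies = {(p.dst, p.needfrag_for): p.advertised_mtu for p in pkts if p.needfrag_for}
    findings: List[Finding] = []
    for p in pkts:
        if p.needfrag_for or not p.df or p.length <= egress_mtu:
            continue
        mtu = replies.get((p.src, p.dst))
        status = "needfrag-sent" if mtu is not None else "needfrag-missing"
        findings.append(Finding(status, p.src, p.dst, p.length, mtu))
    return findings


if __name__ == "__main__":
    for f in audit_pmtud(TRACE_NO_ICMP, 1496):
        print(f)   # one needfrag-missing finding for the 1500-byte packet
    for f in audit_pmtud(TRACE_WITH_ICMP, 1496):
        print(f)   # the same packet, now with needfrag-sent and mtu 1496
```

Run it against a capture taken on the internal interface (vlan7 in the thread) with the egress interface's MTU as the second argument. A needfrag-missing finding means the oversized packet entered the router but no ICMP came back on that side, which narrows the question to whether the router generated the message at all (a pf "pass ... proto icmp" rule only matters once it exists) rather than to the client. With egress_mtu set to 1500, as in Ryan's first suggestion, the same capture produces no findings, which is the quick way to confirm the MTU mismatch is the whole story for that flow.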
From owner-freebsd-pf@freebsd.org Wed Dec 7 14:10:33 2016
Sender: "Raif S. Berent"
Date: Wed, 7 Dec 2016 17:10:21 +0300
From: Beeblebrox
To: freebsd-pf@freebsd.org
Subject: PF TAGged jail traffic fails pass rule on egress
Message-ID: <20161207171021.607579ea@rsbsd.rsb>

Hello,

I have a PF problem with TAG evaluation and am completely stumped. It should be very straightforward, but it's not working. Here's what I'm trying to do:

* I have several jails on cloned lo2
* Allow only specified port traffic to and from each jail
* Block all out-going traffic at egress interface (wan0) unless allowed (use tags here)

I've tested with a very simplified PF ruleset, with consistent failure:

nat on wan0 from !(wan0) -> wan0
## Filters
block drop log on wan0 all
# tested with both combinations below
block drop log on lo2 all \ # set skip on lo0
set skip on lo0 \ # block drop log on lo2 all

## Jail for Unbound + dns-crypt
pass in quick on lo2 proto udp from any to port 53 tag TD
pass out quick on lo2 proto udp from to any (or wan0) port {53,443,2053} tag TD
## PASSING TAGGED PACKETS ##
pass out quick on $ExtIf keep state tagged TD

PF blocks outgoing traffic nevertheless. Rule 0 is "block drop log on wan0 all"

15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576

I tested a different jail with TCP packets, got same:

16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>

The only thing I can think of is that packets are not being tagged, so the "pass out" rule is not evaluated (pfctl -s state confirms no state for those packets). Is there an issue that packets traversing a cloned lo0 interface cannot be tagged?

Unfortunately tcpdump or such tools, as I understand, cannot display the TAG header, so I'm unable to proceed with debugging.
Any ideas?

--
FreeBSD_amd64_11-Stable_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
From owner-freebsd-pf@freebsd.org Wed Dec 7 21:32:47 2016
Subject: Re: PF TAGged jail traffic fails pass rule on egress
To: freebsd-pf@freebsd.org
References: <20161207171021.607579ea@rsbsd.rsb>
From: Ian FREISLICH
Message-ID: <36395078-e9fe-64ce-5506-7ddf82d63c48@capeaugusta.com>
Date: Wed, 7 Dec 2016 16:32:44 -0500
In-Reply-To: <20161207171021.607579ea@rsbsd.rsb>

On 12/07/16 09:10, Beeblebrox via freebsd-pf wrote:
> Hello,
>
> I have a PF problem with TAG evaluation and am completely stumped. It should be very straightforward, but it's not working. Here's what I'm trying to do:
> * I have several jails on cloned lo2
> * Allow only specified port traffic to and from each jail
> * Block all out-going traffic at egress interface (wan0) unless allowed (use tags here)
>
> I've tested with a very simplified PF ruleset, with consistent failure:
>
> nat on wan0 from !(wan0) -> wan0
> ## Filters
> block drop log on wan0 all
> # tested with both combinations below
> block drop log on lo2 all \ # set skip on lo0
> set skip on lo0 \ # block drop log on lo2 all
>
> ## Jail for Unbound + dns-crypt
> pass in quick on lo2 proto udp from any to port 53 tag TD
> pass out quick on lo2 proto udp from to any (or wan0) port {53,443,2053} tag TD
> ## PASSING TAGGED PACKETS ##
> pass out quick on $ExtIf keep state tagged TD

You can add a log parameter to tag rules and watch your pflog0 for evidence of a match. You might find that the packets aren't actually received by the lo2 interface at all.

> PF blocks outgoing traffic nevertheless. Rule 0 is "block drop log on wan0 all"
> 15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
> 15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576
>
> I tested a different jail with TCP packets, got same:
> 16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
>
> The only thing I can think of is that packets are not being tagged, so the "pass out" rule is not evaluated (pfctl -s state confirms no state for those packets). Is there an issue that packets traversing a cloned lo0 interface cannot be tagged?
>
> Unfortunately tcpdump or such tools, as I understand, cannot display the TAG header, so I'm unable to proceed with debugging.
> Any ideas?
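The debugging step Ian proposes, for both the original post and this reply, is an absence check: put `log` on the tag rules (for example `pass in log quick on lo2 ... tag TD`), then see whether a packet that `block drop log on wan0 all` drops was ever logged as passed on lo2. If it was not, it never reached the tagging rule, so `pass out quick ... tagged TD` could never match it, and the tag itself (which tcpdump cannot show, as the poster notes) is not the thing to chase. The Python below is an added example for this page, not code from the thread or from pf; it parses pflog lines in the format quoted above and reports wan0 blocks with no matching lo2 pass. The first three sample lines are the poster's; the fourth, a pass on lo2 logged by a hypothetical rule 5, is constructed to show a successful correlation. Two assumptions are built in: the first number after `rule` is the rule index that `pfctl -vvsr` prints, and because pf's `nat` rewrites the source address (and, unless `static-port` is used, the source port) before the outbound filter on wan0 runs, the lo2 and wan0 sightings of one packet are matched only on protocol, destination address and destination port within a short time window.

```python
"""Correlate pflog output across interfaces to find packets that were
blocked on the egress interface but never passed by the logged tag rule
on the jail interface.

Constructed example, not code from the list thread or from pf.
Assumes pflog lines as printed by tcpdump on pflog0, e.g.
  15:47:35.270564 rule 0..16777216/0(match): block out on wan0: A.B.C.D.port > E.F.G.H.port: UDP, length 768
The first number after "rule" is taken to be the index shown by pfctl -vvsr.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)(?:\.\.\d+)?/\d+"
    r"\((?P<reason>[^)]+)\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Lines 1-3 are the ones quoted in the thread; line 4 is constructed to show
# what a logged tag rule (hypothetical rule 5) on lo2 would look like.
SAMPLE_PFLOG = """\
15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576
16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
16:45:46.411650 rule 5..16777216/0(match): pass out on lo2: 10.0.2.5.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _proto(rest: str) -> str:
    # tcpdump prints "UDP, length N" for UDP and "Flags [..]" for TCP;
    # anything else (ICMP etc.) is keyed by its first word.
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("Flags ["):
        return "tcp"
    return rest.split(",")[0].split()[0].lower()


def parse_pflog_line(line: str) -> Optional[Dict]:
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["t"] = _seconds(e["ts"])
    e["rule"] = int(e["rule"])
    e["sport"] = int(e["sport"])
    e["dport"] = int(e["dport"])
    e["proto"] = _proto(e["rest"])
    return e


def parse_pflog(text: str) -> List[Dict]:
    parsed = (parse_pflog_line(l) for l in text.splitlines() if l.strip())
    return [e for e in parsed if e is not None]


def summarize(entries: List[Dict]) -> Counter:
    """Count hits per (interface, direction, action, rule index)."""
    return Counter((e["iface"], e["dir"], e["action"], e["rule"]) for e in entries)


def untagged_blocks(entries: List[Dict], egress: str = "wan0",
                    ingress: str = "lo2", window: float = 2.0) -> List[Dict]:
    """Blocks on `egress` with no pass logged on `ingress` for the same
    proto/dst/dport within `window` seconds: the tag rule never saw them.
    Source address/port are ignored because nat rewrites them before wan0."""
    passes = [e for e in entries if e["iface"] == ingress and e["action"] == "pass"]
    orphans = []
    for b in entries:
        if b["iface"] != egress or b["action"] != "block":
            continue
        seen = any(p["proto"] == b["proto"] and p["dst"] == b["dst"]
                   and p["dport"] == b["dport"] and abs(p["t"] - b["t"]) <= window
                   for p in passes)
        if not seen:
            orphans.append(b)
    return orphans


if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_PFLOG)
    for key, n in sorted(summarize(entries).items()):
        print("%-5s %-3s %-5s rule %-3d %d packet(s)" % (key + (n,)))
    for o in untagged_blocks(entries):
        print("never passed on lo2: %s %s -> %s:%d" % (o["proto"], o["src"], o["dst"], o["dport"]))
```

Feed it `tcpdump -n -ttt -i pflog0` output captured while the jail generates traffic (`-ttt` is not needed for the parser; it only expects the absolute timestamps shown above). Every line `untagged_blocks` reports is a packet that hit `block drop log on wan0 all` without the logged lo2 tag rule ever firing, which is precisely the "not received by lo2 at all" case Ian raises; if instead the lo2 pass does appear and the wan0 block still follows, the tag was applied and the problem lies in the `tagged TD` rule itself.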
From owner-freebsd-pf@freebsd.org Thu Dec 8 05:39:01 2016
From: Jamain Arjoon
Date: Wed, 7 Dec 2016 21:38:59 -0800
Subject: Ergent
To: freebsd-pf@freebsd.org

Good day

I'm interested in this offer please call me on 0716364737

From owner-freebsd-pf@freebsd.org Sat Dec 10 03:22:58 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 215041] [pf] Handshake to certain (fixed) hosts is dropped
Date: Sat, 10 Dec 2016 03:22:57 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RELEASE
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215041

Mark Linimon changed:

           What    |Removed                   |Added
----------------------------------------------------------------------------
                 CC|freebsd-amd64@FreeBSD.org |
           Assignee|freebsd-bugs@FreeBSD.org  |freebsd-pf@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.