Date: Sun, 8 Jan 2017 15:55:32 +0100
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: freebsd-pf@freebsd.org
Subject: udp - weird behavior of reply-to
Message-ID: <20170108145532.GA17695@plan-b.pwste.edu.pl>

For a long period of time, I have been using reply-to rules for a few TCP and one UDP service which had been introduced for HA reasons and are used quite rarely.

After upgrading to 11-STABLE the rules for TCP traffic work as expected, providing a kind of symmetric routing, but UDP traffic ignores the reply-to directive and the UDP service responds only partially via the default gateway. Worse, only one UDP segment passes in one direction for the UDP service. As a result, the whole communication is broken. PF states look like this:

all udp 88.199.x.x:1197 <- 62.x.y.z:58781       NO_TRAFFIC:SINGLE
all udp 88.199.y.y:1197 -> 62.x.y.z:58781       SINGLE:NO_TRAFFIC

A similar rule for TCP traffic works flawlessly:

all tcp 88.199.x.x:50001 <- 62.x.y.z:56330       ESTABLISHED:ESTABLISHED

It is not an underlying service issue; additional tests were performed using netcat. The rules weren't changed, at least since the machine was running 9-STABLE, and then everything worked correctly. The machine is currently running 11.0-STABLE r311637 compiled for the i386 arch.

Is this a bug that should be officially submitted, or will it no longer be possible to use reply-to for UDP traffic?

-- 
Marek Zarychta
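As an added example (not part of the original post), the following script spots the state pattern reported above in `pfctl -ss` output: an inbound UDP state on one local address paired with an outbound state to the same remote endpoint on a different local address, each stuck at NO_TRAFFIC on one side. It assumes the six-field state layout shown in the message (no NAT column) and runs on a constructed sample built from the quoted lines.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output, modelled on the states quoted in
# the report; the masked addresses are the author's placeholders, not hosts.
SAMPLE_STATES='all udp 88.199.x.x:1197 <- 62.x.y.z:58781       NO_TRAFFIC:SINGLE
all udp 88.199.y.y:1197 -> 62.x.y.z:58781       SINGLE:NO_TRAFFIC
all tcp 88.199.x.x:50001 <- 62.x.y.z:56330       ESTABLISHED:ESTABLISHED
all udp 88.199.x.x:53 <- 10.0.0.5:40000       MULTIPLE:MULTIPLE'

# Reads pf state lines on stdin (the six-field layout: "all proto local dir
# remote srcstate:dststate"). Prints one line per remote endpoint whose
# inbound UDP state and outbound UDP state sit on different local sockets
# while one side of each is NO_TRAFFIC, i.e. the reply left by another path
# instead of matching the existing inbound state.
find_asymmetric_udp() {
    awk '
    $2 == "udp" && $6 ~ /NO_TRAFFIC/ {
        # $3 local socket, $4 direction arrow, $5 remote socket, $6 state pair
        if ($4 == "<-")      in_local[$5]  = $3
        else if ($4 == "->") out_local[$5] = $3
    }
    END {
        for (peer in in_local)
            if ((peer in out_local) && in_local[peer] != out_local[peer])
                printf "%s inbound via %s, reply via %s\n",
                       peer, in_local[peer], out_local[peer]
    }'
}

# Stand-alone run over the constructed sample; on a live system pipe
# `pfctl -ss` into find_asymmetric_udp instead.
printf '%s\n' "$SAMPLE_STATES" | find_asymmetric_udp
```

Healthy UDP states (MULTIPLE:MULTIPLE) and TCP states are ignored, so an empty result means no reply-to asymmetry of this shape is present.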