From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 11:06:49 2012
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 12 Nov 2012 11:06:48 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

47 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 14:40:41 2012
From: Peter McAlpine
To: freebsd-pf@freebsd.org
Date: Fri, 16 Nov 2012 09:40:28 -0500
Subject: Routing return NAT traffic based on interface

Hello,

I am having trouble with routing via pf and would appreciate any help that
can be provided.

My router has a tunnel interface, and an external (internet) interface. I'd
like to NAT any traffic that arrives on the tunnel out to the internet via
the external interface. Any traffic that arrives on the external interface
that is not specifically for the external interface's address should be
sent down the tunnel.

Here's my config:

    data_if = "tap3"
    ext_if = "em0"

    set skip on lo0

    nat on $ext_if from !$ext_if:network to any -> ($ext_if)

    pass in on $ext_if route-to $data_if from any to !$ext_if:network

My motivation is that I am completely unaware of the networks that exist
beyond the tunnel and want to be able to add additional interfaces with
RFC1918 addresses to my router without worrying about whether my IP is
colliding with the IPs past the tunnel. Further, I want the traffic that
arrives on the tunnel to remain in its original state until it leaves on
the external interface.

The issue I'm having is that the 'pass' rule is not being matched (or even
evaluated?). My default gateway on the router is the ext_if and return
traffic is being reverse-translated and then the routing table is sending
it back out ext_if instead of down data_if where I want it to go.

I have also tried rebuilding my kernel and using different routing tables
but I can't get any pass rule to be evaluated for returning NAT traffic.

Thanks in advance for any help you can provide.
-Peter

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 15:21:22 2012
From: Kevin Wilcox
To: Peter McAlpine
Cc: freebsd-pf@freebsd.org
Date: Fri, 16 Nov 2012 10:21:21 -0500
Subject: Re: Routing return NAT traffic based on interface

On 16 November 2012 09:40, Peter McAlpine wrote:

> data_if = "tap3"
> ext_if = "em0"
>
> set skip on lo0
>
> nat on $ext_if from !$ext_if:network to any -> ($ext_if)
>
> pass in on $ext_if route-to $data_if from any to !$ext_if:network

> The issue I'm having is that the 'pass' rule is not being matched (or
> even evaluated?). My default gateway on the router is the ext_if and
> return traffic is being reverse-translated and then the routing table
> is sending it back out ext_if instead of down data_if where I want it
> to go.

That's because that's what your NAT rule is telling it to do. Your rule
says "if I see traffic on the external interface that isn't on the same
network as the external interface, NAT it back out the external interface".

Your pass rule should never be used. Your external interface should never
see traffic coming into it that isn't destined for it. pf is smart enough
to handle the return NAT traffic.

I think you may have a misunderstanding of how NAT works. For simplicity's
sake, I'll use a fake internal network of 10.10.10.0/24 and an outside
Internet IP address of 4.4.4.4. Let's pretend the internal interface has an
IP of 10.10.10.254 and is the gateway for the 10.10.10.0/24 network and that
we will NAT their outbound traffic. Now let's pretend there is a web-server
at 25.25.25.25.

When a computer inside my internal network, let's say 10.10.10.10, wants to
get to 25.25.25.25, it hits the gateway of 10.10.10.254. That router then
NATs the traffic. 25.25.25.25 sees a connection request from 4.4.4.4. It
sends back a reply. The router at 4.4.4.4 sees the return traffic and pf
checks its state table. It then changes the destination for that traffic to
be 10.10.10.10 and passes it out the 10.10.10.254 interface.

The whole point of RFC-1918 is that anyone can re-use those IPs internally
without conflicting with anyone else because the IP seen by everyone else
on the Internet is the *outside* IP.

A pf configuration to do that would look something like:

==================
int_if=tun0
ext_if=em0

set skip on lo

nat on $ext_if from $int_if:network to any -> $ext_if

pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if from any to any keep state
==================

Yes, that is being overly verbose and uses a little older syntax (keep
state, from any to any) but it works on both OpenBSD and FreeBSD, and it
works on every release within the last few years (I still have early 4.x
OpenBSD routers and 7.x FreeBSD routers).

Keep in mind that that configuration is *wide open*.

kmw

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 18:18:47 2012
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Fri, 16 Nov 2012 18:18:47 GMT
Subject: Re: kern/173659: [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test_rule)
Old Synopsis: PF fatal trap on 9.1 (taskq fatal trap on pf_test_rule)
New Synopsis: [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test_rule)

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Nov 16 18:18:38 UTC 2012
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=173659
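A small Python model of the state-first NAT flow Kevin Wilcox describes in his reply above, which also shows why Peter's pass rule is never evaluated for returning NAT traffic: a reply that matches an existing state is reverse-translated and sent back out the interface the state remembers, without the ruleset being consulted again. This is an added illustration, not pf code or anything posted in the thread; the addresses are the sample values from the reply (10.10.10.0/24 on tun0, 4.4.4.4 on em0, 25.25.25.25), the 203.0.113.9 stray source and all port numbers are constructed.

```python
from dataclasses import dataclass

# Constructed sample topology from the reply: LAN 10.10.10.0/24 behind tun0,
# public address 4.4.4.4 on em0.  NatRouter is a toy model, not pf itself.
INT_IF, INT_NET, EXT_IF, EXT_IP = "tun0", "10.10.10.", "em0", "4.4.4.4"


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self):
        # reply 4-tuple -> (original src, original sport, interface replies leave on)
        self.states = {}
        self.next_port = 50000  # constructed; pf picks from its own port range
        self.ruleset_evaluations = 0

    def handle(self, pkt):
        """Return (packet after translation, outgoing interface, action)."""
        # 1. State lookup comes first: a match is reverse-translated and forwarded
        #    without touching the nat/pass rules, so Peter's pass rule never fires.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            orig_src, orig_sport, out_if = self.states[key]
            back = Packet(pkt.iface, pkt.src, pkt.sport, orig_src, orig_sport)
            return back, out_if, "state-match"
        # 2. No state: evaluate the ruleset.  Only new connections get here.
        self.ruleset_evaluations += 1
        if pkt.iface == INT_IF and pkt.src.startswith(INT_NET):
            # nat on $ext_if from $int_if:network to any -> $ext_if
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.states[(pkt.dst, pkt.dport, EXT_IP, nat_port)] = (pkt.src, pkt.sport, pkt.iface)
            return Packet(EXT_IF, EXT_IP, nat_port, pkt.dst, pkt.dport), EXT_IF, "nat+pass"
        # Anything else without a state (e.g. unsolicited traffic arriving on em0)
        # matches neither pass rule from the reply's ruleset and is dropped.
        return pkt, None, "block"


def demo():
    r = NatRouter()
    out, out_if, a1 = r.handle(Packet(INT_IF, "10.10.10.10", 41234, "25.25.25.25", 80))
    # The web server only ever sees 4.4.4.4 and answers that address.
    back, back_if, a2 = r.handle(Packet(EXT_IF, out.dst, out.dport, out.src, out.sport))
    _, _, a3 = r.handle(Packet(EXT_IF, "203.0.113.9", 40000, EXT_IP, 22))
    return out, out_if, back, back_if, (a1, a2, a3), r.ruleset_evaluations
```

Running demo() shows the reply arriving on em0 leaving again on tun0 addressed to 10.10.10.10, with the ruleset evaluated only for the two stateless packets.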