From owner-freebsd-bugs@FreeBSD.ORG Sat Sep 13 10:00:04 2008
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Sat, 13 Sep 2008 10:00:04 GMT
Resent-Message-Id: <200809131000.m8DA04iv009561@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Andrey Golenischev
Message-Id:
 <200809130956.m8D9uGuZ058445@www.freebsd.org>
Date: Sat, 13 Sep 2008 09:56:16 GMT
From: Andrey Golenischev
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: kern/127345: Problem with PF on FreeBSD7.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Sat, 13 Sep 2008 10:00:04 -0000

>Number: 127345
>Category: kern
>Synopsis: Problem with PF on FreeBSD7.0
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 13 10:00:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Andrey Golenischev
>Release: 7.0-p4
>Organization:
Infocom
>Environment:
FreeBSD testbox 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #0: Fri Sep 5 14:51:15 EEST 2008 megasid@testbox:/usr/src/sys/i386/compile/TESTBOX i386
>Description:
I upgraded this release from 6.2 (just bought a new HDD and installed 7.0, upgraded via freebsd-update and copied all configs). 7.0 is working pretty well, but I get a strange problem with PF. Look at these rules:

    table { 10.0.0.1, 10.0.1.1 }
    block out on vlan0 from any to any
    block out on vlan1 from any to any
    block out on vlan2 from any to any
    pass out on vlan0 from to any
    pass out on vlan1 from to any
    pass out on vlan2 from to any

On FreeBSD 6.2 this scheme is working pretty well. Packets from 10.0.0.1 passed to these VLANs without any problems. When I installed 7.0, some clients started to call me and say that they are pinging 10.0.0.1 and 10.0.1.1 from their PCs but cannot connect by PPTP to these hosts. I spent a lot of time monitoring all my routers and switches for any access lists and so on. But I do not think that something changed in the PF algorithm. When I comment out these "block" lines in PF, clients can connect to PPTP and all is good.
Did something change in PF, and if this is not a bug, how should I change the syntax of these rules? If this is a bug, write my name somewhere on the FreeBSD board like "This man caught a bug in PF" :)
>How-To-Repeat:
Just make a scheme like I describe above.
>Fix:
Hmm.. temporarily I started using ipfw for this scheme.
>Release-Note:
>Audit-Trail:
>Unformatted: