From owner-freebsd-pf@FreeBSD.ORG Wed Aug 1 12:33:27 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DECBA16A418 for ; Wed, 1 Aug 2007 12:33:27 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from pinky.frank-behrens.de (unknown [IPv6:2a01:170:1023:0:211:2fff:fec9:c52d]) by mx1.freebsd.org (Postfix) with ESMTP id 2EFB713C428 for ; Wed, 1 Aug 2007 12:33:26 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from [192.168.20.32] (sun.behrens [192.168.20.32]) by pinky.frank-behrens.de (8.14.1/8.14.1) with ESMTP-MSA id l71CX4Od082534 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NO) for ; Wed, 1 Aug 2007 14:33:04 +0200 (CEST) (envelope-from frank@pinky.sax.de) Message-Id: <200708011233.l71CX4Od082534@pinky.frank-behrens.de> From: "Frank Behrens" To: freebsd-pf@freebsd.org Date: Wed, 01 Aug 2007 14:33:02 +0200 MIME-Version: 1.0 Priority: normal X-mailer: Pegasus Mail for Windows (4.31, DE v4.31 R1) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-Hashcash: 1:24:070801:freebsd-pf@freebsd.org::gR/FaAunG8jWRKbR:000000000002Mez0 Subject: pf eates syn packet? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Aug 2007 12:33:28 -0000 I've been using pf for some weeks (after some years with ipfw) without problems, but see a weird effect now - pf(4) seems to eat a tcp syn packet. ;-) This setup works without problems: - FreeBSD 6.2-STABLE-200705211513 i386 - acts as router, some internal interfaces, one WAN interface (tun0, DSL with pppoe) - NAT for WAN interface The problem appears when - additional WAN interface added (tun2, also DSL with pppoe) - policy based routing added (to test for http port only) # pfctl -s nat nat-anchor "iface2" all nat on tun0 inet from to any -> tun0-address # pfctl -a iface2 -s nat nat inet from !tun2-address to any port = http -> tun2-address pass out quick on tun0 route-to (tun2 tun2-peer) inet from tun2-address to any keep state pass out quick on tun2 route-to (tun0 tun0-peer) inet from tun0-address to any keep state When I try to connect from internal (NATed) host to an external address I see a delay, because the 1st SYN is resent (on internal interface): 13:55:30.256823 IP (tos 0x0, ttl 128, id 35958, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.2923 > 193.99.144.85.80: S, cksum 0x3f22 (correct), 1489020152:1489020152(0) win 65535 13:55:33.266554 IP (tos 0x0, ttl 128, id 35967, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.2923 > 193.99.144.85.80: S, cksum 0x3f22 (correct), 1489020152:1489020152(0) win 65535 13:55:33.325734 IP (tos 0x0, ttl 249, id 7928, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 192.168.50.02.2923: S, cksum 0xc2b3 (correct), 3368657865:3368657865(0) ack 1489020153 win 4320 13:55:33.325857 IP (tos 0x0, ttl 128, id 35968, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.50.02.2923 > 193.99.144.85.80: ., cksum 0x6b49 (correct), ack 1 win 43008 13:55:33.326854 IP (tos 0x0, ttl 128, id 35969, offset 0, flags [DF], proto: TCP (6), length: 137) 192.168.50.02.2923 > 193.99.144.85.80: P 1:98(97) ack 1 win 43008 then the traffic is normal, without any anomaly. On outgoing interface tun2 I see: 13:55:33.266603 IP (tos 0x0, ttl 127, id 35967, offset 0, flags [DF], proto: TCP (6), length: 52) 84.182.234.162.58104 > 193.99.144.85.80: S, cksum 0xfd03 (correct), 1489020152:148902015 2(0) win 65535 13:55:33.325695 IP (tos 0x0, ttl 250, id 7928, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 84.182.234.162.58104: S, cksum 0x8095 (correct), 3368657865:3368657865 (0) ack 1489020153 win 4320 13:55:33.325880 IP (tos 0x0, ttl 127, id 35968, offset 0, flags [DF], proto: TCP (6), length: 40) 84.182.234.162.58104 > 193.99.144.85.80: ., cksum 0x292b (correct), ack 1 win 43008 13:55:33.326872 IP (tos 0x0, ttl 127, id 35969, offset 0, flags [DF], proto: TCP (6), length: 137) 84.182.234.162.58104 > 193.99.144.85.80: P 1:98(97) ack 1 win 43008 So the 1st SYN packet seems to disappear, that creates an additional delay on every connection. Now I my questions come: 1. Does anybody know the reason, is there an error in my setup? 2. Do you believe it is pf(4) related or is it an network stack problem? 3. What can I do to solve the problem? Some more debug output? I can test patches or include some debug code in my kernel. Regards, Frank -- Frank Behrens, Osterwieck, Germany PGP-key 0x5B7C47ED on public servers available.