From: Ermal Luçi <ermal.luci@gmail.com>
To: Adam Strohl
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 May 2012 12:56:18 +0200
Subject: Re: PF "synproxy state" doesn't work on CARP IPs
In-Reply-To: <4FB39A69.2030706@ateamsystems.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, May 16, 2012 at 2:15 PM, Adam Strohl wrote:
> Hello,
>
> I've noticed that when I use "synproxy state" on a rule and a connection
> comes in to an IP on a CARP interface, the connection opens but never gets
> passed on to the process as it should.
>
> For example:
>
> pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
>
> will work fine if I come in to a non-CARP IP. The connection is accepted
> and then brokered to SSHd.
>
> However, on the same machine with the same rule, if I come in to a CARP'd IP
> it connects but hangs (not passed on to SSHd).
>
> If I remove the "synproxy state" portion, the CARP test case works.
>
> I've done a bunch of flipping and testing and it seems that CARP IP + PF
> rule with "synproxy state" doesn't work -- the connection will be accepted
> but not passed on like it should.
>
> Is this known behaviour? Is there a workaround? Anything else anyone
> wants to know?
>

Yeah, it's known behaviour, though I am not sure there is a PR related to it.
I might have a solution, but I am not sure when I can produce a patch for this.

Which FreeBSD version are you on? I thought that with the carp(4) rearrangement
of not using ifnets this solved itself.

> I've noticed this too: the physical interface seems to "include" the CARP
> interfaces associated with it. That above rule I pasted applies to the CARP
> interface even though it's specifying "bce0" as the value for $ext_if (vs. a
> rule for "carp1", etc.). Is that normal/expected?
>
> I did notice in the docs that "synproxy state" doesn't work with bridge
> interfaces; is a CARP interface maybe falling into this category?
>
> Any input/thoughts appreciated!
>
> P.S.
> Please be sure to CC me, I am not subscribed to the PF mailing list.
>
> --
> Adam Strohl
> A-Team Systems
> http://ateamsystems.com/

--
Ermal