From: Ludovit Koren <lk@tempest.sk>
To: freebsd-pf@freebsd.org
Date: Mon, 12 Jun 2006 10:40:13 +0200
Subject: FreeBSD 6.1-RELEASE + PF
Message-ID: <20060612.104013.74757673.lk@tempest.sk>
Hi,

I have a problem setting up PIM and IGMP communication with pf on FreeBSD 6.1-RELEASE.

# pfctl -s state
self igmp 195.28.109.40 -> 224.0.0.2 SINGLE:NO_TRAFFIC
self igmp 195.28.109.40 -> 224.0.0.13 SINGLE:NO_TRAFFIC
self igmp 224.0.0.1 <- 195.28.109.25 NO_TRAFFIC:SINGLE
self igmp 224.0.0.2 <- 195.28.109.40 NO_TRAFFIC:SINGLE
self igmp 224.0.0.13 <- 195.28.109.40 NO_TRAFFIC:SINGLE
self tcp 195.28.109.40:22 -> 195.28.109.37:58349 ESTABLISHED:ESTABLISHED
self udp 255.255.255.255:8225 <- 195.28.109.29:1025 NO_TRAFFIC:SINGLE
self pim 195.28.109.40 -> 224.0.0.13 SINGLE:NO_TRAFFIC
self pim 224.0.0.13 <- 195.28.109.25 NO_TRAFFIC:SINGLE
self pim 224.0.0.13 <- 195.28.109.40 NO_TRAFFIC:SINGLE
self pfsync 195.28.109.40 -> 0.0.0.0 SINGLE:NO_TRAFFIC

xorp immediately starts to give the following message:

[ 2006/06/09 17:13:24 WARNING xorp_fea XrlMfeaTarget ] Handling method for mfea/0.1/send_protocol_message4 failed: XrlCmdError 102 Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif em0) failed: Operation not permitted
[ 2006/06/09 17:13:24 ERROR xorp_pimsm4:18051 PIM +2623 xrl_pim_node.cc mfea_client_send_protocol_message_cb ] Cannot send a protocol message: 102 Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif em0) failed: Operation not permitted

# pfctl -s rules
scrub in all fragment reassemble
block drop in log all
pass in on xl0 inet from to 195.28.126.13 keep state
pass out on xl0 inet from 195.28.126.13 to keep state queue dflt
pass out on xl0 inet from 195.28.126.13 to any keep state queue dflt
pass out on em0 inet all keep state queue dfltem
pass out on em1 inet all keep state queue dfltem1
pass in proto tcp from any to any port = ssh keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 5060 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 port = 8000 to 195.28.109.40 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 port = 8001 to 195.28.109.40 keep state
pass in on em0 inet proto tcp from 195.28.109.36 to 195.28.109.40 port = nut keep state
pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = http keep state
pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = 4445 keep state
pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = http keep state
pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = 4445 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port 9999:20001 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = domain keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4520 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4569 keep state
pass in on em0 all keep state
pass in on em1 all keep state

When I disable the firewall, xorp runs as expected. It does not matter if I add a specific rule for PIM and IGMP or a general one, i.e. let all traffic go through.

Is it a bug in pf or am I doing something wrong?

Any help appreciated.

Regards,

lk
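The state table quoted in the post is the main evidence available when debugging a case like this, so here is a small parser for the `pfctl -s state` line format shown above. This is an added example, not code from the original post or from the pf or XORP projects. It embeds the post's state listing as sample input, handles IPv4 only, and assumes (as the igmp/pim lines in the post read) that entries printed with `<-` list the destination first and the sender second. It picks out the IGMP/PIM and 224.0.0.0/4 entries and the one-way entries, which for multicast are the normal case: there is no reply flow, so NO_TRAFFIC on one side of a multicast state is not by itself a sign that pf blocked anything.

```python
"""Parse `pfctl -s state` output (FreeBSD 6.x, IPv4) and summarise the
multicast control-plane entries (IGMP, PIM, 224.0.0.0/4 destinations).

Added example; not part of the original mailing-list post.  SAMPLE_STATES
is the state table quoted in the post.  Assumption: for lines printed
with "<-" pf lists the destination first and the sender second.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")
MULTICAST_CONTROL_PROTOS = {"igmp", "pim"}

# Sample `pfctl -s state` output, copied from the post.
SAMPLE_STATES = """\
self igmp 195.28.109.40 -> 224.0.0.2 SINGLE:NO_TRAFFIC
self igmp 195.28.109.40 -> 224.0.0.13 SINGLE:NO_TRAFFIC
self igmp 224.0.0.1 <- 195.28.109.25 NO_TRAFFIC:SINGLE
self igmp 224.0.0.2 <- 195.28.109.40 NO_TRAFFIC:SINGLE
self igmp 224.0.0.13 <- 195.28.109.40 NO_TRAFFIC:SINGLE
self tcp 195.28.109.40:22 -> 195.28.109.37:58349 ESTABLISHED:ESTABLISHED
self udp 255.255.255.255:8225 <- 195.28.109.29:1025 NO_TRAFFIC:SINGLE
self pim 195.28.109.40 -> 224.0.0.13 SINGLE:NO_TRAFFIC
self pim 224.0.0.13 <- 195.28.109.25 NO_TRAFFIC:SINGLE
self pim 224.0.0.13 <- 195.28.109.40 NO_TRAFFIC:SINGLE
self pfsync 195.28.109.40 -> 0.0.0.0 SINGLE:NO_TRAFFIC
"""


@dataclass
class PfState:
    ifname: str             # "self" = state created on this host
    proto: str
    src: str                # sender address, no port
    src_port: Optional[int]
    dst: str                # receiver address, no port
    dst_port: Optional[int]
    direction: str          # "out" for "->", "in" for "<-"
    states: str             # e.g. "SINGLE:NO_TRAFFIC"


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'195.28.109.40:22' -> ('195.28.109.40', 22); bare address -> (addr, None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_state_line(line: str) -> PfState:
    """Parse one line of `pfctl -s state` output into a PfState."""
    fields = line.split()
    if len(fields) != 6 or fields[3] not in ("->", "<-"):
        raise ValueError("unrecognised pfctl state line: %r" % line)
    ifname, proto, left, arrow, right, states = fields
    if arrow == "->":
        src, dst, direction = left, right, "out"
    else:
        # assumption (matches the post): "<-" prints the destination first
        dst, src, direction = left, right, "in"
    src_addr, src_port = split_endpoint(src)
    dst_addr, dst_port = split_endpoint(dst)
    return PfState(ifname, proto, src_addr, src_port, dst_addr, dst_port,
                   direction, states)


def parse_state_table(text: str) -> List[PfState]:
    """Parse a whole listing, skipping blank lines."""
    return [parse_state_line(ln) for ln in text.splitlines() if ln.strip()]


def is_multicast(addr: str) -> bool:
    return ipaddress.ip_address(addr) in MULTICAST_NET


def multicast_control_states(text: str) -> List[PfState]:
    """Entries for IGMP/PIM or for any multicast-group destination."""
    return [s for s in parse_state_table(text)
            if s.proto in MULTICAST_CONTROL_PROTOS or is_multicast(s.dst)]


def one_way_states(text: str) -> List[PfState]:
    """Entries where pf has seen packets in only one direction.

    For multicast this is expected (there is no reply flow), so a
    NO_TRAFFIC half on a multicast state is not evidence of a block.
    """
    return [s for s in parse_state_table(text)
            if "NO_TRAFFIC" in s.states.split(":")]


if __name__ == "__main__":
    for s in multicast_control_states(SAMPLE_STATES):
        print(f"{s.proto:5} {s.direction:3} {s.src} -> {s.dst}  {s.states}")
```

Run against the post's listing it reports eight multicast control-plane states (five IGMP, three PIM), all one-way, which matches what a working multicast sender would produce; the `Operation not permitted` from `sendmsg()` in the XORP log therefore has to be explained by something other than missing state entries.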