Date:      Wed, 01 Nov 2023 14:07:24 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 274850] Packets are disappearing when both PF "divert-to" and "Dnpipe" rules are activated simultaneously
Message-ID:  <bug-274850-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274850

            Bug ID: 274850
           Summary: Packets are disappearing when both PF "divert-to" and
                    "Dnpipe" rules are activated simultaneously
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: burak.sn@outlook.com
                CC: pf@FreeBSD.org

I am in the process of transitioning from IPFW's 'divert-to' to PF's
'divert-to.' Initially, I encountered a 'divert-to' loop problem, bug #272770,
which has recently been resolved by @igor.ostapenko and @kp. Thanks for your
work.
I manually applied your 'fix pf divert-to' loop patch to FreeBSD 14.0 RC2, as
shown below:

https://reviews.freebsd.org/rGfabf705f4b5aff2fa2dc997c2d0afd62a6927e68
https://reviews.freebsd.org/rGc1146e6ad67fb866c2472a1cbe5609fd939fd5ef

When I loaded only the 'divert' rules shown below, everything worked as
expected, and traffic flowed smoothly without any issues:

# divert rules
pass in log quick proto udp from any to port { 53 } divert-to 127.0.0.1 port 1234
pass in log quick proto tcp from any to port { 80 443 } divert-to 127.0.0.1 port 1234

However, when I added the 'dnpipe' rules below and reloaded the pf.conf using
'pfctl -e -f /etc/pf.conf', all traffic related to ports 53, 80, and 443
disappeared. Subsequently, when I removed 'dnpipe 1001' and 'dnpipe 1' from the
'dnpipe' rules and reloaded the pf.conf, traffic began to flow as expected.

Thanks for your assistance in this matter.

# dnpipe limiter rules
ether pass in quick from ac:bc:aa:9c:32:09 l3 all tag captiveportal_auth_igb3 dnpipe 1001
ether pass out quick to ac:bc:aa:9c:32:09 l3 all tag captiveportal_auth_igb3 dnpipe 1
