Date:      Wed, 7 Dec 2016 17:10:21 +0300
From:      Beeblebrox <zaphod@berentweb.com>
To:        freebsd-pf@freebsd.org
Subject:   PF TAGged jail traffic fails pass rule on egress
Message-ID:  <20161207171021.607579ea@rsbsd.rsb>

Hello,

I have a PF problem with TAG evaluation and am completely stumped. It should be very straightforward, but it's not working. Here's what I'm trying to do:
* I have several jails on cloned lo2
* Allow only specified port traffic to and from each jail
* Block all outgoing traffic at egress interface (wan0) unless allowed (use tags here)

I've tested with a very simplified PF ruleset, with consistent failure:

 nat on wan0 from !(wan0) -> wan0
    ## Filters
 block drop log on wan0 all
 # tested with both combinations below
 block drop log on lo2 all \ # set skip on lo0
 set skip on lo0 \ # block drop log on lo2 all

   ## Jail for Unbound + dns-crypt
 pass in quick on lo2 proto udp from any to <jail-ip> port 53 tag TD
 pass out quick on lo2 proto udp from <jail-ip> to any (or wan0) port {53,443,2053} tag TD
    ## PASSING TAGGED PACKETS ##
 pass out quick on $ExtIf keep state tagged TD

PF blocks outgoing traffic nevertheless. Rule 0 is "block drop log on wan0 all":
15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576

I tested a different jail with TCP packets, got the same:
16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>

The only thing I can think of is that packets are not being tagged, so the "pass out" rule is not evaluated (pfctl -s state confirms no state for those packets). Is there an issue that packets traversing a cloned lo0 interface cannot be tagged?

Unfortunately tcpdump or such tools, as I understand, cannot display the TAG header, so I'm unable to proceed with debugging.
Any ideas?

-- 
FreeBSD_amd64_11-Stable_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
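The poster says the tag cannot be observed with tcpdump. It does not need to be: pf keeps per-rule counters, and `pfctl -vsr` prints an `Evaluations/Packets/Bytes/States` line under every rule, so whether the `tag TD` rules and the `tagged TD` rule ever matched a packet can be read straight from the ruleset (clear the counters with `pfctl -z`, reproduce the traffic, then look). The script below is an added example, not code from the original post or from the FreeBSD project: it parses saved `pfctl -vsr` output and reports the packet count of every rule that sets or matches a tag, and exits non-zero if any such rule has never matched. The ruleset and counter values in `SAMPLE` are constructed to resemble the poster's ruleset; the only assumption about the real output format is the `pass|block|match ...` rule line followed by an indented `[ Evaluations: N Packets: N ... ]` line, as FreeBSD's pfctl prints with `-v`.

```shell
#!/bin/sh
# Added example (not from the original post). Reports, for every pf rule that
# sets a tag ("tag TD") or matches one ("tagged TD"), how many packets the rule
# has matched according to the per-rule counters printed by `pfctl -vsr`.
# A tagging rule that sits at 0 packets means the traffic never hit it, so
# nothing could have been tagged before the packet reached the egress rules.

# Constructed sample of `pfctl -vsr` output (not taken from a real system):
# the wan0 block rule is counting packets while all tag/tagged rules sit at 0.
SAMPLE='block drop log on wan0 all
  [ Evaluations: 3120      Packets: 417       Bytes: 210944      States: 0     ]
pass in quick on lo2 inet proto udp from any to <jail-ip> port = 53 tag TD
  [ Evaluations: 3120      Packets: 0         Bytes: 0           States: 0     ]
pass out quick on lo2 inet proto udp from <jail-ip> to any port = 53 tag TD
  [ Evaluations: 3120      Packets: 0         Bytes: 0           States: 0     ]
pass out quick on wan0 all flags S/SA keep state tagged TD
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

# Read `pfctl -vsr` (or -vvsr) output on stdin and print one line per rule that
# contains " tag " or " tagged ", as "<packets><TAB><rule text>".
tag_rule_hits() {
    awk '
        # A rule line starts at column 0 with the action; -vv prefixes "@N ".
        /^(@[0-9]+ )?(pass|block|match)/ { rule = $0; next }
        # The indented counter line belongs to the most recent rule line.
        /Evaluations:/ && (rule ~ / tag / || rule ~ / tagged /) {
            pkts = "?"
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            printf "%s\t%s\n", pkts, rule
        }
    '
}

# Exit 0 if every tag/tagged rule has matched at least one packet, 1 otherwise.
tags_ever_matched() {
    tag_rule_hits | awk -F'\t' '$1 == 0 { bad = 1 } END { exit bad }'
}

# Usage on the constructed sample; on a live box, replace the printf with
# `pfctl -vsr` (after `pfctl -z` to zero the counters and re-running the jail).
printf '%s\n' "$SAMPLE" | tag_rule_hits
if printf '%s\n' "$SAMPLE" | tags_ever_matched; then
    echo "every tag/tagged rule has matched at least once"
else
    echo "some tag/tagged rule has never matched: packets are not being tagged before they reach wan0"
fi
```

In the constructed sample the `tag TD` rules on lo2 have been evaluated thousands of times but matched nothing, while the `tagged TD` rule on wan0 was never even evaluated because the `block drop log on wan0 all` rule has no `quick` and still won the last match; that pattern, on a real ruleset, says the packets did not pass through the lo2 rules at all, which is the question the poster could not answer with tcpdump.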


