Date: Wed, 7 Dec 2016 17:10:21 +0300
From: Beeblebrox
To: freebsd-pf@freebsd.org
Subject: PF TAGged jail traffic fails pass rule on egress

Hello,

I have a PF problem with TAG evaluation and am completely stumped. It should be very straightforward, but it's not working.

Here's what I'm trying to do:

* I have several jails on cloned lo2
* Allow only specified port traffic to and from each jail
* Block all out-going traffic at egress interface (wan0) unless allowed (use tags here)

I've tested with a very simplified PF ruleset, with consistent failure:

nat on wan0 from !(wan0) -> wan0

## Filters
block drop log on wan0 all
# tested with both combinations below
block drop log on lo2 all \ # set skip on lo0
set skip on lo0 \ # block drop log on lo2 all

## Jail for Unbound + dns-crypt
pass in quick on lo2 proto udp from any to port 53 tag TD
pass out quick on lo2 proto udp from to any (or wan0) port {53,443,2053} tag TD

## PASSING TAGGED PACKETS ##
pass out quick on $ExtIf keep state tagged TD

PF blocks outgoing traffic nevertheless. Rule 0 is "block drop log on wan0 all":

15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576

I tested a different jail with TCP packets, got same:

16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>

The only thing I can think of is that packets are not being tagged, so the "pass out" rule is not evaluated (pfctl -s state confirms no state for those packets). Is there an issue that packets traversing a cloned lo0 interface cannot be tagged?

Unfortunately tcpdump or such tools, as I understand, cannot display the TAG header, so I'm unable to proceed with debugging.

Any ideas?

-- 
FreeBSD_amd64_11-Stable_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
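The post shows pflog decode lines and a hand-derived statement that "rule 0" is the first block rule. The following Python script is an added example (not the poster's code and not part of the thread) that automates that correlation: it parses tcpdump's pflog decode format (`rule N..SUB/REASON(text): ACTION DIR on IF: SRC.PORT > DST.PORT: ...`), numbers the filter rules of a flat pf.conf in file order the way `pfctl -vsr` reports them (an assumption that holds only when the ruleset uses no anchors), and reports which rule text blocked each flow on the egress interface. The sample log lines are the three from the post; the sample pf.conf is a constructed simplification of the poster's ruleset with `ext_if` and the `<jail_dns>` table as placeholders.

```python
import re
from collections import Counter

# Constructed sample input: the three pflog lines quoted in the post
# (tcpdump decode of the pflog0 interface).
SAMPLE_PFLOG = """\
15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576
16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""

# Constructed, simplified pf.conf modelled on the post. $ext_if and the
# <jail_dns> table are placeholders, not names taken from the poster's system.
SAMPLE_PFCONF = """\
ext_if = "wan0"
nat on $ext_if from !($ext_if) -> $ext_if
set skip on lo0
block drop log on $ext_if all
pass in quick on lo2 proto udp from any to <jail_dns> port 53 tag TD
pass out quick on lo2 proto udp from <jail_dns> to any port {53, 443, 2053} tag TD
pass out quick on $ext_if keep state tagged TD
"""

# pflog decode: "rule RULE[.ANCHOR.SUBRULE]/REASON(reason text): action dir on if: ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)(?:\.(?P<anchor>[^.]*)\.(?P<subrule>\d+))?"
    r"/(?P<reason>\d+)\((?P<reason_txt>[^)]+)\): "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)

# Keywords that start a filter rule; everything else (macros, set, nat, table)
# is not counted in the filter rule numbering.
FILTER_ACTIONS = ("pass", "block", "match")


def _proto(rest):
    """Guess the transport protocol from the tail of the tcpdump line."""
    if rest.startswith("UDP"):
        return "UDP"
    if rest.startswith("Flags ["):
        return "TCP"
    if rest.startswith("ICMP"):
        return "ICMP"
    return "OTHER"


def parse_pflog(text):
    """Parse pflog decode lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["proto"] = _proto(rec["rest"])
        records.append(rec)
    return records


def filter_rules(pfconf):
    """Return filter rules in file order (index == pfctl rule number for a flat ruleset)."""
    rules = []
    for line in pfconf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line and line.split()[0] in FILTER_ACTIONS:
            rules.append(line)
    return rules


def explain_blocks(records, rules, ifname):
    """For each block logged on ifname, pair the flow with the rule text that matched."""
    out = []
    for r in records:
        if r["action"] != "block" or r["ifname"] != ifname:
            continue
        text = rules[r["rule"]] if r["rule"] < len(rules) else "<unknown rule>"
        out.append((r["rule"], text, f'{r["src"]}:{r["sport"]}',
                    f'{r["dst"]}:{r["dport"]}', r["proto"]))
    return out


def summarize(records):
    """Count log lines by (action, direction, interface, rule number)."""
    return Counter((r["action"], r["dir"], r["ifname"], r["rule"]) for r in records)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    rules = filter_rules(SAMPLE_PFCONF)
    for n, text, src, dst, proto in explain_blocks(recs, rules, "wan0"):
        print(f"@{n} {text!r} blocked {proto} {src} -> {dst}")
    print(summarize(recs))
```

Feed it real data with `tcpdump -n -e -ttt -i pflog0` output and the live ruleset from `pfctl -sr`; once anchors are involved, the `anchor`/`subrule` fields must be resolved through `pfctl -a <anchor> -sr` rather than the flat index used here.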