From: Ian FREISLICH <ian.freislich@capeaugusta.com>
To: freebsd-pf@freebsd.org
Subject: Re: udp - weird behavior of reply-to
Date: Mon, 9 Jan 2017 22:01:21 -0500
Message-ID: <1397ba00-3ebf-28fb-4f06-f026899865bb@capeaugusta.com>
In-Reply-To: <20170109221712.GA49594@plan-b.pwste.edu.pl>
References: <20170108145532.GA17695@plan-b.pwste.edu.pl> <20170109172519.GA62580@plan-b.pwste.edu.pl> <20170109221712.GA49594@plan-b.pwste.edu.pl>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 01/09/17 17:17, Marek Zarychta wrote:
> On Mon, Jan 09, 2017 at 09:58:38PM +0100, Kristof Provost wrote:
>> On 9 Jan 2017, at 18:25, Marek Zarychta wrote:
>>> On Sun, Jan 08, 2017 at 07:08:10PM +0100, Kristof Provost wrote:
>>>> On 8 Jan 2017, at 15:55, Marek Zarychta wrote:
>>>> The problem description doesn't ring any bells with me, but I'm also
>>>> not sure I've fully understood it. Can you document a minimal
>>>> reproduction scenario, with a pf.conf and perhaps network captures
>>>> documenting the problem?
>>>>
>>>> There's certainly not been a conscious decision to break UDP
>>>> reply-to.
>>>>
>>> Let me apologize, the problem wasn't previously properly identified.
>>> It seems to be more a problem of the UDP protocol implementation than
>>> a PF issue.
>>> UDP sockets are opened and bound to the address of the outgoing
>>> interface (the interface which has a route to the client). Because the
>>> socket is not bound to the incoming interface, the PF reply-to rules
>>> couldn't be evaluated. By the way, TCP sockets are bound to the
>>> interface where the traffic arrives and everything works fine.
>>> This machine is i386 running 11.0-STABLE r311772
>>>
>>> The problem remains unresolved. Are there any corresponding sysctls
>>> correcting this behavior and enabling the opportunity to use the PF
>>> assisted symmetric routing scenario again?
>>>
>> How are your UDP listen sockets set up?
>> Are they bound to a specific interface, or are they listening on
>> 0.0.0.0?
> Yes, the socket is listening on 0.0.0.0; the client from the outside
> network is initiating the connection and the initiating packet arrives
> on interface B, which is supposed only to communicate with devices on
> its own network (no additional routes go via this interface), so
> normally the reply would be passed via interface A, which has the
> default gateway in scope, and communication would fail.
> With the assistance of a PF reply-to rule, TCP services are able to
> pass the reply from interface B via the other, second gateway:
> reply-to (B GW2).
Are you saying that your network looks approximately like this, and
there is no route to the client network where X resides on your server:

iface-A----GW1
iface-B--_local network_--GW2--_client X_

Client X originates a UDP "connection" to B and that return traffic to X
leaves interface A despite your reply-to rule.

I would be very interested to know:

1. whether the reply-to rule actually matches on the inbound traffic.
   You can make the rule log and tcpdump on the pflog0 interface. I
   believe the -e option to tcpdump will show the rule that matched.
2. the output of "pfctl -s sta |grep IP_of_X"
3. what software you're using for your UDP server. I can try to
   reproduce your issue.

Ian

> This functionality is currently broken for any UDP service, because UDP
> sockets are always opened on the supposed_to_be_outgoing interface A and
> bound to the address of this interface, which is considered good from a
> routing table perspective, but silently breaks PF reply-to for UDP.
>
> When the machine was running 9-STABLE, reply-to had successfully been
> used to assist both TCP and UDP driven services.
>
> Is anyone reading this list still using the reply-to rule for routing
> UDP traffic back via the incoming interface?
>
> Maybe currently the better place to discuss these questions would be
> freebsd-net, but the thread was initiated here.
>
>> I'm afraid I'm still struggling to understand what your setup is,
>> what you're expecting to see and what you're seeing instead.
>>
>> Regards,
>> Kristof
>

-- 
Cape Augusta Digital Properties, LLC
a Cape Augusta Company
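Marek's observation above (a UDP service listening on 0.0.0.0 replies from whatever source address the route to the client selects, while TCP replies from the address the connection arrived on) can be reproduced and corrected at the socket level. The following is an added example, not code from this thread or from FreeBSD: the server reads the destination address of each datagram with IP_PKTINFO and pins its reply to that same address. It assumes a Linux host (IP_PKTINFO value 8, and 127.0.0.2 standing in for the "interface B" address); on FreeBSD the corresponding options are IP_RECVDSTADDR on receive and IP_SENDSRCADDR on send, carrying a 4-byte in_addr in the control message instead of struct in_pktinfo.

```python
import socket
import struct

# Linux value of IP_PKTINFO (assumption: Linux host); older Python builds lack the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "=I4s4s"          # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)

def recv_with_dst(sock):
    """recvmsg() that also returns the destination address the datagram carried."""
    data, anc, _flags, peer = sock.recvmsg(512, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = None
    for level, ctype, cdata in anc:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifidx, _spec, hdr_dst = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            dst = socket.inet_ntoa(hdr_dst)
    return data, peer, dst

def reply(sock, data, peer, src=None):
    """With src set, pin the reply's source address via an IP_PKTINFO cmsg;
    without it the kernel picks the source from the route to the peer."""
    if src is None:
        sock.sendto(data, peer)
        return
    cmsg = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(src), b"\0" * 4)
    sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, cmsg)], 0, peer)

def roundtrip(service_addr, pin_source):
    """Client on 127.0.0.1 sends to a wildcard-bound server at service_addr;
    returns the source address the client sees on the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        srv.bind(("0.0.0.0", 0))        # listening on 0.0.0.0, as in the thread
        cli.bind(("127.0.0.1", 0))
        srv.settimeout(2)
        cli.settimeout(2)
        cli.sendto(b"query", (service_addr, srv.getsockname()[1]))
        data, peer, dst = recv_with_dst(srv)
        reply(srv, data, peer, dst if pin_source else None)
        _data, (reply_src, _port) = cli.recvfrom(512)
        return reply_src

if __name__ == "__main__":
    # 127.0.0.2 stands in for the "interface B" address (constructed, Linux loopback).
    print("route-chosen source:", roundtrip("127.0.0.2", False))
    print("pinned source:      ", roundtrip("127.0.0.2", True))
```

Without pinning, the reply to a request that arrived on 127.0.0.2 leaves with source 127.0.0.1, the loopback route's preferred address; with pinning it leaves from 127.0.0.2.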