From: J David
Date: Wed, 14 Oct 2020 15:16:21 -0400
Subject: Re: Packets passed by pf don't make it out?
To: Kristof Provost
Cc: Andreas Longwitz, freebsd-pf@freebsd.org

On Wed, Oct 14, 2020 at 1:59 PM Kristof Provost wrote:
> There’s good reason to do this, as we have to be able to match state
> on both the pre-translation side (when processing LAN -> WAN traffic)
> and post-translation (WAN -> LAN).

So, basically, pf would need separate states for each pre-redirect destination address in order to have the information needed to map the reply packet back to the original destination address.

But even if pf did that, the problem does not go away. It just moves to the reply packet coming back with only the post-redirect info. That info matches multiple states, leaving pf no way to pick the right one.

Is that about right?

Thanks!
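
The ambiguity discussed in this message, as a toy model added here (it is not part of the original e-mail and is not pf's code): each state is indexed under a pre-translation and a post-translation key, and a reply is looked up by the post-translation key only. The class name, the addresses (documentation ranges) and the ports are constructed for illustration, and TCP is assumed throughout.

```python
from collections import defaultdict, namedtuple

# Simplified 4-tuple key; the protocol is assumed to be TCP throughout.
Key = namedtuple("Key", "src sport dst dport")

class ToyStateTable:
    """Toy model of a redirecting firewall's state table (not pf's data structures)."""

    def __init__(self, rdr_target):
        self.rdr_target = rdr_target          # (ip, port) every connection is redirected to
        self.by_pre = {}                      # pre-translation key -> state
        self.by_post = defaultdict(list)      # post-translation key -> states

    def add_connection(self, src, sport, orig_dst, orig_dport):
        """Create one state per pre-redirect destination, indexed under both keys."""
        pre = Key(src, sport, orig_dst, orig_dport)
        post = Key(src, sport, *self.rdr_target)
        state = {"pre": pre, "post": post}
        self.by_pre[pre] = state
        self.by_post[post].append(state)
        return state

    def match_reply(self, src, sport, dst, dport):
        """Return every state a server reply could belong to.

        The reply carries only post-redirect addresses, so the lookup key is
        the post-translation key with source and destination swapped back.
        """
        return self.by_post.get(Key(dst, dport, src, sport), [])

def demo():
    # Constructed sample: two public addresses redirected to one internal server.
    table = ToyStateTable(rdr_target=("192.0.2.10", 80))
    table.add_connection("198.51.100.7", 40000, "203.0.113.1", 80)
    table.add_connection("198.51.100.7", 40000, "203.0.113.2", 80)
    # Same client, different source port: the post-translation key stays unique.
    table.add_connection("198.51.100.7", 40001, "203.0.113.2", 80)
    ambiguous = table.match_reply("192.0.2.10", 80, "198.51.100.7", 40000)
    unique = table.match_reply("192.0.2.10", 80, "198.51.100.7", 40001)
    return ambiguous, unique

if __name__ == "__main__":
    ambiguous, unique = demo()
    print("candidates for reply to port 40000:", [s["pre"].dst for s in ambiguous])
    print("candidates for reply to port 40001:", [s["pre"].dst for s in unique])
```

In this model the reply to client port 40000 has two candidate states with different original destinations, while the reply to port 40001 has exactly one.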