Date:      Wed, 14 Oct 2020 21:20:23 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "J David" <j.david.lists@gmail.com>
Cc:        "Andreas Longwitz" <longwitz@incore.de>, freebsd-pf@freebsd.org
Subject:   Re: Packets passed by pf don't make it out?
Message-ID:  <66EA3FE1-598F-4D42-8464-5A3A5C75CD07@FreeBSD.org>
In-Reply-To: <CABXB=RRiksXT8g34jqQx61MaRhOHMzpasmuw4_w=3x4_6EhxXw@mail.gmail.com>
References:  <CABXB=RSO2UDx2=LWx7W5SigYgJcaZ3vUTR0+VTDJUx2QezHK1Q@mail.gmail.com> <CABXB=RQE74yggCj6=Zizb2rQjtCi=hg155J0_u=NRK2Q3QHmqg@mail.gmail.com> <5F8336C7.5020709@incore.de> <CABXB=RRdbDYyKfXUtyc9eW-P8eoX2nUb1A1Tn46MHWv5YNjT0g@mail.gmail.com> <5F84CF18.1040905@incore.de> <0072D8A9-6ACE-47D0-AE94-124C4F955735@FreeBSD.org> <CABXB=RRYSn6eXCnkhjNKuzDPTsefEUVKEQ1vZMxYfLBromW4Nw@mail.gmail.com> <F8EE4AB3-FA3F-4B79-A054-7D885141E3F6@FreeBSD.org> <CABXB=RRiksXT8g34jqQx61MaRhOHMzpasmuw4_w=3x4_6EhxXw@mail.gmail.com>



On 14 Oct 2020, at 21:16, J David wrote:

> On Wed, Oct 14, 2020 at 1:59 PM Kristof Provost <kp@freebsd.org> wrote:
>> There’s good reason to do this, as we have to be able to match state
>> on both the pre-translation side (when processing LAN -> WAN traffic)
>> and post-translation (WAN -> LAN).
>
> So, basically, pf would need separate states for each pre-redirect
> destination address in order to have the information needed to map the
> reply packet back to the original destination address.
>
> But even if pf did that, the problem does not go away.  It just moves
> to the reply packet coming back with only the post-redirect info.
> That info matches multiple states, leaving pf no way to pick the right
> one.
>
> Is that about right?
>
Pretty much, I think.

I’ve not dug very deep yet, but I wonder if we shouldn’t have to teach pf
to change the source port to avoid conflicting states in the first place.
It’s a non-trivial problem in any case.

Regards,
Kristof
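The state-key collision discussed in the exchange above, as an added illustration that is not code from pf or from anyone in this thread. The model keeps, per state, a pre-translation key (what the LAN host sent) and a post-translation key (what the redirected-to backend sees), exactly the two sides the reply says pf has to match on. Two connections from the same LAN source address and port to two different original destinations, both redirected to one backend, end up with identical post-translation keys, so a backend reply matches both states. Switching `remap_source_port` on models the idea floated above of rewriting the source port so the post-translation keys stay unique. The `Key`/`State`/`StateTable` names, the `rdr` rule in the docstring, the addresses 10.0.0.5, 192.0.2.10, 192.0.2.11 and 10.0.0.100:8080, and the port pool starting at 50000 are all constructed for this example; pf's real data structures, and what it actually does when a second state would collide, are not described in this message, so the model simply inserts the conflicting state to make the ambiguity visible.

```python
"""Model of the pf redirect state-key collision described in the thread.
Added illustration, not pf's own code; all names and addresses are made up.

Hypothetical rule being modelled, in pf.conf syntax:
    rdr pass on $lan proto tcp to { 192.0.2.10, 192.0.2.11 } port 80 \
        -> 10.0.0.100 port 8080
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Key:
    """A 5-tuple of the kind a state is keyed on."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Key":
        """Key of a packet travelling the opposite way."""
        return Key(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class State:
    wire: Key   # pre-translation key: what the LAN host sent (LAN -> WAN)
    stack: Key  # post-translation key: what the backend sees (WAN -> LAN)


class StateTable:
    def __init__(self, remap_source_port: bool, first_port: int = 50000):
        self.remap = remap_source_port
        self.next_port = first_port          # constructed ephemeral pool
        self.states: List[State] = []

    def _stack_key_in_use(self, key: Key) -> bool:
        return any(s.stack == key for s in self.states)

    def insert(self, wire: Key, stack: Key) -> State:
        # Remapping on: choose a fresh source port until the post-translation
        # key is unique.  Off: the colliding state is added as-is so the
        # reply lookup can show the ambiguity.
        if self.remap:
            while self._stack_key_in_use(stack):
                stack = Key(stack.proto, stack.src, self.next_port,
                            stack.dst, stack.dport)
                self.next_port += 1
        st = State(wire, stack)
        self.states.append(st)
        return st

    def match_reply(self, reply: Key) -> List[State]:
        """All states whose post-translation key matches a backend reply."""
        return [s for s in self.states if s.stack == reply.reverse()]


def redirect(table: StateTable, pkt: Key, backend: Tuple[str, int]) -> State:
    """Apply the rdr: keep the pre-translation key, rewrite the destination."""
    translated = Key(pkt.proto, pkt.src, pkt.sport, backend[0], backend[1])
    return table.insert(pkt, translated)


def untranslate_reply(table: StateTable, reply: Key) -> Optional[Key]:
    """Map a backend reply back to the original destination, or None when
    the reply matches zero or several states and there is no way to pick."""
    candidates = table.match_reply(reply)
    if len(candidates) != 1:
        return None
    return candidates[0].wire.reverse()


def demo(remap: bool) -> dict:
    """Two connections from the same LAN src:port to two different original
    destinations, both redirected to the same backend (constructed input)."""
    table = StateTable(remap_source_port=remap)
    backend = ("10.0.0.100", 8080)
    c1 = Key("tcp", "10.0.0.5", 4321, "192.0.2.10", 80)
    c2 = Key("tcp", "10.0.0.5", 4321, "192.0.2.11", 80)
    s1 = redirect(table, c1, backend)
    s2 = redirect(table, c2, backend)
    # The backend answers each translated connection it saw.
    return {
        "stack1": s1.stack,
        "stack2": s2.stack,
        "candidates_for_reply1": len(table.match_reply(s1.stack.reverse())),
        "reply1": untranslate_reply(table, s1.stack.reverse()),
        "reply2": untranslate_reply(table, s2.stack.reverse()),
    }


if __name__ == "__main__":
    for remap in (False, True):
        print(f"remap_source_port={remap}: {demo(remap)}")
```

Without remapping, `demo(False)` produces two states with the same post-translation key, a backend reply matches both, and neither reply can be mapped back; with remapping, the second state gets source port 50000 and each reply maps to exactly one original destination. Whether pf's real insertion path rejects, replaces or tolerates the colliding state is not established by this message, and the model does not claim to settle it.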


