From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 280648] Traffic leak between fibs
Date: Tue, 06 Aug 2024 09:27:25 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280648

            Bug ID: 280648
           Summary: Traffic leak between fibs
           Product: Base System
           Version: 14.1-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: banezmesm@gmail.com

Hello everyone. I met a problem with my FreeBSD configuration. I used two fibs: fib0 for management and fib1 for traffic routing. When I tried to connect to my FreeBSD, my ssh session was closed by timeout. This session passed fib1, then it passed a switch, and then this traffic came to the mgmt interface in fib0.

I checked pflog and found out that SYN was passed but SYN-ACK was blocked.

10:40:14.738757 rule 50/0(match): pass in on lagg0.3100: 192.168.1.10.39324 > 192.168.2.20.22: Flags [S], seq 3192491261, win 64240, options [mss 1460, [|tcp]
10:40:14.738823 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535, options [mss 1460, [|tcp]
10:40:15.760558 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535, options [mss 1460, [|tcp]
10:40:16.785316 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535, options [mss 1460, [|tcp]
10:40:17.776546 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535, options [mss 1460, [|tcp]
10:40:18.775315 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535, options [mss 1460, [|tcp]
10:40:20.391522 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535, options [mss 1460, [|tcp]
10:40:21.418648 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535, options [mss 1460, [|tcp]

Then I checked the mgmt interface with tcpdump and there wasn't any incoming traffic. The SYN packet was lost.

admin@mypc:~ $ sudo tcpdump -nli mgmt host 192.168.2.20 and port 22 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on mgmt, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:45:04.378916 IP 192.168.2.20.22 > 192.168.1.10.57788: Flags [S.], seq 1690518431, ack 2823437748, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 800362632 ecr 2768737784], length 0
10:45:05.382466 IP 192.168.2.20.22 > 192.168.1.10.57788: Flags [S.], seq 1690518431, ack 2823437748, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 800363638 ecr 2768737784], length 0
10:45:05.392406 IP 192.168.2.20.22 > 192.168.1.10.57788: Flags [S.], seq 1690518431, ack 2823437748, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 800363651 ecr 2768738798], length 0
10:45:06.390812 IP 192.168.2.20.22 > 192.168.1.10.57788: Flags [S.], seq 1690518431, ack 2823437748, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 800364642 ecr 2768738798], length 0
10:45:07.408389 IP 192.168.2.20.22 > 192.168.1.10.57788: Flags [S.], seq 1690518431, ack 2823437748, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 800365665 ecr 2768740814], length 0
10:45:08.425344 IP 192.168.2.20.22 > 192.168.1.10.57788: Flags [S.], seq 1690518431, ack 2823437748, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 800366684 ecr 2768740814], length 0

I checked the out interface and there wasn't any SYN packet there either.

admin@mypc:~ $ sudo tcpdump -nli lagg0.3101 host 192.168.2.20 and port 22 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lagg0.3101, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:06:11.070143 IP 192.168.2.20.22 > 192.168.1.10.54686: Flags [S.], seq 3117832771, ack 2273301168, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 3221841358 ecr 2773605130], length 0
12:06:12.073943 IP 192.168.2.20.22 > 192.168.1.10.54686: Flags [S.], seq 3117832771, ack 2273301168, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 3221842359 ecr 2773606134], length 0
12:06:13.110800 IP 192.168.2.20.22 > 192.168.1.10.54686: Flags [S.], seq 3117832771, ack 2273301168, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 3221843399 ecr 2773606134], length 0
12:06:14.090184 IP 192.168.2.20.22 > 192.168.1.10.54686: Flags [S.], seq 3117832771, ack 2273301168, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 3221844378 ecr 2773608150], length 0

It looked like route leaking and I checked the routing table, but I didn't find any problem there.

admin@mypc:~ $ sudo netstat -rn | grep 192.168.2
default            192.168.2.1        UGS        mgmt
192.168.2.0/26     link#1             U          mgmt
192.168.2.20       link#3             UHS        lo0
admin@mypc:~ $ sudo setfib 1 netstat -rn | grep 192.168.2
192.168.2.0/24     10.222.253.101     UG1        lagg0.3101
192.168.2.0/24     10.222.253.102     UG1        lagg0.3101

My pf.conf

# Port macros
NET_MGMT = "192.168.2.0/26"
JH_NOC = "192.168.1.10"

# Tables
table { $NET_MGMT }
table { $JH_NOC }

# Config
set skip on lo0
set skip on mgmt
set skip on vtnet1
set skip on pfsync0
set limit states 6000000
set limit src-nodes 6000000

# Scrub
scrub in all

# Firewall policy
pass out all
block in log all rtable 1
pass in log quick proto icmp rtable 1
pass in log quick proto { tcp, udp } from to rtable 1
pass in log quick proto { tcp, udp } from to rtable 1

I supposed that traffic somehow leaked from fib1 to fib0. Please help me to fix it.
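
The pflog pattern in the report (SYN passed on one interface, the matching SYN-ACK blocked on another) can be surfaced automatically when triaging this kind of fib separation problem. The following is an added example, not part of the original report or of FreeBSD; the function name and the sample lines are constructed for illustration, using the report's addresses and log format.

```python
import re

# Constructed sample in the pflog text format quoted in the report.
SAMPLE = """\
10:40:14.738757 rule 50/0(match): pass in on lagg0.3100: 192.168.1.10.39324 > 192.168.2.20.22: Flags [S], seq 3192491261, win 64240
10:40:14.738823 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535
10:40:15.760558 rule 1/0(match): block in on lagg0.3101: 192.168.2.20.22 > 192.168.1.10.39324: Flags [S.], seq 3872911900, ack 3192491262, win 65535
10:41:02.000100 rule 50/0(match): pass in on lagg0.3100: 192.168.1.10.40112 > 192.168.2.21.22: Flags [S], seq 77120034, win 64240
"""

LINE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) "
    r"(?:in|out) on (?P<ifc>[^\s:]+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[A-Z.]+)\]"
)

def asymmetric_handshakes(log_text):
    """Return flows whose SYN was passed on one interface while the
    matching SYN-ACK was blocked on a different one."""
    syn_if = {}      # (client, server) -> interface that passed the SYN
    findings = {}    # (client, server) -> summary of the blocked replies
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a pflog rule-match line
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if m["flags"] == "S" and m["action"] == "pass":
            syn_if[(src, dst)] = m["ifc"]
        elif m["flags"] == "S." and m["action"] == "block":
            flow = (dst, src)  # the reply runs server -> client
            seen = syn_if.get(flow)
            if seen and seen != m["ifc"]:
                f = findings.setdefault(flow, {
                    "client": dst, "server": src, "syn_if": seen,
                    "synack_if": m["ifc"], "block_rule": int(m["rule"]),
                    "blocked_synacks": 0})
                f["blocked_synacks"] += 1
    return list(findings.values())

if __name__ == "__main__":
    for finding in asymmetric_handshakes(SAMPLE):
        print(finding)
```

Real input can come from `tcpdump -n -e -ttt -r /var/log/pflog`; each finding names the interface that admitted the SYN, the interface where the reply was dropped, and the rule number that dropped it.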