Date:      Fri, 13 Jan 2017 22:54:40 +0100
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Marek Zarychta" <zarychtam@plan-b.pwste.edu.pl>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: udp - weird behavior of reply-to
Message-ID:  <FA66629D-C9F8-4466-B91A-78652294F340@FreeBSD.org>
In-Reply-To: <20170109172519.GA62580@plan-b.pwste.edu.pl>
References:  <20170108145532.GA17695@plan-b.pwste.edu.pl> <E8BB68F1-4784-474A-B5ED-1E861B2975A8@FreeBSD.org> <20170109172519.GA62580@plan-b.pwste.edu.pl>

On 9 Jan 2017, at 18:25, Marek Zarychta wrote:
> On Sun, Jan 08, 2017 at 07:08:10PM +0100, Kristof Provost wrote:
>> On 8 Jan 2017, at 15:55, Marek Zarychta wrote:
>> The problem description doesn’t ring any bells with me, but I’m also
>> not sure I’ve fully understood it.  Can you document a minimal
>> reproduction scenario, with a pf.conf and perhaps network captures
>> documenting the problem?
>>
>> There’s certainly not been a conscious decision to break UDP reply-to.
>>
>
> Let me apologize, the problem wasn't previously properly identified.  It
> seems to be more of a problem of the UDP protocol implementation than a
> PF issue.  UDP sockets are opened and bound to the address of the
> outgoing interface (the interface which has a route to the client).
> Because the socket is not bound to the incoming interface, the PF
> reply-to rules couldn't be evaluated.  By the way, TCP sockets are bound
> to the interface where the traffic arrives and everything works fine.
> This machine is i386 running 11.0-STABLE r311772
>
> The problem remains unresolved. Are there any corresponding sysctls
> correcting this behavior and enabling the opportunity to use the
> PF-assisted symmetric routing scenario again?
>
Thinking about this a bit more, I think the behaviour you see is entirely
correct and expected.  We’re talking about datagram sockets, and as far as the
kernel is concerned there’s no relationship between the packet you’ve just
received from address X and the packet you send to host X. There’s no
established connection. As a result it’s entirely free to choose its source
address: you’re simply telling the kernel “Send this data to X”, you’re not
adding “it’s from Y”.

If you want this to behave differently I think you’ll have to convince your
application to open a socket per interface (binding it to that interface), and
reply using the correct socket.

Regards,
Kristof
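The application-side fix Kristof describes, as an added example that is not part of the thread or of any FreeBSD code: open one UDP socket per local address, bind each one, and send every reply through the socket the request arrived on, so the reply's source address is the address of the incoming interface and pf's reply-to state matches. The demo is constructed for a single host with only 127.0.0.1: two bound sockets on different loopback ports stand in for two interfaces, and a client checks that the reply comes back from exactly the address it sent to. The contrast function shows what the thread describes: a wildcard-bound socket has no fixed source address, so the kernel picks one per destination route at send time.

```python
import select
import socket


def open_bound_sockets(addresses):
    """Open one UDP socket per local (host, port) pair and bind it there.

    A datagram sent through a socket bound to a specific address always
    carries that address as its source, so replying via the socket the
    request arrived on keeps the reply on the same interface.
    """
    socks = []
    for host, port in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, port))
        socks.append(s)
    return socks


def serve_once(socks, timeout=2.0):
    """Wait for datagrams on any of the bound sockets and echo each one
    back through the socket it arrived on.

    Returns a list of (local address, peer address) pairs handled.
    """
    readable, _, _ = select.select(socks, [], [], timeout)
    handled = []
    for s in readable:
        data, peer = s.recvfrom(65535)
        # Reply via the SAME socket: its bound address becomes the source
        # address of the reply, which is what a pf reply-to rule relies on.
        s.sendto(b"echo:" + data, peer)
        handled.append((s.getsockname(), peer))
    return handled


def wildcard_socket_local_address():
    """Contrast case: a socket bound to 0.0.0.0 has no fixed source
    address; the kernel chooses one per destination route when sending,
    which is the behaviour observed in the thread."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(("0.0.0.0", 0))
        return s.getsockname()[0]
    finally:
        s.close()


def demo():
    """Constructed loopback demonstration (assumption: 127.0.0.1 exists).

    Two bound server sockets stand in for two interfaces, using distinct
    ports instead of distinct addresses. A client sends to the second one
    and verifies the reply originates from exactly that address.
    """
    socks = open_bound_sockets([("127.0.0.1", 0), ("127.0.0.1", 0)])
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.bind(("127.0.0.1", 0))
        client.settimeout(2.0)
        target = socks[1].getsockname()
        client.sendto(b"hello", target)
        handled = serve_once(socks)
        reply, source = client.recvfrom(65535)
        return reply, source == target, len(handled)
    finally:
        client.close()
        for s in socks:
            s.close()


if __name__ == "__main__":
    print("demo:", demo())
    print("wildcard socket local address:", wildcard_socket_local_address())
```

On a real multi-homed host the address list would be the interface addresses pf is expected to see, one socket each; the select loop then guarantees the reply leaves with the same source the request was addressed to. FreeBSD also allows the same result from a single wildcard socket by reading the destination with IP_RECVDSTADDR and setting the source with IP_SENDSRCADDR ancillary data, which avoids the per-interface socket list when addresses change at runtime.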


