Date:      Thu, 15 Oct 2020 10:51:37 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "J David" <j.david.lists@gmail.com>
Cc:        "Andreas Longwitz" <longwitz@incore.de>, freebsd-pf@freebsd.org
Subject:   Re: Packets passed by pf don't make it out?
Message-ID:  <A541B35C-D5A3-4910-B7D0-1AFF3A778495@FreeBSD.org>
In-Reply-To: <CABXB=RQwZ0rKG5bvx3Qk8Ax_y1nUXhooNu5evLvY-Kw_TBYioA@mail.gmail.com>
References:  <CABXB=RSO2UDx2=LWx7W5SigYgJcaZ3vUTR0%2BVTDJUx2QezHK1Q@mail.gmail.com> <CABXB=RQE74yggCj6=Zizb2rQjtCi=hg155J0_u=NRK2Q3QHmqg@mail.gmail.com> <5F8336C7.5020709@incore.de> <CABXB=RRdbDYyKfXUtyc9eW-P8eoX2nUb1A1Tn46MHWv5YNjT0g@mail.gmail.com> <5F84CF18.1040905@incore.de> <0072D8A9-6ACE-47D0-AE94-124C4F955735@FreeBSD.org> <CABXB=RRYSn6eXCnkhjNKuzDPTsefEUVKEQ1vZMxYfLBromW4Nw@mail.gmail.com> <F8EE4AB3-FA3F-4B79-A054-7D885141E3F6@FreeBSD.org> <CABXB=RRiksXT8g34jqQx61MaRhOHMzpasmuw4_w=3x4_6EhxXw@mail.gmail.com> <66EA3FE1-598F-4D42-8464-5A3A5C75CD07@FreeBSD.org> <CABXB=RQwZ0rKG5bvx3Qk8Ax_y1nUXhooNu5evLvY-Kw_TBYioA@mail.gmail.com>

On 14 Oct 2020, at 21:35, J David wrote:
> On Wed, Oct 14, 2020 at 3:20 PM Kristof Provost <kp@freebsd.org> 
> wrote:
>> I’ve not dug very deep yet, but I wonder if we shouldn’t have to
>> teach pf to change the source port to avoid conflicting states in the
>> first place.
>
> That was my first thought as well, framed mentally as some sort of
> port-only Frankenstein's binat because my level of understanding is
> clearly more cartoonish than yours. ;-)
>
> My second thought was to wonder if my approach is architecturally
> wrong.  Would it make sense for the many-to-many case to use route-to
> instead of rdr, leave the packet unmodified, and expect every machine
> in the server pool to catch all the public IPs?
>
> That might still be tricky.  Using rdr would presumably hit the same
> problem.  Maybe something gross like ifconfig'ing the public pool
> addresses as /32's on lo0, then binding on those, maybe?
>
I honestly don’t know. The pf NAT/RDR/… code is complex, and I 
certainly don’t understand all edge cases.
It may be worth experimenting with such options though, because this is 
unlikely to be fixed short-term.

Best regards,
Kristof
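The two designs weighed in this exchange, written out side by side as pf.conf fragments. This is an added illustration, not configuration from the thread or from the FreeBSD project: the interface names, the two-VIP/two-backend pool and the addresses (RFC 5737 and RFC 1918 ranges) are assumptions, and whether the route-to form actually sidesteps the conflicting-state problem is the question the thread leaves open, not something this fragment settles.

```pf
# Added example, not from the thread. Assumed names and addresses:
#   $ext_if / $int_if  public-facing and backend-facing interfaces of the pf box
#   <vips>             the public pool addresses (RFC 5737 documentation range)
#   <backends>         the server pool on the internal side (RFC 1918)
ext_if = "em0"
int_if = "em1"
table <vips>     { 203.0.113.10, 203.0.113.11 }
table <backends> { 10.0.0.10, 10.0.0.11 }

# Design 1: many-to-many rdr, the form under discussion. pf rewrites the
# destination address but, as noted above, does not change the source port,
# so two connections from the same source address and port to two different
# VIPs can be mapped onto the same backend and end up with colliding states.
rdr pass on $ext_if proto tcp from any to <vips> port 80 -> <backends> round-robin

# Design 2: route-to instead of rdr. The packet is left unmodified, VIP
# destination included, and is only handed to a backend as next hop; since
# nothing is translated, each VIP keeps its own distinct state key.
pass in quick on $ext_if route-to { ($int_if 10.0.0.10), ($int_if 10.0.0.11) } round-robin \
    proto tcp from any to <vips> port 80 keep state

# Design 2 requires every backend to accept traffic for every VIP. On each
# FreeBSD backend that is the lo0 /32 trick from the message above:
#   ifconfig lo0 alias 203.0.113.10/32
#   ifconfig lo0 alias 203.0.113.11/32
# with the service bound to those addresses (or to INADDR_ANY). Replies leave
# the backend with the VIP as source address, so the backend's default route
# must point back through the pf box for the states above to see them.
```

Load both variants with `pfctl -nf` first; the syntax check catches pool and table misuse before anything is installed, and the two rules should not be active at the same time for the same VIPs.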



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A541B35C-D5A3-4910-B7D0-1AFF3A778495>