Date: Wed, 14 Oct 2020 15:16:21 -0400
From: J David <j.david.lists@gmail.com>
To: Kristof Provost <kp@freebsd.org>
Cc: Andreas Longwitz <longwitz@incore.de>, freebsd-pf@freebsd.org
Subject: Re: Packets passed by pf don't make it out?
Message-ID: <CABXB=RRiksXT8g34jqQx61MaRhOHMzpasmuw4_w=3x4_6EhxXw@mail.gmail.com>
In-Reply-To: <F8EE4AB3-FA3F-4B79-A054-7D885141E3F6@FreeBSD.org>
References: <CABXB=RSO2UDx2=LWx7W5SigYgJcaZ3vUTR0%2BVTDJUx2QezHK1Q@mail.gmail.com>
 <CABXB=RQE74yggCj6=Zizb2rQjtCi=hg155J0_u=NRK2Q3QHmqg@mail.gmail.com>
 <5F8336C7.5020709@incore.de>
 <CABXB=RRdbDYyKfXUtyc9eW-P8eoX2nUb1A1Tn46MHWv5YNjT0g@mail.gmail.com>
 <5F84CF18.1040905@incore.de>
 <0072D8A9-6ACE-47D0-AE94-124C4F955735@FreeBSD.org>
 <CABXB=RRYSn6eXCnkhjNKuzDPTsefEUVKEQ1vZMxYfLBromW4Nw@mail.gmail.com>
 <F8EE4AB3-FA3F-4B79-A054-7D885141E3F6@FreeBSD.org>
On Wed, Oct 14, 2020 at 1:59 PM Kristof Provost <kp@freebsd.org> wrote:
> There’s good reason to do this, as we have to be able to match state
> on both the pre-translation side (when processing LAN -> WAN traffic)
> and post-translation (WAN -> LAN).

So, basically, pf would need separate states for each pre-redirect destination address in order to have the information needed to map the reply packet back to the original destination address.

But even if pf did that, the problem does not go away. It just moves to the reply packet coming back with only the post-redirect info. That info matches multiple states, leaving pf no way to pick the right one.

Is that about right?

Thanks!