Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 13 Oct 2020 23:35:29 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Andreas Longwitz" <longwitz@incore.de>
Cc:        "J David" <j.david.lists@gmail.com>, freebsd-pf@freebsd.org
Subject:   Re: Packets passed by pf don't make it out?
Message-ID:  <0072D8A9-6ACE-47D0-AE94-124C4F955735@FreeBSD.org>
In-Reply-To: <5F84CF18.1040905@incore.de>
References:  <CABXB=RSO2UDx2=LWx7W5SigYgJcaZ3vUTR0%2BVTDJUx2QezHK1Q@mail.gmail.com> <CABXB=RQE74yggCj6=Zizb2rQjtCi=hg155J0_u=NRK2Q3QHmqg@mail.gmail.com> <5F8336C7.5020709@incore.de> <CABXB=RRdbDYyKfXUtyc9eW-P8eoX2nUb1A1Tn46MHWv5YNjT0g@mail.gmail.com> <5F84CF18.1040905@incore.de>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 12 Oct 2020, at 23:48, Andreas Longwitz wrote:
> Hello,
>
> now I can confirm (on FreeBSD 10 Stable) what you see on fb2 when your
> program udp_client is running on fb1. pf creates a state for the first
> packet only, for the other packets pf failes to create a state with
> messages like
>
> pf: stack key attach failed on re0: UDP in wire: 192.168.14.10:23456
> 172.16.0.2:12345 stack: 192.168.14.10:23456
> 192.168.14.100:12345 1:0, existing: UDP in wire: 192.168.14.10:23456
> 172.16.0.1:12345 stack: 192.168.14.10:23456 192.168.14.100:12345 1:0
>
> pf gives this messages in debug mode (pfctl -x loud).
>
> I do not know if we see a bug in pf or if your program udp_client does
> something illegal, I think Kristof can tell us.
>
Your confidence is both flattering and misplaced :)

I think I can reproduce the problem on CURRENT and with VNET jails, 
which is convenient.

I see the same ‘stack key attach failed’ error message. My current 
thinking is that we’re hitting a state collision, because post-RDR our 
connection information is the same (192.168.14.10:23456 
192.168.14.100:12345). That means we can’t create a new state, and the 
packet gets dropped.

It’s a little unusual for a client to keep re-using src ports like 
that, but it’s not actually wrong.
I’m not sure how we can fix this.

Best,
Kristof

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0072D8A9-6ACE-47D0-AE94-124C4F955735>