Date: Wed, 14 Oct 2020 19:59:15 +0200
From: "Kristof Provost" <kp@FreeBSD.org>
To: "J David" <j.david.lists@gmail.com>
Cc: "Andreas Longwitz" <longwitz@incore.de>, freebsd-pf@freebsd.org
Subject: Re: Packets passed by pf don't make it out?
Message-ID: <F8EE4AB3-FA3F-4B79-A054-7D885141E3F6@FreeBSD.org>
In-Reply-To: <CABXB=RRYSn6eXCnkhjNKuzDPTsefEUVKEQ1vZMxYfLBromW4Nw@mail.gmail.com>
References: <CABXB=RSO2UDx2=LWx7W5SigYgJcaZ3vUTR0%2BVTDJUx2QezHK1Q@mail.gmail.com> <CABXB=RQE74yggCj6=Zizb2rQjtCi=hg155J0_u=NRK2Q3QHmqg@mail.gmail.com> <5F8336C7.5020709@incore.de> <CABXB=RRdbDYyKfXUtyc9eW-P8eoX2nUb1A1Tn46MHWv5YNjT0g@mail.gmail.com> <5F84CF18.1040905@incore.de> <0072D8A9-6ACE-47D0-AE94-124C4F955735@FreeBSD.org> <CABXB=RRYSn6eXCnkhjNKuzDPTsefEUVKEQ1vZMxYfLBromW4Nw@mail.gmail.com>

On 14 Oct 2020, at 18:52, J David wrote:
> On 12 Oct 2020, at 23:48, Andreas Longwitz wrote:
>> pf gives these messages in debug mode (pfctl -x loud).
>
> Yes, with that setting I'm also seeing those messages.
>
> On Tue, Oct 13, 2020 at 5:35 PM Kristof Provost <kp@freebsd.org> wrote:
>> I see the same ‘stack key attach failed’ error message. My current
>> thinking is that we’re hitting a state collision, because post-RDR our
>> connection information is the same (192.168.14.10:23456
>> 192.168.14.100:12345). That means we can’t create a new state, and the
>> packet gets dropped.
>
> This is probably a dumb question because I know less than nothing
> about pf internals, but why wouldn't it match the existing state?
>
“It’s complicated”.

In essence, pf tracks both the pre- and post-translation tuple, so what
we’re seeing here is one of those conflicting with an existing session
and that’s causing the failure.

There’s good reason to do this, as we have to be able to match state on
both the pre-translation side (when processing LAN -> WAN traffic) and
post-translation (WAN -> LAN).

Best regards,
Kristof
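
Added example, not part of the message above and not pf source code: a simplified Python model of a state table that indexes each connection by both its pre-translation and post-translation tuple, showing why a packet can miss the existing state on lookup and still collide when a new state is created. The class and function names and the two pre-translation destination addresses are assumptions made for illustration; only the post-RDR addresses and the error text come from the thread.

```python
# Simplified model (not pf source) of a state table that indexes every
# connection by two tuples: pre-translation (wire) and post-translation (stack).
from typing import NamedTuple

class Key(NamedTuple):
    proto: str
    src: str  # "addr:port"
    dst: str  # "addr:port"

class StateTable:
    def __init__(self):
        self.wire = {}   # pre-translation tuple  -> state id
        self.stack = {}  # post-translation tuple -> state id
        self.next_id = 1

    def lookup(self, key):
        # A packet matches a state if its tuple is in either index.
        return self.wire.get(key) or self.stack.get(key)

    def insert(self, wire_key, stack_key):
        # Both tuples must be unused, otherwise no state is created.
        if wire_key in self.wire:
            return None, "wire key attach failed"
        if stack_key in self.stack:
            return None, "stack key attach failed"
        sid, self.next_id = self.next_id, self.next_id + 1
        self.wire[wire_key] = self.stack[stack_key] = sid
        return sid, "ok"

def process(table, pkt, rdr_target):
    # Look up the packet as seen on the wire; on a miss, apply the
    # redirect and try to create a state holding both tuples.
    sid = table.lookup(pkt)
    if sid is not None:
        return sid, "matched existing state"
    return table.insert(pkt, pkt._replace(dst=rdr_target))

def demo():
    table = StateTable()
    client, target = "192.168.14.10:23456", "192.168.14.100:12345"  # from the thread
    # Constructed pre-translation destinations (documentation addresses).
    first = Key("tcp", client, "203.0.113.1:80")
    second = Key("tcp", client, "203.0.113.2:80")
    return [process(table, p, target) for p in (first, second, first)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model the second packet's wire tuple differs from the first, so the lookup misses, but after the redirect its post-translation tuple is identical to the one already held by state 1, so the insert is refused.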