kern/125467: pf keep state bug while handling sessions between vlan trunk

randy randy723 at gmail.com
Thu Jul 10 08:20:02 UTC 2008


>Number:         125467
>Category:       kern
>Synopsis:       pf keep state bug while handling sessions between vlan trunk
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 10 08:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     randy
>Release:       FreeBSD 6.2, 6.3, 7.0
>Organization:
>Environment:
FreeBSD host.a.b.com 6.2-STABLE FreeBSD 6.2-STABLE #7: Wed Apr 25 15:16:51 CST 2007     root at bsd.a.b.com:/usr/obj/usr/src/sys/kern  i386

>Description:
I use the 802.1Q protocol to trunk 2 VLANs on NIC fxp0; the sub-interfaces are fxp0.100 and fxp0.200, and pf is used to filter traffic, with rules as follows:

block in log all
pass in quick on fxp0.100 proto icmp from any to any icmp-type echoreq keep state
pass in quick on fxp0.200 proto icmp from any to any icmp-type echoreq keep state

ICMP packets can flow between the VLANs when pf is disabled, but they are blocked when pf is enabled. There are indeed ICMP states in the state table, but the ICMP reply packet does not seem to match the state. I have tested the FreeBSD 7.0 release; it is the same situation.
>How-To-Repeat:
# kldload if_vlan
# kldload pf
# sysctl net.inet.ip.forwarding=1
# ifconfig fxp0 up
# ifconfig fxp0.100 create
# ifconfig fxp0.200 create
# ifconfig fxp0.100 inet 100.100.100.1/24 up
# ifconfig fxp0.200 inet 200.200.200.1/24 up

ICMP packets can flow between the VLANs.

load pf rules as follows:
block in log all
pass in quick on fxp0.100 proto icmp from any to any icmp-type echoreq keep state
pass in quick on fxp0.200 proto icmp from any to any icmp-type echoreq keep state

# tcpdump -ni pflog0 icmp
pf drops the ICMP packets.

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
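Added diagnostic (not part of the PR above, and not FreeBSD project code): the report only says that pf drops the packets, but the pflog header tells you on which interface, in which direction and by which rule each drop happened, which is the first thing to pin down when a "keep state" reply fails to match. tcpdump prints that header only with -e. The script below summarises such tcpdump output per (action, direction, interface, rule). The sample lines are constructed to show what the reporter's ruleset would log if the echo reply entering fxp0.200 misses the state; the addresses 100.100.100.2 and 200.200.200.2 and the ICMP ids are hypothetical, not captured from the reporter's machine.

```shell
#!/bin/sh
# Summarise pf drops by action, direction, interface and rule number.
# Feed it the output of:   tcpdump -n -e -t -i pflog0 icmp
# (-e makes tcpdump print the pflog header "rule N/M(reason): action dir on ifname:",
#  -t suppresses the timestamp; a leading timestamp is stripped anyway.)

# Constructed sample (hypothetical hosts .2 on each VLAN, not real captures):
# two echo replies dropped on fxp0.200, one dropped on fxp0.100, all by the
# default "block in log all" rule, which is rule 0 in the reporter's ruleset.
SAMPLE_PFLOG='rule 0/0(match): block in on fxp0.200: 200.200.200.2 > 100.100.100.2: ICMP echo reply, id 1234, seq 0, length 64
rule 0/0(match): block in on fxp0.200: 200.200.200.2 > 100.100.100.2: ICMP echo reply, id 1234, seq 1, length 64
rule 0/0(match): block in on fxp0.100: 100.100.100.2 > 200.200.200.2: ICMP echo reply, id 5678, seq 0, length 64'

# summarize_pflog: read pflog tcpdump lines on stdin, print one line per
# (action, direction, interface, rule) prefixed by the number of packets,
# sorted so the output is deterministic.
summarize_pflog() {
    awk '
    {
        sub(/^[0-9][0-9:.]* /, "")          # drop a timestamp if -t was not used
    }
    /^rule [0-9]+\/[0-9]+\(/ {
        rule = $2; sub(/\(.*/, "", rule)     # "0/0(match):" -> "0/0"
        action = $3                          # block / pass
        dir    = $4                          # in / out
        ifname = $6; sub(/:$/, "", ifname)   # "fxp0.200:" -> "fxp0.200"
        key = action " " dir " " ifname " rule " rule
        count[key]++
    }
    END { for (k in count) print count[k] " " k }
    ' | sort
}

# Which VLAN sub-interface are the replies dropped on, and by which rule?
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```

On the live system, run it as `tcpdump -n -e -t -i pflog0 icmp | sh thisscript.sh` (after replacing the sample with stdin) while pinging across the VLANs, and compare the interface shown in the drop line with `pfctl -ss`, whose first column is the interface a state is bound to ("all" for a floating state). If the reply is dropped on fxp0.200 while the matching state was created on fxp0.100, that is the mismatch the report describes.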

