kern/148290: "sticky-address" option of Packet Filter (PF) blocks connection

Simon Saimoun Lasnier saimoun82 at gmail.com
Thu Jul 1 12:50:04 UTC 2010


>Number:         148290
>Category:       kern
>Synopsis:       "sticky-address" option of Packet Filter (PF) blocks connection
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 01 12:50:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Simon "Saimoun" Lasnier
>Release:        8.0-RELEASE
>Organization:
C2B
>Environment:
FreeBSD lb-Stemp.c2bsa.local 8.0-RELEASE FreeBSD 8.0-RELEASE #1: Wed Jun 30 14:39:04 UTC 2010
root at lb-Stemp.c2bsa.local:/usr/obj/usr/src/sys/SOEKRIS  i386

>Description:
When using Packet Filter (PF) for load-balancing outgoing connections with 2 addresses in the pool, each connection randomly takes one of the two.
If we want each source address to always take the same way, we need to put the keyword "sticky-address" in the pass rule in pf.conf.
In a computer where the LAN is "vr1" and the two WANs are "vr2" and "vr3", this rule is used:

pass in log on vr1 route-to {(vr2 $vr2_gw),(vr3 $vr3_gw)} \
    sticky-address from <lan> to !<lan>

But this option seems to allow only one computer for each connection.
When one computer is already connected with one of the two WANs, if another computer wants to access the same WAN, it cannot. But in pflog0, pf says that it has passed the connection, on the right rule (the one which has a route-to).
>How-To-Repeat:
Install FreeBSD on a computer (called "FreeBSD-PC") which has at least 3 interfaces (called vr1, vr2, vr3).

We suppose that there is one LAN on 192.168.0.0/24 connected to vr1 and two WANs whose gateways are 81.42.133.1 and 146.43.222.34, connected respectively to vr2 and vr3.

Create /etc/pf.conf and put these lines in it:

pass in log on vr1 route-to { (vr2 81.42.133.1), (vr3 146.43.222.34) } \
    sticky-address from 192.168.0.0/24 to !192.168.0.0/24

Launch PF:
prompt# pfctl -e
prompt# pfctl -F all -f /etc/pf.conf

Now connect two other computers to FreeBSD-PC, configure their Ethernet interfaces with the network 192.168.0.0/24, and add to their routing table a default route to the FreeBSD-PC (for example "route add default 192.168.0.1" if 192.168.0.1 is the address of the FreeBSD-PC on the vr1 interface).

Then, if you try to access the Internet (through one of the two WANs) with the two computers, sometimes it will work (with a good "sticky", that is to say one computer always takes the same WAN), but sometimes one of the two computers is blocked: packets never reach the gateway, whereas we can see "pass" on the pflog0 interface.
>Fix:
Don't know.

>Release-Note:
>Audit-Trail:
>Unformatted:
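The report says the second host is "blocked" even though pflog0 shows a pass, and it suspects sticky-address allows only one host per WAN. The quickest way to test that hypothesis on the firewall itself is to look at pf's source-tracking table, which `pfctl -s sources` prints: sticky-address keys the route-to choice by source address, so every LAN host that has sent traffic through the rule should appear there with the gateway it is pinned to. The script below is an added diagnostic, not part of the bug report or of FreeBSD; it assumes the "source -> gateway ( states N, ... )" line shape that `pfctl -s sources` prints on FreeBSD 8 (check the first two awk fields against your own output if a later release changed it), and it runs here over a constructed sample of that output for the two-WAN setup described above.

```shell
#!/bin/sh
# Added diagnostic (not part of the bug report): summarise pf source-tracking
# entries so you can see which WAN gateway each LAN host is stuck to.
# Assumption: each line looks like
#   192.168.0.10 -> 81.42.133.1 ( states 4, connections 0, rate 0.0/0s )
# i.e. field 1 = source host, field 2 = "->", field 3 = route-to gateway.

# Constructed sample of `pfctl -s sources` output for the setup in the report
# (LAN 192.168.0.0/24, gateways 81.42.133.1 on vr2 and 146.43.222.34 on vr3).
SAMPLE_SOURCES='192.168.0.10 -> 81.42.133.1 ( states 4, connections 0, rate 0.0/0s )
192.168.0.11 -> 146.43.222.34 ( states 2, connections 0, rate 0.0/0s )
192.168.0.12 -> 81.42.133.1 ( states 0, connections 0, rate 0.0/0s )'

# summarize_sticky: read source-node lines on stdin and print
# "gateway host-count", one line per gateway, sorted by gateway.
# Two hosts on the same gateway proves sticky-address itself is not
# limiting a WAN to a single host; the blockage must be elsewhere.
summarize_sticky() {
    awk '$2 == "->" { count[$3]++ }
         END { for (g in count) printf "%s %d\n", g, count[g] }' | sort
}

# gateway_for: print the gateway the host given as $1 is pinned to,
# or "none" if pf holds no source-tracking entry for it (stdin: lines).
# A host that cannot reach the Internet but has no entry here never
# matched the route-to rule at all, whatever pflog0 says.
gateway_for() {
    awk -v host="$1" '$1 == host && $2 == "->" { print $3; found = 1 }
                      END { if (!found) print "none" }'
}

# hosts_on: number of hosts currently pinned to the gateway given as $1.
hosts_on() {
    awk -v gw="$1" '$2 == "->" && $3 == gw { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. On the firewall, feed the
# live table instead:  pfctl -s sources | summarize_sticky
printf '%s\n' "$SAMPLE_SOURCES" | summarize_sticky
printf 'host 192.168.0.11 is pinned to: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SOURCES" | gateway_for 192.168.0.11)"
```

Run it once from each of the two LAN hosts' perspective while reproducing the problem: if the blocked host has an entry pointing at the same gateway as the working host, the route-to selection worked and the packet is being lost after pf (interface, ARP to the gateway, or reply path), not by sticky-address; if it has no entry, the traffic never hit the route-to rule. Entries linger for the src.track timeout after their states expire, so flush them with `pfctl -F Sources` between test runs to avoid reading a stale mapping.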