kern/121668: connect randomly fails with EPERM with some pf rules

Remko Lodder remko at elvandar.org
Fri Mar 14 09:30:04 UTC 2008


>  It does not seem possible to set tcp.closed to 0 on a per-rule basis :
>  This is accepted :
>  pass out quick on lo0 proto tcp from any to any port 9 flags S/SA keep
> state ( tcp.closing 30 , tcp.closed 0 )
>
>  But pfctl -srules -vvv prints :
>  @0 pass out quick on lo0 proto tcp from any to any port = discard flags
>  S/SA keep state (tcp.closing 30)
>    [ Evaluations: 1         Packets: 0         Bytes: 0           States:
> 0     ]
>    [ Inserted: uid 0 pid 51151 ]
>
>  The tcp.closed seems to be ignored.
>
>  It works with tcp.closed set to 1
>

Why are you filtering on your local IP stack anyway? Filtering on lo0 is
not that common, or at least in my point of view not used often, and
presents problems all the way.

Just a random reply to something I feel -strange-.

Thanks,
remko

-- 
/"\   Best regards,                      | remko at FreeBSD.org
\ /   Remko Lodder                       | remko at EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News
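Added example (not from the PR or from this reply): a pf.conf fragment that puts the per-rule form from the quoted report next to the global `set timeout` form. It assumes that pf treats a per-rule timeout value of 0 as "not set" and falls back to the global default, which is consistent with the quoted pfctl output where `tcp.closed 0` disappears while `tcp.closing 30` survives. The port and timeout values are constructed for illustration; pf.conf requires `set` options to precede filter rules, so the global setting comes first.

```pf
# pf.conf fragment (added example, constructed; not part of the PR)

# Options section: global state timeouts. This is the place to shorten
# the lifetime of closed TCP states for every rule that does not
# override it with a non-zero per-rule value.
set timeout tcp.closed 1

# Filter section: per-rule state options. A per-rule value of 0 is
# treated as "not set" and silently falls back to the global value,
# so "tcp.closed 0" is dropped by the parser (pfctl -sr shows only
# tcp.closing 30); a non-zero value such as tcp.closed 1 is kept.
pass out quick on lo0 proto tcp from any to any port 9 \
    flags S/SA keep state (tcp.closing 30, tcp.closed 1)

# Checks to confirm what pf actually loaded:
#   pfctl -nf /etc/pf.conf    # parse only, no changes applied
#   pfctl -sr -vv             # per-rule state options as parsed
#   pfctl -st                 # effective global timeouts
```

When a per-rule option vanishes from `pfctl -sr -vv` output, comparing it against `pfctl -st` shows which value the state will actually use; that is the quickest way to tell a silently discarded option from one that was applied.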