From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 257106] [pf] Local-origin connections matching 'pass out' rules with 'route-to' fail
Date: Sun, 11 Jul 2021 10:28:01 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257106

Bug ID: 257106
Summary: [pf] Local-origin connections matching 'pass out' rules with 'route-to' fail
Product: Base System
Version: 12.2-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: fbsd@peralex.com

Running FreeBSD 12-stable, I'm running into a problem with commit 369643
(41063b40168b69b38e92d8da3af3b45e58fd98ca) and later from Subversion, which
appears to have been. The previous revision (369642 in SVN) works fine.

I have a rule that says:

    pass out log (all) quick route-to (em1 172.29.29.2) inet proto tcp from 172.29.29.1 to any flags S/SA keep state

This is to route traffic that originates on the local machine, with a source
address of 172.29.29.1, to the router at 172.29.29.2. My particular use-case
is to divide local traffic between WAN connections based on their source
addresses.

Note that this, while similar, differs from the case mentioned in
8ca8248886af583fa2010badfe03e472d8505db8 (r369645) in that the matched
connections originate locally rather than remotely, so the rule is an OUT rule
rather than an IN rule.

Connections that match this rule get established and exchange a bit of data,
but then stall. The corresponding state gets stuck as follows:

    all tcp 172.29.29.1:25564 -> 172.67.29.179:443 ESTABLISHED:SYN_SENT

The address 172.67.29.179 is an arbitrary remote address. The remote end never
goes to ESTABLISHED. Replies from the remote end are matching the rule
correctly and getting logged, until the connection stalls.

This is the if() statement that changed in
41063b40168b69b38e92d8da3af3b45e58fd98ca. It seems to make sense that this
would break with packets that only go out?

    if (dir == PF_IN) {
        if (pf_test(PF_OUT, 0, ifp, &m0, inp) != PF_PASS)
            goto bad;

The tests in route_to.sh from r369646
(8ca8248886af583fa2010badfe03e472d8505db8) pass.

    sys/netpfil/pf/route_to:multiwan  ->  passed  [0.109s]
    sys/netpfil/pf/route_to:v4  ->  passed  [3.045s]
    sys/netpfil/pf/route_to:v6  ->  passed  [3.105s]

I should be able to conjure up an updated route_to.sh test script to test for
the local-origin + route-to scenario, which I'll attach in due course. I'm
happy to test fixes, provide packet dumps, etc.

Thanks
Mark
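As an added diagnostic example (not part of the bug report and not FreeBSD's own code), the following parses state lines in the shape quoted above, as printed by pfctl -ss, and flags TCP states from a given local source that sit in ESTABLISHED:SYN_SENT, the stuck pattern the report describes. The line format and the IPv4 host:port notation are assumptions taken from the quoted state line, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Assumed line shape, as in the state line quoted above (pfctl -ss style):
#   <if> <proto> <src host:port> -> <dst host:port> <src_state>:<dst_state>
# "->" marks an outbound state, "<-" an inbound one.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?:->|<-)\s+"
    r"(?P<dst>\S+)\s+(?P<src_state>[A-Z0-9_]+):(?P<dst_state>[A-Z0-9_]+)$"
)

@dataclass
class PfState:
    ifname: str
    proto: str
    src: str        # host:port as printed by pfctl
    dst: str
    src_state: str  # TCP state pf tracks for the source side
    dst_state: str  # TCP state pf tracks for the destination side

def parse_state_line(line: str) -> Optional[PfState]:
    """Parse one state line; return None for lines in another format."""
    m = STATE_RE.match(line.strip())
    return PfState(*m.group("ifname", "proto", "src", "dst",
                            "src_state", "dst_state")) if m else None

def is_half_open(st: PfState) -> bool:
    """True when pf recorded our side as ESTABLISHED but never saw the peer
    leave SYN_SENT: the handshake replies are not being matched to the state."""
    return (st.proto == "tcp" and st.src_state == "ESTABLISHED"
            and st.dst_state == "SYN_SENT")

def find_stuck_states(lines: List[str], local_src: str) -> List[PfState]:
    """Half-open TCP states whose source host is local_src (IPv4 host:port only:
    the host is everything before the last ':')."""
    stuck = []
    for line in lines:
        st = parse_state_line(line)
        if st and st.src.rsplit(":", 1)[0] == local_src and is_half_open(st):
            stuck.append(st)
    return stuck

# Constructed sample states modelled on the line quoted in the report.
SAMPLE_STATES = [
    "all tcp 172.29.29.1:25564 -> 172.67.29.179:443 ESTABLISHED:SYN_SENT",
    "all tcp 172.29.29.1:25570 -> 172.67.29.179:443 ESTABLISHED:ESTABLISHED",
    "all tcp 172.29.29.1:25581 -> 172.67.29.179:443 SYN_SENT:CLOSED",
    "all udp 172.29.29.1:53412 -> 172.29.29.2:53 SINGLE:MULTIPLE",
    "em0 tcp 172.29.29.1:22 <- 198.51.100.7:40022 ESTABLISHED:ELLIPSIS".replace("ELLIPSIS", "ESTABLISHED"),
]
```

Feed it the output of pfctl -ss on the affected host: a healthy route-to state settles at ESTABLISHED:ESTABLISHED, so any entry it reports for the rule's source address is a candidate for the stall described above.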