From nobody Mon Jan 02 13:28:53 2023
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Mon, 02 Jan 2023 13:28:53 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: dfr@rabson.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
Sender: owner-freebsd-bugs@freebsd.org
MIME-Version: 1.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

            Bug ID: 268717
           Summary: [pf] rdr rules don't work for traffic originating at
                    localhost
           Product: Base System
           Version: 13.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: dfr@rabson.org

Created attachment 239212
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239212&action=edit
Script to set up a test. Run this, then try 'telnet 10.123.0.1 8080'

I am using rules that look like this:

rdr log (all) inet proto tcp from any to ! 10.123.0.2 port = 8080 -> 10.123.0.2 port 80

to allow access to workloads running in jails/containers, which is a common pattern for container runtimes like containerd or podman. Typically, a workload (e.g. nginx) runs in a container on its usual port and is 'published' to the host by mapping a host port to the container's address and port. In the example above, the container is in a vnet jail with address 10.123.0.2 and the intention is to publish the container's port 80 as the host's port 8080.

This type of rule works well for traffic originating on some other machine with destination set to the host's IP and port 8080, but when traffic originates on the host itself, the rule matches but traffic doesn't flow. As far as I can tell, the pf rule matches outgoing packets (e.g. SYN for new connections) as being 'received' by lo0, where the packet is rewritten to the container IP/port and travels to the container. The return packet (e.g. SYN+ACK) is not received and packet traces show the host rejecting with RST.

My hypothesis is that a state entry is created for the outgoing packet and registered with lo0 but the reply is received on a different interface (in my case a bridge) and the reverse translation is not performed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
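The following is an added illustration of the failure mode the report hypothesises; it is not pf code, not the attached test script, and not part of the original bug report. It reduces stateful rdr handling to a dictionary of states plus one switch, if_bound, which stands in for the hypothesis that the state created on lo0 is tied to that interface and therefore does not match the SYN+ACK arriving over the bridge. The addresses, ports and rule follow the report; the ephemeral port 40000 and the interface name bridge0 are constructed for the example, and whether real pf behaves this way is exactly the question the report raises.

```python
"""Toy model of a stateful rdr translator (added example, not pf's implementation)."""
from dataclasses import dataclass, replace
from typing import Dict, Tuple

HOST = "10.123.0.1"   # host address the client connects to (from the report)
JAIL = "10.123.0.2"   # vnet jail running the workload (from the report)


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the translator sees the packet on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    """rdr ... proto tcp from any to ! <exclude_dst> port = <match_port> -> <to_addr> port <to_port>"""
    exclude_dst: str
    match_port: int
    to_addr: str
    to_port: int

    def matches(self, p: Packet) -> bool:
        return p.dst != self.exclude_dst and p.dport == self.match_port


# State is keyed on the pre-translation 4-tuple of the connection's first packet.
Key = Tuple[str, int, str, int]


@dataclass
class State:
    orig_dst: Tuple[str, int]   # destination the client actually dialled
    new_dst: Tuple[str, int]    # destination after the rdr rewrite
    iface: str                  # interface the state was created on


class RdrBox:
    def __init__(self, rule: RdrRule, if_bound: bool) -> None:
        self.rule = rule
        self.if_bound = if_bound          # model switch: is a state usable only on its interface?
        self.states: Dict[Key, State] = {}

    def process(self, p: Packet) -> Packet:
        """Return the packet as it leaves the translator."""
        # Reply direction: find a state whose translated destination sent this packet.
        for (src, sport, _dst, _dport), st in self.states.items():
            if (p.src, p.sport) == st.new_dst and (p.dst, p.dport) == (src, sport):
                if self.if_bound and st.iface != p.iface:
                    # The report's hypothesis: state registered on lo0, reply arrives
                    # on the bridge, so the reverse translation is never performed.
                    continue
                return replace(p, src=st.orig_dst[0], sport=st.orig_dst[1])
        # Forward direction: a new connection matching the rdr rule creates a state.
        if self.rule.matches(p):
            key = (p.src, p.sport, p.dst, p.dport)
            self.states[key] = State((p.dst, p.dport),
                                     (self.rule.to_addr, self.rule.to_port), p.iface)
            return replace(p, dst=self.rule.to_addr, dport=self.rule.to_port)
        return p


RULE = RdrRule(exclude_dst=JAIL, match_port=8080, to_addr=JAIL, to_port=80)


def run_scenario(if_bound: bool) -> str:
    """Simulate 'telnet 10.123.0.1 8080' run on the host itself (port 40000 is constructed)."""
    box = RdrBox(RULE, if_bound)
    # The SYN leaves the host's stack and is matched on lo0, as the report describes.
    syn = Packet("lo0", HOST, 40000, HOST, 8080)
    fwd = box.process(syn)
    if (fwd.dst, fwd.dport) != (JAIL, 80):
        return "RDR_NOT_APPLIED"
    # The jail answers; its SYN+ACK comes back over the bridge, not lo0.
    synack = Packet("bridge0", JAIL, 80, HOST, 40000)
    reply = box.process(synack)
    # The host's socket dialled 10.123.0.1:8080. A SYN+ACK from any other peer is
    # unknown to the stack and gets answered with RST, matching the packet traces.
    if (reply.src, reply.sport) == (HOST, 8080):
        return "ESTABLISHED"
    return "RST"


if __name__ == "__main__":
    print("interface-bound state:", run_scenario(if_bound=True))
    print("floating state:       ", run_scenario(if_bound=False))
```

On a real host the corresponding check is to compare what `pfctl -ss` shows for the state (it prints the interface a state is bound to, or `all` for a floating state) with the interface the SYN+ACK actually arrives on, and to read the `log (all)` matches off pflog0 with `tcpdump -n -e -ttt -i pflog0` to see whether the reply is matched and translated at all.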