freebsd 6-beta2, pf, route-to, checksum errors

Peter van Dijk peter at dataloss.nl
Mon Aug 22 22:39:56 GMT 2005


Hi,

I recently upgraded my FreeBSD/sparc64 5.4 router at home to 6-BETA2,
without changing pf.conf. Since this upgrade, UDP packets redirected
with pf's route-to feature get the wrong checksum.

My complete ruleset:
root at onion# grep -v ^# /etc/pf.conf   
ext_if="hme0"   # replace with actual external interface name i.e., dc0
int_if="vlan2"  # replace with actual internal interface name i.e., dc1
virtix_if="vlan4"       # replace with actual internal interface name i.e., dc1
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $virtix_if from $int_if:network to any -> ($virtix_if)
pass out on $ext_if route-to ( $virtix_if 195.16.85.169 ) from $virtix_if:network to any

ifconfig snippets to understand :network above:
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.13.32 netmask 0xffffff00 broadcast 172.16.13.255
vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 195.16.85.170 netmask 0xfffffff8 broadcast 195.16.85.175


tcpdump output of a broken DNS request:
onion# tcpdump -n -i vlan4 -s 0 -v port 53
tcpdump: listening on vlan4, link-type EN10MB (Ethernet), capture size 65535 bytes
00:28:37.762481 IP (tos 0x0, ttl  56, id 0, offset 0, flags [DF], proto: UDP (17), length: 68) 83.160.178.78.32812 > 195.16.85.170.53: 31240+ A? onion.home.dataloss.nl. (40)
00:28:37.765844 IP (tos 0x0, ttl  64, id 37505, offset 0, flags [none], proto: UDP (17), length: 117, bad cksum 86f (->c94d)!) 195.16.85.170.53 > 83.160.178.78.32812:  31240*- 1/1/1 onion.home.dataloss.nl. A 195.16.85.170 (89)


Note the 'bad cksum'. When I set a route to this client IP
(83.160.178.78), thereby never matching the relevant pf rule, the
packet is fine and the answer arrives:

00:29:57.498780 IP (tos 0x0, ttl  64, id 38175, offset 0, flags [none], proto: UDP (17), length: 117) 195.16.85.170.53 > 83.160.178.78.32812:  33831*- 1/1/1 onion.home.dataloss.nl. A 195.16.85.170 (89)


Am I doing something wrong, did I miss a notice in upgrading, or have
I uncovered a bug?

Thank you for your time.

Cheers, Peter
-- 
peter at dataloss.nl        | ~ tonight tonight, what is this potion
http://blog.dataloss.nl/ | ~ that makes a fool of me
UnderNet/#clue           |     Wayfinder, fr-025 soundtrack


More information about the freebsd-current mailing list