pf eats syn packet?

Frank Behrens frank at pinky.sax.de
Wed Oct 31 03:48:01 PDT 2007


Although this is an old thread, the problem is still present. Let's remember: as I wrote in
http://lists.freebsd.org/pipermail/freebsd-pf/2007-August/003642.html
and related mails, I want to do policy based routing with pf.
The basic rules are

nat inet from !tun2-address to any port = http -> tun2-address
nat on tun0 inet from <intern> to any -> tun0-address
....
pass out quick on tun0 route-to (tun2 tun2-peer) inet from tun2-address to any keep state
pass out quick on tun2 route-to (tun0 tun0-peer) inet from tun0-address to any keep state


I see the result that the 1st SYN packet cannot pass the pf firewall, because a state insertion
fails. Now I tried to debug this state handling and inserted some debug print statements in
pf.c. A typical session (with associated packets) is

09:44:29 pfdbg: insert_state TCP 192.168.50.02:1948 84.182.202.81:57560 192.109.108.33:80 [lo=3608055223 high=3608055225 win=32768 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 rule: 0 nat_rule: 0
09:44:29 pfdbg: insert_state TCP 84.182.202.81:57560 84.182.202.81:57560 192.109.108.33:80 [lo=3608055223 high=3608055225 win=32768 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 rule: 2
09:44:29 pf: state insert failed: tree_ext_gwy lan: 84.182.202.81:57560 gwy: 84.182.202.81:57560 ext: 192.109.108.33:80
09:44:29.475380 IP (tos 0x0, ttl 128, id 51971, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.1948 > 192.109.108.33.80: S, cksum 0x010e (correct), 3608055223:3608055223(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
09:44:32.573436 IP (tos 0x0, ttl 128, id 51988, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.1948 > 192.109.108.33.80: S, cksum 0x010e (correct), 3608055223:3608055223(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>

The repeated SYN after 3 seconds passes the firewall and the tcp session continues without 
any problems.

The debug messages are created on pf.c (v1.45 2007/07/03) with
@@ -892,6 +892,16 @@
 int
 pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
 {
+       if (pf_status.debug >= PF_DEBUG_MISC) {
+               printf("pfdbg: insert_state ");
+               pf_print_state(state);
+               if (state->rule.ptr)
+                       printf(" rule: %x", (int)state->rule.ptr->nr);
+               if (state->nat_rule.ptr)
+                       printf(" nat_rule: %x", (int)state->nat_rule.ptr->nr);
+               printf("\n");
+       }
+
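Review bot: the hunk header (@@ -892,6 +892,16 @@) promises six unchanged lines, but only the three leading context lines are quoted and the trailing context after the inserted block is missing, so the patch as shown cannot be applied as-is; please include the rest of the hunk. Also, `nr` is cast to `int` and printed with `%x`, so rule numbers appear in hexadecimal, which stops matching the decimal `@N` numbering of `pfctl -vvsr` once a ruleset has ten or more rules; printing it with `%u` and no cast keeps `rule: 2` in the trace directly comparable to the loaded ruleset.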

Now my questions:
1. Is my setup correct or should I use other rules?
2. Is it right that pf tries to insert an additional state entry with lan and gwy addresses being
the same, although a NAT entry is already inserted?

Regards,
    Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
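As an added illustration (not part of Frank's post or of pf itself), a small Python parser over the pfdbg and tcpdump lines quoted above: it flags the second state as untranslated (lan == gwy with no nat_rule), detects that its (proto, ext, gwy) key is already held by the first state (the tree_ext_gwy collision pf reports), and counts the SYN retransmit. The sample lines are copied from the post; the field order assumes pf_print_state prints lan, gwy, ext.

```python
import re

# Constructed sample: the pfdbg and tcpdump lines quoted in the post above.
PFDBG = """\
09:44:29 pfdbg: insert_state TCP 192.168.50.02:1948 84.182.202.81:57560 192.109.108.33:80 [lo=3608055223 high=3608055225 win=32768 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 rule: 0 nat_rule: 0
09:44:29 pfdbg: insert_state TCP 84.182.202.81:57560 84.182.202.81:57560 192.109.108.33:80 [lo=3608055223 high=3608055225 win=32768 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 rule: 2
09:44:29 pf: state insert failed: tree_ext_gwy lan: 84.182.202.81:57560 gwy: 84.182.202.81:57560 ext: 192.109.108.33:80
"""
TCPDUMP = """\
09:44:29.475380 IP (tos 0x0, ttl 128, id 51971, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.1948 > 192.109.108.33.80: S, cksum 0x010e (correct), 3608055223:3608055223(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
09:44:32.573436 IP (tos 0x0, ttl 128, id 51988, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.1948 > 192.109.108.33.80: S, cksum 0x010e (correct), 3608055223:3608055223(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
"""

# Assumption: pf_print_state() prints "<proto> <lan> <gwy> <ext>" before the seq windows.
INSERT_RE = re.compile(r"^(?P<ts>\S+) pfdbg: insert_state (?P<proto>\S+) (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) .*? rule: (?P<rule>\w+)(?: nat_rule: (?P<nat>\w+))?$")
FAIL_RE = re.compile(r"^(?P<ts>\S+) pf: state insert failed: (?P<tree>\S+) ")
SYN_RE = re.compile(r"^(?P<ts>\S+) IP .*\) (?P<src>\S+) > (?P<dst>\S+): S, .* (?P<seq>\d+):\d+\(0\) ")

def analyze_states(text):
    """Report an insert whose lan == gwy without a nat_rule (no translation applied)
    and any insert whose (proto, ext, gwy) key an earlier state already holds,
    which is the tree_ext_gwy collision that pf logs as 'state insert failed'."""
    seen, findings = {}, []
    for line in text.splitlines():
        m = INSERT_RE.match(line)
        if m:
            key = (m["proto"], m["ext"], m["gwy"])
            if m["lan"] == m["gwy"] and m["nat"] is None:
                findings.append(("untranslated-state", m["ts"], m["rule"], key))
            if key in seen:
                findings.append(("ext_gwy-collision", m["ts"], seen[key], key))
            else:
                seen[key] = m["rule"]
            continue
        f = FAIL_RE.match(line)
        if f:
            findings.append(("insert-failed", f["ts"], f["tree"], None))
    return findings

def syn_retransmits(text):
    """Return (flow, isn, count) for SYNs seen more than once with the same ISN,
    i.e. the client retrying after its first SYN was dropped."""
    counts = {}
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            k = (m["src"], m["dst"], m["seq"])
            counts[k] = counts.get(k, 0) + 1
    return [(s + ">" + d, seq, n) for (s, d, seq), n in counts.items() if n > 1]
```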


