PF "synproxy state" doesn't work on CARP IPs

Ermal Luçi eri at freebsd.org
Fri May 18 10:56:26 UTC 2012


On Wed, May 16, 2012 at 2:15 PM, Adam Strohl
<adams-freebsd at ateamsystems.com> wrote:
> Hello,
>
> I've noticed that when I use "synproxy state" on a rule and a connection
> comes in to an IP on a CARP interface the connection opens but never gets
> passed on to the process as it should.
>
> For example:
>
> pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
>
> Will work fine if I come in to a non-CARP IP.  The connection is accepted
> and then brokered to SSHd.
>
> However on the same machine with the same rule if I come in to a CARP'd IP
> it connects but hangs (not passed on to SSHd).
>
> If I remove the "synproxy state" portion the CARP test case works.
>
> I've done a bunch of flipping and testing and it seems that CARP IP + PF
> rule with "synproxy state" doesn't work -- the connection will be accepted
> but not passed on like it should.
>
> Is this known behaviour?  Is there a workaround?  Anything else anyone
> wants to know?
>

Yeah, it's known behaviour, though I am not sure there is a PR related to it.
I might have a solution but not sure when I can produce a patch for this.

Which FreeBSD version are you on? I thought that with the carp(4)
rearrangement of not using ifnets this solved itself?

> I've noticed this too: the physical interface seems to "include" the CARP
> interfaces associated with it.  That above rule I pasted applies to the CARP
> interface even though it's specifying "bce0" as the value for $ext_if (vs. a
> rule for "carp1", etc.).  Is that normal/expected?
>
> I did notice in the docs that "synproxy state" doesn't work with bridge
> interfaces, is a CARP interface maybe falling into this category?
>
> Any input/thoughts appreciated!
>
> P.S.
> Please be sure to CC me, I am not subscribed to the PF mailing list.
>
> --
>
> Adam Strohl
> A-Team Systems
> http://ateamsystems.com/
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"



-- 
Ermal
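The thread states two things a practitioner can act on while waiting for a patch: the CARP case works once "synproxy state" is dropped from the rule, and a rule on the physical interface ($ext_if) also matches traffic to the CARP addresses. The pf.conf fragment below is a constructed example added here, not a configuration posted in the thread or shipped with FreeBSD; the interface name and the addresses in $carp_vips are assumptions. It keeps SYN proxying for the interface's own addresses and falls back to ordinary stateful filtering only for the CARP-managed addresses, selecting by destination address rather than by "carp1" because of the interface behaviour Adam observed.

```pf
# Constructed example (not from the thread); interface and addresses are placeholders.
ext_if = "bce0"
carp_vips = "{ 192.0.2.10, 192.0.2.11 }"   # addresses carried by the CARP interface(s)

# Connections to the CARP addresses: plain stateful pass, no synproxy.
# Match on the destination address, not on "carp1": rules on the physical
# interface already see traffic to its CARP addresses, so an interface-based
# split would not separate the two cases.  "quick" stops evaluation here so
# the synproxy rule below cannot override this one (pf is last-match otherwise).
pass in quick on $ext_if proto tcp from any to $carp_vips port ssh flags S/SA keep state

# Everything else arriving on the physical interface keeps SYN proxying.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm with `pfctl -ss` that a connection to a CARP address produces a normal state entry and that one to a non-CARP address is still handled by the synproxy rule. The trade-off is that the CARP addresses lose SYN-flood protection from synproxy, so they should be covered by other limits (for example the state limits in "keep state" options) until the kernel-side fix Ermal mentions is available.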

