Packets passed by pf don't make it out?
Kristof Provost
kp at FreeBSD.org
Wed Oct 14 17:59:18 UTC 2020
On 14 Oct 2020, at 18:52, J David wrote:
> On 12 Oct 2020, at 23:48, Andreas Longwitz wrote:
>> pf gives this messages in debug mode (pfctl -x loud).
>
> Yes, with that setting I'm also seeing those messages.
>
> On Tue, Oct 13, 2020 at 5:35 PM Kristof Provost <kp at freebsd.org>
> wrote:
>> I see the same ‘stack key attach failed’ error message. My current
>> thinking is that we’re hitting a state collision, because post-RDR our
>> connection information is the same (192.168.14.10:23456
>> 192.168.14.100:12345). That means we can’t create a new state, and the
>> packet gets dropped.
>
> This is probably a dumb question because I know less than nothing
> about pf internals, but why wouldn't it match the existing state?
>
“It’s complicated”.
In essence, pf tracks both the pre- and post-translation tuple, so what
we’re seeing here is one of those conflicting with an existing session
and that’s causing the failure.
There’s good reason to do this, as we have to be able to match state
on both the pre-translation side (when processing LAN -> WAN traffic)
and post-translation (WAN -> LAN).
Best regards,
Kristof
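To make the dual-key bookkeeping Kristof describes concrete, here is a small Python model of a state table that indexes every state under both its pre-translation and its post-translation tuple. It is an added illustration, not pf's code: the naming of the two keys (pf's wire key as the pre-translation tuple and its stack key as the post-translation tuple for an inbound RDR connection), the two external addresses from the RFC 5737 documentation range, the rule labels and the failure strings are all assumptions or constructed values; only the client and server endpoints come from the thread. It shows why the second state cannot be attached and why the reply direction needs the post-translation key at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 5-tuple in the shape pf uses for a state key: (proto, src_addr, src_port, dst_addr, dst_port)
Key = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class State:
    pre: Key    # pre-translation tuple (what the untranslated packet carried)
    post: Key   # post-translation tuple (what the redirected LAN host sees)
    rule: str   # label for the rule that created the state (constructed)


def reverse(key: Key) -> Key:
    """Tuple of the reply direction: swap source and destination."""
    proto, sa, sp, da, dp = key
    return (proto, da, dp, sa, sp)


class StateTable:
    """Toy model of pf's dual-keyed state table. Assumption: direction flags,
    address families, shared-key optimisations and timeouts are left out."""

    def __init__(self) -> None:
        self.by_pre: Dict[Key, State] = {}
        self.by_post: Dict[Key, State] = {}

    def insert(self, st: State) -> Optional[str]:
        """Attach both keys; return None on success, or a reason string.
        The stack-key string follows the message quoted in the thread; the
        wire-key string is constructed by analogy."""
        if st.pre in self.by_pre:
            return "wire key attach failed"
        if st.post in self.by_post:
            # A second state whose post-translation tuple is already taken would make
            # reply lookups (which only see that tuple) ambiguous, so the insert fails.
            return "stack key attach failed"
        self.by_pre[st.pre] = st
        self.by_post[st.post] = st
        return None

    def match_forward(self, pkt: Key) -> Optional[State]:
        """Packet arriving untranslated: matched on the pre-translation key."""
        return self.by_pre.get(pkt)

    def match_reply(self, pkt: Key) -> Optional[State]:
        """Reply from the redirected host: only the post-translation tuple is
        visible, so the reversed tuple is matched against the post key."""
        return self.by_post.get(reverse(pkt))


def rdr_collision() -> List[Optional[str]]:
    """Constructed scenario: the same client source port reaches two external
    endpoints that two rdr rules both send to the same internal server:port."""
    tbl = StateTable()
    client = ("192.168.14.10", 23456)     # endpoints taken from the thread
    server = ("192.168.14.100", 12345)
    externals = [("203.0.113.1", 80), ("203.0.113.2", 80)]  # constructed, RFC 5737 range
    outcome: List[Optional[str]] = []
    for ext_addr, ext_port in externals:
        pre = ("tcp", client[0], client[1], ext_addr, ext_port)
        post = ("tcp", client[0], client[1], server[0], server[1])
        outcome.append(tbl.insert(State(pre, post, f"rdr {ext_addr}:{ext_port}")))
    return outcome


def reply_resolves() -> Optional[str]:
    """With one state in place, a reply from the server maps back to its rule."""
    tbl = StateTable()
    st = State(("tcp", "192.168.14.10", 23456, "203.0.113.1", 80),
               ("tcp", "192.168.14.10", 23456, "192.168.14.100", 12345),
               "rdr 203.0.113.1:80")
    tbl.insert(st)
    reply = ("tcp", "192.168.14.100", 12345, "192.168.14.10", 23456)
    found = tbl.match_reply(reply)
    return found.rule if found else None


if __name__ == "__main__":
    print(rdr_collision())   # [None, 'stack key attach failed']
    print(reply_resolves())  # rdr 203.0.113.1:80
```

The first insert succeeds because both of its keys are free; the second fails even though its pre-translation tuple is distinct, because after RDR it would share a post-translation tuple with the existing state, and a reply from 192.168.14.100:12345 to 192.168.14.10:23456 could then not be mapped back to exactly one state.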