PF, bridge, states and window scaling problem

Alupului Costin costin.alupului at gmail.com
Mon Nov 12 12:32:43 PST 2007 

Hello all,

I seem to have quite a problem with PF. I have set up a bridge to
shape my upstream traffic. I use ALTQ with hfsc discipline; but that's
not really important. My problem comes with the filter rules. I have
to use keep state because of the speed benefits (really I don't have a
choice), but PF has a problem when the clients passing traffic through
the bridge use TCP window scaling. Here is an example of four filter
rules that I thought should work to pass the traffic from one client
through the bridge and create a state:

pass in quick on vlan0 from any to anIP/32
pass out quick on vlan0 from anIP/32 to any keep state queue ul_client
pass in quick on vlan1 from anIP/32 to any
pass out quick on vlan1 from any to anIP/32 keep state queue dl_client

The above rules generate state-mismatches. I thought that would be
because pf doesn't see the SYN packet, although it does (one of the
out rules) and should create the state then... I tried writing all the
rules with keep state (even the inbound ones) but then nothing would
work at all. My intention was to create if-bound states, but I
switched back to floating states in the hope that pf would associate
the state created by an outbound rule with the traffic returning on
another interface of the bridge; still didn't work.

I have read the man page for if_bridge and set the following sysctl variables:

net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 1

I have also read some posts on the web that said that pf simply
doesn't have all the hooks necesary to do the filtering inbound and
outbound, but reading the pfil man page I seem to disaggree with that.

Has anyone encountered the same problem? And, more important: if i
give up the bridge setup and switch to routing, would that have any
effect? I.E: will I then be able to use keep state with the inbound
rules?

Any help at all would be hugely appreciated as I am trying for about a
week to sort out this problem and can't seem to get any closer. The
only solution was to kindly ask my clients using TCP window scaling
(Vista mostly) to turn off this feature... Now I am seriously
considering bumping my bridge to a router but I am not sure that the
problem will be solved then.

Oh, here is the setup of the bridge from rc.conf, although there
shouldn't be any problems there (the bridge works fine without pf, or
with pf stateless):

#
# Core:         em2 -> vlan1
# Border:       em1 -> vlan0
# Bridge0       vlan0 -><- vlan1
#
cloned_interfaces="bridge0 vlan0 vlan1"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_em2="up"
ifconfig_vlan0="vlan 132 vlandev em1 up"
ifconfig_vlan1="vlan 132 vlandev em2 up"
ifconfig_bridge0="addm vlan0 addm vlan1 up"
# Admin iface
ifconfig_em0="inet adminIP netmask 255.255.255.0"


Regards,
Costin Alupului

More information about the freebsd-questions mailing list