PF, bridge, states and window scaling problem
j65nko at gmail.com
Tue Nov 13 04:58:46 PST 2007
On Nov 12, 2007 9:08 PM, Alupului Costin <costin.alupului at gmail.com> wrote:
> Hello all,
> I seem to have quite a problem with PF. I have set up a bridge to
> shape my upstream traffic. I use ALTQ with hfsc discipline; but that's
> not really important. My problem comes with the filter rules. I have
> to use keep state because of the speed benefits (really I don't have a
> choice), but PF has a problem when the clients passing traffic through
> the bridge use TCP window scaling. Here is an example of four filter
> rules that I thought should work to pass the traffic from one client
> through the bridge and create a state:
> pass in quick on vlan0 from any to anIP/32
> pass out quick on vlan0 from anIP/32 to any keep state queue ul_client
> pass in quick on vlan1 from anIP/32 to any
> pass out quick on vlan1 from any to anIP/32 keep state queue dl_client
> The above rules generate state-mismatches. I thought that would be
> because pf doesn't see the SYN packet, although it does (one of the
> out rules) and should create the state then... I tried writing all the
> rules with keep state (even the inbound ones) but then nothing would
> work at all. My intention was to create if-bound states, but I
> switched back to floating states in the hope that pf would associate
> the state created by an outbound rule with the traffic returning on
> another interface of the bridge; still didn't work.
> I have read the man page for if_bridge and set the following sysctl variables:
> net.link.bridge.pfil_onlyip: 1
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.pfil_member: 1
> I have also read some posts on the web that said that pf simply
> doesn't have all the hooks necesary to do the filtering inbound and
> outbound, but reading the pfil man page I seem to disaggree with that.
> Has anyone encountered the same problem? And, more important: if i
> give up the bridge setup and switch to routing, would that have any
> effect? I.E: will I then be able to use keep state with the inbound
> Any help at all would be hugely appreciated as I am trying for about a
> week to sort out this problem and can't seem to get any closer. The
> only solution was to kindly ask my clients using TCP window scaling
> (Vista mostly) to turn off this feature... Now I am seriously
> considering bumping my bridge to a router but I am not sure that the
> problem will be solved then.
> Oh, here is the setup of the bridge from rc.conf, although there
> shouldn't be any problems there (the bridge works fine without pf, or
> with pf stateless):
> # Core: em2 -> vlan1
> # Border: em1 -> vlan0
> # Bridge0 vlan0 -><- vlan1
> cloned_interfaces="bridge0 vlan0 vlan1"
> ifconfig_vlan0="vlan 132 vlandev em1 up"
> ifconfig_vlan1="vlan 132 vlandev em2 up"
> ifconfig_bridge0="addm vlan0 addm vlan1 up"
> # Admin iface
> ifconfig_em0="inet adminIP netmask 255.255.255.0"
See "Create TCP states on the initial SYN packet" from
That paragraph explains nicely the necessity of pf to create state on
the first packet of the 3-way TCP handshake to prevent TCP window
More information about the freebsd-questions