State gets created, but traffic still gets dropped by "default deny"



Possibly due to asymmetric routing, PF is dropping the TCP SYN-ACK packet even though it's creating state for it:

    > sudo pfctl -s states | grep 10.254 | grep 5900
    re2 tcp 10.254.254.1:60421 <- 192.168.255.21:5900      ESTABLISHED:ESTABLISHED

Here are the rules that are supposed to allow this traffic (despite asymmetric routing, note the "flags any" and "sloppy"):

    @122(1445718212) pass in quick on re2 inet proto tcp from any to <tunnel:1> flags any keep state (sloppy) label "USER_RULE: Allow any 'any flags' TCP back to tunnel"
      [ Evaluations: 1003      Packets: 206      Bytes: 14588      States: 0    ]
      [ Inserted: pid 28997 State Creations: 18446735279115379024]
    @123(1436237525) pass in quick on re2 inet from <tunnel:1> to any flags S/SA keep state (sloppy) label "USER_RULE: Allow tunnel to any"
      [ Evaluations: 994      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 28997 State Creations: 18446735279115379048]
    @124(1436237528) pass in quick on re2 inet from any to <tunnel:1> flags S/SA keep state (sloppy) label "USER_RULE: Allow any back to tunnel"
      [ Evaluations: 994      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 28997 State Creations: 18446735279115379072]

where the tunnel network is defined as:

    table <tunnel> { 10.254.254.0/24 }
    tunnel = "<tunnel>"

but "tcpdump -nevvttt -i pflog0" is telling me rule 10 is dropping the traffic, where that is the default drop rule:

    @10(1000000104) block drop out log inet all label "Default deny rule IPv4"
      [ Evaluations: 3619      Packets: 64        Bytes: 3664        States: 0    ]
      [ Inserted: pid 28997 State Creations: 18446735279425450504]

and filterlog confirms that it's rule 10 indeed:

    Oct 24 14:39:04 netgate filterlog: 10,16777216,,1000000104,re2,match,block,out,4,0x0,,63,58543,0,DF,6,tcp,64,192.168.255.21,10.254.254.1,5900,60421,0,SA,1904620622,4004541663,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol

I'm almost certain that this used to work fine prior to 2.2.4-RELEASE.

In case it helps, I'm on 2.2.4-RELEASE (amd64) built on Sat Jul 25 19:59:52 CDT 2015 FreeBSD 10.1-RELEASE-p15.

Any thoughts on how to fix this?
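As an added example that is not part of the post above, the following Python script parses pfSense filterlog records and `pfctl -s states` lines like the ones quoted, and reports packets that were blocked even though a matching state entry exists, which is exactly the symptom described. The sample input is constructed to mirror the post's output (the first filterlog line is the one quoted; the second line, a UDP DNS flow passed on re1, is made up to show a record that is not flagged). The CSV field layout follows the pfSense filter log format (9 common fields, then the IPv4 or IPv6 header fields, then the TCP/UDP fields); the state parser handles only the plain two-endpoint form of pfctl output and rejects NAT'd states with a third endpoint.

```python
"""Triage helper (added example): parse pfSense filterlog records and pfctl -s states
output, then report packets that were blocked even though a matching state exists."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample input modelled on the post's output. The first filterlog line is the
# one quoted in the post; the second (a UDP DNS flow passed on re1) is made up to show a
# record that is not flagged.
FILTERLOG_LINES = [
    "Oct 24 14:39:04 netgate filterlog: 10,16777216,,1000000104,re2,match,block,out,4,"
    "0x0,,63,58543,0,DF,6,tcp,64,192.168.255.21,10.254.254.1,5900,60421,0,SA,"
    "1904620622,4004541663,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol",
    "Oct 24 14:39:05 netgate filterlog: 7,16777216,,1000000103,re1,match,pass,in,4,"
    "0x0,,64,1,0,DF,17,udp,60,192.168.1.50,8.8.8.8,40000,53,40",
]
STATE_LINES = ["re2 tcp 10.254.254.1:60421 <- 192.168.255.21:5900      ESTABLISHED:ESTABLISHED"]

Endpoint = Tuple[str, Optional[int]]
StateKey = Tuple[str, str, FrozenSet[Endpoint]]  # (interface, proto, unordered endpoints)


@dataclass(frozen=True)
class FilterEvent:
    rule: int            # rule number, @10 in the post
    tracker: str         # pfSense tracker id, 1000000104 in the post
    iface: str
    action: str          # "block" or "pass"
    direction: str       # "in" or "out"
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    tcp_flags: Optional[str]

    def endpoints(self) -> FrozenSet[Endpoint]:
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


def parse_filterlog(line: str) -> FilterEvent:
    """Parse one filterlog syslog line. The CSV record follows the pfSense filter log
    format: 9 common fields (rule, sub-rule, anchor, tracker, interface, reason, action,
    direction, IP version), then the IPv4 or IPv6 header fields, then the TCP/UDP fields
    (source port, destination port, data length, and for TCP the flags, seq, ack, ...)."""
    f = line.split("filterlog: ", 1)[1].strip().split(",")
    rule, tracker, iface, action, direction, ipver = int(f[0]), f[3], f[4], f[6], f[7], f[8]
    if ipver == "4":    # tos, ecn, ttl, id, offset, flags, proto id, proto text, length, src, dst
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipver == "6":  # class, flow label, hop limit, proto text, proto id, length, src, dst
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        raise ValueError(f"unexpected IP version field {ipver!r}")
    sport = dport = flags = None
    if proto in ("tcp", "udp"):
        sport, dport = int(rest[0]), int(rest[1])
        if proto == "tcp":
            flags = rest[3]  # "SA" for the SYN-ACK in the post
    return FilterEvent(rule, tracker, iface, action, direction, proto, src, dst, sport, dport, flags)


STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(<-|->)\s+(\S+)\s+(\S+)$")


def _split_endpoint(text: str) -> Endpoint:
    # "10.254.254.1:60421" -> ("10.254.254.1", 60421); "[2001:db8::1]:22" -> ("2001:db8::1", 22);
    # an IPv4 address with no port (e.g. an ICMP state) is returned with port None.
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        return (text, None)
    return (host.strip("[]"), int(port))


def parse_state(line: str) -> StateKey:
    """Parse the plain two-endpoint form of a pfctl -s states line (NAT'd states with a
    third endpoint are rejected). The arrow only records which side created the state;
    pf matches a state in both directions, so the endpoints are kept as an unordered set."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported state line: {line!r}")
    iface, proto, left, _arrow, right, _status = m.groups()
    return (iface, proto, frozenset({_split_endpoint(left), _split_endpoint(right)}))


def blocked_with_existing_state(filter_lines: Iterable[str],
                                state_lines: Iterable[str]) -> List[FilterEvent]:
    """Block events whose interface and 5-tuple match an existing state: the
    'state created, packet still dropped' symptom described in the post."""
    states = {parse_state(s) for s in state_lines if s.strip()}
    return [ev for ev in map(parse_filterlog, filter_lines)
            if ev.action == "block" and (ev.iface, ev.proto, ev.endpoints()) in states]


if __name__ == "__main__":
    for ev in blocked_with_existing_state(FILTERLOG_LINES, STATE_LINES):
        print(f"rule @{ev.rule} (tracker {ev.tracker}) blocked {ev.proto} {ev.direction} on {ev.iface}: "
              f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} flags={ev.tcp_flags}, but a state exists")
```

Run against the post's own lines, the script reports the SYN-ACK dropped by rule @10 (tracker 1000000104) on re2 out, with the matching re2 state already in the table. On a live box the same check can be fed with `clog /var/log/filter.log` and `pfctl -s states` output to confirm that the drop is a direction/interface mismatch rather than a missing state.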

