State gets created, but traffic still gets dropped by "default deny"
Possibly due to asymmetric routing, PF is dropping the TCP SYN-ACK packet even though it's creating state for it:

> sudo pfctl -s states | grep 10.254 | grep 5900
re2 tcp 10.254.254.1:60421 <- 192.168.255.21:5900 ESTABLISHED:ESTABLISHED

Here are the rules that are supposed to allow this traffic (despite asymmetric routing, note the "flags any" and "sloppy"):
@122(1445718212) pass in quick on re2 inet proto tcp from any to <tunnel:1> flags any keep state (sloppy) label "USER_RULE: Allow any 'any flags' TCP back to tunnel"
[ Evaluations: 1003 Packets: 206 Bytes: 14588 States: 0 ]
[ Inserted: pid 28997 State Creations: 18446735279115379024]
@123(1436237525) pass in quick on re2 inet from <tunnel:1> to any flags S/SA keep state (sloppy) label "USER_RULE: Allow tunnel to any"
[ Evaluations: 994 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: pid 28997 State Creations: 18446735279115379048]
@124(1436237528) pass in quick on re2 inet from any to <tunnel:1> flags S/SA keep state (sloppy) label "USER_RULE: Allow any back to tunnel"
[ Evaluations: 994 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: pid 28997 State Creations: 18446735279115379072]

where the tunnel network is defined as:

table <tunnel> { 10.254.254.0/24 }
tunnel = "<tunnel>"

but "tcpdump -nevvttt -i pflog0" is telling me rule 10 is dropping the traffic, where that is the default drop rule:
@10(1000000104) block drop out log inet all label "Default deny rule IPv4"
[ Evaluations: 3619 Packets: 64 Bytes: 3664 States: 0 ]
[ Inserted: pid 28997 State Creations: 18446735279425450504]

and filterlog confirms that it's rule 10 indeed:

Oct 24 14:39:04 netgate filterlog: 10,16777216,,1000000104,re2,match,block,out,4,0x0,,63,58543,0,DF,6,tcp,64,192.168.255.21,10.254.254.1,5900,60421,0,SA,1904620622,4004541663,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
I'm almost certain that this used to work fine prior to 2.2.4-RELEASE.
In case it helps, I'm on 2.2.4-RELEASE (amd64) built on Sat Jul 25 19:59:52 CDT 2015 FreeBSD 10.1-RELEASE-p15.
Any thoughts on how to fix this?
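As an added example (not from the post or from pfSense itself), here is a small Python parser for the two artifacts quoted above: the pfSense 2.2.x filterlog CSV record and the pfctl -s states line. It cross-checks whether the blocked packet carries the same 5-tuple as the existing state and reports which attributes (flow, interface, direction) agree, which is the check you want before blaming the default deny rule. The field order assumed for the CSV is the pfSense filterlog layout for IPv4/TCP records; the two sample lines are the ones from the post.

```python
import re

# Sample input taken from the post above: one filterlog record and one pfctl state line.
FILTERLOG_LINE = ('Oct 24 14:39:04 netgate filterlog: 10,16777216,,1000000104,re2,match,block,out,4,'
                  '0x0,,63,58543,0,DF,6,tcp,64,192.168.255.21,10.254.254.1,5900,60421,0,SA,'
                  '1904620622,4004541663,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol')
STATE_LINE = 're2 tcp 10.254.254.1:60421 <- 192.168.255.21:5900 ESTABLISHED:ESTABLISHED'

# Assumed pfSense filterlog CSV layout: common header, then the IPv4 header, then the TCP header.
COMMON = ['rulenr', 'subrulenr', 'anchor', 'tracker', 'iface', 'reason', 'action', 'dir', 'ipver']
IPV4 = ['tos', 'ecn', 'ttl', 'id', 'offset', 'flags', 'proto_id', 'proto', 'length', 'src', 'dst']
TCP = ['sport', 'dport', 'datalen', 'tcp_flags', 'seq', 'ack', 'window', 'urg', 'options']


def parse_filterlog(line):
    """Parse one syslog line from filterlog into a dict (IPv4 only, TCP fields when present)."""
    fields = line.split('filterlog: ', 1)[1].split(',')
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    if rec['ipver'] != '4':
        raise ValueError('only IPv4 records are handled in this example')
    rest = fields[len(COMMON):]
    rec.update(zip(IPV4, rest[:len(IPV4)]))
    if rec['proto'] == 'tcp':
        rec.update(zip(TCP, rest[len(IPV4):]))
    return rec


def parse_state(line):
    """Parse a 'pfctl -s states' line; 'a <- b' means the state was created by a packet from b to a."""
    m = re.match(r'(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(<-|->|<->)\s+(\S+):(\d+)\s+(\S+)', line)
    if not m:
        raise ValueError('unrecognised state line: %r' % line)
    iface, proto, left, lport, arrow, right, rport, status = m.groups()
    if arrow == '<-':  # inbound state: initiator is on the right-hand side
        src, sport, dst, dport = right, rport, left, lport
    else:
        src, sport, dst, dport = left, lport, right, rport
    return {'iface': iface, 'proto': proto, 'src': src, 'sport': sport, 'dst': dst,
            'dport': dport, 'dir': 'in' if arrow == '<-' else 'out', 'status': status}


def diagnose(log_rec, state):
    """Report how a blocked packet relates to an existing state: same flow, interface, direction."""
    key = ('proto', 'src', 'sport', 'dst', 'dport')
    return {
        'blocked': log_rec['action'] == 'block',
        'same_flow': all(log_rec[k] == state[k] for k in key),
        'same_iface': log_rec['iface'] == state['iface'],
        'same_dir': log_rec['dir'] == state['dir'],
    }


if __name__ == '__main__':
    print(diagnose(parse_filterlog(FILTERLOG_LINE), parse_state(STATE_LINE)))
```

For the post's data this reports the block and the state as the same flow on the same interface but in opposite directions (the state was created by an inbound packet, the drop is outbound), which is the detail worth carrying into the question of how rule 10 was reached.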