[Bug 274850] Packets are disappearing when both PF "divert-to" and "Dnpipe" rules are activated simultaneously
Date: Wed, 01 Nov 2023 14:07:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274850

            Bug ID: 274850
           Summary: Packets are disappearing when both PF "divert-to" and
                    "Dnpipe" rules are activated simultaneously
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: burak.sn@outlook.com
                CC: pf@FreeBSD.org

I am in the process of transitioning from IPFW's 'divert-to' to PF's 'divert-to'. Initially, I encountered a 'divert-to' loop problem, bug #272770, which has recently been resolved by @igor.ostapenko and @kp. Thanks for your work.

I manually applied your 'fix pf divert-to' loop patch to FreeBSD 14.0 RC2, as shown below:

https://reviews.freebsd.org/rGfabf705f4b5aff2fa2dc997c2d0afd62a6927e68
https://reviews.freebsd.org/rGc1146e6ad67fb866c2472a1cbe5609fd939fd5ef

When I loaded only the 'divert' rules shown below, everything worked as expected, and traffic flowed smoothly without any issues:

# divert rules
pass in log quick proto udp from any to port { 53 } divert-to 127.0.0.1 port 1234
pass in log quick proto tcp from any to port { 80 443 } divert-to 127.0.0.1 port 1234

However, when I added the 'dnpipe' rules below and reloaded the pf.conf using 'pfctl -e -f /etc/pf.conf', all traffic related to ports 53, 80, and 443 disappeared. Subsequently, when I removed 'dnpipe 1001' and 'dnpipe 1' from the 'dnpipe' rules and reloaded the pf.conf, traffic began to flow as expected.

Thanks for your assistance in this matter.

# dnpipe limiter rules
ether pass in quick from ac:bc:aa:9c:32:09 l3 all tag captiveportal_auth_igb3 dnpipe 1001
ether pass out quick to ac:bc:aa:9c:32:09 l3 all tag captiveportal_auth_igb3 dnpipe 1