[Bug 215041] [pf] Handshake to certain (fixed) hosts is dropped

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Dec 4 12:37:48 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215041

            Bug ID: 215041
           Summary: [pf] Handshake to certain (fixed) hosts is dropped
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: bsd at ddh.de1.cc
                CC: freebsd-amd64 at FreeBSD.org

Created attachment 177653
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=177653&action=edit
Captures from internal interfaces, external interface, and PF

(The same behavior was observed on 10.3-RELEASE, but remained unchanged after
upgrading to 11-RELEASE)

I am running a bridge configured as follows:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm re0 SYNCDHCP"
ifconfig_em0="up -tso" # Internal interface
ifconfig_re0="up -tso" # External interface, connecting to NAT router

And this extremely minimal firewall config:

pass log all

The issue is that while PF is running, a host connected to the internal
interface attempting to connect to 185.60.115.40:443 (something related to the
login of Blizzard's battle.net service) will not receive a response to the
initial SYN packet, see em0.pcap in the attached zip. However, on the external
interface (see re0.pcap) the SYN/ACKs do plainly show up, both for the initial
SYN and the retries. The logs of PF itself align with the view of the internal
interface, the SYN/ACKs do not show up at all:

00:00:00.000000 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56465 > 185.60.115.40.443: Flags [S], seq 1914506337, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000058 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56465 > 185.60.115.40.443: Flags [S], seq 1914506337, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.250999 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56467 > 185.60.115.40.443: Flags [S], seq 2119186033, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000059 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56467 > 185.60.115.40.443: Flags [S], seq 2119186033, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Disabling PF via "pfctl -d" instantly makes the problem disappear, "pfctl -e"
makes it reappear just as reliably, so the issue definitely seems to be linked
to PF and not a general networking or hardware/driver problem.

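The diagnosis above rests on comparing what pflog records against what the interfaces actually saw: client SYNs are logged, the SYN/ACKs for one destination never are. The script below is an added example (it is not part of the bug report or of FreeBSD) that automates that comparison over tcpdump-formatted pflog output: it pairs every logged client SYN with a logged SYN/ACK in the reverse direction and reports destinations whose handshakes are never answered in the log. The first four sample lines are the ones from the report; the flow to 203.0.113.10 (a documentation address) is constructed so that the script has an answered handshake to contrast against.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output on pflog0. The 185.60.115.40 lines are the
# ones from the report (joined onto single lines); the 203.0.113.10 flow is made up
# and does receive its SYN/ACK, so the script can tell the two cases apart.
SAMPLE_LOG = """\
00:00:00.000000 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56465 > 185.60.115.40.443: Flags [S], seq 1914506337, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000058 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56465 > 185.60.115.40.443: Flags [S], seq 1914506337, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.250999 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56467 > 185.60.115.40.443: Flags [S], seq 2119186033, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000059 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56467 > 185.60.115.40.443: Flags [S], seq 2119186033, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.100000 rule 0..16777216/0(match): pass in on re0: 192.168.0.186.56470 > 203.0.113.10.443: Flags [S], seq 1000, win 8192, options [mss 1460], length 0
00:00:00.000050 rule 0..16777216/0(match): pass out on bridge0: 192.168.0.186.56470 > 203.0.113.10.443: Flags [S], seq 1000, win 8192, options [mss 1460], length 0
00:00:00.020000 rule 0..16777216/0(match): pass in on re0: 203.0.113.10.443 > 192.168.0.186.56470: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
00:00:00.000040 rule 0..16777216/0(match): pass out on bridge0: 203.0.113.10.443 > 192.168.0.186.56470: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
"""

# One tcpdump pflog line: timestamp, rule reference, action, direction,
# interface, "src.port > dst.port", and the TCP flag string in brackets.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) rule (?P<rule>\S+): (?P<action>pass|block) (?P<dir>in|out) on '
    r'(?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]'
)


def split_endpoint(text):
    """Split tcpdump's 'host.port' into (host, port); the last dot separates the port,
    which also works for IPv6 literals since those contain colons, not dots."""
    host, port = text.rsplit('.', 1)
    return host, int(port)


def parse_pflog(text):
    """Yield one dict per parseable line; non-matching lines (e.g. UDP) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            'action': m['action'],
            'dir': m['dir'],
            'ifname': m['ifname'],
            'src': split_endpoint(m['src']),
            'dst': split_endpoint(m['dst']),
            'flags': m['flags'],
        }


def handshake_stats(text):
    """Per destination endpoint, return (distinct client SYNs logged, how many of
    those SYNs also had a SYN/ACK logged in the reverse direction)."""
    syns = {}        # (client, server) -> True; dedups the in/out copies of one packet
    synacks = set()  # (client, server) keys built from the reversed SYN/ACK tuple
    for pkt in parse_pflog(text):
        if pkt['action'] != 'pass':
            continue
        if pkt['flags'] == 'S':
            syns.setdefault((pkt['src'], pkt['dst']), True)
        elif pkt['flags'] == 'S.':
            synacks.add((pkt['dst'], pkt['src']))
    stats = defaultdict(lambda: [0, 0])
    for flow in syns:
        server = flow[1]
        stats[server][0] += 1
        if flow in synacks:
            stats[server][1] += 1
    return {server: tuple(counts) for server, counts in stats.items()}


def silent_destinations(text):
    """Destinations for which no logged SYN was ever answered by a logged SYN/ACK."""
    return sorted(server for server, (sent, answered) in handshake_stats(text).items()
                  if answered == 0)


if __name__ == '__main__':
    for server, (sent, answered) in sorted(handshake_stats(SAMPLE_LOG).items()):
        print(f"{server[0]}:{server[1]}  syn={sent}  syn/ack={answered}")
    print("never answered in pflog:", silent_destinations(SAMPLE_LOG))
```

Run against a real capture with something like `tcpdump -n -e -ttt -r pflog.pcap | python3 script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. Because the same packet is logged twice on a bridge (in on the member, out on bridge0), flows are keyed on the 4-tuple rather than counted per line; a destination that shows up with `syn/ack=0` in pflog but whose SYN/ACKs are visible in the external interface capture is exactly the symptom reported here.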