Packets passed by pf don't make it out?
Kristof Provost
kp at FreeBSD.org
Wed Oct 14 19:20:26 UTC 2020
On 14 Oct 2020, at 21:16, J David wrote:
> On Wed, Oct 14, 2020 at 1:59 PM Kristof Provost <kp at freebsd.org>
> wrote:
>> There’s good reason to do this, as we have to be able to match state
>> on both the pre-translation side (when processing LAN -> WAN traffic)
>> and post-translation (WAN -> LAN).
>
> So, basically, pf would need separate states for each pre-redirect
> destination address in order to have the information needed to map the
> reply packet back to the original destination address.
>
> But even if pf did that, the problem does not go away. It just moves
> to the reply packet coming back with only the post-redirect info.
> That info matches multiple states, leaving pf no way to pick the right
> one.
>
> Is that about right?
>
Pretty much, I think.
I’ve not dug very deep yet, but I wonder if we shouldn’t have to
teach pf to change the source port to avoid conflicting states in the
first place.
It’s a non-trivial problem in any case.
Regards,
Kristof
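A small Python model of the state-keying problem discussed in this exchange, added here as an illustration (constructed example, not pf's code): one client socket sends to two different destinations that the same rdr rule maps onto one host, first with pf keying only on the addresses and ports as they arrive, then with the source-port rewrite floated in the reply. The addresses, ports and the ephemeral range are made up.

```python
from dataclasses import dataclass
from typing import List, Tuple

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport), as pf keys a state

@dataclass
class State:
    pre: Key   # tuple before rdr, seen on the LAN side
    post: Key  # tuple after rdr, seen by the redirected-to host

class RdrStateTable:
    """Toy model of pf state creation and lookup for one rdr rule (constructed)."""

    def __init__(self, rdr_to: str, rewrite_sport: bool = False):
        self.rdr_to = rdr_to                # constructed: everything is redirected here
        self.rewrite_sport = rewrite_sport  # the change floated in the reply above
        self.states: List[State] = []
        self._next_port = 50000             # constructed ephemeral range

    def lan_to_wan(self, src: str, sport: int, dst: str, dport: int) -> State:
        """LAN -> WAN: match on the pre-translation tuple, else create state."""
        pre = (src, sport, dst, dport)
        for st in self.states:
            if st.pre == pre:
                return st
        new_sport = sport
        if self.rewrite_sport:
            new_sport, self._next_port = self._next_port, self._next_port + 1
        st = State(pre, (src, new_sport, self.rdr_to, dport))
        self.states.append(st)
        return st

    def wan_to_lan(self, src: str, sport: int, dst: str, dport: int) -> List[State]:
        """WAN -> LAN: the reply carries only post-translation info; all matches returned."""
        return [st for st in self.states if st.post == (dst, dport, src, sport)]

def demo(rewrite_sport: bool) -> List[str]:
    """Client 192.0.2.10:4242 queries two resolvers, both rdr'd to 10.0.0.1:53.
    Returns the original destination restorable per reply, or 'ambiguous'."""
    tbl = RdrStateTable("10.0.0.1", rewrite_sport)
    flows = [tbl.lan_to_wan("192.0.2.10", 4242, res, 53)
             for res in ("198.51.100.1", "203.0.113.1")]
    restored = []
    for st in flows:
        c_ip, c_port, h_ip, h_port = st.post
        matches = tbl.wan_to_lan(h_ip, h_port, c_ip, c_port)  # reply from the host
        restored.append(matches[0].pre[2] if len(matches) == 1 else "ambiguous")
    return restored
```

Without the rewrite both replies look identical on the post-translation side and match two states; with it each reply maps back to exactly one original destination.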