PF pf rule not working after upgrade to 14.0

Hello everyone,
I upgraded my 13.2 server to 14.0 and my pf ruleset, which worked on 13.2, does not work on 14.0.

The relevant parts of my pf.conf:

Code:
ext_if="em0"
int_if="bridge0"
loc_if="bridge1"

ext_nat_ip="192.168.0.2"

set block-policy return
set skip on lo0

scrub in fragment reassemble

table <local4> { 192.168.168.0/24 }
table <global4> { 192.168.0.0/24 }
table <local6> { 2a02:abcd:abcd:abcd::b:0/80 }
table <global6> { 2a02:abcd:abcd:abcd::/64 }

nat on $int_if from <local4> to any -> $ext_nat_ip

pass out quick all keep state
block in log all

pass in quick proto tcp from any to any port 22

pass in quick from <local4> to <local4>
pass in quick from <global4> to <global4>
pass in quick from <local6> to <local6>
pass in quick from <global6> to <global6>

pass in quick on $loc_if from <local4> to any
pass in quick on $int_if from <local4> to any
pass in quick on $int_if from <global4> to any
pass in quick on $int_if from <local6> to any
pass in quick proto {icmp,icmp6} all

pass in quick on $int_if proto udp from any port 68 to any port 67

# permit from reverse-proxy
pass in quick proto { tcp, udp } from 2a01:cafe:cafe:cafe::1 to 2a02:abcd:abcd:abcd::b:13 port { 80, 443 }

The last line does not work on FreeBSD 14.
Output of tcpdump -eni pflog0:

Code:
08:26:58.464596 rule 1/0(match): block in on bridge0: (flowlabel 0x7585f, hlim 64, next-header TCP (6) payload length: 40) 2a02:abcd:abcd:abcd::b:13.443 > 2a01:cafe:cafe:cafe::1.33938: Flags [S.], cksum 0xc0cd (correct), seq 3902232671, ack 1010581279, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2104420701 ecr 2820431685], length 0
08:26:59.203884 rule 1/0(match): block in on bridge0: (flowlabel 0xb59b6, hlim 64, next-header TCP (6) payload length: 40) 2a02:abcd:abcd:abcd::b:13.443 > 2a01:cafe:cafe:cafe::1.55643: Flags [S.], cksum 0xa838 (correct), seq 25909686, ack 437341616, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 4033301218 ecr 2418040799], length 0
08:26:59.204546 rule 1/0(match): block in on bridge0: (flowlabel 0x1363a, hlim 64, next-header TCP (6) payload length: 40) 2a02:abcd:abcd:abcd::b:13.443 > 2a01:cafe:cafe:cafe::1.34303: Flags [S.], cksum 0x3b5e (correct), seq 2381395514, ack 1194391136, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2791648540 ecr 371049255], length 0
 
The direction of packets in the tcpdump (in from 2a02:*.443 to a destination in 2a01:*) is opposite the rule you've got.

There were some changes noted in the release notes for 14.0 wrt. pf and bridge filters. Not sure if that would explain 13/14 differences here, but it's in the neighborhood.
 
The direction of packets in the tcpdump (in from 2a02:*.443 to a destination in 2a01:*) is opposite the rule you've got.
This is the part I didn't understand. The rule and direction should be correct. The tcpdump shows that it is the other direction that is blocked. I tried adding another rule for the other direction but it didn't make any difference.
There were some changes noted in the release notes for 14.0 wrt. pf and bridge filters. Not sure if that would explain 13/14 differences here, but it's in the neighborhood.
Thanks for pointing that out. Despite reading the release notes, I somehow missed it. A
Code:
sysctl net.link.bridge.pfil_bridge=1
made it work again.
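Added example, not from the thread: a small POSIX sh/awk helper that summarises `tcpdump -eni pflog0` output the way the reply above reads it, so the blocked leg (action, direction, interface, sender, TCP flags) is visible at a glance instead of being buried in sequence numbers and options. It assumes the default pflog line format shown above; the sample lines are the three from the thread with the trailing TCP options trimmed.

```shell
#!/bin/sh
# Constructed sample: the pflog lines from the thread above, options trimmed.
PFLOG_SAMPLE='08:26:58.464596 rule 1/0(match): block in on bridge0: (flowlabel 0x7585f, hlim 64, next-header TCP (6) payload length: 40) 2a02:abcd:abcd:abcd::b:13.443 > 2a01:cafe:cafe:cafe::1.33938: Flags [S.], cksum 0xc0cd (correct), seq 3902232671, ack 1010581279, win 65535, length 0
08:26:59.203884 rule 1/0(match): block in on bridge0: (flowlabel 0xb59b6, hlim 64, next-header TCP (6) payload length: 40) 2a02:abcd:abcd:abcd::b:13.443 > 2a01:cafe:cafe:cafe::1.55643: Flags [S.], cksum 0xa838 (correct), seq 25909686, ack 437341616, win 65535, length 0
08:26:59.204546 rule 1/0(match): block in on bridge0: (flowlabel 0x1363a, hlim 64, next-header TCP (6) payload length: 40) 2a02:abcd:abcd:abcd::b:13.443 > 2a01:cafe:cafe:cafe::1.34303: Flags [S.], cksum 0x3b5e (correct), seq 2381395514, ack 1194391136, win 65535, length 0'

# One line per distinct (action, direction, interface, sender:port, receiver, flags),
# prefixed with how often it was seen. The receiver's ephemeral port is dropped so
# retries of the same connection collapse into one row.
summarize_pflog() {
    printf '%s\n' "$1" | awk '
        {
            action = $4; dir = $5; iface = $7; sub(/:$/, "", iface)
            src = ""; dst = ""; flags = "-"
            for (i = 8; i <= NF; i++) {
                # the "src > dst:" pair sits after the header parentheses
                if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
                # "[S.]," -> "S."  (S. = SYN+ACK, i.e. the reply leg of a handshake)
                if ($i == "Flags") { flags = $(i + 1); gsub(/[][,]/, "", flags) }
            }
            sub(/:$/, "", dst)
            sub(/\.[0-9]+$/, "", dst)
            print action, dir, "on", iface, src, "->", dst, flags
        }' | sort | uniq -c | sed 's/^ *//'
}

# Count blocked SYN+ACKs: a non-zero value means the *return* half of a TCP
# handshake is being dropped, not the inbound request the pass rule was written for.
count_blocked_synack() {
    printf '%s\n' "$1" | awk '$4 == "block" && /Flags \[S\.\]/ { n++ } END { print n + 0 }'
}

summarize_pflog "$PFLOG_SAMPLE"
echo "blocked SYN+ACK packets: $(count_blocked_synack "$PFLOG_SAMPLE")"
```

Run it against a live capture with `tcpdump -lnei pflog0 | ...` or a saved text file; the summary line shows the blocked packets leaving 2a02:...:b:13 port 443 toward 2a01:...:1, the opposite of the pass rule's direction.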
 