PF synproxy broken in 11-STABLE

gustopn

Member

Thanks: 2
Messages: 48

#1
So, while updating lately to FreeBSD 11.2-STABLE #8 r336299: Sun Jul 15 03:39:01 CEST 2018
I noticed that I can reproduce the synproxy failure. I see that they have been fiddling around with this in 12 and that they seemed to fix it (MAYBE, I have not tested that yet).
Connections get stuck on PROXY:DST until they time out.
However, it luckily works sometimes, so that I could SSH into my server. And for now I am first going to change that to keep state.

Looks like there was a bug report before:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229477
and of course the commit log:
https://freshbsd.org/commit/freebsd/r336275
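A way to see the stuck states described above, written out as an added example that is not part of this post: the synproxy rule next to the keep state fallback, and a small check over "pfctl -ss" output that counts states parked in PROXY:DST. The interface name em0, port 22 and the sample state lines are constructed for illustration; the state listing layout is assumed from FreeBSD's pfctl output.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes FreeBSD pf and the
# "ifname proto src <- dst   STATE:STATE" layout of "pfctl -ss" output.
# Interface em0, port 22 and the sample state lines are constructed.

# The rule under discussion, and the fallback the OP switched to.
# synproxy state: pf answers the client's SYN itself and only opens the
# connection to the server once the client's handshake has completed.
# keep state: the SYN is passed through and pf just tracks the connection.
SYNPROXY_RULE='pass in on em0 proto tcp to (em0) port 22 flags S/SA synproxy state'
KEEPSTATE_RULE='pass in on em0 proto tcp to (em0) port 22 flags S/SA keep state'

# Emit a minimal ruleset using one of the two variants (argument: synproxy|keep).
pf_ruleset() {
    case "$1" in
        synproxy) rule="$SYNPROXY_RULE" ;;
        keep)     rule="$KEEPSTATE_RULE" ;;
        *) echo "usage: pf_ruleset synproxy|keep" >&2; return 1 ;;
    esac
    printf 'set skip on lo0\nblock in on em0\n%s\n' "$rule"
}

# Count states whose TCP state pair is PROXY:DST, i.e. synproxy states where
# the client side finished the handshake but the proxied connection to the
# server never completed. Reads "pfctl -ss" text on stdin, prints a number.
count_stuck_synproxy() {
    awk '$NF == "PROXY:DST" { n++ } END { print n + 0 }'
}

# Constructed sample of "pfctl -ss" output: two stuck states, one healthy.
SAMPLE_STATES='all tcp 192.0.2.10:22 <- 198.51.100.5:51234       PROXY:DST
all tcp 192.0.2.10:22 <- 198.51.100.6:40112       PROXY:DST
all tcp 192.0.2.10:22 <- 198.51.100.7:40113       ESTABLISHED:ESTABLISHED'

stuck_in_sample() {
    printf '%s\n' "$SAMPLE_STATES" | count_stuck_synproxy
}

# On the firewall itself (not executed here):
#   pf_ruleset synproxy | pfctl -f -
#   pfctl -ss | count_stuck_synproxy     # non-zero and growing = the symptom
```

A healthy synproxy connection passes through PROXY:SRC and PROXY:DST quickly and then sits in ESTABLISHED:ESTABLISHED, so a count of PROXY:DST states that keeps growing while clients hang is the thing to watch for; with the keep state variant no PROXY states appear at all.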
 
gustopn (OP)

#2
OK, I tested the latest 12, and synproxy seems to work now there; it would be nice to move these changes to 11-stable.
 
gustopn (OP)

#6
FreeBSD 11.2-STABLE #9 r336597
here, and I can NOT confirm working synproxy.
It seems to be still broken.
Furthermore, set skip on lo does not work; it needs set skip on lo0 for pf not to firewall on localhost.
 

mickey

Well-Known Member

Thanks: 63
Messages: 376

#7
gustopn wrote:
> Furthermore, set skip on lo does not work; it needs set skip on lo0 for pf not to firewall on localhost.
I stumbled upon that one too. I had set skip on lo in my pf.conf for quite some time. Then, after upgrading to releng 11.2 and rebooting the machine, I noticed there were packets dropped on the lo0 interface. This stopped when I manually reloaded the pf.conf, well, at least until the next reboot. Ultimately I had to change set skip on lo to set skip on lo0.
 
gustopn (OP)

#8
mickey wrote:
> I stumbled upon that one too. I had set skip on lo in my pf.conf for quite some time. Then, after upgrading to releng 11.2 and rebooting the machine, I noticed there were packets dropped on the lo0 interface. This stopped when I manually reloaded the pf.conf, well, at least until the next reboot. Ultimately I had to change set skip on lo to set skip on lo0.
see
 
gustopn (OP)

#9
Actually it is worse, because on 11-stable I can safely test it by turning set skip on lo0 and lo on and off: it drops on lo and doesn't filter on lo0.
 

mickey

#10
gustopn wrote:
> Actually it is worse, because on 11-stable I can safely test it by turning set skip on lo0 and lo on and off: it drops on lo and doesn't filter on lo0.
With set skip on lo, which is the interface group, it is not supposed to perform filtering on any lo[0-9]+ interface.
 
gustopn (OP)

#12
And this is still the case in 11.2-RELEASE-p4.
There pf still fails to match groups when used in set skip on.
 

Kristof Provost

Member
Developer

Thanks: 16
Messages: 23

#13
Yes, that's right. The fix is on stable/11, but that was done after releng/11.2 was branched. That means the fix is not in 11.2 at any update level.
It'll be in 12.0 and 11.3 when that's created.
 
gustopn (OP)

#14
Not quite right. I was just checking 11-STABLE and 12-BETA1, and maybe they fixed the SYNPROXY problem, but not the set skip on group.
Even 12-BETA1 is not able to do set skip on lo, and it must be written out with set skip on lo0 ... etc. for each interface.
 

Kristof Provost

#15
PR 229241 lists it as fixed, and there's a test in /usr/tests/sys/netpfil/pf/set_skip.
If something's still broken a basic test case (ideally as a patch to the existing test) would be very helpful in getting that fixed.
 
gustopn (OP)

#16
Well, my basic test is to put in "set skip on lo" and try to resolve a host over "host fb.com ::1", and it will fail, while with "set skip on lo0" it will work.
But it is also possible that "set skip on lo" works when pf gets enabled, while it surely does not work when reloaded (pfctl -f /etc/pf.conf).
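The check in this post, written out as an added example (not from the thread and not from the FreeBSD test suite): a ruleset that takes either the group name or the explicit interface, the loopback resolve probe from above, and a parser for "pfctl -sI -v" output that lists which interfaces pf actually flagged as skipped, so the group-vs-interface difference can be read off directly after a first load and again after a reload. The sample interface listing is constructed, and the "name (skip)" marker format is assumed from pfctl's verbose interface output.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes FreeBSD pf, that "pfctl -sI -v"
# prints a skipped interface as "lo0 (skip)" followed by indented counters,
# and a resolver listening on ::1 (the OP uses unbound). Sample data constructed.

# Minimal ruleset that filters everything except what the skip line exempts.
# Argument: "lo" (the interface group) or "lo0" (the explicit interface).
pf_skip_ruleset() {
    printf 'set skip on %s\nblock all\n' "$1"
}

# From "pfctl -sI -v" output on stdin, print the names pf marked as skipped.
# With "set skip on lo" working, lo0 must show up here; if only "lo" does,
# the group was not expanded to its member interfaces.
skipped_ifaces() {
    awk '$2 == "(skip)" { print $1 }'
}

# Constructed sample of "pfctl -sI -v" after loading "set skip on lo0".
SAMPLE_IFACES='all
    Cleared:     Tue Jul 17 10:00:00 2018
em0
    Cleared:     Tue Jul 17 10:00:00 2018
    In4/Pass:    [ Packets: 10 Bytes: 800 ]
lo
    Cleared:     Tue Jul 17 10:00:00 2018
lo0 (skip)
    Cleared:     Tue Jul 17 10:00:00 2018
    In6/Pass:    [ Packets: 0 Bytes: 0 ]'

# Space-separated list of skipped names in the sample (expected: just lo0).
skipped_in_sample() {
    printf '%s\n' "$SAMPLE_IFACES" | skipped_ifaces | tr '\n' ' ' | sed 's/ $//'
}

# The probe from the post: a lookup that has to travel over loopback.
resolve_over_loopback() {
    host fb.com ::1 >/dev/null 2>&1
}

# Full procedure on the firewall (not executed here). Run it once after
# "pfctl -e" and once more after a reload to catch the load-vs-reload case.
#   for target in lo lo0; do
#       pf_skip_ruleset "$target" | pfctl -f -
#       printf '%s: skipped=%s ' "$target" "$(pfctl -sI -v | skipped_ifaces | tr '\n' ',')"
#       resolve_over_loopback && echo resolve=ok || echo resolve=FAIL
#   done
```

The interesting outcome is the pair of lines for "lo": if lo0 is absent from the skipped list while the resolve fails, pf dropped the loopback traffic because the group never expanded, which is the behaviour this thread is about; if lo0 is listed and the resolve still fails, the problem is somewhere else in the ruleset.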
 
gustopn (OP)

#19
Heh, you are right, IT DOES NOT happen for PING6; however, it DOES happen with UDP (I assume all of it). I am testing with unbound.
And YAY, I also got a CORE DUMP on 12-BETA2!!! Care to see? Where can I upload it?
 