Henning Brauer wrote:
* Bryan S. Leaman <[email protected]> [2009-11-13 01:12]:
I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and I came across an issue that seems like a problem in the way
"tagged" rules are handled.  It's breaking ftp-proxy with tagging when I
try to apply additional rules to the tagged packets.  The result is that I
can login to an FTP server but the inbound data connection seems to get
lost--I don't get a passed or blocked packet in the pf log and the data
connection fails to establish.

If I remove my "tagged <TAGNAME>" rules, then everything works fine but
then I can't use the tags to do further processing of these packets.
Here are the anchor rules generated by ftp-proxy:

# pfctl -sA -v
  ftp-proxy
  ftp-proxy/16553.9
# pfctl -v -a ftp-proxy/16553.9 -sr
pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port =
54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21
port 47008
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 16553 State Creations: 0     ]
pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008
flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 16553 State Creations: 0     ]

hrm. ftp-proxy would need to use match instead of pass in that case.

Can you please elaborate on this? I know the ftp-proxy code already suppresses the "quick" keyword when using the tagging option, so wouldn't that be sufficient for pf to continue processing the packet with the additional "tagged FTPPROXY" rule? In previous releases I was able to use "pass out" and then later a "pass out quick" to match what was passed by the previous rule. Is this handled differently with the new nat/rdr changes in -current or am I misunderstanding something? It's working for the first ftp-proxy rule (pass in), but not the second (pass out). Thanks!
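As an added illustration of Henning's point (not text from the thread and not ftp-proxy's own output): the two anchor rules from the pfctl listing above rewritten with match instead of pass, followed by the main-ruleset rule that acts on the tag. The flags/state options and the (max 1) limit of the original rules are left off the match lines and a plain keep state is placed on the pass rule; in practice ftp-proxy itself would have to emit match rules, since it installs them in its anchor at run time.

```pf
# Added example, not from the thread or from ftp-proxy. Addresses, ports and
# the anchor name are taken from the pfctl -sr listing in the thread.

# What the dynamic rules in anchor ftp-proxy/16553.9 would look like as
# match rules. A match rule does not decide pass/block; it only attaches
# its options (tag, rtable, rdr-to/nat-to) to the packet, and those stay
# attached when a later pass rule wins. With pass rules instead, the
# later "pass out quick tagged" rule would replace the proxy rule's
# options, including the nat-to, which is the behaviour described above.
match in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port 54237 \
      tag FTPPROXY rtable 0 rdr-to 10.0.1.21 port 47008
match out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port 47008 \
      tag FTPPROXY rtable 0 nat-to 192.168.99.237

# Main ruleset: load the proxy anchor, then pass whatever it tagged.
# The pass rule supplies the final verdict and the state; the translation
# set by the match rules is still applied to the connection.
anchor "ftp-proxy/*"
pass in  quick log tagged FTPPROXY flags S/SA keep state
pass out quick log tagged FTPPROXY flags S/SA keep state
```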
