From nobody@FreeBSD.org  Fri Mar 16 14:58:51 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2848116A404
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 16 Mar 2007 14:58:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 0CF9B13C465
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 16 Mar 2007 14:58:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l2GEwoPm050644
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 16 Mar 2007 14:58:50 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l2GEwofh050643;
	Fri, 16 Mar 2007 14:58:50 GMT
	(envelope-from nobody)
Message-Id: <200703161458.l2GEwofh050643@www.freebsd.org>
Date: Fri, 16 Mar 2007 14:58:50 GMT
From: Alejandro Gramajo<agramajo@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: parameter syncpeer only works if ip address is backwards
X-Send-Pr-Version: www-3.0

>Number:         110393
>Category:       kern
>Synopsis:       [pf] parameter syncpeer only works if ip address is backwards
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 16 15:00:15 GMT 2007
>Closed-Date:    Fri Mar 16 16:05:37 GMT 2007
>Last-Modified:  Fri Mar 16 16:05:37 GMT 2007
>Originator:     Alejandro Gramajo
>Release:        6.1-RELEASE
>Organization:
BAICOM Networks
>Environment:
FreeBSD fleni-fw2.fleni 6.1-RELEASE FreeBSD 6.1-RELEASE #2: Fri Sep 22 14:47:51 ART 2006     root@fleni-fw.16.1.27:/usr/src/sys/i386/compile/MYKERNEL  i386

>Description:
2 firewalls with 3 ethernet interfaces.
  - rl0 (wan / internet)
  - re0 (dmz) [ fw1: 172.21.0.101  fw2: 172.21.0.102 ]
  - re1 (lan)

2 virtual interfaces
  - carp0 (dmz gateway)
  - carp1 (lan gateway)

Pfsync
  - syncdev re0
  - for fw1 set syncpeer 172.21.0.102
  - for fw2 set syncpeer 172.21.0.101

When I set the syncpeer parameter of pfsync0, it does not work,
because it tries to connect to the internet, to the backwards IP address.

FW2 (the master)
# ifconfig pfsync0 syncdev re0 syncpeer 172.21.0.101
# ifconfig pfsync0
pfsync0: flags=0<> mtu 1348
        pfsync: syncdev: re0 syncpeer: 172.21.0.101 maxupd: 128

You can see the tcpdump's output (rl0 is the ethernet for wan connections)

# tcpdump -n -c 3 -i rl0 proto pfsync
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
11:32:52.187251 IP 200.41.236.244 > 101.0.21.172:  pfsync 532
11:32:52.232685 IP 200.41.236.244 > 101.0.21.172:  pfsync 180
11:32:52.232696 IP 200.41.236.244 > 101.0.21.172:  pfsync 452
3 packets captured
198 packets received by filter
0 packets dropped by kernel

FW1 has exactly the same behaviour.

And another problem that I observe here is the syncdev parameter.
What parameter is more important to decide

I only found one reference to this apparent bug, and with no answer.
http://lists.freebsd.org/pipermail/freebsd-pf/2006-April/002084.html

>How-To-Repeat:
FW2:
# ifconfig pfsync0 syncdev re0 syncpeer 172.21.0.101
# ifconfig pfsync0
pfsync0: flags=0<> mtu 1348
        pfsync: syncdev: re0 syncpeer: 172.21.0.101 maxupd: 128

# tcpdump -n -c 3 -i rl0 proto pfsync
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
11:32:52.187251 IP 200.41.236.244 > 101.0.21.172:  pfsync 532
11:32:52.232685 IP 200.41.236.244 > 101.0.21.172:  pfsync 180
11:32:52.232696 IP 200.41.236.244 > 101.0.21.172:  pfsync 452
3 packets captured
198 packets received by filter
0 packets dropped by kernel

>Fix:
Put the backwards IP address in syncpeer. ( 172.21.0.101 -> 101.0.21.172 )

FW2:
# ifconfig pfsync0 syncpeer 101.0.21.172 syncdev re0
# tcpdump -n -c 3 -i re0 proto pfsync
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 96 bytes
11:39:12.569303 IP 172.21.0.102 > 172.21.0.101:  pfsync 532
11:39:12.629316 IP 172.21.0.102 > 172.21.0.101:  pfsync 532
11:39:12.650105 IP 172.21.0.102 > 172.21.0.101:  pfsync 532
3 packets captured
122 packets received by filter
0 packets dropped by kernel

You can see now that packets are sent via the re0 interface correctly,
and everything seems to work fine.
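The symptom reported above (syncpeer configured as 172.21.0.101, but pfsync packets leaving the WAN interface toward 101.0.21.172) is exactly what a 32-bit byte-order swap of the peer address produces: the four octets come out in reverse order, and the result happens to be a routable public address, so state-table updates go out rl0 instead of the sync segment. The following C program is an added example, not part of the PR and not the if_pfsync.c change referenced in the audit trail; it shows the octet reversal on the addresses from this report and checks a tcpdump destination against the configured peer so that a mis-routed sync peer can be spotted from a capture. The tcpdump lines embedded in it are copied from the PR; the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Result of comparing the configured syncpeer with an observed destination. */
enum peer_check { PEER_ERROR = -1, PEER_MATCH = 0, PEER_REVERSED = 1, PEER_OTHER = 2 };

/* Reverse the byte order of a 32-bit word: 0x01020304 -> 0x04030201.
 * Applied to an IPv4 address held as 32 bits, this reverses the octets,
 * which is the transformation seen in the PR (172.21.0.101 -> 101.0.21.172). */
static uint32_t swap32(uint32_t v)
{
    return ((v & 0x000000ffu) << 24) | ((v & 0x0000ff00u) << 8) |
           ((v & 0x00ff0000u) >> 8)  | ((v & 0xff000000u) >> 24);
}

/* Parse a dotted quad into network byte order. Returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = a.s_addr;
    return 1;
}

/* Render a network-byte-order address as a dotted quad into buf. */
static void format_ipv4(uint32_t nbo, char *buf, size_t len)
{
    struct in_addr a;
    a.s_addr = nbo;
    inet_ntop(AF_INET, &a, buf, len);
}

/* Pull the destination address out of a tcpdump line of the form
 * "HH:MM:SS.uuuuuu IP a.b.c.d > e.f.g.h:  pfsync NNN". Returns 1 on success. */
static int tcpdump_dst(const char *line, char *buf, size_t len)
{
    const char *p = strstr(line, " > ");
    if (p == NULL)
        return 0;
    p += 3;
    size_t n = strcspn(p, ": ");
    if (n == 0 || n >= len)
        return 0;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 1;
}

/* Classify where pfsync traffic is actually going relative to the configured
 * syncpeer: identical, octet-reversed, or something else entirely. */
int check_pfsync_peer(const char *configured, const char *tcpdump_line)
{
    char dst[INET_ADDRSTRLEN];
    uint32_t c, o;
    if (!tcpdump_dst(tcpdump_line, dst, sizeof dst))
        return PEER_ERROR;
    if (!parse_ipv4(configured, &c) || !parse_ipv4(dst, &o))
        return PEER_ERROR;
    if (c == o)
        return PEER_MATCH;
    if (swap32(c) == o)
        return PEER_REVERSED;
    return PEER_OTHER;
}

/* Convenience: 1 if `observed` is the octet-reversed form of `configured`. */
int is_octet_reversed(const char *configured, const char *observed)
{
    uint32_t c, o;
    if (!parse_ipv4(configured, &c) || !parse_ipv4(observed, &o))
        return -1;
    return swap32(c) == o;
}

int main(void)
{
    /* Capture lines copied from the PR: before the workaround (on rl0) and after (on re0). */
    const char *before = "11:32:52.187251 IP 200.41.236.244 > 101.0.21.172:  pfsync 532";
    const char *after  = "11:39:12.569303 IP 172.21.0.102 > 172.21.0.101:  pfsync 532";
    const char *peer   = "172.21.0.101";
    char rev[INET_ADDRSTRLEN];
    uint32_t p;

    parse_ipv4(peer, &p);
    format_ipv4(swap32(p), rev, sizeof rev);
    printf("syncpeer %s, octet-reversed form: %s\n", peer, rev);
    printf("before workaround: %d (1 = reversed)\n", check_pfsync_peer(peer, before));
    printf("after workaround:  %d (0 = match)\n", check_pfsync_peer(peer, after));
    return 0;
}
```

Run against a capture on the sync interface, a PEER_REVERSED result tells an operator that sync traffic is leaving toward the byte-swapped address (and, as in this report, possibly out the wrong interface) rather than toward the intended peer; the workaround in the Fix section is the same reversal applied in advance, which is why configuring 101.0.21.172 yields packets to 172.21.0.101.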

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-pf 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Mar 16 15:10:02 UTC 2007 
Responsible-Changed-Why:  
This -looks- like this might be something for the PF people 

http://www.freebsd.org/cgi/query-pr.cgi?pr=110393 
State-Changed-From-To: open->closed 
State-Changed-By: mlaier 
State-Changed-When: Fri Mar 16 16:03:32 UTC 2007 
State-Changed-Why:  
This was fixed in revision 1.27 of if_pfsync.c and MFCed as rev. 1.19.2.4 
This is the branch point for 6.2, so it should be fixed there.  As a workaround
exists, I don't think we need an errata for 6.1.

http://www.freebsd.org/cgi/query-pr.cgi?pr=110393 
>Unformatted:
