From nobody@FreeBSD.org  Thu Jul 10 08:18:22 2008
Return-Path: <nobody@FreeBSD.org>
Message-Id: <200807100818.m6A8IM8w063836@www.freebsd.org>
Date: Thu, 10 Jul 2008 08:18:22 GMT
From: randy <randy723@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pf keep state bug while handling sessions between vlan trunk
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         125467
>Category:       kern
>Synopsis:       [pf] pf keep state bug while handling sessions between vlan trunk
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 10 08:20:01 UTC 2008
>Closed-Date:    
>Last-Modified:  Thu Jul 10 09:23:27 UTC 2008
>Originator:     randy
>Release:        FreeBSD 6.2, 6.3, 7.0
>Organization:
>Environment:
FreeBSD host.a.b.com 6.2-STABLE FreeBSD 6.2-STABLE #7: Wed Apr 25 15:16:51 CST 2007     root@bsd.a.b.com:/usr/obj/usr/src/sys/kern  i386

>Description:
I use the 802.1q protocol to trunk 2 VLANs on NIC fxp0; the sub-interfaces are
fxp0.100 and fxp0.200, and pf has been used to filter traffic, with rules as follows:

block in log all
pass in quick on fxp0.100 proto icmp from any to any icmp-type echoreq keep state
pass in quick on fxp0.200 proto icmp from any to any icmp-type echoreq keep state

The ICMP packets can flow between VLANs when pf is disabled, but they are
blocked when pf is enabled. There are indeed ICMP states in the state table,
but the ICMP reply packet seems not to match the state. I've tested the
FreeBSD 7.0 release; the same situation.
>How-To-Repeat:
# kldload if_vlan
# kldload pf
# sysctl net.inet.ip.forwarding=1
# ifconfig fxp0 up
# ifconfig fxp0.100 create
# ifconfig fxp0.200 create
# ifconfig fxp0.100 inet 100.100.100.1/24 up
# ifconfig fxp0.200 inet 200.200.200.1/24 up

ICMP packets can flow between VLANs.

Load pf rules as follows:
block in log all
pass in quick on fxp0.100 proto icmp from any to any icmp-type echoreq keep state
pass in quick on fxp0.200 proto icmp from any to any icmp-type echoreq keep state

# tcpdump -ni pflog0 icmp
pf drops the ICMP packets.

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Jul 10 09:22:47 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=125467 
>Unformatted:

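As an added diagnostic that is not part of the PR, the following Python parser runs over constructed `tcpdump -ni pflog0 icmp` lines (the pflog line layout is assumed) and counts the ICMP echo replies that `block in log all` dropped on the 802.1q sub-interfaces. Under the ruleset above only dropped packets reach pflog0, so every echo reply it finds on fxp0.100 or fxp0.200 is one the keep-state entry failed to match, which is the symptom reported.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -ni pflog0 icmp` output (assumed line layout,
# not taken from the PR). Passed packets do not appear: the "pass ... keep state"
# rules carry no "log", so pflog0 only sees what "block in log all" dropped.
SAMPLE_PFLOG = """\
08:18:22.000001 rule 0/0(match): block in on fxp0.200: 200.200.200.10 > 100.100.100.10: ICMP echo reply, id 4876, seq 0, length 64
08:18:23.000002 rule 0/0(match): block in on fxp0.200: 200.200.200.10 > 100.100.100.10: ICMP echo reply, id 4876, seq 1, length 64
08:18:24.000003 rule 0/0(match): block in on fxp0.100: 100.100.100.10 > 200.200.200.10: ICMP echo reply, id 4877, seq 0, length 64
08:18:25.000004 rule 0/0(match): block in on fxp0: 10.0.0.5 > 100.100.100.1: ICMP echo request, id 9, seq 0, length 64
"""

# One pflog line: timestamp, rule reference, action, direction, interface,
# endpoints, then the ICMP echo type and its identifier/sequence fields.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\S+): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_pflog(text):
    """Parse pflog lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["id"] = int(entry["id"])
            entry["seq"] = int(entry["seq"])
            entries.append(entry)
    return entries


def blocked_replies_on_vlans(entries, parent="fxp0"):
    """Count blocked ICMP echo replies per 802.1q sub-interface of `parent`.

    A reply dropped on fxp0.<vid> while a keep-state rule passed the matching
    request means the reply did not match the state the request created.
    Traffic on the untagged parent interface itself is left out of the count.
    """
    counts = Counter()
    for e in entries:
        if (e["action"] == "block" and e["kind"] == "reply"
                and e["ifname"].startswith(parent + ".")):
            counts[e["ifname"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(blocked_replies_on_vlans(parse_pflog(SAMPLE_PFLOG)))
```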