From nobody@FreeBSD.org  Sat Sep 13 09:56:18 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 639DB106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 13 Sep 2008 09:56:18 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 6D5648FC0A
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 13 Sep 2008 09:56:17 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m8D9uGeU058446
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 13 Sep 2008 09:56:16 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m8D9uGuZ058445;
	Sat, 13 Sep 2008 09:56:16 GMT
	(envelope-from nobody)
Message-Id: <200809130956.m8D9uGuZ058445@www.freebsd.org>
Date: Sat, 13 Sep 2008 09:56:16 GMT
From: Andrey Golenischev <work@megasid.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Problem with PF on FreeBSD7.0
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         127345
>Category:       kern
>Synopsis:       [pf] Problem with PF on FreeBSD7.0 [regression]
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 13 10:00:03 UTC 2008
>Closed-Date:    Sun Feb 19 19:37:56 UTC 2012
>Last-Modified:  Sun Feb 19 19:37:56 UTC 2012
>Originator:     Andrey Golenischev
>Release:        7.0-p4
>Organization:
Infocom
>Environment:
FreeBSD testbox 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #0: Fri Sep  5 14:51:15 EEST 2008     megasid@testbox:/usr/src/sys/i386/compile/TESTBOX  i386
>Description:
I upgraded to this release from 6.2 (I just bought a new HDD, installed
7.0, upgraded via freebsd-update and copied all the configs). 7.0 is
working pretty well, but I get a strange problem with PF.

Look at these rules:

table <propusk> { 10.0.0.1, 10.0.1.1 }
block out on vlan0 from any to any
block out on vlan1 from any to any
block out on vlan2 from any to any
pass out on vlan0 from <propusk> to any
pass out on vlan1 from <propusk> to any
pass out on vlan2 from <propusk> to any


On FreeBSD 6.2 this scheme works pretty well. Packets from 10.0.0.1
passed to these VLANs without any problems. When I installed 7.0, some
clients started to call me and say that they can ping 10.0.0.1 and
10.0.1.1 from their PCs but cannot connect by pptp to these hosts. I spent
a lot of time checking all my routers and switches for any access lists
and so on. But I do not think that something changed in the PF algorithm.
When I comment out these "block" lines in PF, clients can connect to pptp
and all is good. Did something change in PF, and if this is not a bug, how
should I change the syntax of these rules? If this is a bug, write my name
somewhere on the FreeBSD board like "This man caught a bug in PF" :)
>How-To-Repeat:
Just make a scheme like I describe above.
>Fix:
Hmm.. temporarily I started using ipfw for this scheme.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Sep 13 10:04:14 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127345 
State-Changed-From-To: open->feedback 
State-Changed-By: mlaier 
State-Changed-When: Tue Mar 31 13:05:28 UTC 2009 
State-Changed-Why:  
It seems that you are affected by the change of pf default behavior as 
described in UPDATING.  "keep state" is now the default and this doesn't 
play well with multiple pptp sessions.  You can add "no state" to your 
rules to mitigate that. 

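The mitigation suggested in the state change above, written out against the submitter's rules. This is an added example, not part of the original PR and not from the FreeBSD project; it assumes the rules in the Description are the whole filter section and that the ruleset lives at the default path /etc/pf.conf.

```pf
# Added example: table and block rules copied from the Description.
table <propusk> { 10.0.0.1, 10.0.1.1 }

block out on vlan0 from any to any
block out on vlan1 from any to any
block out on vlan2 from any to any

# As submitted, the pass rules carried no state keyword:
#   pass out on vlan0 from <propusk> to any
# On 6.2 that meant stateless filtering. On 7.0 the same line is treated
# as "keep state" (the default change described in UPDATING), so the
# rule's meaning changed across the upgrade without the file changing.
#
# Mitigated form: state the old behaviour explicitly with "no state".
pass out on vlan0 from <propusk> to any no state
pass out on vlan1 from <propusk> to any no state
pass out on vlan2 from <propusk> to any no state

# Checks (run as root; /etc/pf.conf is the assumed path):
#   pfctl -nf /etc/pf.conf   # parse only, do not load
#   pfctl -f  /etc/pf.conf   # load the ruleset
#   pfctl -sr                # loaded rules; the three pass rules should show "no state"
#   pfctl -ss                # state table; these rules should no longer add entries
```

With "no state", every packet is matched against the ruleset on its own and nothing is admitted on the strength of an existing state entry, so any return traffic that must be allowed needs its own rule. When moving a pre-7.0 ruleset forward, writing "keep state" or "no state" on every pass rule keeps its meaning independent of the pf default.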
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Feb 19 19:37:08 UTC 2012 
State-Changed-Why:  
It appears no feedback was ever received on this PR.  Please let us 
know if it is still a problem. 

>Unformatted:
