From darius@midget.dons.net.au  Sat Nov 22 01:31:46 2008
Return-Path: <darius@midget.dons.net.au>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3EA9B1065670
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 22 Nov 2008 01:31:46 +0000 (UTC)
	(envelope-from darius@midget.dons.net.au)
Received: from ipmail01.adl6.internode.on.net (ipmail01.adl6.internode.on.net [203.16.214.146])
	by mx1.freebsd.org (Postfix) with ESMTP id 7A1A68FC08
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 22 Nov 2008 01:31:45 +0000 (UTC)
	(envelope-from darius@midget.dons.net.au)
Received: from ppp121-45-35-47.lns10.adl2.internode.on.net (HELO midget.dons.net.au) ([121.45.35.47])
  by ipmail01.adl6.internode.on.net with ESMTP; 22 Nov 2008 11:46:26 +1030
Received: from midget.dons.net.au (localhost [127.0.0.1])
	by midget.dons.net.au (8.14.3/8.14.3) with ESMTP id mAM1GJOD075029
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 22 Nov 2008 11:46:20 +1030 (CST)
	(envelope-from darius@midget.dons.net.au)
Received: (from darius@localhost)
	by midget.dons.net.au (8.14.3/8.14.3/Submit) id mAM1GJRI075028;
	Sat, 22 Nov 2008 11:46:19 +1030 (CST)
	(envelope-from darius)
Message-Id: <200811220116.mAM1GJRI075028@midget.dons.net.au>
Date: Sat, 22 Nov 2008 11:46:19 +1030 (CST)
From: "Daniel J. O'Connor" <darius@dons.net.au>
Reply-To: "Daniel J. O'Connor" <darius@dons.net.au>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: pf doesn't forget the old tun IP
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         129060
>Category:       kern
>Synopsis:       [pf] [tun] pf doesn't forget the old tun IP
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 22 01:40:01 UTC 2008
>Closed-Date:    Tue Mar 31 12:53:57 UTC 2009
>Last-Modified:  Wed Apr  1 01:10:00 UTC 2009
>Originator:     Daniel J. O'Connor
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD midget.dons.net.au 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #2: Sun Oct 12 18:17:04 CST 2008 darius@midget.dons.net.au:/data/obj/data/src/sys/GENERIC i386


>Description:
If I use ppp to run my PPPoE connection (over my ADSL modem running in bridged
mode) and the connection drops out pf does not seem to forget the old IP. When
I make new connections every second one doesn't work. The existing SIP
connection my ATA uses remains broken as it gets mapped to the old address.

If I switch to using mpd then this problem doesn't happen, however I find that
applications get "device not configured" errors when trying to send traffic!
This only happens infrequently but it seems to "stick" on and restarting mpd
doesn't always fix it.
e.g.
Nov 18 19:19:53 midget named[338]: /data/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1179: unexpected error:
Nov 18 19:19:53 midget kernel: Nov 18 19:19:53 midget named[338]: /data/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1179: unexpected error:
Nov 18 19:19:53 midget named[338]: internal_send: 192.231.203.132#53: Device not configured

My pf.conf is below..
### macros
int_if = "em0"
ext_if = "tun0"

# Incoming TCP services we provide
tcp_services = "{ www, https, 6881:6899 }"

tcp_services_limited = "{ ssh, imap, imaps, smtp, smtps, pop3, pop3s, \
		  ftp, ftp-data }"

steam_ports = "{27030, 27031}"
steam_ips = "{202.136.100.227, 202.72.191.174, 203.24.101.93, 203.34.186.14, 203.46.104.7, 203.46.104.8, 150.101.135.1}"

# Game ports
game_ports = "{27015}"

# ICMP we want to allow
icmp_types = "{ echoreq, trace }"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### Tables
table <abusive> persist

### Options
set block-policy return
#set loginterface $ext_if

set timeout src.track 10

# Scrub
#scrub in all

# NAT
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port

rdr pass on $ext_if inet proto tcp to port 8000 -> 10.0.2.73 port 80

#rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

# filter rules

# Exempt loopback
pass quick on lo0

# Default to blocking
block log all

# Deny from any known abusive host
block in quick from <abusive>

# Block all STEAM...
#block out quick on $ext_if proto {tcp, udp} from any to any port $steam_ports
#block in quick on $ext_if proto {tcp, udp} from any to any port $steam_ports
# Except 'node
#pass out quick on $ext_if proto {tcp, udp} from any to $steam_ips port $steam_ports keep state
#pass in quick on $ext_if proto {tcp, udp} from $steam_ips port $steam_ports to any keep state

# Deny from any host in the PG list
#block return in quick proto { tcp, udp } from <peerguardian> to any port 6800:6900

# Drop any internal nets appearing from the outside
#antispoof for { $ext_if, $int_if, lo0 }

# Or this?
#block drop in  quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets

# uPnPd
anchor "miniupnpd"

# Allow our services in
#pass in on $ext_if inet proto tcp from any to ($ext_if) \
#   port $tcp_services flags S/SA keep state

#pass in proto ipv6 from any to any keep state
#pass out proto ipv6 from any to any keep state

#pass in proto ipv6-icmp from any to any keep state
#pass out proto ipv6-icmp from any to any keep state

# Multicast for miniupnpd
pass out on $int_if from any to 239.0.0.0/8 keep state 
pass in on $int_if from any to 239.0.0.0/8 keep state 

# Telnet for Alex
pass in on $ext_if proto tcp from 203.5.217.4 to ($ext_if) \
   port 23 flags S/SA keep state

# Rate limited TCP services
pass in on $ext_if proto tcp from any to ($ext_if) \
   port $tcp_services_limited flags S/SA keep state \
   (max-src-conn-rate 5/4, overload <abusive> flush global)

# Unlimited TCP services
pass in on $ext_if proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

#pass in on $ext_if proto udp from any to ($ext_if) port 12345 keep state
#pass in on $ext_if proto udp from any to ($ext_if) port 15345 keep state

# Allow ICMP echo
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow packets on internal network
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Track outgoing TCP connection state
pass out on $ext_if proto tcp all flags S/SA keep state

# Normal TCP traffic and ACKs/no payload
pass out on $ext_if proto tcp from any keep state

# DNS queries
pass out on $ext_if proto udp from any to any port 53 keep state

# Track outgoing UDP state
pass out on $ext_if proto udp all keep state

# Game traffic
pass out on $ext_if proto udp from any to any port $game_ports keep state

# Track outgoing ICMP state
pass out on $ext_if proto icmp all keep state

>How-To-Repeat:
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Nov 22 02:25:23 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129060 

From: Max Laier <max@love2party.net>
To: bug-followup@freebsd.org,
 darius@dons.net.au
Cc:  
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP
Date: Sun, 23 Nov 2008 02:20:57 +0100

 This is a known bug in pppd.  You can work around this by using "(tun0:0)" 
 instead of just "(tun0)" whenever you refer to the interface's address.
 
 -- 
 Max

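The workaround Max gives, in worked form. This is an added example, not code from the PR, from pf or from ppp: a Python model of how pf expands a parenthesised interface reference, run over constructed `ifconfig tun0` output in which the pre-reconnect address lingers as an alias, plus a small check that flags `(iface)` references in a pf.conf that lack the `:0` modifier (documented in pf.conf(5) as "do not include interface aliases"). The addresses are made up, the round-robin choice among a multi-address translation pool is a model that matches the "every second connection" symptom rather than a reading of pf's source, and the assumption that the stale address is the alias and the new one the primary is exactly what makes `(tun0:0)` work.

```python
"""Model of pf's "(ifname)" expansion and a pf.conf check for the ":0" workaround.

Added example for kern/129060; not code from pf, ppp or the submitter.
Assumptions: "(tun0)" expands to every IPv4 address on tun0, "(tun0:0)" omits
aliases (pf.conf(5)), and a translation address that expands to several
addresses is used round-robin (a model consistent with the reported symptom).
"""
import re
from itertools import cycle


def parse_ifconfig_inet(ifconfig_text):
    """IPv4 addresses on an interface, in ifconfig order.

    The first 'inet' line is the primary address; any later 'inet' line is an
    alias, which is what a stale PPP address looks like after a reconnect.
    """
    return re.findall(r"^\s*inet (\d+\.\d+\.\d+\.\d+)", ifconfig_text, re.M)


def expand_iface(addrs, no_aliases=False):
    """Expand '(ifname)' or, with no_aliases=True, '(ifname:0)'."""
    return addrs[:1] if no_aliases else list(addrs)


def nat_translations(pool, n_states):
    """Translation address chosen for each of n new NAT states.

    With more than one address in the pool the choice alternates, so a stale
    alias is used for every other new connection.
    """
    rr = cycle(pool)
    return [next(rr) for _ in range(n_states)]


def lint_pf_conf(conf_text):
    """Return (lineno, iface, rule) for each bare '(iface)' reference.

    Macros written as name = "value" are resolved so ($ext_if) is reported as
    tun0. References carrying a modifier (:0, :network, :peer, ...) are left
    alone; only the bare form picks up interface aliases.
    """
    macros = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', conf_text, re.M))
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]          # ignore comments
        for ref in re.findall(r"\(([^()\s]+)\)", code):
            base, _, modifier = ref.partition(":")
            if base.startswith("$"):
                base = macros.get(base[1:], base)
            if modifier == "":
                findings.append((lineno, base, line.strip()))
    return findings


# Constructed ifconfig output (assumed addresses): tun0 after a PPP reconnect
# where the old address 121.45.35.47 lingered as an alias next to the new one.
IFCONFIG_TUN0 = """\
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
	inet 121.45.36.10 --> 150.101.0.1 netmask 0xffffffff
	inet 121.45.35.47 --> 150.101.0.1 netmask 0xffffffff
	Opened by PID 1234
"""

# Constructed pf.conf fragments modelled on the rules in the PR: the original
# bare reference, and the same rules with the ":0" workaround applied.
PF_CONF_BEFORE = """\
ext_if = "tun0"
nat on $ext_if from 10.0.2.0/24 to any -> ($ext_if) static-port
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
"""
PF_CONF_AFTER = PF_CONF_BEFORE.replace("($ext_if)", "($ext_if:0)")


def demo():
    """Run the model both ways and return the results for inspection."""
    addrs = parse_ifconfig_inet(IFCONFIG_TUN0)
    return {
        "before": nat_translations(expand_iface(addrs), 4),
        "after": nat_translations(expand_iface(addrs, no_aliases=True), 4),
        "findings_before": lint_pf_conf(PF_CONF_BEFORE),
        "findings_after": lint_pf_conf(PF_CONF_AFTER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a live box the same condition shows up as two `inet` lines under `ifconfig tun0` after a reconnect, and `pfctl -ss` listing states whose translated source is the address from before the drop; the check above only looks at the ruleset, so run it over the real pf.conf rather than the fragment embedded here.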
From: "Daniel O'Connor" <darius@dons.net.au>
To: Max Laier <max@love2party.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP
Date: Mon, 24 Nov 2008 13:34:15 +1030

 On Sunday 23 November 2008 11:50:57 Max Laier wrote:
 > This is a known bug in pppd.  You can work around this by using "(tun0:0)"
 > instead of just "(tun0)" whenever you refer to the interface's address.
 
 OK, I've mangled my PF rules, fingers crossed :)
 
 What is the actual bug with PPP?
 
 -- 
 Daniel O'Connor software and network engineer
 for Genesis Software - http://www.gsoft.com.au
 "The nice thing about standards is that there
 are so many of them to choose from."
   -- Andrew Tanenbaum
 GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
 
State-Changed-From-To: open->closed 
State-Changed-By: mlaier 
State-Changed-When: Tue Mar 31 12:53:23 UTC 2009 
State-Changed-Why:  
Not a pf bug and workaround is available - close this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129060 

From: "Daniel O'Connor" <darius@dons.net.au>
To: bug-followup@freebsd.org, darius@dons.net.au
Cc:  
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP
Date: Wed, 1 Apr 2009 11:01:37 +1030

 It's still _a_ bug.
 Is it a tun bug? Can it be reassigned so someone who groks tun can have a look 
 at it?
 
 While there is a work around available it isn't documented anywhere except the 
 lists.
 
 -- 
 Daniel O'Connor software and network engineer
 for Genesis Software - http://www.gsoft.com.au
 "The nice thing about standards is that there
 are so many of them to choose from."
   -- Andrew Tanenbaum
 GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
 
>Unformatted:
