From nobody@FreeBSD.org  Thu Jul  1 12:47:18 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C005D106567B
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  1 Jul 2010 12:47:18 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 7A70A8FC21
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  1 Jul 2010 12:47:18 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o61ClIHm075731
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 1 Jul 2010 12:47:18 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o61ClIFZ075730;
	Thu, 1 Jul 2010 12:47:18 GMT
	(envelope-from nobody)
Message-Id: <201007011247.o61ClIFZ075730@www.freebsd.org>
Date: Thu, 1 Jul 2010 12:47:18 GMT
From: Simon "Saimoun" Lasnier <saimoun82@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: "sticky-address" option of Packet Filter (PF) blocks connection
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         148290
>Category:       kern
>Synopsis:       [pf] "sticky-address" option of Packet Filter (PF) blocks connection
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 01 12:50:03 UTC 2010
>Closed-Date:    
>Last-Modified:  Mon Dec 13 11:10:08 UTC 2010
>Originator:     Simon "Saimoun" Lasnier
>Release:        8.0-RELEASE
>Organization:
C2B
>Environment:
FreeBSD lb-Stemp.c2bsa.local 8.0-RELEASE FreeBSD 8.0-RELEASE #1: Wed Jun 30 14:39:04 UTC 2010
root@lb-Stemp.c2bsa.local:/usr/obj/usr/src/sys/SOEKRIS  i386

>Description:
When using Packet Filter (PF) to load-balance outgoing connections with 2 addresses in the pool, the connections randomly take one of the two WAN connections.
If we want each source address to always take the same path, we need to put the keyword "sticky-address" in the pass rule in pf.conf.
On a computer where the LAN is "vr1" and the two WANs are "vr2" and "vr3", this rule is used:

pass in log on vr1 route-to {(vr2 $vr2_gw),(vr3 $vr3_gw)} \
    sticky-address from <lan> to !<lan>

But this option seems to allow only one computer for each connection.
When one computer is already connected through one of the two WANs, if another computer wants to access the same WAN, it cannot. But on pflog0, pf says that it has passed the connection, on the right rule (the one which has the route-to).
>How-To-Repeat:
Install FreeBSD on a computer (called "FreeBSD-PC") which has at least 3 interfaces (called vr1, vr2, vr3).

We suppose that there is one LAN on 192.168.0.0/24 connected to vr1, and two WANs whose gateways are 81.42.133.1 and 146.43.222.34, connected respectively to vr2 and vr3.

Create /etc/pf.conf and put these lines in it:

pass in log on vr1 route-to { (vr2 81.42.133.1), (vr3 146.43.222.34) } \
    sticky-address from 192.168.0.0/24 to !192.168.0.0/24

Launch PF:
prompt# pfctl -e
prompt# pfctl -F all -f /etc/pf.conf

Now connect two other computers to FreeBSD-PC, configure their Ethernet interfaces on the 192.168.0.0/24 network, and add to their routing tables a default route to FreeBSD-PC (for example "route add default 192.168.0.1" if 192.168.0.1 is the address of FreeBSD-PC on the vr1 interface).

Then, if you try to access the Internet (through one of the two WANs) from the two computers, sometimes it will work (with a good "sticky", that is to say one computer always takes the same WAN), but sometimes one of the two computers is blocked: packets never reach the gateway, whereas we can see "pass" on the pflog0 interface.
>Fix:
Don't know.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Jul 3 11:16:43 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148290 

From: "Emil Smolenski" <am@raisa.eu.org>
To: bug-followup@freebsd.org, saimoun82@gmail.com
Cc:  
Subject: Re: kern/148290: [pf] "sticky-address" option of Packet Filter (PF)
 blocks connection
Date: Fri, 10 Dec 2010 16:12:07 +0100

 I can confirm this issue. I have the same problem on FreeBSD
 8.1-RELEASE-p2 amd64.
 
 Additionally, whenever this problem occurs, I can see the following messages
 in dmesg:
 
 arpresolve: can't allocate llinfo for <$gw1_ad>
 arpresolve: can't allocate llinfo for <$gw2_ad>
 
 -- 
 am

From: "Emil Smolenski" <am@raisa.eu.org>
To: bug-followup@freebsd.org, saimoun82@gmail.com
Cc:  
Subject: Re: kern/148290: [pf] "sticky-address" option of Packet Filter (PF)
 blocks connection
Date: Mon, 13 Dec 2010 12:07:03 +0100

 Same problem on FreeBSD 8.2-PRERELEASE #2: Fri Dec 10 20:11:14 CET 2010.
 
 -- 
 am
>Unformatted:
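
A sanity check to run while reproducing this report, added here as example code; it is not part of the PR, of the submitters' setups, or of FreeBSD. In FreeBSD 8, arpresolve() logs "can't allocate llinfo for X" when it is asked to resolve X on an interface on which the kernel cannot create an ARP entry for X, and the usual reason is that X is not on a network directly connected to that interface. So when the messages from the follow-up appear, the two things worth confirming are that every gateway in the route-to pool is on-link for the interface it is paired with, and that packets never leave one WAN interface with the other WAN's gateway as next hop. The POSIX sh script below does the first check from the rule's own pool list; the gateways and interface names are the PR's, while the interface addresses (81.42.133.10/24 on vr2, 146.43.222.40/27 on vr3) are assumptions, since the PR shows no ifconfig output. It also shows what the check reports for the cross-WAN pairing under which the kernel prints that message.

```shell
#!/bin/sh
# Added example, not part of PR kern/148290 or of FreeBSD. Checks that every
# gateway in a pf route-to pool is on a network directly connected to the
# interface it is paired with. A next hop that is not on-link for the
# interface a packet leaves on cannot be ARP-resolved, which is when
# FreeBSD 8's arpresolve() logs "can't allocate llinfo for <gw>".

# Pool taken from the PR's rule: "<interface> <gateway>" per line.
POOL='vr2 81.42.133.1
vr3 146.43.222.34'

# Interface addressing: "<interface> <address> <prefixlen>" per line.
# ASSUMED values; the PR does not show ifconfig output. On the firewall,
# take them from "ifconfig vr2 inet" and "ifconfig vr3 inet".
IFADDRS='vr2 81.42.133.10 24
vr3 146.43.222.40 27'

# ip2int A.B.C.D -> unsigned 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# plen2mask N -> netmask for a /N prefix as a 32-bit integer.
plen2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# onlink ADDR PLEN GW: succeed if GW is inside ADDR/PLEN.
onlink() {
    mask=$(plen2mask "$2")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$3") & mask )) ]
}

# gw_owner GW -> name of the interface in IFADDRS that has GW on-link
# (empty if none; overlapping prefixes would print more than one name).
gw_owner() {
    echo "$IFADDRS" | while read -r name addr plen; do
        if onlink "$addr" "$plen" "$1"; then
            echo "$name"
        fi
    done
}

# check_pool POOLSPEC: print one line per pool entry and return the number
# of entries whose gateway is not on-link for the listed interface.
check_pool() {
    bad=0
    while read -r ifn gw; do
        owner=$(gw_owner "$gw")
        if [ "$owner" = "$ifn" ]; then
            echo "ok       $ifn -> $gw (on-link for $ifn)"
        else
            echo "MISMATCH $ifn -> $gw (on-link for: ${owner:-no pool interface});" \
                 "ARP for $gw on $ifn fails: arpresolve: can't allocate llinfo"
            bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    return $bad
}

# The pool exactly as written in the PR: both gateways check out, so the
# rule itself is consistent with the (assumed) addressing.
check_pool "$POOL"
echo "---"
# One WAN's gateway handed to the other WAN's interface: the pairing under
# which arpresolve() cannot create the ARP entry and logs the message
# quoted in the follow-up.
check_pool 'vr2 146.43.222.34' || echo "$? mismatch(es) found"
```

On the firewall, fill IFADDRS from "ifconfig vr2 inet" and "ifconfig vr3 inet" (convert the netmask to a prefix length) and POOL from the route-to rule. For the second check, "pfctl -sS" lists the source-tracking entries that sticky-address creates (LAN address -> chosen gateway), "pfctl -ss" the states, and "tcpdump -nei pflog0" the logged passes; "pfctl -F Sources" clears the sticky entries so a run can be repeated from a clean start.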
