From nobody@FreeBSD.org  Fri Aug 30 18:54:33 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTP id 15CAC4BB
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2013 18:54:33 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id E6644283C
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2013 18:54:32 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
	by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id r7UIsWBM063550
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2013 18:54:32 GMT
	(envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
	by oldred.freebsd.org (8.14.5/8.14.5/Submit) id r7UIsWxe063549;
	Fri, 30 Aug 2013 18:54:32 GMT
	(envelope-from nobody)
Message-Id: <201308301854.r7UIsWxe063549@oldred.freebsd.org>
Date: Fri, 30 Aug 2013 18:54:32 GMT
From: Olivier Cochard-Labbe <olivier@cochard.me>
To: freebsd-gnats-submit@FreeBSD.org
Subject: patch that fixes pf "NAT proxy port allocation"
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         181690
>Category:       kern
>Synopsis:       [patch] fix pf "NAT proxy port allocation"
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 30 19:00:00 UTC 2013
>Closed-Date:    Wed Jan 22 09:40:54 UTC 2014
>Last-Modified:  Wed Jan 22 09:40:54 UTC 2014
>Originator:     Olivier Cochard-Labbe
>Release:        9.2-RC3
>Organization:
BSD Router Project
>Environment:
FreeBSD bsdrp2.orange.bsdrp.net 9.2-RC3 FreeBSD 9.2-RC3 #0 r255043M: Fri Aug 30 18:57:21 CEST 2013     root@orange.bsdrp.net:/usr/obj/BSDRP.amd64/usr/local/BSDRP/BSDRP/FreeBSD/src/sys/amd64  amd64
>Description:
I've got some UDP packet loss with pf configured with NAT.

Here is my pf.conf:
ext_if = "igb3"
set skip on lo0
set debug loud
nat on $ext_if inet from any to any -> $ext_if port 50000:50003
pass

=> The NAT port range is limited to 4 ports for easy reproduction of this problem.

Then I generate 4 parallel UDP flows (with 4 netblast), but when I start the 3rd flow I get these log messages:
kernel: pf: wire key attach failed on all: UDP out wire: 2.2.2.3:4123 2.2.2.2:50003 1:0, existing: UDP out wire: 2.2.2.3:4123 2.2.2.2
kernel: :50003 stack: 2.2.2.3:4123 1.1.1.1:39749 1:0

I've found this same error message regarding OpenBSD 4.6 here:
http://openbsd.7691.n7.nabble.com/kernel-6300-PF-NAT-UDP-port-reuse-wire-key-attach-failed-td195274.html

From this thread, it seems that "pf_get_sport() was failing to notice that the ports were in-use", and there is a proposed patch.
I've adapted this patch to FreeBSD (9.2) and gave it a try: no more "wire key attach failed"; I get this message in its place:
Aug 30 19:40:37 bsdrp2 kernel: pf: NAT proxy port allocation (50000-50003) failed

Regards
>How-To-Repeat:
Use the pf.conf example given in my full description, and try to generate more than 3 or 4 UDP flows that match the NAT rule.

>Fix:
By applying this patch.
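To illustrate the two failure modes this report describes, here is an added example written for this page: it is neither pf's code nor the submitter's patch, but a small C model of a NAT proxy port allocator over the same 50000-50003 range. The state table assumed here is keyed by the post-NAT "wire" tuple and the pre-NAT "stack" tuple, the way the kernel log prints them; get_sport_checked, get_sport_unchecked, state_attach, run_flows and collisions_for are names invented for the model, and the defective allocator is a deliberate simplification (it never consults the wire side of the table) that does not reproduce the exact point at which the original kernel code collided.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example: a toy model of pf-style NAT source-port allocation.
 * Not pf's code and not the submitter's patch; all names here are
 * assumptions chosen for illustration. Sample flows are constructed. */

#define MAX_STATES 16
#define NAT_LOW  50000
#define NAT_HIGH 50003

/* One side of a state: (src, sport, dst, dport); addresses kept as strings. */
struct key {
    const char *src; uint16_t sport;
    const char *dst; uint16_t dport;
};

struct state {
    struct key wire;   /* tuple seen on the external interface (after NAT) */
    struct key stack;  /* tuple seen on the inside (before NAT)            */
};

static struct state table[MAX_STATES];
static int nstates;

static int key_eq(const struct key *a, const struct key *b)
{
    return strcmp(a->src, b->src) == 0 && a->sport == b->sport &&
           strcmp(a->dst, b->dst) == 0 && a->dport == b->dport;
}

/* 1 if some existing state already owns this wire key. */
static int wire_key_in_use(const struct key *k)
{
    for (int i = 0; i < nstates; i++)
        if (key_eq(&table[i].wire, k))
            return 1;
    return 0;
}

/* Checked allocator: walk the proxy range and test each candidate as the
 * full post-NAT wire key, so a port already used toward the same
 * destination is skipped. Returns the port, or -1 when the range is exhausted. */
static int get_sport_checked(const char *nat_ip, const struct key *stack)
{
    struct key cand = { nat_ip, 0, stack->dst, stack->dport };
    for (int p = NAT_LOW; p <= NAT_HIGH; p++) {
        cand.sport = (uint16_t)p;
        if (!wire_key_in_use(&cand))
            return p;
    }
    printf("pf: NAT proxy port allocation (%d-%d) failed\n", NAT_LOW, NAT_HIGH);
    return -1;
}

/* Unchecked allocator (assumed simplification of the defect the PR cites):
 * it never looks at the wire side, so it can hand out a port that is
 * already mapped toward the same destination. */
static int get_sport_unchecked(const char *nat_ip, const struct key *stack)
{
    (void)nat_ip;
    return NAT_LOW + (stack->sport % (NAT_HIGH - NAT_LOW + 1));
}

/* Insert a state. A duplicate wire key is the collision the kernel log
 * reported; it is only caught here, after allocation. 0 on success, -1 on failure. */
static int state_attach(const struct key *wire, const struct key *stack)
{
    if (wire_key_in_use(wire)) {
        printf("pf: wire key attach failed on all: UDP out wire: %s:%u %s:%u\n",
               wire->dst, (unsigned)wire->dport, wire->src, (unsigned)wire->sport);
        return -1;
    }
    if (nstates == MAX_STATES)
        return -1;
    table[nstates].wire = *wire;
    table[nstates].stack = *stack;
    nstates++;
    return 0;
}

/* Drive n UDP flows from one inside host toward one server through the
 * chosen allocator. Returns the number of flows that got a state; if
 * collisions is non-NULL it receives the number of attach collisions. */
static int run_flows(int n, int (*alloc)(const char *, const struct key *),
                     int *collisions)
{
    int ok = 0, coll = 0;
    nstates = 0;
    for (int i = 0; i < n; i++) {
        /* constructed flows: 1.1.1.1:39749.. -> 2.2.2.3:4123, NAT address 2.2.2.2 */
        struct key stack = { "1.1.1.1", (uint16_t)(39749 + i), "2.2.2.3", 4123 };
        int p = alloc("2.2.2.2", &stack);
        if (p < 0)
            continue;
        struct key wire = { "2.2.2.2", (uint16_t)p, "2.2.2.3", 4123 };
        if (state_attach(&wire, &stack) == 0) ok++; else coll++;
    }
    if (collisions) *collisions = coll;
    return ok;
}

/* Convenience: only the collision count for n flows. */
static int collisions_for(int n, int (*alloc)(const char *, const struct key *))
{
    int c;
    run_flows(n, alloc, &c);
    return c;
}

int main(void)
{
    int c, ok;
    ok = run_flows(6, get_sport_checked, &c);
    printf("checked:   %d flows established, %d collisions\n", ok, c);
    ok = run_flows(6, get_sport_unchecked, &c);
    printf("unchecked: %d flows established, %d collisions\n", ok, c);
    return 0;
}
```

Compile with cc -std=c11 and run: with six flows the checked allocator establishes four and reports "NAT proxy port allocation (50000-50003) failed" for the rest, which is the message the adapted patch produced; the unchecked one also establishes four, but hands out duplicate ports for the fifth and sixth and the collision only surfaces in state_attach as "wire key attach failed", which is the message the unpatched kernel produced.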
>Release-Note:
>Audit-Trail:
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Wed Jan 22 09:37:03 UTC 2014 
State-Changed-Why:  
Fixed in 10.0-RELEASE. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=181690 
>Unformatted:
