NetBSD Problem Report #48790

From www@NetBSD.org  Wed May  7 06:02:14 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 275BFA5818
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  7 May 2014 06:02:14 +0000 (UTC)
Message-Id: <20140507060212.9D516A5830@mollari.NetBSD.org>
Date: Wed,  7 May 2014 06:02:12 +0000 (UTC)
From: jan.m.danielsson@gmail.com
Reply-To: jan.m.danielsson@gmail.com
To: gnats-bugs@NetBSD.org
Subject: pf sometimes blocks incoming udp
X-Send-Pr-Version: www-1.0

>Number:         48790
>Category:       kern
>Synopsis:       pf sometimes blocks incoming udp
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 07 06:05:00 +0000 2014
>Originator:     Jan Danielsson
>Release:        netbsd-6
>Organization:
La Cosa Nostra
>Environment:
NetBSD aria.lan 6.1_STABLE NetBSD 6.1_STABLE (ARIA) #0: Mon Sep 30 11:17:43 CEST 2013  jan@aria.lan:/home/jan/sysbuild/obj.amd64/usr/src/sys/arch/amd64/compile/ARIA amd64
>Description:
I have a router which uses pf to block incoming traffic. The router runs miniupnpd in order to allow a PS3 on the inside to open up ports (using UPnP).

The problem is that port forwarding only works sometimes; miniupnpd always gets the request from the PS3, and it always succeeds in setting up the rules (pfctl lists the rules properly), but pf doesn't actually allow packets to pass through. This issue has only been observed with udp so far. Inspecting pflog0 when the problem has triggered shows that pf is simply blocking the packets, as if the forwarding rule wasn't there.

When the router is freshly booted the problem is almost always there. I have a static port forwarding rule set up in pf which forwards torrent traffic to another machine on the network. Sometimes if I "provoke" the router a little but by starting a bunch of torrents, pf will suddenly start honoring the forwarding rule. Once the rule works, it typically stays in the working state for as long as the rule exists. (I.e. when UPnP removes the rule, it might be troublesome getting it working again).
>How-To-Repeat:
1) Set up miniupnpd on a router which uses pf.

2) Make miniupnpd open up a port forward for udp.

3) From the outside, send packets to the router's forwarded udp-port.

4) Watch pflog0 and note that pf is blocking the packets. (Though not always).
>Fix:
npf support in miniupnpd? :)
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.