NetBSD Problem Report #45846

From hauke@Espresso.Rhein-Neckar.DE  Mon Jan 16 20:29:55 2012
Return-Path: <hauke@Espresso.Rhein-Neckar.DE>
Received: from ( [])
	by (Postfix) with ESMTP id B0C2C63B84C
	for <>; Mon, 16 Jan 2012 20:29:55 +0000 (UTC)
Message-Id: <>
Date: Mon, 16 Jan 2012 21:22:49 +0100 (CET)
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
Reply-To: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
Cc: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
Subject: pf(4) re-directs broken 
X-Send-Pr-Version: 3.95

>Number:         45846
>Category:       kern
>Synopsis:       pf(4) re-directs broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 16 20:30:00 +0000 2012
>Originator:     Hauke Fath
>Release:        NetBSD 5.99.60
Falling Raindrops

System: NetBSD 5.99.60 NetBSD 5.99.60 (PIZZA_UP_PF) #0: Mon Jan 16 14:13:03 CET 2012 hf@Hochstuhl:/var/obj/netbsd-builds/developer/sparc/sys/arch/sparc/compile/PIZZA_UP_PF sparc
Architecture: sparc
Machine: sparc

	After upgrading my router from netbsd-4 to HEAD, I found the
	re-directs I had set up for smtp access towards the router's
	sendmail and http access towards the local squid were
	broken. With rules the shape of

pass out proto tcp all modulate state flags S/SA
pass out proto { udp icmp } all keep state

# Redirect all smtp to 130.83.xx.yy to pizza's sendmail
rdr log on $lan_if proto tcp from $lan_if:network to port smtp \
	-> port smtp


pass in log on $lan_if proto tcp from $lan_if:network to \
	port smtp flags S/SA keep state

the incoming connection is logged,

2012-01-16 20:57:04.795504 rule 61/0(match): pass in on hme2: > Flags [S], seq 2630112150, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 125415267 ecr 0,sackOK,eol], length 0

then - silence. Eventually, the MUA times out.

Same happens for web access (transparently) re-directed through squid.


	Set up a pf(4) based router on a -current machine, add rules
	that re-direct traffic to local daemons. Find they do not work.

	Before NetBSD 6, please, but you guessed that one.


NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD:,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.