NetBSD-Bugs archive
kern/48790: pf sometimes blocks incoming udp
>Number: 48790
>Category: kern
>Synopsis: pf sometimes blocks incoming udp
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 07 06:05:00 +0000 2014
>Originator: Jan Danielsson
>Release: netbsd-6
>Organization:
La Cosa Nostra
>Environment:
NetBSD aria.lan 6.1_STABLE NetBSD 6.1_STABLE (ARIA) #0: Mon Sep 30 11:17:43
CEST 2013
jan%aria.lan@localhost:/home/jan/sysbuild/obj.amd64/usr/src/sys/arch/amd64/compile/ARIA
amd64
>Description:
I have a router which uses pf to block incoming traffic. The router runs
miniupnpd in order to allow a PS3 on the inside to open up ports (using UPnP).
The problem is that port forwarding only works sometimes; miniupnpd always gets
the request from the PS3, and it always succeeds in setting up the rules (pfctl
lists the rules properly), but pf doesn't actually allow packets to pass
through. This issue has only been observed with udp so far. Inspecting pflog0
when the problem has triggered shows that pf is simply blocking the packets, as
if the forwarding rule wasn't there.
When the router is freshly booted the problem is almost always there. I have a
static port forwarding rule set up in pf which forwards torrent traffic to
another machine on the network. Sometimes if I "provoke" the router a little
bit by starting a bunch of torrents, pf will suddenly start honoring the
forwarding rule. Once the rule works, it typically stays in the working state
for as long as the rule exists. (I.e. when UPnP removes the rule, it might be
troublesome getting it working again).
>How-To-Repeat:
1) Set up miniupnpd on a router which uses pf.
2) Make miniupnpd open up a port forward for udp.
3) From the outside, send packets to the router's forwarded udp-port.
4) Watch pflog0 and note that pf is blocking the packets. (Though not always).
>Fix:
npf support in miniupnpd? :)
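
A diagnostic sketch for step 4 of the How-To-Repeat above, added here as an example and not part of the original report: it scans pflog0 text output for inbound UDP packets that pf blocked even though their destination port should be forwarded. The log line shape, the interface name wm0, and all addresses and ports are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` text output (not taken
# from the report). Interface wm0, addresses and ports are made-up values.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 0/0(match): block in on wm0: 203.0.113.7.40112 > 198.51.100.2.3658: UDP, length 48
00:00:01.204311 rule 0/0(match): block in on wm0: 203.0.113.7.40112 > 198.51.100.2.3658: UDP, length 48
00:00:00.501220 rule 0/0(match): block in on wm0: 192.0.2.44.51000 > 198.51.100.2.23: Flags [S], seq 1, win 512, length 0
00:00:02.000100 rule 4/0(match): pass in on wm0: 203.0.113.9.6881 > 198.51.100.2.6881: UDP, length 101
"""

# Assumed line shape: "rule N/M(match): <action> <dir> on <if>: src.port > dst.port: ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/[^(]*\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>[^:\s]+): (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)"
)


def blocked_forwarded_udp(log_text, forwarded_ports):
    """Count inbound UDP packets pf blocked although their destination port
    is one that a forwarding (rdr) rule is supposed to cover."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PFLOG_RE.search(line)
        if m is None:
            continue  # not a pflog packet line
        if m["action"] != "block" or m["dir"] != "in":
            continue
        # Accept "UDP, length N" and a lowercase "udp N" form (assumed variants).
        if not m["rest"].lower().startswith("udp"):
            continue
        dport = int(m["dport"])
        if dport in forwarded_ports:
            hits[(m["ifname"], dport)] += 1
    return hits


if __name__ == "__main__":
    # Ports that pfctl lists as forwarded (here: one UPnP mapping, one static rule).
    for (ifname, port), n in blocked_forwarded_udp(SAMPLE_PFLOG, {3658, 6881}).items():
        print(f"{ifname}: {n} blocked UDP packet(s) to forwarded port {port}")
```

A non-empty result while pfctl still lists the forwarding rule corresponds to the failure state described in the report.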