Subject: NetBSD pf, route-to and checksum errors
To: None <tech-net@NetBSD.org>
From: iMil <imil@home.imil.net>
List: tech-net
Date: 01/03/2006 10:43:48
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

I've been playing a bit with pf's route-to feature and I noticed some
strange behaviours.

I'd like to use PF's route-to option to route traffic through a tunnel
(tun0) interface for certain ports only.

From what I read here: http://www.openbsd.org/faq/pf/pools.html, here:
http://www.monkey.org/openbsd/archive/misc/0311/msg00640.html and here
http://www.benzedrine.cx/pf/msg04941.html, these rules should do the trick:

--[snip]--

# NAT LAN traffic leaving on either the regular uplink or the tunnel
nat on $ext_if from $lan_net to any -> $ext_if
nat on $tun_if from $lan_net to any -> $tun_if

# Force LAN SMTP traffic out through the tunnel instead of the default route
pass in quick on $int_if route-to ($tun_if $tun_gw) \
         proto tcp from $lan_net to any port 25 keep state

--[snip]--

but they don't. Here's a tcpdump log:

some.lan_net.machine$ telnet target 25

target.machine# tcpdump -vv -i sis0 dst port 25
tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
14:30:16.594788 IP (tos 0x10, ttl  59, id 50921, offset 0, flags [DF],
proto: TCP (6), length: 60) tunnel.interface.1635 > target.smtp:
S, cksum 0xf540 (incorrect (-> 0xca86), 4250289696:4250289696(0) win 5840
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
<mss 1460,sackOK,timestamp 598704329 0,nop,wscale 2>

The target is effectively reached by the tunnelled host, but the
reply never comes back. And yes, the tunnel works; routing over it by
default is OK.

I tried the same kind of configuration on a FreeBSD machine and 1. there's 
no checksum error, 2. the reply comes back.

Am I missing something, or is there any known problem with the route-to
feature in NetBSD's pf?

Kind regards

-------------------------
iMil <imil@home.imil.net>                                                 _
      http://gcu-squad.org                          ASCII ribbon campaign ( )
                                                     - against HTML email  X
                                                                 & vCards / \
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)

iD8DBQFDukdWFG3BlGWyzUIRAgVTAJ9zhjTIiDMa/OzRKQ/U/MkMmDET1wCeNR8V
7ty42G9Nf22I8QWc2jvwiJU=
=QA90
-----END PGP SIGNATURE-----
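Added example, not code from the post or from NetBSD's pf: a small Python script that recomputes a TCP checksum the way tcpdump -vv does and shows why a translator that rewrites the IP source, which is what `nat on $tun_if` does to the route-to'd packets, has to update the TCP checksum as well, because that checksum covers a pseudo-header containing the source address. Two things worth keeping in mind when reading a capture like the one above: a checksum reported as incorrect on the sending host is often harmless (with checksum offload the NIC fills it in after tcpdump's capture point), but this capture was taken on the receiving host's sis0, so the SYN really arrived with a bad checksum and the target's TCP stack will discard it silently, which matches the missing reply. The script builds a SYN with the same option layout and 60-byte length as the posted line, rewrites the source the way a NAT would, and compares the stale checksum with a correct incremental update (RFC 1624). The host addresses are assumptions and the packet is constructed; the port and sequence numbers are copied from the posted line. It says nothing about which NetBSD code path was at fault.

```python
"""Recompute a TCP checksum as tcpdump -vv does and show why a NAT that
rewrites the IP source (what `nat on $tun_if` does) must also update it.
Added example, not code from the post; the packet is constructed to match
the posted tcpdump line's shape and the addresses are assumptions."""
import struct

# Assumed addresses (not the poster's real hosts).
LAN_HOST = "192.168.1.10"   # some.lan_net.machine
TUN_ADDR = "10.8.0.2"       # address of $tun_if that nat rewrites to
TARGET = "203.0.113.25"     # target.machine


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit words with end-around carry, not yet inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return ~ones_complement_sum(data) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, 0, proto 6, length)
    plus the segment with its own checksum field zeroed.  The pseudo-header
    is why changing the IP source invalidates the TCP checksum."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return checksum(pseudo + zeroed)


def build_syn(src: str, dst: str, sport: int = 1635, dport: int = 25,
              seq: int = 4250289696) -> bytes:
    """IPv4+TCP SYN with the option layout of the posted capture
    (mss 1460, sackOK, timestamp, nop, wscale 2): 60 bytes, checksums valid."""
    options = (struct.pack("!BBH", 2, 4, 1460)              # MSS
               + bytes([4, 2])                              # SACK permitted
               + struct.pack("!BBII", 8, 10, 598704329, 0)  # timestamps
               + bytes([1])                                 # NOP
               + bytes([3, 3, 2]))                          # window scale 2
    offset = (20 + len(options)) // 4                       # 40-byte header
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, offset << 4,
                      0x02, 5840, 0, 0) + options            # SYN, win 5840
    s, d = ip_bytes(src), ip_bytes(dst)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + len(tcp), 50921,
                     0x4000, 59, 6, 0, s, d)                # tos 0x10, DF, ttl 59
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def verify(packet: bytes):
    """(stored, expected) TCP checksum; tcpdump prints 'incorrect (-> expected)'
    when the two differ."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    stored = struct.unpack("!H", tcp[16:18])[0]
    return stored, tcp_checksum(packet[12:16], packet[16:20], tcp)


def report(packet: bytes) -> str:
    """Format the result the way tcpdump -vv prints it."""
    stored, expected = verify(packet)
    if stored == expected:
        return "cksum 0x%04x (correct)" % stored
    return "cksum 0x%04x (incorrect (-> 0x%04x)" % (stored, expected)


def nat_source_naive(packet: bytes, new_src: str) -> bytes:
    """Rewrite the IP source and fix only the IP header checksum.
    The TCP checksum is left stale, which is exactly what tcpdump flags."""
    ihl = (packet[0] & 0x0F) * 4
    ip = packet[:10] + b"\x00\x00" + ip_bytes(new_src) + packet[16:ihl]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + packet[ihl:]


def nat_source(packet: bytes, new_src: str) -> bytes:
    """What a correct translator does: also update the TCP checksum.  Done
    incrementally per RFC 1624, HC' = ~(~HC + ~m + m'), so the segment does
    not have to be re-summed in full."""
    ihl = (packet[0] & 0x0F) * 4
    out = nat_source_naive(packet, new_src)
    old_hc = struct.unpack("!H", out[ihl + 16:ihl + 18])[0]
    old_src = packet[12:16]
    new_hc = ~ones_complement_sum(struct.pack("!H", ~old_hc & 0xFFFF)
                                  + bytes(b ^ 0xFF for b in old_src)
                                  + ip_bytes(new_src)) & 0xFFFF
    return out[:ihl + 16] + struct.pack("!H", new_hc) + out[ihl + 18:]


if __name__ == "__main__":
    syn = build_syn(LAN_HOST, TARGET)
    print("original       ", report(syn))
    print("naive rewrite  ", report(nat_source_naive(syn, TUN_ADDR)))
    print("proper rewrite ", report(nat_source(syn, TUN_ADDR)))
```

To apply this to a real capture, feed the raw IPv4 packet bytes (for example from a pcap read with `tcpdump -w` and sliced after the Ethernet header) to `verify()`; a mismatch on the receiving host's interface means the stack will drop the segment, a mismatch on the sending host usually means checksum offload and should be re-checked from the far end, as the poster did.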