Subject: NetBSD pf, route-to and checksum errors
To: None <>
From: iMil <>
List: tech-net
Date: 01/03/2006 10:43:48


I've been playing a bit with pf's route-to feature and I noticed some
strange behaviours.

I'd like to use PF's route-to option to route traffic through a tunnel
(tun0) interface for certain ports only.

From what I read here, here and here, these rules should do the trick:

--[snip]--

nat on $ext_if from $lan_net to any -> $ext_if
nat on $tun_if from $lan_net to any -> $tun_if

pass in quick on $int_if route-to ($tun_if $tun_gw) \
         proto tcp from $lan_net to any port 25 keep state

--[snip]--

but they don't. Here's a tcpdump log:

some.lan_net.machine$ telnet target 25

target.machine# tcpdump -vv -i sis0 dst port 25
tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 96
14:30:16.594788 IP (tos 0x10, ttl  59, id 50921, offset 0, flags [DF],
proto: TCP (6), length: 60) tunnel.interface.1635 > target.smtp:
S, cksum 0xf540 (incorrect (-> 0xca86), 4250289696:4250289696(0) win 5840
<mss 1460,sackOK,timestamp 598704329 0,nop,wscale 2>

the target is effectively reached by the good tunnelized host but the
reply never comes back. And yes, the tunnel works; routing by default
over it is OK.

I tried the same kind of configuration on a FreeBSD machine and: 1. there's
no checksum error, 2. the reply comes back.

Am I missing something, or is there any known problem with the route-to
feature in NetBSD's pf?

Kind regards

-------------------------
iMil <>                                                 _                          ASCII ribbon campaign ( )
                                                     - against HTML email  X
                                                                 & vCards / \
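Added example, not part of the original post or of NetBSD's pf: the tcpdump line above reports the TCP checksum as "incorrect", and the one thing the TCP checksum always depends on is a pseudo-header containing the IP source and destination addresses. The script below builds a SYN with a correct checksum, then models a source-address translation (the nat on $tun_if rule) once without a checksum update and once with the RFC 1624 incremental fixup, and shows that the receiver's verification fails in the first case and passes in the second. That a missed fixup is the cause of the poster's problem is an assumption for the sake of illustration; the post does not establish it. All addresses are constructed sample values, and the packet is a bare 20-byte header without the options seen in the capture.

```python
"""Added example (not from the original post): why an address rewrite
without a checksum update shows up as "cksum ... (incorrect ...)" in
tcpdump -vv.  Addresses are constructed, not the poster's network."""
import socket
import struct

LAN_HOST = "192.168.1.10"   # constructed: a host on $lan_net
TUN_ADDR = "10.8.0.2"       # constructed: address of $tun_if after nat
TARGET = "203.0.113.5"      # constructed: the SMTP target


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum of a TCP segment whose checksum field is zeroed."""
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)) & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Minimal 20-byte TCP SYN (no options) carrying a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 5840, 0, 0)
    csum = tcp_checksum(src, dst, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check (what tcpdump -vv reports): the sum over the
    pseudo-header plus the segment, checksum field included, must be 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def incremental_fixup(old_csum: int, old_addr: str, new_addr: str) -> int:
    """RFC 1624 update HC' = ~(~HC + ~m + m') over each replaced 16-bit word,
    so a translator never has to see the TCP payload."""
    total = (~old_csum) & 0xFFFF
    old_words = struct.unpack("!HH", socket.inet_aton(old_addr))
    new_words = struct.unpack("!HH", socket.inet_aton(new_addr))
    for old_w, new_w in zip(old_words, new_words):
        total += ((~old_w) & 0xFFFF) + new_w
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nat_rewrite(segment: bytes, old_src: str, new_src: str, fixup: bool) -> bytes:
    """Model a source-address translation of the enclosing IP packet.  Only
    the TCP segment is kept; the new source is what the receiver will put in
    its pseudo-header.  With fixup=False the checksum field is left alone."""
    if not fixup:
        return segment
    old_csum = struct.unpack("!H", segment[16:18])[0]
    new_csum = incremental_fixup(old_csum, old_src, new_src)
    return segment[:16] + struct.pack("!H", new_csum) + segment[18:]


def demo() -> dict:
    """Run the three cases and report the receiver's verdict on each."""
    syn = build_syn(LAN_HOST, TARGET, 1635, 25, 4250289696)
    broken = nat_rewrite(syn, LAN_HOST, TUN_ADDR, fixup=False)
    fixed = nat_rewrite(syn, LAN_HOST, TUN_ADDR, fixup=True)
    zeroed = fixed[:16] + b"\x00\x00" + fixed[18:]
    return {
        "original_ok": checksum_ok(LAN_HOST, TARGET, syn),
        "after_nat_no_fixup_ok": checksum_ok(TUN_ADDR, TARGET, broken),
        "after_nat_fixup_ok": checksum_ok(TUN_ADDR, TARGET, fixed),
        # the incremental result must equal a full recomputation
        "fixup_matches_recompute": struct.unpack("!H", fixed[16:18])[0]
        == tcp_checksum(TUN_ADDR, TARGET, zeroed),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The useful diagnostic habit this illustrates: when tcpdump on the receiving host (not the sender, where checksum offload can produce false "incorrect" reports) flags a bad TCP checksum on a translated packet, compare the pseudo-header the receiver uses with the one the sender used; a translator that changed an address but not the checksum is the first thing to rule out.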