Bug 135948 - [pf] [gre] pf not natting gre protocol
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.2-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-pf (Nobody)
Reported: 2009-06-23 06:20 UTC by Alexander
Modified: 2018-05-28 20:11 UTC (History)
Description Alexander 2009-06-23 06:20:01 UTC
7.2-RELEASE, updated via src (from 7.1-PRERELEASE)

I'm trying to connect from the local network to an external PPTP server. The login and password checking phase is stopped by a timeout.
pf does not work with multiple GRE connections, I know. But this server is running one mpd PPTP client to another server1, and from the local network I try to connect to external server2. killall mpd5 has no result. The protocol going out from me is not NATted.
I also tried rebuilding the kernel without IPFIREWALL - no results.

tcpdump and my configs:

Changed kernel options:
kernel-config
#options        INET6
#options        SCTP 
device pf
device pfsync
device pflog
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET
options NETGRAPH
options NETGRAPH_VJC
options NETGRAPH_PPP
options NETGRAPH_SOCKET
options NETGRAPH_CISCO
options NETGRAPH_ECHO
options NETGRAPH_FRAME_RELAY
options NETGRAPH_HOLE
options NETGRAPH_KSOCKET
options NETGRAPH_LMI
options NETGRAPH_RFC1490
options NETGRAPH_TTY
options NETGRAPH_ASYNC
options NETGRAPH_ETHER
options NETGRAPH_IFACE
options NETGRAPH_TEE
options NETGRAPH_UI
options NETGRAPH_PPTPGRE
options NETGRAPH_PPPOE
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_BPF

/etc/pf.conf
tomsk_if="rl0"
tomsk_gw="192.168.22.11"
tomsk_ip="192.168.22.22"
scrub in all
nat on $tomsk_if from 172.22.3.3 to any -> ($tomsk_if)
nat on $tomsk_if proto gre from any to any -> ($tomsk_if)
pass in quick
pass out quick

tcpdump -ni rl0
11:49:43.247209 IP 192.168.22.22.52676 > 213.183.96.29.1723: S 2598945743:2598945743(0) win 65535 <mss 1260,nop,nop,sackOK>
11:49:43.272521 IP 213.183.96.29.1723 > 192.168.22.22.52676: S 3289213647:3289213647(0) ack 2598945744 win 65535 <mss 1260,sackOK,eol>
11:49:43.272793 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
11:49:43.291500 IP 213.183.96.29.1723 > 192.168.22.22.52676: P 1:157(156) ack 157 win 65535: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(257) [|pptp]
11:49:43.291654 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(32768) CALL_SER_NUM(60053) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
11:49:43.310932 IP 213.183.96.29.1723 > 192.168.22.22.52676: P 157:189(32) ack 325 win 65535: pptp CTRL_MSGTYPE=OCRP CALL_ID(62486) PEER_CALL_ID(32768) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(131072)
11:49:43.311393 IP 213.183.96.29 > 192.168.22.22: GREv1, call 32768, seq 0, length 39: LCP, Conf-Request (0x01), id 1, length 25
11:49:43.315766 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 325:349(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(62486) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
11:49:43.319020 IP 172.22.3.3 > 213.183.96.29: GREv1, call 62486, seq 0, length 37: LCP, Conf-Request (0x01), id 0, length 23
11:49:43.335801 IP 213.183.96.29 > 192.168.22.22: GREv1, call 32768, seq 1, ack 0, length 27: LCP, Conf-Reject (0x04), id 0, length 9
11:49:43.434641 IP 213.183.96.29.1723 > 192.168.22.22.52676: . ack 349 win 65535
11:49:45.304695 IP 172.22.3.3 > 213.183.96.29: GREv1, call 62486, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23


Sorry for my English.
If this problem is not solved, where can I read the official documentation for IPFIREWALL NAT in kernel mode?

I used a second FreeBSD 7.2 server and tried to connect through it, but also no result.
P.S. Server two is not using mpd or any other VPN connections. But when I try to connect a PPTP client from the local network, 10% of connections succeed and, without any config change, in 90% GRE is not NATted. What is this? I read reports about multiple connections and tried using the frickin pptp proxy, but also no result.
I think GRE is never using the pf rules, or pf ignores it :(

How-To-Repeat: always
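
A way to check a capture like the one above for GRE packets that left the external interface untranslated. This is an added example, not part of the original report; the function names are hypothetical, and the sample lines are abridged from the report's tcpdump output.

```python
import re

# Sample lines abridged from the tcpdump output in the report (rl0, external side).
SAMPLE = """\
11:49:43.247209 IP 192.168.22.22.52676 > 213.183.96.29.1723: S 2598945743:2598945743(0) win 65535
11:49:43.311393 IP 213.183.96.29 > 192.168.22.22: GREv1, call 32768, seq 0, length 39: LCP, Conf-Request (0x01), id 1, length 25
11:49:43.319020 IP 172.22.3.3 > 213.183.96.29: GREv1, call 62486, seq 0, length 37: LCP, Conf-Request (0x01), id 0, length 23
11:49:43.335801 IP 213.183.96.29 > 192.168.22.22: GREv1, call 32768, seq 1, ack 0, length 27: LCP, Conf-Reject (0x04), id 0, length 9
11:49:45.304695 IP 172.22.3.3 > 213.183.96.29: GREv1, call 62486, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23
"""

# Matches only port-less IPv4 lines carrying GRE; the TCP control channel does not match.
GRE_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"GREv\d+(?:, call (?P<call>\d+))?"
)

def find_unnatted_gre(capture, nat_addr):
    """Return GRE packets seen on the external interface that were not translated.

    A packet counts as outbound when its destination is not nat_addr; an outbound
    packet whose source is not nat_addr left the box with its original address.
    (Hypothetical helper; nat_addr is the address of the NAT interface.)
    """
    leaks = []
    for line in capture.splitlines():
        m = GRE_LINE.match(line)
        if not m:
            continue
        if m["dst"] != nat_addr and m["src"] != nat_addr:
            leaks.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                          "call": int(m["call"]) if m["call"] else None})
    return leaks

def summarize(leaks):
    """Count leaked packets per (internal source, remote peer) pair."""
    summary = {}
    for p in leaks:
        key = (p["src"], p["dst"])
        summary[key] = summary.get(key, 0) + 1
    return summary

if __name__ == "__main__":
    for (src, dst), n in summarize(find_unnatted_gre(SAMPLE, "192.168.22.22")).items():
        print(f"{n} GRE packet(s) left untranslated: {src} -> {dst}")
```

On the sample it reports the two call 62486 packets sourced from 172.22.3.3, while the TCP control channel on port 1723 already carries the translated address 192.168.22.22.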
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-06-25 08:29:00 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to maintainer(s).
Comment 2 cmb 2015-12-12 05:08:51 UTC
pf NATs GRE fine on all current supported FreeBSD versions (within the limitations inherent in its NAT implementation with GRE). Safe to close this.
Comment 3 Kristof Provost freebsd_committer freebsd_triage 2015-12-12 12:34:17 UTC
Closing based on the report in comment #2.
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:48:33 UTC
batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.