On 14 Oct 2020, at 18:52, J David wrote:
On 12 Oct 2020, at 23:48, Andreas Longwitz wrote:
pf gives these messages in debug mode (pfctl -x loud).

Yes, with that setting I'm also seeing those messages.

On Tue, Oct 13, 2020 at 5:35 PM Kristof Provost <k...@freebsd.org> wrote:
I see the same ‘stack key attach failed’ error message. My current thinking is that we’re hitting a state collision, because post-RDR our connection information is the same (192.168.14.10:23456 192.168.14.100:12345). That means we can’t create a new state, and the packet gets dropped.

This is probably a dumb question because I know less than nothing
about pf internals, but why wouldn't it match the existing state?

“It’s complicated”.

In essence, pf tracks both the pre- and post-translation tuple, so what we’re seeing here is one of those conflicting with an existing session and that’s causing the failure. There’s good reason to do this, as we have to be able to match state on both the pre-translation side (when processing LAN -> WAN traffic) and post-translation (WAN -> LAN).

Best regards,
Kristof
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
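
The collision discussed in the thread, as an added example that is not part of the original messages and is not pf source code: a simplified model in which each state is indexed by both its pre-translation (wire) and post-translation (stack) tuple. The post-RDR tuple is the one quoted in the thread; the two original destination addresses, the return codes and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT pf source: every state carries two keys. */
struct key { const char *src, *dst; };      /* "addr:port" endpoints */
struct state { struct key wire, stack; };   /* pre- and post-translation */

#define MAX_STATES 8
static struct state table[MAX_STATES];
static int nstates;

static int key_eq(struct key a, struct key b)
{
    return strcmp(a.src, b.src) == 0 && strcmp(a.dst, b.dst) == 0;
}

/* Look up an arriving packet by its pre-translation tuple; -1 if no state. */
int find_by_wire(struct key wire)
{
    for (int i = 0; i < nstates; i++)
        if (key_eq(table[i].wire, wire))
            return i;
    return -1;
}

/* 0 = created, -1 = wire key collision, -2 = stack key collision, -3 = full. */
int state_insert(struct key wire, struct key stack)
{
    for (int i = 0; i < nstates; i++) {
        if (key_eq(table[i].wire, wire))   return -1;
        if (key_eq(table[i].stack, stack)) return -2;
    }
    if (nstates == MAX_STATES) return -3;
    table[nstates++] = (struct state){ wire, stack };
    return 0;
}

int main(void)
{
    /* Post-RDR tuple from the thread; original destinations are constructed. */
    struct key post = { "192.168.14.10:23456", "192.168.14.100:12345" };
    struct key pre1 = { "192.168.14.10:23456", "198.51.100.1:80" };
    struct key pre2 = { "192.168.14.10:23456", "198.51.100.2:80" };

    printf("first insert:   %d\n", state_insert(pre1, post));
    printf("wire lookup #2: %d\n", find_by_wire(pre2));
    printf("second insert:  %d\n", state_insert(pre2, post));
    return 0;
}
```

In this model the second connection does not match the existing state because its pre-translation tuple differs, yet it cannot get a state of its own because its post-translation tuple is already taken.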
