Bug #2699

pf(4) pass rule not beeing applied

Added by ftigeot about 2 years ago. Updated over 1 year ago.

Status:ClosedStart date:07/10/2014
Priority:NormalDue date:
Assignee:-% Done:


Target version:4.2.x


My pf.conf contains a pass rule intended to allow email to flow between two servers.
Very simplified configuration:

[server1]<===>[PF box]<====>[server2]

pf.conf looks like this:

table <server2> {2001:x:y:z:t }
pass in on $ext_if proto tcp from $server1 to <server2> port 25 keep state

I have recently updated my pf firewall to the new multiprocessor-enabled version
in DragonFly 3.9 and since then, TCP connections from server1 are blocked by the
PF machine.
They do not show up in a tcpdump on the PF box/server2 network interface

If I replace the <server2> table by a simple $server2 variable, traffic flows as

Associated revisions

Revision f059a200
Added by dillon about 2 years ago

kernel - Fix table problem w/IPV6 matching with PF

* Zero the sin6 structure before initializing it for passing to rn_match().
rn_match() is not structurally aware so pad space in the structure must
be zero'd.

* Fixes IPV6 table matching problem with PF.

Reported-by: ftigeot
Testing-by: ftigeot


#1 Updated by dillon about 2 years ago

Try this patch. It could be structural filler that is not being initialized, which rn_match() could barf on:



#2 Updated by ftigeot about 2 years ago

  • Status changed from New to In Progress

The patch appears to have fixed the issue.
My first server can now send mails to the second one.

#3 Updated by tuxillo over 1 year ago

  • Category set to Networking
  • Status changed from In Progress to Closed
  • Target version set to 4.2.x

Also available in: Atom PDF