List:       openbsd-bugs
Subject:    Re: Natted, keep-alive UDP connections not killed on PPPoE address change
From:       Stuart Henderson <sthen () openbsd ! org>
Date:       2014-10-14 22:19:11
Message-ID: 20141014221910.GQ16505 () symphytum ! spacehopper ! org

On 2014/10/14 23:36, Yann Hamon wrote:
> The reason I posted this on bugs@ is because OpenBSD keeps UDP connections
> natted to an IP address that has been changed, which doesn't seem
> straightforward according to this documentation:
> http://www.openbsd.org/faq/pf/nat.html which states:
> 
> "This tells PF to update the rule if the IP address(es) on the named
> interface changes"
> 
> I would have expected that once the address on my interface changes, new
> packets coming from my phone would have been natted to the new IP address.
> But maybe this is expected behaviour - I am fine with the workaround.

The problem is that those packets match the existing state table entry,
they don't hit the ruleset again until the state entry times out, which
won't happen if the phone keeps on sending packets at an interval lower
than the state timeout interval - it is probably doing this *specifically*
to avoid letting NAT states time out ;-)

I've been wondering if there might be other ways to handle this in pf
but haven't come up with anything that would actually work without
either being horrendously complex (some sort of super-if-bound that
also checks IP addresses on the interface? yeeuw) or breaking other
situations (if an interface bounces but keeps the same address,
invalidating the states would be bad)..
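The behaviour described above, as an added illustration that is not part of the original message and not OpenBSD's pf code: a toy state table keyed by the connection tuple, a per-state expiry that every matching packet refreshes, and a NAT rule that is only consulted when no state matches. The addresses, ports, the 60-second timeout and the keep-alive intervals are all constructed for the demonstration. It shows both cases: keep-alives sent faster than the timeout keep the state alive, so traffic after the address change still leaves with the old address, while keep-alives slower than the timeout let the state expire, so the next packet hits the ruleset and picks up the new address.

```python
"""Toy model of pf-style stateful NAT (added example, not pf's implementation).

A packet that matches an existing state never sees the ruleset again; it
only refreshes the state's timeout. The translated source address is fixed
when the state is created, so an interface address change is invisible to
an established, constantly refreshed state.
"""
from dataclasses import dataclass

STATE_TIMEOUT = 60  # seconds; constructed stand-in for pf's UDP state timeout


@dataclass
class State:
    nat_addr: str   # translated source address chosen when the state was created
    expires: int    # absolute time at which the state is evicted


class NatBox:
    def __init__(self, external_addr):
        self.external_addr = external_addr   # current address on the PPPoE interface
        self.states = {}                     # (src, sport, dst, dport) -> State

    def set_external_addr(self, addr):
        # Models the interface address changing: the rule now uses the new
        # address, but existing states are left alone.
        self.external_addr = addr

    def _expire(self, now):
        self.states = {k: s for k, s in self.states.items() if s.expires > now}

    def forward(self, now, src, sport, dst, dport):
        """Return the source address the packet leaves the box with."""
        self._expire(now)
        key = (src, sport, dst, dport)
        st = self.states.get(key)
        if st is None:
            # No state: evaluate the ruleset, which uses the interface's
            # *current* address, and create a state bound to it.
            st = State(nat_addr=self.external_addr, expires=now + STATE_TIMEOUT)
            self.states[key] = st
        else:
            # Matching state: skip the ruleset entirely, just refresh the timeout.
            st.expires = now + STATE_TIMEOUT
        return st.nat_addr


def run_keepalives(interval, change_at=100, total=300):
    """Send one keep-alive every `interval` seconds from a constructed
    phone address; switch the external address at `change_at`.
    Returns the list of (time, translated source address) observed."""
    box = NatBox("192.0.2.10")   # constructed pre-change PPPoE address
    out = []
    changed = False
    t = 0
    while t <= total:
        if t >= change_at and not changed:
            box.set_external_addr("192.0.2.20")   # constructed post-change address
            changed = True
        out.append((t, box.forward(t, "10.0.0.5", 40000, "198.51.100.1", 5060)))
        t += interval
    return out


def address_after_change(interval):
    """Translated address used by the last keep-alive of the run."""
    return run_keepalives(interval)[-1][1]


if __name__ == "__main__":
    for interval in (30, 90):
        print(f"keep-alive every {interval}s -> final NAT address "
              f"{address_after_change(interval)}")
```

With a 30-second keep-alive against a 60-second timeout the state is refreshed before it can expire, so every packet after the address change still leaves as 192.0.2.10; with a 90-second interval the state has already been evicted when the next keep-alive arrives, that packet is matched against the ruleset, and a fresh state bound to 192.0.2.20 is created.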
