From owner-freebsd-pf@FreeBSD.ORG Mon Nov 19 11:07:09 2007
Date: Mon, 19 Nov 2007 11:07:08 GMT
Message-Id: <200711191107.lAJB78fW040843@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf         [pf] kernel panic with pf and ng

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf         [net] [pf] pfctl -k dont works
f kern/116645  pf         [RFE] pfctl -k does not work in securelevel 3

8 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 19 20:37:14 2007
Date: Mon, 19 Nov 2007 21:21:42 +0100
From: Jan Srzednicki
To: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: pf(4) using inapropriate timeout values, 6.2-R
Message-ID: <20071119202142.GI2045@oak.pl>

Hello,

I'm running pf(4) on a 6.2-RELEASE system. The problem occurs when on a
TCP connection, one side sends a FIN (by issuing shutdown(SHUT_WR) on
the socket), which is then ACK-ed properly. According to pf.conf(5), the
connection should then be subject to tcp.closing timeout:

    tcp.closing
        The state after the first FIN has been sent.

But, after testing, I have discovered that the connection is timeouted
after tcp.finwait value:

    tcp.finwait
        The state after both FINs have been exchanged and the connection
        is closed. Some hosts (notably web servers on Solaris) send TCP
        packets even after closing the connection. Increasing tcp.finwait
        (and possibly tcp.closing) can prevent blocking of such packets.

I'm positively sure it's precisely this value that timeouts this
connection (which later on get state mismatches). Default tcp.closing
value is quite big (15 minutes), while tcp.finwait ain't, and I have
tuned tcp.finwait to a small value due to excessive number of
short-lived connections I have running.

This happens both with "keep state" and "modulate state".

Is it some kind of a known issue? Is there any fix available? I didn't
test it on any other system than 6.2-R.

--
  Jan Srzednicki :: http://wrzask.pl/
  "Remember, remember, the fifth of November" -- V for Vendetta

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 06:53:38 2007
Date: Tue, 20 Nov 2007 07:53:34 +0100
From: Daniel Hartmeier
To: Jan Srzednicki
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf(4) using inapropriate timeout values, 6.2-R
Message-ID: <20071120065334.GJ29432@insomnia.benzedrine.cx>
In-Reply-To: <20071119202142.GI2045@oak.pl>

On Mon, Nov 19, 2007 at 09:21:42PM +0100, Jan Srzednicki wrote:

> I'm positively sure it's precisely this value that timeouts this
> connection (which later on get state mismatches).

What does pfctl -vvss show for such a state entry, in particular the
right-most part of the first line ("ESTABLISHED:ESTABLISHED" while the
connection is still fully established, etc.)?

Does it matter which side of the connection (the client or the server)
half-closes the connection?

It's possible that there's a bug in mapping the timeout, I'll check.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 09:50:52 2007
Date: Tue, 20 Nov 2007 10:50:41 +0100
From: Jan Srzednicki
To: Daniel Hartmeier
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf(4) using inapropriate timeout values, 6.2-R
Message-ID: <20071120095041.GJ2045@oak.pl>
In-Reply-To: <20071120065334.GJ29432@insomnia.benzedrine.cx>

On Tue, Nov 20, 2007 at 07:53:34AM +0100, Daniel Hartmeier wrote:
> On Mon, Nov 19, 2007 at 09:21:42PM +0100, Jan Srzednicki wrote:
>
> > I'm positively sure it's precisely this value that timeouts this
> > connection (which later on get state mismatches).
>
> What does pfctl -vvss show for such a state entry, in particular the
> right-most part of the first line ("ESTABLISHED:ESTABLISHED" while the
> connection is still fully established, etc.)?

OK, here it comes. This is the connection before sending the one-side
FIN:

self tcp MY_IP_HERE:12525 <- MY_IP_HERE:64829       ESTABLISHED:ESTABLISHED
   [390096685 + 66608] wscale 1  [3173293905 + 65537] wscale 1
   age 00:00:00, expires in 24:00:00, 2:1 pkts, 116:64 bytes, rule 30
   id: 47207d980002e600 creatorid: 082298e6
self tcp MY_IP_HERE:64829 -> MY_IP_HERE:12525       ESTABLISHED:ESTABLISHED
   [3173293905 + 65537] wscale 1  [390096685 + 66608] wscale 1
   age 00:00:00, expires in 24:00:00, 2:1 pkts, 116:64 bytes, rule 30
   id: 47207d980002e5ff creatorid: 082298e6

(they're both on the same host)

Now the client sends FIN:

10:39:30.008969 IP MY_IP_HERE.64829 > MY_IP_HERE.12525: F 222:222(0) ack 1 win 33304
10:39:30.009008 IP MY_IP_HERE.12525 > MY_IP_HERE.64829: . ack 223 win 33304

And the state becomes:

self tcp MY_IP_HERE:12525 <- MY_IP_HERE:64829       ESTABLISHED:FIN_WAIT_2
   [390096685 + 66608] wscale 1  [3173294128 + 66608] wscale 1
   age 00:00:04, expires in 00:00:05, 4:3 pkts, 441:168 bytes, rule 30
   id: 47207d980002e600 creatorid: 082298e6
self tcp MY_IP_HERE:64829 -> MY_IP_HERE:12525       FIN_WAIT_2:ESTABLISHED
   [3173294128 + 66608] wscale 1  [390096685 + 66608] wscale 1
   age 00:00:04, expires in 00:00:05, 4:3 pkts, 441:168 bytes, rule 30
   id: 47207d980002e5ff creatorid: 082298e6

Timeout values:

# pfctl -s timeout
No ALTQ support in kernel
ALTQ related functions disabled
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                   5s
tcp.closed                   10s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

> Does it matter which side of the connection (the client or the server)
> half-closes the connection?

Nope, this happens on both sides.

> It's possible that there's a bug in mapping the timeout, I'll check.

Thx.

--
  Jan Srzednicki :: http://wrzask.pl/
  "Remember, remember, the fifth of November" -- V for Vendetta

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 10:20:59 2007
Date: Tue, 20 Nov 2007 11:20:56 +0100
From: Daniel Hartmeier
To: Jan Srzednicki
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf(4) using inapropriate timeout values, 6.2-R
Message-ID: <20071120102056.GK29432@insomnia.benzedrine.cx>
In-Reply-To: <20071120095041.GJ2045@oak.pl>

On Tue, Nov 20, 2007 at 10:50:41AM +0100, Jan Srzednicki wrote:

> And the state becomes:
>
> self tcp MY_IP_HERE:12525 <- MY_IP_HERE:64829       ESTABLISHED:FIN_WAIT_2
>    [390096685 + 66608] wscale 1  [3173294128 + 66608] wscale 1
>    age 00:00:04, expires in 00:00:05, 4:3 pkts, 441:168 bytes, rule 30
>    id: 47207d980002e600 creatorid: 082298e6
> self tcp MY_IP_HERE:64829 -> MY_IP_HERE:12525       FIN_WAIT_2:ESTABLISHED
>    [3173294128 + 66608] wscale 1  [390096685 + 66608] wscale 1
>    age 00:00:04, expires in 00:00:05, 4:3 pkts, 441:168 bytes, rule 30
>    id: 47207d980002e5ff creatorid: 082298e6

That's fine so far, ESTABLISHED:FIN_WAIT_2 is correct in this case.

Look at your /usr/src/sys/contrib/pf/net/pf.c, in pf_test_state_tcp()
there's a section like

        /* update expire time */
        (*state)->expire = time_second;
        if (src->state >= TCPS_FIN_WAIT_2 &&
            dst->state >= TCPS_FIN_WAIT_2)
                (*state)->timeout = PFTM_TCP_CLOSED;
        else if (src->state >= TCPS_CLOSING &&
            dst->state >= TCPS_CLOSING)
                (*state)->timeout = PFTM_TCP_FIN_WAIT;
        else if (src->state < TCPS_ESTABLISHED ||
            dst->state < TCPS_ESTABLISHED)
                (*state)->timeout = PFTM_TCP_OPENING;
        else if (src->state >= TCPS_CLOSING ||
            dst->state >= TCPS_CLOSING)
                (*state)->timeout = PFTM_TCP_CLOSING;
        else
                (*state)->timeout = PFTM_TCP_ESTABLISHED;

In 6.2-release this was, according to

  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c?rev=1.34.2.4;content-type=text%2Fplain

        /* update expire time */
        (*state)->expire = time_second;
        if (src->state >= TCPS_FIN_WAIT_2 &&
            dst->state >= TCPS_FIN_WAIT_2)
                (*state)->timeout = PFTM_TCP_CLOSED;
        else if (src->state >= TCPS_FIN_WAIT_2 ||
            dst->state >= TCPS_FIN_WAIT_2)
                (*state)->timeout = PFTM_TCP_FIN_WAIT;
        else if (src->state < TCPS_ESTABLISHED ||
            dst->state < TCPS_ESTABLISHED)
                (*state)->timeout = PFTM_TCP_OPENING;
        else if (src->state >= TCPS_CLOSING ||
            dst->state >= TCPS_CLOSING)
                (*state)->timeout = PFTM_TCP_CLOSING;
        else
                (*state)->timeout = PFTM_TCP_ESTABLISHED;

Note the slight difference, which explains your observations.

It looks like this change was never backported/merged to RELENG_6.

Try the newer (first) version, it should resolve your problem.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 10:25:21 2007
Date: Tue, 20 Nov 2007 11:25:20 +0100
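
Added example, not part of any message in this thread and not pf source code: a small C model of the two timeout selections quoted in the message above, run over a constructed half-close sequence with the timeout values from the posted "pfctl -s timeout" output. The PFTM_TCP_* enum, the tables and the function names are local stand-ins; the TCPS_* numbering follows <netinet/tcp_fsm.h>.

```c
#include <stdio.h>

/* TCP FSM values as defined in <netinet/tcp_fsm.h>; the quoted pf code
 * compares them numerically, so the ordering matters. */
enum {
    TCPS_CLOSED, TCPS_LISTEN, TCPS_SYN_SENT, TCPS_SYN_RECEIVED,
    TCPS_ESTABLISHED, TCPS_CLOSE_WAIT, TCPS_FIN_WAIT_1, TCPS_CLOSING,
    TCPS_LAST_ACK, TCPS_FIN_WAIT_2, TCPS_TIME_WAIT, TCPS_COUNT
};

/* Local stand-ins for pf's PFTM_TCP_* indices (numbering here is arbitrary). */
enum pftm {
    PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, PFTM_TCP_CLOSING,
    PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED
};

/* pf.conf names, and seconds taken from the pfctl -s timeout output above. */
static const char *const tm_name[] = {
    "tcp.opening", "tcp.established", "tcp.closing", "tcp.finwait", "tcp.closed"
};
static const int tm_seconds[] = { 30, 86400, 900, 5, 10 };

/* Selection as quoted for 6.2-RELEASE (rev 1.34.2.4). */
enum pftm timeout_6_2(int src, int dst)
{
    if (src >= TCPS_FIN_WAIT_2 && dst >= TCPS_FIN_WAIT_2)
        return PFTM_TCP_CLOSED;
    else if (src >= TCPS_FIN_WAIT_2 || dst >= TCPS_FIN_WAIT_2)
        return PFTM_TCP_FIN_WAIT;      /* one ACKed FIN is enough */
    else if (src < TCPS_ESTABLISHED || dst < TCPS_ESTABLISHED)
        return PFTM_TCP_OPENING;
    else if (src >= TCPS_CLOSING || dst >= TCPS_CLOSING)
        return PFTM_TCP_CLOSING;
    return PFTM_TCP_ESTABLISHED;
}

/* Selection as quoted for the newer pf.c (the "first" version). */
enum pftm timeout_fixed(int src, int dst)
{
    if (src >= TCPS_FIN_WAIT_2 && dst >= TCPS_FIN_WAIT_2)
        return PFTM_TCP_CLOSED;
    else if (src >= TCPS_CLOSING && dst >= TCPS_CLOSING)
        return PFTM_TCP_FIN_WAIT;      /* FIN seen from both peers */
    else if (src < TCPS_ESTABLISHED || dst < TCPS_ESTABLISHED)
        return PFTM_TCP_OPENING;
    else if (src >= TCPS_CLOSING || dst >= TCPS_CLOSING)
        return PFTM_TCP_CLOSING;       /* half-closed lands here */
    return PFTM_TCP_ESTABLISHED;
}

/* Count of (src, dst) pairs over all numeric states where the two versions
 * disagree; many of these pairs never occur in a real state entry. */
int differing_pairs(void)
{
    int n = 0;
    for (int s = 0; s < TCPS_COUNT; s++)
        for (int d = 0; d < TCPS_COUNT; d++)
            n += timeout_6_2(s, d) != timeout_fixed(s, d);
    return n;
}

int main(void)
{
    /* Constructed teardown: src half-closes first, dst closes later.
     * CLOSING = FIN seen, FIN_WAIT_2 = that FIN ACKed, as in the thread. */
    static const struct { const char *event; int src, dst; } walk[] = {
        { "both sides open",   TCPS_ESTABLISHED, TCPS_ESTABLISHED },
        { "FIN seen from src", TCPS_CLOSING,     TCPS_ESTABLISHED },
        { "src FIN ACKed",     TCPS_FIN_WAIT_2,  TCPS_ESTABLISHED },
        { "FIN seen from dst", TCPS_FIN_WAIT_2,  TCPS_CLOSING },
        { "dst FIN ACKed",     TCPS_FIN_WAIT_2,  TCPS_FIN_WAIT_2 },
    };

    printf("%-18s %-16s %7s  %-16s %7s\n",
        "event", "6.2-RELEASE", "", "newer pf.c", "");
    for (size_t i = 0; i < sizeof(walk) / sizeof(walk[0]); i++) {
        enum pftm o = timeout_6_2(walk[i].src, walk[i].dst);
        enum pftm n = timeout_fixed(walk[i].src, walk[i].dst);
        printf("%-18s %-16s %6ds  %-16s %6ds\n", walk[i].event,
            tm_name[o], tm_seconds[o], tm_name[n], tm_seconds[n]);
    }
    printf("state pairs mapped differently: %d\n", differing_pairs());
    return 0;
}
```

With the posted settings, the 6.2-RELEASE selection keeps the 900s tcp.closing value only until the first FIN is ACKed and then drops to the 5s tcp.finwait value, which matches the "expires in 00:00:05" seen on the FIN_WAIT_2:ESTABLISHED entry.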
From: Daniel Hartmeier
To: Jan Srzednicki
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf(4) using inapropriate timeout values, 6.2-R
Message-ID: <20071120102520.GL29432@insomnia.benzedrine.cx>
In-Reply-To: <20071120095041.GJ2045@oak.pl>

The specific change in the OpenBSD tree was

Revision 1.494
Mon Jul 4 08:28:04 2005 UTC (2 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.493: +3 -3 lines

restrict the tcp.finwait timeout (45s) to state combinations where we have
seen a FIN from both sides (whether ACKed or not) and use tcp.closing (900s)
for half closed connections. otherwise half closed connections will time
out within 45s. ok dhartmei, henning.

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.493&r2=1.494&f=h

Index: pf.c =================================================================== RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.493 retrieving revision 1.494 diff -u -r1.493 -r1.494 --- pf.c 13 Jun 2005 20:17:25 -0000 1.493 +++ pf.c 4 Jul 2005 08:28:04 -0000 1.494 
@@ -4273,8 +4273,8 @@ if (src->state >= TCPS_FIN_WAIT_2 && dst->state >= TCPS_FIN_WAIT_2) (*state)->timeout = PFTM_TCP_CLOSED; - else if (src->state >= TCPS_FIN_WAIT_2 || - dst->state >= TCPS_FIN_WAIT_2) + else if (src->state >= TCPS_CLOSING && + dst->state >= TCPS_CLOSING) (*state)->timeout = PFTM_TCP_FIN_WAIT; else if (src->state < TCPS_ESTABLISHED || dst->state < TCPS_ESTABLISHED)

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 10:50:43 2007
Date: Tue, 20 Nov 2007 11:50:32 +0100
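
Review bot: the new condition on the PFTM_TCP_FIN_WAIT branch (src->state >= TCPS_CLOSING && dst->state >= TCPS_CLOSING) depends on the numeric ordering of the TCPS_* constants and on its position in the if/else chain, and neither is documented at the site. A short comment above the branch saying that tcp.finwait now requires a FIN seen from both peers, and that a half-closed connection is meant to fall through to the later branches, would keep the intent from the log message next to the code. The log message also quotes 45s and 900s, while the hunk only selects a PFTM_TCP_* index; saying these are the default values would avoid confusion on systems where tcp.finwait has been tuned.
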
From: Jan Srzednicki
To: Daniel Hartmeier
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf(4) using inapropriate timeout values, 6.2-R
Message-ID: <20071120105032.GK2045@oak.pl>
In-Reply-To: <20071120102056.GK29432@insomnia.benzedrine.cx>

On Tue, Nov 20, 2007 at 11:20:56AM +0100, Daniel Hartmeier wrote:
> On Tue, Nov 20, 2007 at 10:50:41AM +0100, Jan Srzednicki wrote:
>
> Note the slight difference, which explains your observations.
>
> It looks like this change was never backported/merged to RELENG_6.
>
> Try the newer (first) version, it should resolve your problem.

Yeah, that solves the thing, thanks. Should I submit a PR to get that
fix merged into RELENG_6? It seems worth fixing before 6.3-RELEASE is
out.

--
  Jan Srzednicki :: http://wrzask.pl/
  "Remember, remember, the fifth of November" -- V for Vendetta

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 17:47:36 2007
Date: Tue, 20 Nov 2007 17:47:35 GMT
Message-Id: <200711201747.lAKHlZbW035240@freefall.freebsd.org>
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: remko@FreeBSD.org
Subject: Re: kern/118154: pf(4) uses invalid timeout values for half-closed connections (fix included)

Synopsis: pf(4) uses invalid timeout values for half-closed connections (fix included)

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Tue Nov 20 17:47:23 UTC 2007
Responsible-Changed-Why:
reassign to maintaining group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=118154

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 21 06:27:50 2007
Date: Wed, 21 Nov 2007 06:27:48 GMT
Message-Id: <200711210627.lAL6RmFr068597@freefall.freebsd.org>
To: w@wrzask.pl, dhartmei@FreeBSD.org, freebsd-pf@FreeBSD.org
From: dhartmei@FreeBSD.org
Subject: Re: kern/118154: pf(4) uses invalid timeout values for half-closed connections (fix included)

Synopsis: pf(4) uses invalid timeout values for half-closed connections (fix included)

State-Changed-From-To: open->closed
State-Changed-By: dhartmei
State-Changed-When: Wed Nov 21 06:27:00 UTC 2007
State-Changed-Why:
Committed to RELENG_6 with re@ approval, thank you!

http://www.freebsd.org/cgi/query-pr.cgi?pr=118154

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 21 14:00:09 2007
Date: Wed, 21 Nov 2007 14:00:09 GMT
Message-Id: <200711211400.lALE09PM090679@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: dfilter@FreeBSD.org (dfilter service)
Subject: Re: kern/118154: commit references a PR

The following reply was made to PR kern/118154; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/118154: commit references a PR
Date: Wed, 21 Nov 2007 13:52:16 +0000 (UTC)

 dhartmei    2007-11-21 13:52:04 UTC

   FreeBSD src repository

   Modified files:        (Branch: RELENG_6)
     sys/contrib/pf/net   pf.c
   Log:
   forced commit (no change) to fix PR number

   PR:             kern/118154
   Approved by:    re (obrien)

   Revision  Changes    Path
   1.34.2.8  +1 -1      src/sys/contrib/pf/net/pf.c

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 21 22:23:31 2007
Date: Wed, 21 Nov 2007 22:23:30 GMT
Message-Id: <200711212223.lALMNUPG013623@freefall.freebsd.org>
To: hsn@netmag.cz, pav@FreeBSD.org, freebsd-pf@FreeBSD.org
From: pav@FreeBSD.org
Subject: Re: kern/115640: [net] [pf] pfctl -k dont works

Synopsis: [net] [pf] pfctl -k dont works

State-Changed-From-To: open->closed
State-Changed-By: pav
State-Changed-When: Wed Nov 21 22:23:10 UTC 2007
State-Changed-Why:
Submitter reports the bugs are fixed in 7.0-PRE.

http://www.freebsd.org/cgi/query-pr.cgi?pr=115640

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 22 08:44:14 2007
Message-ID: <2e420cc20711211559r46d374e6n23f75710415cede2@mail.gmail.com>
Date: Wed, 21 Nov 2007 23:59:19 +0000
From: "P Bielecki"
To: freebsd-pf@freebsd.org
Subject: How to set up a queue for each host in the network?

Hi all,

I share a 2048Kbit SDSL line in a medium size network; every machine in
the network has 256Kbit of bandwidth. (45 teacher's laptops + 19 * 19
pupil's PC's); I use ipfw and dummynet (with NATd and proxy Squid) but
decided to try PF and ALTQ.

In the last year user's demands had grown up and now, understandably,
they want to have "faster internet". Unfortunately my budget is not big
enough to pay for a leased line.

I need advice on how to set up a queue for each host in the local
network so the host can have a 256Kbit queue and it could borrow
bandwidth from its parent as well.

What would be the best way to set up a queue for each machine? Is there
a way that I could use "addr/masklen" with queues like I used to do
with ipfw dummynet pipes? I think I could parse dhcpd.conf and/or do a
loop to create queue_list with all IP addresses but is this the only
way? I understand that I can use list/table/macro to assign traffic to
a queue but can I use them for configuring queues too?

And last one, is it possible to specify how much the queue can borrow
from its parent?

Please let me know your thoughts.

Thanks in advance
Paul

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 22 12:17:34 2007
Date: Wed, 21 Nov 2007 20:04:54 -0800
From: sukaca
To: freebsd-pf@freebsd.org
Subject: disable nat on ip client

dear all

is it impossible to make ip that distributed to my client is can't be
natting again (can't be sharing with masquerade). i'm work in ISP with
cheaper one with one pc applied. so i hope when my customer apply one
pc connection they can not sharing again with other pc.

thanks for advance.

regard
vicky