From owner-freebsd-pf@FreeBSD.ORG Sun Jul 20 18:12:28 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 191916] pflogd(8) eats cpu and hangs with net.bpf.zerocopy_enable=0
Date: Sun, 20 Jul 2014 18:12:27 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191916

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org
            Summary|pflogd eat cpu and hang     |pflogd(8) eats cpu and
                   |with                        |hangs with
                   |net.bpf.zerocopy_enable=0   |net.bpf.zerocopy_enable=0

--- Comment #2 from Mark Linimon ---
Over to maintainers.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 08:44:04 2014
From: "Zeus Panchenko"
Subject: nat lan to tun (nat before vpn)
Date: Mon, 21 Jul 2014 11:42:57 +0300

hi,

just was stumbled on the subject ... please, may somebody advise what am
I missing?

I have:

FreeBSD 10.0-STABLE #0 r261303

BoxA:
    LAN: 192.168.0.1/24
    TUN (OpenVPN): 172.16.10.1

    with route to 172.16/12 set via tun

BoxB:
    LAN: 192.168.0.2/24

    with route to 172.16/12 set via boxA lan

I need:
    to give access to 172.16/12 for boxB via nat on boxA

in boxA pf.conf:

    nat on tun1 from 192.168.0.2 to 172.16/12 -> 172.16.10.1
    pass in log on tun1
    pass in log (all) on $if_lan inet proto { tcp udp } from 192.168.0.2

when I spawn traffic to 172.16/12 from boxB I can see packets on lan
boxA but nothing is on boxA tun ...

so, can I do that this way or I need something yet? is it nat-before-vpn
case which is not implemented in FreeBSD pf yet (at last it was so)?

-- 
Zeus V. Panchenko                       jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC                     GMT+2 (EET)

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 21 09:18:56 2014
From: "Felix J. Ogris"
To: Zeus Panchenko
Cc: freebsd-pf@freebsd.org
Subject: Re: nat lan to tun (nat before vpn)
Date: Mon, 21 Jul 2014 11:18:45 +0200

On 21 Jul 2014, at 10:42, Zeus Panchenko wrote:

> hi,
>
> just was stumbled on the subject ... please, may somebody advise what am
> I missing?

Is net.inet.ip.forwarding set to 1?

> I have:
>
> FreeBSD 10.0-STABLE #0 r261303
>
> BoxA:
>     LAN: 192.168.0.1/24
>     TUN (OpenVPN): 172.16.10.1
>
>     with route to 172.16/12 set via tun
>
> BoxB:
>     LAN: 192.168.0.2/24
>
>     with route to 172.16/12 set via boxA lan
>
> I need:
>     to give access to 172.16/12 for boxB via nat on boxA
>
> in boxA pf.conf:
>
>     nat on tun1 from 192.168.0.2 to 172.16/12 -> 172.16.10.1
>     pass in log on tun1

Should be "pass out" or just "pass"
Is the OpenVPN tunnel up? Do you have a rule on the underlying interface to
pass out udp to port 1194?

>     pass in log (all) on $if_lan inet proto { tcp udp } from 192.168.0.2
>
> when I spawn traffic to 172.16/12 from boxB I can see packets on lan
> boxA but nothing is on boxA tun ...
>
> so, can I do that this way or I need something yet? is it nat-before-vpn
> case which is not implemented in FreeBSD pf yet (at last it was so)?
>
> --
> Zeus V. Panchenko                       jid:zeus@im.ibs.dn.ua
> IT Dpt., I.B.S. LLC                     GMT+2 (EET)

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 24 04:22:32 2014
From: Matthew Raspberry
To: freebsd-pf@freebsd.org
Subject: pflow?
Date: Wed, 23 Jul 2014 23:22:25 -0500

Does FreeBSD have the pflow interface available? I don't see a man page for
it in 10.0-RELEASE. If not is there another way to collect netflow data
from pf on FreeBSD?

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 24 10:02:30 2014
From: Vincent Hoffman
To: Matthew Raspberry, freebsd-pf@freebsd.org
Subject: Re: pflow?
Date: Thu, 24 Jul 2014 11:02:26 +0100

On 24/07/2014 05:22, Matthew Raspberry wrote:
> Does FreeBSD have the pflow interface available? I don't see a man page for
> it in 10.0-RELEASE. If not is there another way to collect netflow data
> from pf on FreeBSD?

I think you want net/pfflowd in ports
Info: Convert pfsync states to NetFlow datagrams

Vince

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 24 19:00:09 2014
From: Matthew Raspberry
To: Vincent Hoffman
Cc: freebsd-pf@freebsd.org
Subject: Re: pflow?
Date: Thu, 24 Jul 2014 14:00:02 -0500

On Thu, Jul 24, 2014 at 5:02 AM, Vincent Hoffman wrote:

> On 24/07/2014 05:22, Matthew Raspberry wrote:
> > Does FreeBSD have the pflow interface available? I don't see a man page for
> > it in 10.0-RELEASE. If not is there another way to collect netflow data
> > from pf on FreeBSD?
> I think you want net/pfflowd in ports
> Info: Convert pfsync states to NetFlow datagrams
>
> Vince

Thanks for the info. Appreciate the help
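
Added example, not part of any message in this archive: a pf.conf fragment for boxA in the "nat lan to tun (nat before vpn)" thread, with the points raised in the reply applied (forwarding enabled, a "pass out" rule on the tunnel, the OpenVPN transport allowed out). The interface names in if_lan and if_wan and the default-deny "block" rule are assumptions; the thread does not show them.

```conf
# Constructed pf.conf fragment for boxA (FreeBSD 10 pf syntax).
# Prerequisite outside pf: the kernel must forward packets, i.e.
#   sysctl net.inet.ip.forwarding=1   (gateway_enable="YES" in /etc/rc.conf)

# --- macros -----------------------------------------------------------
if_lan   = "em0"            # assumption: NIC holding 192.168.0.1/24
if_wan   = "em1"            # assumption: interface carrying OpenVPN's UDP
if_vpn   = "tun1"           # from the thread
lan_host = "192.168.0.2"    # boxB
vpn_net  = "172.16.0.0/12"  # written 172.16/12 in the thread
vpn_addr = "172.16.10.1"    # boxA's address on the tunnel

# --- translation ------------------------------------------------------
# Rewrites boxB's source address as the packet leaves through the tunnel.
nat on $if_vpn inet from $lan_host to $vpn_net -> $vpn_addr

# --- filtering --------------------------------------------------------
# Assumption: default deny, so every hop of the path needs its own rule.
block log all

# Hop 1: the packet from boxB arrives on the LAN interface.
pass in log on $if_lan inet proto { tcp udp } \
    from $lan_host to $vpn_net keep state

# Hop 2: the forwarded packet leaves on the tunnel. This is the direction
# the original "pass in log on tun1" did not cover. Translation has
# already been applied here, so the source the rule sees is $vpn_addr.
pass out log on $if_vpn inet from $vpn_addr to $vpn_net keep state

# Hop 3: the encapsulated OpenVPN traffic itself must be allowed out on
# the underlying interface (UDP port 1194, as asked in the reply).
pass out on $if_wan inet proto udp to any port 1194 keep state
```

The fragment can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`. After loading, `pfctl -s nat` and `pfctl -s state` show whether the translation rule is active and whether states are being created for boxB's traffic.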