From owner-freebsd-pf@freebsd.org Sun Sep 25 07:25:18 2016
From: "FedEx SmartPost"
To: freebsd-pf@freebsd.org
Subject: Unable to deliver your item, #00000757789
Date: Sun, 25 Sep 2016 10:15:34 +0300
Message-ID: <6ee27a098195c5823af36f013be2e498@msbook.com.ua>
X-Delta-Spam-Symbols: Symbols: ONCE_RECEIVED(1.00), BAYES_SPAM(4.42)(0.88);
X-Delta-Spam-Score: 5,42
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Dear Customer,

We could not deliver your item.
Please, open email attachment to print shipment label.

Thank you for choosing FedEx,
Jessie Rogers,
Operation Manager.

From owner-freebsd-pf@freebsd.org Sun Sep 25 21:00:45 2016
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 25 Sep 2016 21:00:45 +0000
Message-Id: <201609252100.u8PL01rR001807@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Wed Sep 28 11:53:59 2016
From: Franco Fichtner
To: freebsd-pf@freebsd.org
Subject: pf fastroute tag removal reviewers needed
Date: Wed, 28 Sep 2016 13:53:47 +0200
Message-Id: <022E4530-A6DF-452B-8978-43A9B10DA726@opnsense.org>

Hi all,

The review can be found here:

https://reviews.freebsd.org/D8058

The larger motivation is to start work to align pf with pfil
packet flow in order to make pf and ipfw more useful in
combination with each other as e.g. pf offers powerful
policy-routing and ipfw offers a multitude of dummynet algorithms.

The main culprit of pfil not working correctly is pf's
route-to and reply-to (and the tag formerly known as fastroute)
as they would call if_output directly on the ifnet and consume
their packets this way. That transmit code is also copied from
if_output() and should likely not be called from within pf,
especially when there is a pfil hook chain to go through.

The next targets after this review will be M_IP_NEXTHOP and
M_IP6_NEXTHOP, which ipfw uses to redirect packets by adhering
to the pfil hook chain.

Cheers,
Franco

From owner-freebsd-pf@freebsd.org Wed Sep 28 13:36:36 2016
From: "Kristof Provost"
To: "Franco Fichtner"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf fastroute tag removal reviewers needed
Date: Wed, 28 Sep 2016 15:36:34 +0200
In-Reply-To: <022E4530-A6DF-452B-8978-43A9B10DA726@opnsense.org>
References: <022E4530-A6DF-452B-8978-43A9B10DA726@opnsense.org>

On 28 Sep 2016, at 13:53, Franco Fichtner wrote:
> The main culprit of pfil not working correctly is pf's
> route-to and reply-to (and the tag formerly known as fastroute)
> as they would call if_output directly on the ifnet and consume
> their packets this way. That transmit code is also copied from
> if_output() and should likely not be called from within pf,
> especially when there is a pfil hook chain to go through.

Agreed, but there’s another culprit: the v6 fragment handling code. It needs to
call ip6_output()/ip6_forward() because it generates multiple output packets.

Dealing with that has been on my todo list for a while now, but I’ve not even
found the time to make a start at it.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Sat Oct 1 09:43:19 2016
From: Franco Fichtner
Cc: freebsd-pf@freebsd.org
Subject: Re: pf fastroute tag removal reviewers needed
Date: Sat, 1 Oct 2016 11:43:08 +0200
References:
 <022E4530-A6DF-452B-8978-43A9B10DA726@opnsense.org>
To: Kristof Provost

Hi Kristof,

> On 28 Sep 2016, at 3:36 PM, Kristof Provost wrote:
>
> On 28 Sep 2016, at 13:53, Franco Fichtner wrote:
>> The main culprit of pfil not working correctly is pf's
>> route-to and reply-to (and the tag formerly known as fastroute)
>> as they would call if_output directly on the ifnet and consume
>> their packets this way. That transmit code is also copied from
>> if_output() and should likely not be called from within pf,
>> especially when there is a pfil hook chain to go through.
>
> Agreed, but there’s another culprit: the v6 fragment handling code. It needs to
> call ip6_output()/ip6_forward() because it generates multiple output packets.
>
> Dealing with that has been on my todo list for a while now, but I’ve not even
> found the time to make a start at it.

Right, that also has some issues, but at least the pfil out hook
is invoked with this.

I see that ipfw also has some of those netinet code spots, which
undermine the integrity of pfil. Would it make sense to take
it to another mailing list to raise awareness of the issue to at
least not get any new code added that does this?

Thanks,
Franco
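
Added example, not part of the thread and not FreeBSD code: a simplified user-space C model of the hook-chain problem discussed above, where a routing hook that transmits and consumes the packet keeps a later hook from ever seeing it, next to a variant that only records the next hop and passes the packet on. All names (run_chain, route_direct, route_tag, shaper) and the next-hop address are assumptions made for illustration.

```c
/* User-space model of a pfil-style output hook chain. Every name here is
 * hypothetical; this is an illustration, not FreeBSD kernel code. */
#include <stdio.h>
#include <string.h>

#define NEXTHOP "198.51.100.1"  /* constructed documentation address */
enum verdict { PASS, CONSUMED };
struct pkt {
    const char *nexthop;  /* set by the policy-routing hook */
    int seen_by_shaper;   /* 1 if the later hook inspected the packet */
    int transmitted;      /* times the packet was handed to the interface */
};
typedef enum verdict (*hook_fn)(struct pkt *);

static void transmit(struct pkt *p) { p->transmitted++; }

/* Behaviour criticised in the thread: the routing hook transmits the
 * packet itself and consumes it, so the chain ends here. */
static enum verdict route_direct(struct pkt *p) {
    p->nexthop = NEXTHOP;
    transmit(p);
    return CONSUMED;
}

/* Chain-friendly variant: record the next hop and hand the packet back. */
static enum verdict route_tag(struct pkt *p) { p->nexthop = NEXTHOP; return PASS; }

/* Stand-in for a hook registered later, such as a traffic shaper. */
static enum verdict shaper(struct pkt *p) { p->seen_by_shaper = 1; return PASS; }

/* Run the hooks in order; the stack transmits only if none consumed. */
static struct pkt run_chain(hook_fn first, hook_fn second) {
    hook_fn hooks[] = { first, second };
    struct pkt p;
    memset(&p, 0, sizeof(p));
    for (int i = 0; i < 2; i++)
        if (hooks[i](&p) == CONSUMED)
            return p;
    transmit(&p);
    return p;
}

int main(void) {
    struct pkt a = run_chain(route_direct, shaper);
    struct pkt b = run_chain(route_tag, shaper);
    printf("direct: shaper_saw=%d sent=%d\n", a.seen_by_shaper, a.transmitted);
    printf("tagged: shaper_saw=%d sent=%d\n", b.seen_by_shaper, b.transmitted);
    return 0;
}
```

In both runs the packet is sent exactly once, but only the tagging variant lets the second hook apply its policy before transmission.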