From owner-freebsd-pf@FreeBSD.ORG Sun Oct 26 10:35:03 2008
Date: Sun, 26 Oct 2008 03:18:12 -0700 (PDT)
From: 7charlie
To: freebsd-pf@freebsd.org
Message-ID: <20171926.post@talk.nabble.com>
In-Reply-To: <15260126.post@talk.nabble.com>
Subject: Re: altq: dynamic queues

cnupm wrote:
>
> My English is no good, so I tried to describe what I want with this example:
>
> ### /etc/pf.conf
> altq on bge0 bandwidth 10Mb hfsc queue { u1_in, u1_out, u2_in, u2_out...}
> anchor users_queues
>
> block all
> anchor users_rules
>
> ### When user connected - take parameter $x from DB (for example) and
> execute:
> echo "queue u1_in bandwidth 1Kb hfsc (upperlimit $xKb)" | pfctl -a
> user_queues:u1_in -f -
> echo "queue u1_out bandwidth 1Kb hfsc (upperlimit $xKb)" | pfctl -a
> user_queues:u1_out -f -
> *** ... users_rules... ***
>
> I know: it doesn't work - it's the simplest way (with my English) to explain
> what I want.
> How to dynamically create/delete queues?
>

I worked around this by telling PF to only reload the queue section of the
file. I generate the queues from a MySQL database, writing into /etc/pf.conf.
I put the "pass" rules that assign the queue into an anchor called
classify_rules, then execute:

pfctl -A -f /etc/pf.conf
pfctl -a classify_rules -f /etc/pf-classify.conf

This doesn't reload any of the main rules, and doesn't reset counters except
in the anchor and for the queues.

Quoted from: http://www.nabble.com/altq%3A-dynamic-queues-tp15260126p15260126.html
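The following is an added example of the scheme described in the reply above (generate the queue section and the anchor rules from a user table, then reload only those two parts); it is not code from the thread or from 7charlie's setup. Everything beyond the reply is an assumption: the constructed USERS list stands in for the database query, the LAN interface is bge0 on a 10Mb link as in cnupm's sketch, queue names follow a uN_in scheme, the file paths and the "# BEGIN/END generated queues" markers in pf.conf are invented for the example, and only downloads (traffic leaving bge0) are shaped, since ALTQ acts on outbound traffic; uploads would need the mirror image on the uplink interface. The validate() step is the check a practitioner wants here: every DB-derived field is re-parsed before it is written into a root-owned ruleset that pfctl will execute.

```python
"""Generate per-user ALTQ queues and classify-anchor rules for pf(4).

Added example, not code from the thread.  Assumptions not in the original
posts: user records come from a database and are modelled by the constructed
list USERS; the LAN interface is bge0 on a 10Mb link; each user gets one queue
for traffic leaving bge0 (downloads toward the user).
"""
import ipaddress
import re
from typing import Dict, List

LAN_IF = "bge0"
LINK_BW = "10Mb"
MAX_CAP_KB = 10_000        # a child queue may not exceed its parent; pfctl refuses it
PF_CONF = "/etc/pf.conf"                  # main ruleset; its queue section is regenerated
CLASSIFY_CONF = "/etc/pf-classify.conf"   # rules loaded into the classify_rules anchor
ANCHOR = "classify_rules"
QUEUE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

# Constructed stand-in for the DB query result: user id, address, cap in Kb/s.
USERS: List[Dict] = [
    {"id": 1, "ip": "192.168.1.10", "cap_kb": 512},
    {"id": 2, "ip": "192.168.1.11", "cap_kb": 2048},
]


def validate(user: Dict) -> Dict:
    """Whitelist every DB-derived field before it lands in a root-owned pf config.

    pfctl parses whatever we write, so an address field carrying a newline or
    a stray '}' would become ruleset syntax; only values that survive strict
    parsers are accepted.
    """
    uid = int(user["id"])
    if uid <= 0:
        raise ValueError(f"bad user id {user['id']!r}")
    ip = ipaddress.ip_address(user["ip"])        # rejects anything that is not an address
    cap = int(user["cap_kb"])
    if not 1 <= cap <= MAX_CAP_KB:
        raise ValueError(f"cap {cap}Kb outside 1..{MAX_CAP_KB}Kb for user {uid}")
    name = f"u{uid}_in"                          # assumed naming scheme
    if not QUEUE_NAME.match(name):
        raise ValueError(f"queue name {name!r} not acceptable to pf")
    af = "inet" if ip.version == 4 else "inet6"
    return {"id": uid, "ip": str(ip), "af": af, "cap_kb": cap, "queue": name}


def render_queues(users: List[Dict]) -> str:
    """Queue section of pf.conf: the part that `pfctl -A -f` reloads on its own."""
    clean = [validate(u) for u in users]
    names = ["std"] + [u["queue"] for u in clean]
    lines = [
        f"altq on {LAN_IF} bandwidth {LINK_BW} hfsc queue {{ {', '.join(names)} }}",
        "queue std bandwidth 1Mb hfsc(default)",   # unclassified traffic needs a default queue
    ]
    for u in clean:
        # 1Kb guaranteed share, hard ceiling at the user's purchased rate
        lines.append(f"queue {u['queue']} bandwidth 1Kb hfsc(upperlimit {u['cap_kb']}Kb)")
    return "\n".join(lines) + "\n"


def render_classify(users: List[Dict]) -> str:
    """Rules for the classify_rules anchor: match the user's address, assign the queue."""
    return "".join(
        f"pass out quick on {LAN_IF} {u['af']} from any to {u['ip']} queue {u['queue']}\n"
        for u in (validate(x) for x in users)
    )


def splice_queues(pf_conf_text: str, queue_section: str) -> str:
    """Replace the marked queue block in an existing pf.conf; every other rule stays as is."""
    begin, end = "# BEGIN generated queues\n", "# END generated queues\n"
    head, sep, tail = pf_conf_text.partition(begin)
    if not sep or end not in tail:
        raise ValueError("pf.conf lacks the generated-queues markers")
    rest = tail.partition(end)[2]
    return head + begin + queue_section + end + rest


def reload_commands(pf_conf: str = PF_CONF, classify: str = CLASSIFY_CONF) -> List[List[str]]:
    """pfctl invocations in the order that works: check, queues, then anchor.

    A rule may only name a queue that already exists, so queues load first; when
    removing a user, flush the anchor (pfctl -a classify_rules -F rules) before
    dropping the queue.
    """
    return [
        ["pfctl", "-n", "-f", pf_conf],            # parse only; catches a bad generated line
        ["pfctl", "-A", "-f", pf_conf],            # queues only; main rules and states stay
        ["pfctl", "-a", ANCHOR, "-f", classify],   # anchor only; resets its own counters
    ]


if __name__ == "__main__":
    print(render_queues(USERS))
    print(render_classify(USERS))
    for cmd in reload_commands():
        print(" ".join(cmd))   # run these as root on the firewall
```

Run it on the firewall with the real user table in place of USERS; splice_queues() keeps the hand-written parts of pf.conf intact so that `pfctl -A` only ever sees regenerated queue lines between the markers.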
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 11:07:18 2008
Date: Mon, 27 Oct 2008 11:07:18 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Message-Id: <200810271107.m9RB7IRk002050@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

24 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 28 15:36:09 2008
Date: Tue, 28 Oct 2008 16:10:34 +0100
From: Niek Dekker
Organization: Bureau Digitekst
To: freebsd-pf@freebsd.org
Message-ID: <49072B6A.7010305@gmail.com>
Subject: Pf: packets on lo0 blocked in spite of pass rule

Hi,

I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf.
After the upgrade connection problems arose on lo0, for java > mysql
and apache > tomcat.
The network interfaces are all in default setup.

Here is the output of pfctl -sr, cleaned from network numbers.

scrub in all fragment reassemble
block drop in log all
block drop in log quick on fxp0 from to any
block drop out log quick on fxp0 from any to
block drop in log quick on fxp0 from to any
pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA keep state
pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA keep state
pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA keep state
pass out on fxp0 proto tcp all flags S/SA keep state
pass out on fxp0 proto udp all keep state
pass on lo0 proto tcp all flags S/SA keep state
pass on lo0 proto udp all keep state
block drop in on ! fxp0 inet from ext_network/25 to any
block drop in inet from ext_if to any

Since the upgrade to 7.0, some packets on lo0 are being blocked
nevertheless. Apache httpd is connecting to Tomcat ajp on port 8009.
Some, but not all of these packets are blocked. For example (pflog):

627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960

In some of these lines, there is mention of "[bad hdr length 0 - too
short, < 20]" BUT NOT IN ALL.

The state table isn't full by far (78).
There is some 123 'state mismatch' in the output of pfctl -s all.

I have "set skip on lo0" to prevent the problem, but it seems to me
there is an issue to address here. I am likely to submit a PR, unless
someone comes up with a solution.

Niek

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 28 16:19:20 2008
Date: Tue, 28 Oct 2008 09:19:15 -0700
From: Jeremy Chadwick
To: Niek Dekker
Cc: freebsd-pf@freebsd.org
Message-ID: <20081028161915.GA53560@icarus.home.lan>
In-Reply-To: <49072B6A.7010305@gmail.com>
Subject: Re: Pf: packets on lo0 blocked in spite of pass rule
On Tue, Oct 28, 2008 at 04:10:34PM +0100, Niek Dekker wrote:
> Hi,
>
> I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf.
> After the upgrade connection problems arose on lo0, for java > mysql
> and apache > tomcat.
> The network interfaces are all in default setup.
>
> Here is the output of pfctl -sr, cleaned from network numbers.
>
> scrub in all fragment reassemble
> block drop in log all
> block drop in log quick on fxp0 from to any
> block drop out log quick on fxp0 from any to
> block drop in log quick on fxp0 from to any
> pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA
> keep state
> pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA
> keep state
> pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA
> keep state
> pass out on fxp0 proto tcp all flags S/SA keep state
> pass out on fxp0 proto udp all keep state
> pass on lo0 proto tcp all flags S/SA keep state
> pass on lo0 proto udp all keep state
> block drop in on ! fxp0 inet from ext_network/25 to any
> block drop in inet from ext_if to any
>
> Since the upgrade to 7.0, some packets on lo0 are being blocked
> nevertheless. Apache httpd is connecting to Tomcat ajp on port 8009.
> Some, but not all of these packets are blocked. For example (pflog):
>
> 627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 >
> 127.0.0.1.8009: P 0:719(719) ack 1 win 8960

I'm betting money this is a rule order problem. I *highly* recommend
you stop with the "lo0" rules and use "set skip lo0" like you mention
later on. This is a good idea for performance reasons as well; don't
waste cycles having pf(4) parse packets for lo0, as nothing can talk
to that interface except local stuff anyway.

Also, because you're using FreeBSD 7.x, you do not need "keep state"
or "flags S/SA" on any of your rules. Only 6.x and below need this, or
explicit situations where you're using a mix of "no state" and other
things.

> In some of these lines, there is mention of "[bad hdr length 0 - too
> short, < 20]" BUT NOT IN ALL.

That's because you're using tcpdump against a pflog interface. You
need to increase the snaplen from 68 bytes to something larger; try
-s 256 and that message will go away. It's harmless.

> The state table isn't full by far (78).
> There is some 123 'state mismatch' in the output of pfctl -s all.

Probably normal. Consider upgrading to 7.1-PRERELEASE, which contains
a fix for re-use of sockets in some situations (I can point you to a PR
if you want to read it). "state mismatch" is also normal depending upon
the circumstances; I wouldn't worry too much about it.

For example, our production webserver running RELENG_6 with the
aforementioned fix:

Status: Enabled for 25 days 04:49:53          Debug: Urgent

Counters
  state-mismatch                  53454            0.0/s

This number was significantly higher prior to the fix being committed.

> I have "set skip on lo0" to prevent the problem, but it seems to me
> there is an issue to address here. I am likely to submit a PR, unless
> someone comes up with a solution.

You *should* be using "set skip on lo0". You're gaining nothing (in
your setup) by applying firewall rules to loopback.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
From owner-freebsd-pf@FreeBSD.ORG Tue Oct 28 16:39:01 2008
Date: Tue, 28 Oct 2008 17:38:57 +0100
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Niek Dekker
Message-Id: <200810281738.57767.max@love2party.net>
In-Reply-To: <20081028161915.GA53560@icarus.home.lan>
References: <49072B6A.7010305@gmail.com> <20081028161915.GA53560@icarus.home.lan>
Subject: Re: Pf: packets on lo0 blocked in spite of pass rule

On Tuesday 28 October 2008 17:19:15 Jeremy Chadwick wrote:
> On Tue, Oct 28, 2008 at 04:10:34PM +0100, Niek Dekker wrote:
> > Hi,
> >
> > I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf.
> > After the upgrade connection problems arose on lo0, for java > mysql
> > and apache > tomcat.
> > The network interfaces are all in default setup.
> >
> > Here is the output of pfctl -sr, cleaned from network numbers.
> >
> > scrub in all fragment reassemble
> > block drop in log all
> > block drop in log quick on fxp0 from to any
> > block drop out log quick on fxp0 from any to
> > block drop in log quick on fxp0 from to any
> > pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA
> > keep state
> > pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA
> > keep state
> > pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA
> > keep state
> > pass out on fxp0 proto tcp all flags S/SA keep state
> > pass out on fxp0 proto udp all keep state
> > pass on lo0 proto tcp all flags S/SA keep state
> > pass on lo0 proto udp all keep state
> > block drop in on ! fxp0 inet from ext_network/25 to any
> > block drop in inet from ext_if to any
> >
> > Since the upgrade to 7.0, some packets on lo0 are being blocked
> > nevertheless. Apache httpd is connecting to Tomcat ajp on port 8009.
> > Some, but not all of these packets are blocked. For example (pflog):
> >
> > 627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 >
> > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960
>
> I'm betting money this is a rule order problem. I *highly* recommend
> you stop with the "lo0" rules and use "set skip lo0" like you mention
> later on. This is a good idea for performance reasons as well; don't
> waste cycles having pf(4) parse packets for lo0, as nothing can talk
> to that interface except local stuff anyway.

Indeed. In fact, "set skip on" was especially made for this case. The
problem is that lo0 is special. The packet direction and the fact that
on lo0 127.0.0.1 talks to itself greatly confuse the state checking.
Hence the option to skip an interface completely.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
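The lo0 thread above turns on reading pflog output correctly: the "rule 0/0(match)" in Niek's line is the first filter rule in pfctl -vsr numbering (scrub rules are a separate ruleset), here the catch-all "block drop in log all", which is what makes the pass-on-lo0 rules look as if they had been skipped; and the "[bad hdr length 0 - too short, < 20]" text is tcpdump giving up on a header cut short by its default 68-byte snaplen, as Jeremy says, not a malformed packet. The following is an added example, not code from the thread or from anyone in it, of a small triage script for `tcpdump -n -e -ttt -i pflog0` output: it parses each line, tallies hits per interface/direction/action/rule, separates snaplen-truncated lines from real decodes, and lists blocks seen on lo0. Only the first line of SAMPLE is from the thread; the others are constructed, and the parser is written to handle IPv6 lines as well as the IPv4 case shown on the page.

```python
"""Triage tcpdump output read from pflog0.

Added example, not code from the thread.  Parses lines in the format that
`tcpdump -n -e -ttt -i pflog0` prints, tallies what each rule did on which
interface, and counts lines tcpdump could not decode because the default
68-byte snaplen cut the TCP header short ("bad hdr length ...").
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

PFLOG_RE = re.compile(
    r"^(?P<delta>\d+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>[^:\s]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):(?:\s+(?P<rest>.*))?$"
)
TRUNCATED_MARK = "bad hdr length"   # tcpdump's complaint when snaplen is too small

# Constructed sample: line 1 is the one quoted in the thread, the rest are made up.
SAMPLE = """\
627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960
000012 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: [bad hdr length 0 - too short, < 20]
000004 rule 5/0(match): pass in on fxp0: 203.0.113.5.40022 > 198.51.100.2.22: S 1:1(0) win 65535
000009 rule 0/0(match): block in on fxp0: 203.0.113.9.1234 > 198.51.100.2.445: S 0:0(0) win 512
000003 rule 0/0(match): block in on fxp0: 2001:db8::5.40000 > 2001:db8::1.22: S 0:0(0) win 65535
"""


def split_hostport(addr: str) -> Tuple[str, Optional[int]]:
    """tcpdump -n prints host.port for IPv4 and IPv6 alike; the port follows the last dot.

    An address without a port (ICMP, say) is returned whole: chopping at the
    last dot would leave something that is not a valid address.
    """
    host, _, port = addr.rpartition(".")
    if host and port.isdigit():
        try:
            ipaddress.ip_address(host)
            return host, int(port)
        except ValueError:
            pass
    return addr, None


def parse_line(line: str) -> Optional[Dict]:
    """One pflog line -> record, or None if the line is not in pflog format."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_hostport(m["src"])
    dst_host, dst_port = split_hostport(m["dst"])
    rest = m["rest"] or ""
    return {
        "rule": int(m["rule"]), "reason": m["reason"],
        "action": m["action"], "dir": m["dir"], "iface": m["iface"],
        "src": src_host, "sport": src_port, "dst": dst_host, "dport": dst_port,
        "truncated": TRUNCATED_MARK in rest,   # capture artifact, not a bad packet
        "payload": rest,
    }


def summarize(lines: List[str]) -> Dict:
    """Tally (iface, dir, action, rule) hits; single out lo0 blocks and truncated decodes."""
    by_rule: Counter = Counter()
    truncated = 0
    lo0_blocks: List[Tuple] = []
    unparsed: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        by_rule[(rec["iface"], rec["dir"], rec["action"], rec["rule"])] += 1
        if rec["truncated"]:
            truncated += 1
        if rec["iface"] == "lo0" and rec["action"] == "block":
            # loopback traffic hitting a block rule: the symptom from the thread
            lo0_blocks.append((rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["rule"]))
    return {"by_rule": dict(by_rule), "truncated": truncated,
            "lo0_blocks": lo0_blocks, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    for key, n in sorted(report["by_rule"].items()):
        print("%-5s %-3s %-5s rule %-3d %d" % (key[0], key[1], key[2], key[3], n))
    print("truncated by snaplen:", report["truncated"], "(re-run tcpdump with -s 256)")
    print("blocks on lo0:", report["lo0_blocks"])
```

Feed it real output with `tcpdump -n -e -ttt -i pflog0 | python3 triage.py` after rewriting the main block to read stdin; a non-zero truncated count means the capture itself, not pf, needs fixing first, and any entry under lo0_blocks with the catch-all rule number is the case the thread resolves with "set skip on lo0".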