From: FreeBSD bugmaster
Date: Mon, 1 Mar 2010 11:07:06 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/144311  pf    [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

43 problems total.
From: Olivier Thibault
Date: Tue, 02 Mar 2010 17:33:50 +0100
To: freebsd-pf@freebsd.org
Subject: FIN packets blocked

Hello,

I have a web server with apache+modproxy running FreeBSD 7.2-RELEASE-p7.
I filter incoming and outgoing traffic with pf.
I have some packets (about 20 per day) which are blocked and I don't understand why.
My config is: Internet -> ServerA(modproxy) -> ServerB(apache).

Here is the log for one blocked packet:

2010-03-02 15:40:29.573890 rule 7/0(match): block out on le0: serverA.62228 > serverB.80: F 3525425568:3525425568(0) ack 459935989 win 8326

All logs are similar.

Rule 7 is:

block return out log all

I have a rule allowing the traffic towards serverB:

pass out quick on le0 inet proto tcp from serverA to serverB port = http

As the packet has the FIN flag, I changed this rule to:

pass out quick on le0 inet proto tcp from serverA to serverB port = http flags S/SA keep state (if-bound, tcp.finwait 90)

but it doesn't change anything.

I used tcpdump to dump all traffic between the 2 servers, and the conversation outgoing from port 62228 (shown in the log of the blocked packet) ended at 15h22, and the packet is blocked at 15h40.

I guess there is something I misunderstood, but I don't know what.
Could you help me understand?

Best regards,

-- 
Olivier THIBAULT
Université François Rabelais - UFR Sciences et Techniques
Laboratoire de Mathématiques et Physique Théorique (UMR CNRS 6083)
Service Informatique de l'UFR
Parc de Grandmont
37200 Tours - France
Email: olivier.thibault at lmpt.univ-tours.fr
Tel: (33)(0)2 47 36 69 12
Fax: (33)(0)2 47 36 70 68
Mobile: (33)(0)6 62 60 80 44
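Reading the blocked line in Olivier's message from the defender's side: the `F` flag letter together with the `ack` keyword means the packet is a FIN/ACK, the tail of a conversation that, per his tcpdump capture, had ended 18 minutes earlier. pf looks a packet up in its state table before it evaluates the ruleset; once the closed connection's state entry has expired, a late FIN/ACK or RST matches no state, and a rule carrying `flags S/SA` only matches (and only creates state from) packets with SYN set and ACK clear, so the straggler falls through to the catch-all `block return out log all` and gets logged. The script below is an added example, not code from the message or from pf itself: it parses pflog text in both the legacy tcpdump flag style shown above and the newer `Flags [F.]` style, and sorts blocked packets into new-connection attempts versus closing-tail and ack-only stragglers, so genuine policy hits can be separated from state-expiry noise. The sample lines, the `Record` fields and the class names are this example's own constructions.

```python
"""Triage pflog text (as printed by tcpdump from pflog0 / /var/log/pflog)
by TCP flag class, so that real policy hits (SYNs) can be told apart from
stragglers of connections whose pf state has already expired.

Added example, not code from the mailing-list message or from pf itself.
The sample lines, the Record fields and the class names are constructed
for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first line has the shape of the one quoted in the
# message (legacy tcpdump flag letters, ACK signalled by the "ack" keyword);
# the last line uses the newer "Flags [F.]" style for comparison.
SAMPLE_LOG = """\
2010-03-02 15:40:29.573890 rule 7/0(match): block out on le0: serverA.62228 > serverB.80: F 3525425568:3525425568(0) ack 459935989 win 8326
2010-03-02 15:41:02.001234 rule 7/0(match): block out on le0: serverA.62301 > serverB.80: S 1000:1000(0) win 65535
2010-03-02 15:41:09.500000 rule 7/0(match): block out on le0: serverA.62228 > serverB.80: R 3525425569:3525425569(0) win 0
2010-03-02 15:42:00.000000 rule 7/0(match): block in on le0: 192.0.2.10.4444 > serverA.22: S 5:5(0) win 512
2010-03-02 15:42:30.000000 rule 7/0(match): block out on le0: serverA.62228 > serverB.80: . ack 459935990 win 8326
2010-03-02 15:43:00.000000 rule 7/0(match): block out on le0: serverA.62400 > serverB.80: Flags [F.], seq 10, ack 20, win 100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?:Flags \[(?P<nflags>[^\]]+)\]|(?P<oflags>[SFRPUEWC.]+))(?P<rest>.*)$"
)


@dataclass
class Record:
    ts: str
    rule: str
    action: str
    direction: str
    ifname: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: str   # SYN/FIN/RST/PSH letters only; ACK is kept separately
    ack: bool


def parse_line(line: str) -> Optional[Record]:
    """Parse one pflog line; None for lines of another shape (ICMP, UDP, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["nflags"] is not None:
        # Newer tcpdump: "Flags [F.]", where "." stands for ACK.
        flags = m["nflags"].replace(".", "")
        ack = "." in m["nflags"]
    else:
        # Legacy tcpdump: bare letters, "." alone means none of S/F/R/P;
        # ACK is shown by an "ack <number>" token after the sequence numbers.
        flags = m["oflags"].replace(".", "")
        ack = re.search(r"\back\b", m["rest"]) is not None
    return Record(m["ts"], m["rule"], m["action"], m["dir"], m["ifname"],
                  m["src"], m["sport"], m["dst"], m["dport"], flags, ack)


def parse_log(text: str) -> List[Record]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def classify(rec: Record) -> str:
    """Coarse triage class by flags (the names are this example's own)."""
    if "S" in rec.flags and not rec.ack:
        return "new-connection"   # a SYN: the rule really refused a connection
    if "S" in rec.flags:
        return "syn-ack"          # reply half of a handshake pf has no state for
    if "F" in rec.flags or "R" in rec.flags:
        return "closing-tail"     # FIN/RST arriving after the state entry expired
    if rec.ack:
        return "ack-only"         # data/ack segment of a state pf no longer has
    return "other"


def summarize(records: List[Record]) -> Counter:
    """Count (rule, action, direction, class, dport) tuples for quick review."""
    return Counter((r.rule, r.action, r.direction, classify(r), r.dport)
                   for r in records)


if __name__ == "__main__":
    for key, n in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(f"{n:4d}  rule {key[0]} {key[1]} {key[2]} dport {key[4]}: {key[3]}")
```

Feed it the text that `tcpdump -n -e -tttt -r /var/log/pflog` prints (`-e` adds the `rule N/M(match): block out on le0:` prefix, `-tttt` the date-and-time stamp seen in the message). A high count of `closing-tail` and `ack-only` hits on a port the ruleset otherwise permits is state-expiry noise rather than a policy problem; `new-connection` hits are the ones worth reviewing.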
From: jim@sifferle.net
Date: Fri, 5 Mar 2010 14:16:00 -0500 (EST)
To: Julian Elischer, Ermal Luçi
Cc: Bjoern A. Zeeb, FreeBSD virtualization mailing list, pf@freebsd.org
Subject: Re: Network simulation using jails & vimage

On February 23, 2010 at 10:11 AM "Ermal Luçi" wrote:
> On Sun, Feb 21, 2010 at 6:14 PM, Julian Elischer wrote:
> >
> > Bjoern A. Zeeb wrote:
> >
> >> On Sun, 21 Feb 2010, Julian Elischer wrote:
> >>
> >> Hi,
> >>
> >> Jim Sifferle wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> Does any FreeBSD branch / vimage release combination support separate pf
> >>>> AND ipfw configurations per jail? I need ipfw+pf/altq for HFSC queuing
> >>>
> >>> -current (9) should be close, with patches for pf supplied by ceri.
> >>
> >> s,ceri,eri, (Ermal Luçi)
> >
> > it'd be nice if it could get committed
> >
> > Ermal, is it ready?
>
> It is usable, look at http://svn.freebsd.org/base/user/eri/pf45/head/.
> For vnet pfsync/pflow/pflog needs some fixes still.

I just now had some time to put together a CURRENT box for testing. I'm getting a 'Fatal trap 12: page fault while in kernel mode' whenever I boot with pf_enable set to YES in rc.conf. Here's my current setup:

- FreeBSD CURRENT cvs snapshot as of 2/25/10, running AMD64 kernel
- GENERIC kernel compiled with ALTQ and VIMAGE options, invariants and witness options disabled, plus Imunes patch for FreeBSD 8 RC3 available here: http://imunes.net/imunes-8.0-RC3.diff
- pf loaded as module with very simple pass all pf.conf
- ipfw not loaded

The Fatal trap seems to occur when pfctl is run.

I am recompiling my kernel with all debugging options turned on. Hopefully I can get a good kernel dump. I will also try with fresh kernel sources skipping the Imunes patch. Anything else I should try?

Thanks for your help,

Jim
From: Julian Elischer
Date: Fri, 05 Mar 2010 11:34:13 -0800
To: jim@sifferle.net
Cc: Bjoern A. Zeeb, FreeBSD virtualization mailing list, pf@freebsd.org
Subject: Re: Network simulation using jails & vimage

jim@sifferle.net wrote:
>
> On February 23, 2010 at 10:11 AM "Ermal Luçi" wrote:
>
> > On Sun, Feb 21, 2010 at 6:14 PM, Julian Elischer wrote:
> > >
> > > Bjoern A. Zeeb wrote:
> > >
> > >> On Sun, 21 Feb 2010, Julian Elischer wrote:
> > >>
> > >> Hi,
> > >>
> > >> Jim Sifferle wrote:
> > >>>
> > >>>> Hi,
> > >>>>
> > >>>> Does any FreeBSD branch / vimage release combination support separate pf
> > >>>> AND ipfw configurations per jail? I need ipfw+pf/altq for HFSC queuing
> > >>>
> > >>> -current (9) should be close, with patches for pf supplied by ceri.
> > >>
> > >> s,ceri,eri, (Ermal Luçi)
> > >
> > > it'd be nice if it could get committed
> > >
> > > Ermal, is it ready?
> >
> > It is usable, look at http://svn.freebsd.org/base/user/eri/pf45/head/.
> > For vnet pfsync/pflow/pflog needs some fixes still.
>
> I just now had some time to put together a CURRENT box for testing. I'm
> getting a 'Fatal trap 12: page fault while in kernel mode' whenever I
> boot with pf_enable set to YES in rc.conf. Here's my current setup:
>
> - FreeBSD CURRENT cvs snapshot as of 2/25/10, running AMD64 kernel
> - GENERIC kernel compiled with ALTQ and VIMAGE options, invariants and
>   witness options disabled, plus Imunes patch for FreeBSD 8 RC3 available
>   here: http://imunes.net/imunes-8.0-RC3.diff
> - pf loaded as module with very simple pass all pf.conf
> - ipfw not loaded
>
> The Fatal trap seems to occur when pfctl is run.

This is unfortunately one for Ermal, as I wouldn't know a pfctl
command if it came up and kicked me in the shins. :-)

We really should try to get the new pf stuff into -current so that
it gets more testing.

> I am recompiling my kernel with all debugging options turned on.
> Hopefully I can get a good kernel dump. I will also try with fresh
> kernel sources skipping the Imunes patch. Anything else I should try?
>
> Thanks for your help,
>
> Jim
From: jim@sifferle.net
Date: Fri, 5 Mar 2010 15:15:36 -0500 (EST)
To: Julian Elischer
Cc: Bjoern A. Zeeb, FreeBSD virtualization mailing list, pf@freebsd.org
Subject: Re: Network simulation using jails & vimage

On March 5, 2010 at 7:34 PM Julian Elischer wrote:
> jim@sifferle.net wrote:
> >
> > I just now had some time to put together a CURRENT box for testing. I'm
> > getting a 'Fatal trap 12: page fault while in kernel mode' whenever I
> > boot with pf_enable set to YES in rc.conf. Here's my current setup:
> >
>
> This is unfortunately one for Ermal, as I wouldn't know a pfctl
> command if it came up and kicked me in the shins. :-)
>
> We really should try to get the new pf stuff into -current so that
> it gets more testing.
>

Thanks for your quick reply...

I think my first problem is I didn't pull the sources from the folder Ermal mentioned: http://svn.freebsd.org/base/user/eri/pf45/head/.

I misunderstood and thought it had been put in CURRENT. I will download the correct sources and try again.

Regards,

Jim
From: Jim Sifferle
Date: Sat, 06 Mar 2010 00:04:34 -0800
To: Ermal Luçi, Julian Elischer
Cc: Bjoern A. Zeeb, FreeBSD virtualization mailing list, pf@freebsd.org
Subject: Re: Network simulation using jails & vimage

On Fri, 2010-03-05 at 15:15 -0500, jim@sifferle.net wrote:
> On March 5, 2010 at 7:34 PM Julian Elischer wrote:
>
> > jim@sifferle.net wrote:
> > >
> > > I just now had some time to put together a CURRENT box for testing. I'm
> > > getting a 'Fatal trap 12: page fault while in kernel mode' whenever I
> > > boot with pf_enable set to YES in rc.conf. Here's my current setup:
> > >
> >
> > This is unfortunately one for Ermal, as I wouldn't know a pfctl
> > command if it came up and kicked me in the shins. :-)
> >
> > We really should try to get the new pf stuff into -current so that
> > it gets more testing.
> >
> Thanks for your quick reply...
>
> I think my first problem is I didn't pull the sources from the folder Ermal
> mentioned: http://svn.freebsd.org/base/user/eri/pf45/head/.
>
> I misunderstood and thought it had been put in CURRENT. I will download
> the correct sources and try again.
>

Hi Ermal,

Forgive my ignorance, but how would you recommend I build my system to test the new pf code? Here's what I tried earlier today:

1) Start with a CURRENT system with sources from 2/25

2) Download the new sources from svn using the link you provided

na-lab-wan-3# svn info
Path: .
URL: http://svn.freebsd.org/base/user/eri/pf45/head
Repository Root: http://svn.freebsd.org/base
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 204768
Node Kind: directory
Schedule: normal
Last Changed Author: eri
Last Changed Rev: 204245
Last Changed Date: 2010-02-23 01:58:12 -0800 (Tue, 23 Feb 2010)

3) Build and install a new kernel with the updated sources. But I could not compile with ALTQ support enabled. Is ALTQ available yet with the new pf, or is it still a work in progress like pflog and pfsync?

cc -O2 -pipe -fno-strict-aliasing -Werror -D_KERNEL -DKLD_MODULE
/usr/src_new/head/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c: In function 'pf_begin_altq':
/usr/src_new/head/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c:894: error: 'altqs_inactive_open' undeclared (first use in this function)
/usr/src_new/head/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c:894: error: (Each undeclared identifier is reported only once
/usr/src_new/head/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c:894: error: for each function it appears in.)
/usr/src_new/head/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c: In function 'pf_rollback_altq':
/usr/src_new/head/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c:934: error: 'altqs_inactive_open' undeclared (first use in this function)
/usr/src_new/head/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c: In function 'pf_commit_altq':
/usr/src_new/head/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c:1024: error: 'altqs_inactive_open' undeclared (first use in this function)
*** Error code 1

4) Reboot, load pf module, attempt to run pfctl -f /etc/pf.conf with this error:

No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCADDRULE: Operation not supported by device

5) Attempt to rebuild pfctl from /usr/src_new/sbin/pfctl to deal with the 'Operation not supported by device' error.
I get this error:

cc -O2 -pipe -Wall -Wmissing-prototypes -Wno-uninitialized -Wstrict-prototypes -I/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl -DENABLE_ALTQ -std=gnu99 -fstack-protector -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized -Wno-pointer-sign -c /usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c
cc1: warnings being treated as errors
In file included from /usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:64:
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.h:119: warning: 'struct pfsync_state_peer' declared inside parameter list
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.h:119: warning: its scope is only this definition or declaration, which is probably not what you want
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.h:120: warning: 'struct pfsync_state' declared inside parameter list
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c: In function 'pfctl_clear_states':
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:393: error: 'struct pfioc_state_kill' has no member named 'psk_killed'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c: In function 'pfctl_kill_src_nodes':
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:532: error: 'struct pfioc_src_node_kill' has no member named 'psnk_killed'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:538: error: 'struct pfioc_src_node_kill' has no member named 'psnk_killed'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c: In function 'pfctl_net_kill_states':
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:638: error: 'struct pfioc_state_kill' has no member named 'psk_killed'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:644: error: 'struct pfioc_state_kill' has no member named 'psk_killed'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c: In function 'pfctl_label_kill_states':
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:670: error: 'struct pfioc_state_kill' has no member named 'psk_label'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:670: error: 'struct pfioc_state_kill' has no member named 'psk_label'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:671: error: 'struct pfioc_state_kill' has no member named 'psk_label'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:678: error: 'struct pfioc_state_kill' has no member named 'psk_killed'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c: In function 'pfctl_id_kill_states':
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:695: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:695: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:696: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:696: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:697: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:698: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:703: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:708: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:708: error: 'struct pfioc_state_kill' has no member named 'psk_pfcmp'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:713: error: 'struct pfioc_state_kill' has no member named 'psk_killed'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c: In function 'pfctl_print_rule_counters':
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:805: error: 'struct pf_rule' has no member named 'states_cur'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:810: error: 'struct pf_rule' has no member named 'states_tot'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c: In function 'pfctl_show_rules':
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:922: error: 'struct pf_rule' has no member named 'states_tot'
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c: In function 'pfctl_show_states':
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:1087: warning: assignment from incompatible pointer type
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:1088: error: dereferencing pointer to incomplete type
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:1088: error: increment of pointer to unknown structure
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:1088: error: arithmetic on pointer to an incomplete type
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:1088: warning: left-hand operand of comma expression has no effect
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:1089: error: dereferencing pointer to incomplete type
/usr/src_new/head/sbin/pfctl/../../contrib/pf/pfctl/pfctl.c:1095: warning: passing argument 1 of 'print_state' from incompatible pointer type
*** Error code 1

Thanks for any help you can provide...

Jim