From owner-freebsd-pf@FreeBSD.ORG Sun Jun 13 23:59:07 2010
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-amd64@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Sun, 13 Jun 2010 23:59:07 GMT
Subject: Re: kern/147789: [pf] Firewall PF no longer drops connections by sending TCP RST packets

Old Synopsis: Firewall PF no longer drops connections by sending TCP RST packets
New Synopsis: [pf] Firewall PF no longer drops connections by sending TCP RST packets

Responsible-Changed-From-To: freebsd-amd64->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Jun 13 23:58:37 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=147789

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 14 11:06:58 2010
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 14 Jun 2010 11:06:56 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

45 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 16 16:29:01 2010
From: "Spenst, Aleksej"
To: "'freebsd-pf@freebsd.org'"
Date: Wed, 16 Jun 2010 18:28:57 +0200
Subject: route-to with altq problem

Hi all,

I have the problem that after redirecting the packets with 'route-to'
keyword to the external interface $ext_if, the packets are not queued at
$ext_if but directly go out. The problem is that I have configured queues
(ALTQ) at $ext_if to make prioritization of traffic, but queues are ignored
as packets are not queued.

Below is my pf.conf without queue configuration, which is not relevant here.
The last rule is never matched!!!

--- pf.conf ----
nat on lo0 proto tcp tag PRIQ5 -> ($ext_if)
pass out on lo0 route-to $ext_if tagged PRIQ5 keep state
pass out on $ext_if tagged PRIQ5 queue q5 keep state
----------------

Thanks a lot for any suggestion about how to force packets to go to queues
at $ext_if after 'nat'.

Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 16 16:34:06 2010
From: "Spenst, Aleksej"
To: "'freebsd-pf@freebsd.org'"
Date: Wed, 16 Jun 2010 18:34:01 +0200
Subject: AW: route-to with altq problem

Below are the rules written in a better way ;)

> The last rule is never matched!!!
>
>--- pf.conf ----
>nat on lo0 proto tcp tag PRIQ5 -> ($ext_if)
>pass out on lo0 route-to $ext_if tagged PRIQ5 keep state
>pass out on $ext_if tagged PRIQ5 queue q5 keep state
>----------------

>-----Original Message-----
>From: owner-freebsd-pf@freebsd.org
>[mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Spenst, Aleksej
>Sent: Wednesday, 16 June 2010 18:29
>To: 'freebsd-pf@freebsd.org'
>Subject: route-to with altq problem
>
>Hi all,
>
>I have the problem that after redirecting the packets with
>'route-to' keyword to the external interface $ext_if, the
>packets are not queued at $ext_if but directly go out. The
>problem is that I have configured queues (ALTQ) at $ext_if to
>make prioritization of traffic, but queues are ignored as
>packets are not queued.
>
>Below is my pf.conf without queue configuration, which is not
>relevant here.
>The last rule is never matched!!!
>
>--- pf.conf ----
>nat on lo0 proto tcp tag PRIQ5 -> ($ext_if)
>pass out on lo0 route-to $ext_if tagged PRIQ5 keep state
>pass out on $ext_if tagged PRIQ5 queue q5 keep state
>----------------
>
>Thanks a lot for any suggestion about how to force packets to
>go to queues at $ext_if after 'nat'.
>
>Aleksej.
>
>
>_______________________________________________
>freebsd-pf@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 17 08:05:02 2010
From: "Spenst, Aleksej"
To: "'freebsd-pf@freebsd.org'"
Date: Thu, 17 Jun 2010 10:04:58 +0200
Subject: AW: route-to with altq problem

Sorry for spam again, but I have already figured it out.

instead of:

nat on lo0 proto tcp tag PRIQ5 -> ($ext_if)
pass out on lo0 route-to $ext_if tagged PRIQ5 keep state
pass out on $ext_if tagged PRIQ5 queue q5 keep state

it should be:

nat on lo0 proto tcp tag PRIQ5 -> ($ext_if)
pass out on lo0 route-to $ext_if tagged PRIQ5 keep state queue q5

Where the queue q5 belongs to $ext_if and not to lo0, which was not very
clear to me before...

>-----Original Message-----
>From: owner-freebsd-pf@freebsd.org
>[mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Spenst, Aleksej
>Sent: Wednesday, 16 June 2010 18:29
>To: 'freebsd-pf@freebsd.org'
>Subject: route-to with altq problem
>
>Hi all,
>
>I have the problem that after redirecting the packets with
>'route-to' keyword to the external interface $ext_if, the
>packets are not queued at $ext_if but directly go out. The
>problem is that I have configured queues (ALTQ) at $ext_if to
>make prioritization of traffic, but queues are ignored as
>packets are not queued.
>
>Below is my pf.conf without queue configuration, which is not
>relevant here.
>The last rule is never matched!!!
>
>--- pf.conf ----
>nat on lo0 proto tcp tag PRIQ5 -> ($ext_if)
>pass out on lo0 route-to $ext_if tagged PRIQ5 keep state
>pass out on $ext_if tagged PRIQ5 queue q5 keep state
>----------------
>
>Thanks a lot for any suggestion about how to force packets to
>go to queues at $ext_if after 'nat'.
>
>Aleksej.
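
The fix from the last message placed in a fuller pf.conf, as an added example that is not part of the thread and not the poster's actual file. The interface name em0, the 10Mb bandwidth and the default queue q1 are assumptions; q5, the PRIQ5 tag and the nat/pass rules are taken from the posts.

```conf
# Added illustration, not the poster's real configuration.
# Assumed: em0 as the external interface, 10Mb bandwidth, default queue q1.
ext_if = "em0"

# Queueing: ALTQ is enabled on $ext_if only. lo0 has no queues of its own.
altq on $ext_if priq bandwidth 10Mb queue { q1, q5 }
queue q1 priority 1 priq(default)
queue q5 priority 5

# Translation: rule from the thread, tags the TCP traffic at the nat step.
nat on lo0 proto tcp tag PRIQ5 -> ($ext_if)

# Filtering: rule from the thread's fix. The queue is named on the lo0 rule
# that carries route-to; as the poster found, q5 here refers to the queue
# defined on $ext_if above.
pass out on lo0 route-to $ext_if tagged PRIQ5 keep state queue q5

# The poster's original third rule is left out on purpose; it was reported
# as never matching:
#   pass out on $ext_if tagged PRIQ5 queue q5 keep state

# Checks after editing:
#   pfctl -nf /etc/pf.conf   parse only, reports syntax errors without loading
#   pfctl -vsr               per-rule counters, the lo0 rule should count packets
#   pfctl -vsq               per-queue counters, q5 should grow under tagged traffic
```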