From owner-freebsd-pf@FreeBSD.ORG Mon Feb 10 11:06:52 2014
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 10 Feb 2014 11:06:51 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201402101106.s1AB6pcc080143@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/182401  pf         [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf         [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

55 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 11 01:30:01 2014
To: freebsd-pf@FreeBSD.org
Date: Tue, 11 Feb 2014 01:30:00 GMT
Message-Id: <201402110130.s1B1U0nL068328@freefall.freebsd.org>
From: David Thiel
Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets

The following reply was made to PR kern/179392; it has been noted by GNATS.
From: David Thiel
To: bug-followup@FreeBSD.org, paul@semiocast.com
Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets
Date: Mon, 10 Feb 2014 17:23:49 -0800

I've replicated this issue as well, on 10.0-RELEASE, amd64. With jails running on a cloned lo1, outbound IPv6 works fine, but pf redirected traffic results in incorrect checksums and traffic being dropped. Loopback interfaces no longer seem to support the -txcsum6 or -rxcsum6 flags. Would love to have a fix for this, as it kind of breaks the "service jail" model for IPv6.

Cheers,
David

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 11 08:30:18 2014
Message-ID: <52F9DF91.5080903@FreeBSD.org>
Date: Tue, 11 Feb 2014 09:30:09 +0100
From: Martin Matuska
To: freebsd-pf@FreeBSD.org
Cc: Adrian Chadd, Marko Zec
Subject: CFR: VIMAGE + pf bugfix

Hi,

please review my attached patch. It fixes two panics and makes PF usable with VIMAGE (inside host system only).

http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch

The patch does the following:
a) devirtualizes the UMA zone for pf_mtag
b) adds vnet information to pf_overload_task

Thank you,
mm

[Attachment: pf_mtag_taskq.patch]
Index: sys/netpfil/pf/pf.c =================================================================== --- sys/netpfil/pf/pf.c (revision 261741) +++ sys/netpfil/pf/pf.c (working copy) @@ -172,7 +172,10 @@ struct pf_overload_entry { struct pf_rule *rule; }; -SLIST_HEAD(pf_overload_head, pf_overload_entry); +struct pf_overload_head { + SLIST_HEAD(, pf_overload_entry) head; + struct vnet *vnet; +}; static VNET_DEFINE(struct pf_overload_head, pf_overloadqueue); #define V_pf_overloadqueue VNET(pf_overloadqueue) static VNET_DEFINE(struct task, pf_overloadtask);
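Review bot: the `struct vnet *vnet` member added to `struct pf_overload_head` in this hunk has no comment saying why a list head carries a vnet pointer; the reason (the overload task is enqueued on `taskqueue_swi` and so runs without a vnet context, and has to be told whose `V_` variables to operate on) is only discoverable from the `pf_initialize` and `pf_overload_task` hunks further down, so a one-line comment at the declaration, e.g. `struct vnet *vnet; /* vnet to enter in pf_overload_task() */`, would make the structure self-explaining.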
@@ -187,8 +190,7 @@ struct mtx pf_unlnkdrules_mtx; static VNET_DEFINE(uma_zone_t, pf_sources_z); #define V_pf_sources_z VNET(pf_sources_z) -static VNET_DEFINE(uma_zone_t, pf_mtag_z); -#define V_pf_mtag_z VNET(pf_mtag_z) +uma_zone_t pf_mtag_z; VNET_DEFINE(uma_zone_t, pf_state_z); VNET_DEFINE(uma_zone_t, pf_state_key_z); @@ -510,7 +512,7 @@ pf_src_connlimit(struct pf_state **state) pfoe->rule = (*state)->rule.ptr; pfoe->dir = (*state)->direction; PF_OVERLOADQ_LOCK(); - SLIST_INSERT_HEAD(&V_pf_overloadqueue, pfoe, next); + SLIST_INSERT_HEAD(&V_pf_overloadqueue.head, pfoe, next); PF_OVERLOADQ_UNLOCK(); taskqueue_enqueue(taskqueue_swi, &V_pf_overloadtask); @@ -527,11 +529,13 @@ pf_overload_task(void *c, int pending) PF_OVERLOADQ_LOCK(); queue = *(struct pf_overload_head *)c; - SLIST_INIT((struct pf_overload_head *)c); + SLIST_INIT(&((struct pf_overload_head *)c)->head); PF_OVERLOADQ_UNLOCK(); + CURVNET_SET(queue.vnet); + bzero(&p, sizeof(p)); - SLIST_FOREACH(pfoe, &queue, next) { + SLIST_FOREACH(pfoe, &queue.head, next) { V_pf_status.lcounters[LCNT_OVERLOAD_TABLE]++; if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("%s: blocking address ", __func__); @@ -563,16 +567,18 @@ pf_overload_task(void *c, int pending) /* * Remove those entries, that don't need flushing. */ - SLIST_FOREACH_SAFE(pfoe, &queue, next, pfoe1) + SLIST_FOREACH_SAFE(pfoe, &queue.head, next, pfoe1) if (pfoe->rule->flush == 0) { - SLIST_REMOVE(&queue, pfoe, pf_overload_entry, next); + SLIST_REMOVE(&queue.head, pfoe, pf_overload_entry, next); free(pfoe, M_PFTEMP); } else V_pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++; /* If nothing to flush, return. */ - if (SLIST_EMPTY(&queue)) + if (SLIST_EMPTY(&queue.head)) { + CURVNET_RESTORE(); return; + } for (int i = 0; i <= V_pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; 
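Review bot: in the `pf_overload_task` hunks `CURVNET_SET(queue.vnet)` is entered after the queue has been copied out and unlocked, and both exits visible here, the early `return` when `SLIST_EMPTY(&queue.head)` and the end of the function, now carry a matching `CURVNET_RESTORE()`; the unchanged middle of the function is not in the diff, so please confirm there is no other `return` there, because a missed restore would leave the swi thread in the wrong vnet for whatever task it picks up next. It is also worth a comment that `queue = *(struct pf_overload_head *)c` now copies the vnet pointer together with the list head while `SLIST_INIT(&((struct pf_overload_head *)c)->head)` deliberately resets only the list, so the vnet set once in `pf_initialize` survives across runs of the task.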
@@ -582,7 +588,7 @@ pf_overload_task(void *c, int pending) PF_HASHROW_LOCK(ih); LIST_FOREACH(s, &ih->states, entry) { sk = s->key[PF_SK_WIRE]; - SLIST_FOREACH(pfoe, &queue, next) + SLIST_FOREACH(pfoe, &queue.head, next) if (sk->af == pfoe->af && ((pfoe->rule->flush & PF_FLUSH_GLOBAL) || pfoe->rule == s->rule.ptr) && @@ -597,10 +603,12 @@ pf_overload_task(void *c, int pending) } PF_HASHROW_UNLOCK(ih); } - SLIST_FOREACH_SAFE(pfoe, &queue, next, pfoe1) + SLIST_FOREACH_SAFE(pfoe, &queue.head, next, pfoe1) free(pfoe, M_PFTEMP); if (V_pf_status.debug >= PF_DEBUG_MISC) printf("%s: %u states killed", __func__, killed); + + CURVNET_RESTORE(); } /* @@ -790,14 +798,16 @@ pf_initialize() V_pf_altqs_inactive = &V_pf_altqs[1]; /* Mbuf tags */ - V_pf_mtag_z = uma_zcreate("pf mtags", sizeof(struct m_tag) + - sizeof(struct pf_mtag), NULL, NULL, pf_mtag_init, NULL, - UMA_ALIGN_PTR, 0); + if (IS_DEFAULT_VNET(curvnet)) + pf_mtag_z = uma_zcreate("pf mtags", sizeof(struct m_tag) + + sizeof(struct pf_mtag), NULL, NULL, pf_mtag_init, NULL, + UMA_ALIGN_PTR, 0); /* Send & overload+flush queues. */ STAILQ_INIT(&V_pf_sendqueue); - SLIST_INIT(&V_pf_overloadqueue); + SLIST_INIT(&V_pf_overloadqueue.head); TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, &V_pf_overloadqueue); + V_pf_overloadqueue.vnet = curvnet; mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF); mtx_init(&pf_overloadqueue_mtx, "pf overload/flush queue", NULL, MTX_DEF); @@ -844,7 +854,8 @@ pf_cleanup() mtx_destroy(&pf_overloadqueue_mtx); mtx_destroy(&pf_unlnkdrules_mtx); - uma_zdestroy(V_pf_mtag_z); + if (IS_DEFAULT_VNET(curvnet)) + uma_zdestroy(pf_mtag_z); uma_zdestroy(V_pf_sources_z); uma_zdestroy(V_pf_state_z); uma_zdestroy(V_pf_state_key_z); @@ -868,7 +879,7 @@ static void pf_mtag_free(struct m_tag *t) { - uma_zfree(V_pf_mtag_z, t); + uma_zfree(pf_mtag_z, t); } struct pf_mtag * 
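Review bot: the `pf_initialize` and `pf_cleanup` hunks make `pf_mtag_z` a single global that only the default vnet creates (`if (IS_DEFAULT_VNET(curvnet)) pf_mtag_z = uma_zcreate(...)`) and destroys, so every other vnet now depends on the default vnet having initialised first and on the zone outliving it; nothing in the hunks states that, and the `uma_zcreate` result is still unchecked. A comment at the create site and a `KASSERT(pf_mtag_z != NULL, ...)` before the `uma_zalloc(pf_mtag_z, M_NOWAIT)` in `pf_get_mtag` would make the assumption explicit. In the `pf_cleanup` hunk the overload mutex is destroyed but no `taskqueue_drain(taskqueue_swi, &V_pf_overloadtask)` is visible; now that the task carries `V_pf_overloadqueue.vnet`, a task still queued when a non-default vnet is torn down would `CURVNET_SET` a vnet that is going away, so please confirm a drain happens before this point, and say so in the cover letter, which should also name the two panics it fixes so reviewers can map each hunk to a crash.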
@@ -879,7 +890,7 @@ pf_get_mtag(struct mbuf *m) if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) != NULL) return ((struct pf_mtag *)(mtag + 1)); - mtag = uma_zalloc(V_pf_mtag_z, M_NOWAIT); + mtag = uma_zalloc(pf_mtag_z, M_NOWAIT); if (mtag == NULL) return (NULL); bzero(mtag + 1, sizeof(struct pf_mtag)); @@ -1679,7 +1690,7 @@ pf_purge_unlinked_rules() * an already unlinked rule. */ PF_OVERLOADQ_LOCK(); - if (!SLIST_EMPTY(&V_pf_overloadqueue)) { + if (!SLIST_EMPTY(&V_pf_overloadqueue.head)) { PF_OVERLOADQ_UNLOCK(); return; }

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 11 11:12:02 2014
Date: Tue, 11 Feb 2014 12:12:40 +0100
From: Marko Zec
To: Martin Matuska
Cc: Adrian Chadd, Marko Zec, freebsd-pf@freebsd.org
Subject: Re: CFR: VIMAGE + pf bugfix
Message-ID: <20140211121240.4e05bfce@x23>
In-Reply-To: <52F9DF91.5080903@FreeBSD.org>
References: <52F9DF91.5080903@FreeBSD.org>

On Tue, 11 Feb 2014 09:30:09 +0100
Martin Matuska wrote:

> Hi,
>
> please review my attached patch. It fixes two panics and makes PF
> usable with VIMAGE (inside host system only).
>
> http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch
>
> The patch does the following:
> a) devirtualizes the UMA zone for pf_mtag
> b) adds vnet information to pf_overload_task

Looks fine to me (haven't tested this though).
Marko

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 11 11:45:26 2014
References: <52F9DF91.5080903@FreeBSD.org> <20140211121240.4e05bfce@x23>
In-Reply-To: <20140211121240.4e05bfce@x23>
From: Palle Girgensohn
To: Marko Zec
Cc: Adrian Chadd, Marko Zec, freebsd-pf@freebsd.org
Subject: Re: CFR: VIMAGE + pf bugfix
Date: Tue, 11 Feb 2014 12:45:15 +0100

> On 11 Feb 2014, at 12:12, Marko Zec wrote:
>
> On Tue, 11 Feb 2014 09:30:09 +0100
> Martin Matuska wrote:
>
>> Hi,
>>
>> please review my attached patch. It fixes two panics and makes PF
>> usable with VIMAGE (inside host system only).
>>
>> http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch
>>
>> The patch does the following:
>> a) devirtualizes the UMA zone for pf_mtag
>> b) adds vnet information to pf_overload_task
>
> Looks fine to me (haven't tested this though).
>
> Marko

I'm testing, let's give it a couple of days.

Palle

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 11 15:38:26 2014
Message-ID: <52FA3CA9.30806@lissyara.su>
Date: Tue, 11 Feb 2014 17:07:21 +0200
From: "skeletor@lissyara.su"
To: freebsd-pf@freebsd.org
Subject: pf block IP immediately

Hello.
I have a FreeBSD 9.2 amd64 with pf (built in kernel).
Can pf block some IP (sessions) immediately? The following rules can block only new sessions, but currently open sessions stay open as long as they are kept open by that IP:

block quick from X.X.X.X to any
block quick from any to X.X.X.X

Also, I can do pfctl -F sessions, but it flushes all sessions of all users.

tcpdrop doesn't show these sessions, because these are NAT sessions.

Thanks.
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 11 15:47:54 2014
Message-ID: <52FA4627.8090308@unsane.co.uk>
Date: Tue, 11 Feb 2014 15:47:51 +0000
From: Vincent Hoffman
To: freebsd-pf@freebsd.org
Subject: Re: pf block IP immediately
References: <52FA3CA9.30806@lissyara.su>
In-Reply-To: <52FA3CA9.30806@lissyara.su>

On 11/02/2014 15:07, skeletor@lissyara.su wrote:
> Hello.
> I have a FreeBSD 9.2 amd64 with pf (built in kernel).
> Can pf block some IP (sessions) immediately? The following rules can block only
> new sessions, but currently open sessions stay open as long as they are kept open
> by that IP:
>
> block quick from X.X.X.X to any
> block quick from any to X.X.X.X
>
> Also, I can do pfctl -F sessions, but it flushes all sessions of all
> users.
>
> tcpdrop doesn't show these sessions, because these are NAT sessions.

pfctl -k
or -K looks like what you need.

The pfctl(8) man page seems to cover it quite well.

Vince

>
> Thanks.
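What Vince points at, as an added example that is not from the thread or from pfctl itself: a POSIX sh helper that adds the offending address to a pf table consulted by a pair of `block quick` rules (this example assumes pf.conf carries `table <blocked> persist`, `block quick from <blocked> to any` and `block quick from any to <blocked>`) and then kills that host's existing states in both directions with `pfctl -k`, instead of flushing everyone's states. The table name and the `DRYRUN` switch are this example's own assumptions; the two-address form of `-k` is the one documented in pfctl(8).

```shell
#!/bin/sh
# Added example, not from the thread: block one host under pf immediately by
# (1) adding it to a table that "block quick from/to <blocked>" rules consult
#     (table name and rules are assumed to exist in pf.conf), and
# (2) killing the host's existing states with pfctl -k instead of flushing
#     everyone's states with "pfctl -F states".
set -eu

TABLE="${TABLE:-blocked}"   # assumed: "table <blocked> persist" in pf.conf

# pf_cmd ARGS...: run pfctl, or only print the command when DRYRUN=1
pf_cmd() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "pfctl $*"
    else
        pfctl "$@"
    fi
}

# is_ipaddr ADDR: loose syntactic check that ADDR is an IPv4 or IPv6 literal,
# optionally with a /prefix, so a garbage argument never reaches pfctl
is_ipaddr() {
    case "$1" in
        "" | *[!0-9a-fA-F:./]*) return 1 ;;   # only hex digits, ':', '.', '/'
        *:*) return 0 ;;                      # IPv6: contains a colon
    esac
    # IPv4: four dotted decimal octets, optional prefix length
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# any_net ADDR: the "anywhere" prefix of ADDR's address family, used as the
# other endpoint so that states are killed in both directions
any_net() {
    case "$1" in
        *:*) echo "::/0" ;;
        *)   echo "0.0.0.0/0" ;;
    esac
}

# block_host ADDR: put ADDR in the table, then drop its live states.
# "pfctl -k ADDR" kills states whose source is ADDR; the two-address form
# "pfctl -k ANY -k ADDR" kills states from anywhere to ADDR (the other
# direction), so both sides of an existing session are removed.
block_host() {
    addr="$1"
    if ! is_ipaddr "$addr"; then
        echo "block_host: not an IP address: $addr" >&2
        return 2
    fi
    pf_cmd -t "$TABLE" -T add "$addr"
    pf_cmd -k "$addr"
    pf_cmd -k "$(any_net "$addr")" -k "$addr"
}

# usage: block_host 192.0.2.7   (DRYRUN=1 prints the three pfctl commands)
```

Afterwards `pfctl -ss` should list no state for the address; if some survive, check in pfctl(8) for your release which state key (wire or stack side, which matters for NATed sessions) `-k` is matched against.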
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 11 17:59:04 2014
To: freebsd-pf@freebsd.org
Subject: Re: pf block IP immediately
References: <52FA3CA9.30806@lissyara.su>
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Tue, 11 Feb 2014 18:58:40 +0100
In-Reply-To: <52FA3CA9.30806@lissyara.su> (skeletor@lissyara.su's message of "Tue, 11 Feb 2014 17:07:21 +0200")
Message-ID: <877g91tttb.fsf@deeperthought.bsdly.net>

"skeletor@lissyara.su" writes:

> I have a FreeBSD 9.2 amd64 with pf (built in kernel).
> Can pf block some IP (sessions) immediately? The following rules can block only
> new sessions, but currently open sessions stay open as long as they are kept open by that IP:
>
> block quick from X.X.X.X to any
> block quick from any to X.X.X.X
>
> Also, I can do pfctl -F sessions, but it flushes all sessions of all users.

As already mentioned by others, you can kill state table entries with

  pfctl -k $host

But that doesn't necessarily block outright. If you want to block offenders based on some kind of identifiable behavior, you may want to look into setting up something with state tracking options and overload tables, much like the trap for rapid-fire brute force ssh groping (http://home.nuug.no/~peter/pf/en/bruteforce.html). But the technique is a general one and not limited to ssh or indeed to any specific protocol. Possible variations include setting up tiny queues, adding entries to the table of addresses you block manually, scripting the same based on parsing log files and probably a few more, limited only by your imagination.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 12 07:11:50 2014
Message-ID: <52FB1EAE.5050708@lissyara.su>
Date: Wed, 12 Feb 2014 09:11:42 +0200
From: "skeletor@lissyara.su"
To: freebsd-pf@freebsd.org
Subject: Re: pf block IP immediately
References: <52FA3CA9.30806@lissyara.su> <52FA4627.8090308@unsane.co.uk>
In-Reply-To: <52FA4627.8090308@unsane.co.uk>

11.02.2014 17:47, Vincent Hoffman wrote:
> pfctl -k
> or -K looks like what you need.
>
> The pfctl(8) man page seems to cover it quite well.
>
>
> Vince
>
Yes, this is exactly what I need.
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 12 19:25:03 2014
Date: Wed, 12 Feb 2014 23:24:59 +0400
From: Gleb Smirnoff
To: Robert Simmons
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in FreeBSD 10.0 Blocking Some SSH
Message-ID: <20140212192459.GD26785@FreeBSD.org>
References: <20140127192048.GS66160@FreeBSD.org>

On Mon, Jan 27, 2014 at 10:22:30PM -0500, Robert Simmons wrote:
R> > On Sun, Jan 26, 2014 at 06:19:34PM -0500, Robert Simmons wrote:
R> > R> Over the course of a few hours there are a handful of SSH packets that
R> > R> are being blocked both in and out. This does not seem to affect the
R> > R> SSH session, and all the blocked packets have certain flags set [FP.],
R> > R> [R.], [P.], [.], [F.]. The following is my ruleset abbreviated to the
R> > R> rules that apply to this problem:
R> > R>
R> > R> ext_if = "en0"
R> > R> allowed = "{ 192.168.1.10 }"
R> > R> std_tcp_in = "{ ssh }"
R> > R> block in log
R> > R> block out log (user)
R> > R> pass in quick on $ext_if proto tcp from $allowed to ($ext_if) port
R> > R> $std_tcp_in keep state
R> > R>
R> > R> Why are those packets being blocked?
R> >
R> > Do I understand you correctly that the ssh sessions work well, but you
R> > see blocked packets in the pflog?
R>
R> Yes, this is correct. I have not seen this in the logs since
R> yesterday, so it may have been a network issue.

That could be stray retransmits of data that have already been received and acknowledged. pf keeps track of sequence numbers in TCP connections flowing through it.

--
Totus tuus,
Glebius.
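The sequence tracking Gleb refers to is the per-direction window check pf runs on every segment of an established state (pf_tcp_track_full() in sys/netpfil/pf/pf.c). The model below is an added example, not pf's code and not from the thread: it keeps the four classic checks (end of data inside the peer's window, retransmit not more than one window back, ACK not too far ahead of or behind what the other side has sent) and drops window scaling, SYN/FIN state transitions and the RST special cases. The seed values of the state, the MAXACKWINDOW constant and the verdict strings are assumptions. What it shows is the shape of the log entries in the question: a retransmit of already-acknowledged data passes while it is within one window of what that side has sent, a segment that falls further behind or an ACK that jumps too far ahead is blocked, and the session itself is unaffected.

```python
"""Simplified model of pf's TCP sequence-window tracking (assumed values)."""
ACK, FIN, SYN = 0x10, 0x01, 0x02
MASK = 0xFFFFFFFF
MAXACKWINDOW = 0xFFFF + 1500   # assumed: one window plus a fragment of slack


def seq_geq(a: int, b: int) -> bool:
    """Wrap-safe a >= b on 32-bit sequence numbers."""
    return ((a - b) & MASK) < 0x80000000


def signed32(x: int) -> int:
    return ((x + 0x80000000) & MASK) - 0x80000000


class Peer:
    """What the model remembers about one direction of a state entry."""

    def __init__(self, seqlo: int, seqhi: int, max_win: int):
        self.seqlo = seqlo      # highest octet this side has sent so far
        self.seqhi = seqhi      # highest octet the other side will accept (its ack + win)
        self.max_win = max_win  # largest window this side has advertised


class TcpState:
    def __init__(self, client: Peer, server: Peer):
        self.peer = {"client": client, "server": server}

    def track(self, direction: str, seq: int, ack: int, win: int,
              flags: int = ACK, payload: int = 0) -> str:
        """Apply the window checks to one segment; update state only on pass."""
        src = self.peer[direction]
        dst = self.peer["server" if direction == "client" else "client"]
        end = (seq + payload + bool(flags & SYN) + bool(flags & FIN)) & MASK

        # last octet inside the receiver's window space
        if not seq_geq(src.seqhi, end):
            return "block: data beyond peer window"
        # retransmission not more than one window back
        if not seq_geq(seq, (src.seqlo - dst.max_win) & MASK):
            return "block: retransmit more than one window old"
        # ack not more than MAXACKWINDOW ahead of what dst has sent, nor that far behind
        ackskew = signed32(dst.seqlo - ack)
        if not -MAXACKWINDOW <= ackskew <= MAXACKWINDOW:
            return "block: ack outside window"

        # acceptable segment: advance the tracked edges
        if seq_geq(end, src.seqlo) and end != src.seqlo:
            src.seqlo = end
        if seq_geq((ack + win) & MASK, dst.seqhi):
            dst.seqhi = (ack + max(win, 1)) & MASK
        src.max_win = max(src.max_win, win)
        return "pass"


def run_scenario() -> list:
    """Constructed segments on an already established client<->server session."""
    win = 8192
    st = TcpState(client=Peer(seqlo=100_000, seqhi=100_000 + win, max_win=win),
                  server=Peer(seqlo=500_000, seqhi=500_000 + win, max_win=win))
    return [
        st.track("client", seq=100_000, ack=500_000, win=win, payload=1000),   # fresh data
        st.track("server", seq=500_000, ack=101_000, win=win),                 # server acks it
        st.track("client", seq=100_000, ack=500_000, win=win, payload=1000),   # late retransmit of acked data, still in window
        st.track("client", seq=90_000, ack=500_000, win=win, payload=1000),    # stale segment, more than one window behind
        st.track("server", seq=500_000, ack=101_000 + MAXACKWINDOW + 1, win=win),  # ack jumps too far ahead
        st.track("client", seq=101_000, ack=500_000, win=win, flags=ACK | FIN),    # orderly close still passes
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The fourth and fifth segments are the kind of thing that shows up in pflog with `[P.]`, `[F.]` or `[.]` flags on a session that otherwise works: the state is healthy, the segment simply does not fit the window pf has recorded for that direction.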
From owner-freebsd-pf@FreeBSD.ORG Sat Feb 15 23:39:51 2014
Date: Sun, 16 Feb 2014 00:39:42 +0100
From: Palle Girgensohn
To: Martin Matuska
Cc: freebsd-pf@FreeBSD.org
Subject: Re: VIMAGE + PF crash in mbuf destructor
In-Reply-To: <52F42ECB.4050700@FreeBSD.org>
References: <51ED5308.3020008@gmx.com> <201307222338.09833.zec@fer.hr> <1389886004148-5876949.post@n5.nabble.com> <1391536059015-5882971.post@n5.nabble.com> <52F42ECB.4050700@FreeBSD.org>

There might be different problems here, but my problem, where the system crashes like clockwork every night at four o'clock, is still there even with the patch.

On 7 Feb 2014, at 01:54, Martin Matuska wrote:
> I don't have objections - the patch was done with avg's help and does its job, but we may consult someone first.
>
> http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch
>
> On 2014-02-07 00:37, Craig Rodrigues wrote:
>>
>> On Tue, Feb 4, 2014 at 9:47 AM, mm wrote:
>> Looks like I experience this panic, too.
>>
>> To fix the mbuf and taskq problems, I use the following patch atm.:
>> http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch
>>
>>
>> Thanks for showing that patch. It looks good to me. Is it good enough for commit?
>> This problem has been around for a while.
>>