From: "Max Laier" <max@love2party.net>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: Bridging 2nd try and call for testers
Date: Tue, 2 Sep 2003 16:09:33 +0200
Message-ID: <009001c3715b$d5840eb0$01000001@max900>
(Archived to freebsd-pf@freebsd.org on Thu, 16 Sep 2004 03:49:46 +0000)

> > and try again to get pf running. Remember to set net.link.ether.bridge_ipf:
> > 1 This time it should at least see some packets ... or get a panic, not sure
> > about it ;)
>
> Excellent. My initial pass/block tests were successful.
> I will continue testing with a more realistic ruleset, however this is
> quite promising.
We came to the same conclusion, discovered some other problems and bring a new version of pf_freebsd to fix these issues:

Version 1.64:
http://pf4freebsd.love2party.net/pf_freebsd_1.64.tar.gz
MD5 (pf_freebsd_1.64.tar.gz) = f198908a8d691617aa16aa047de7be03

If you are running version 1.63 and don't need bridge support there is no real need to update unless you often do kldload/unload on pf and have seen page faults in connection with that (there is a possible race on MOD_UNLOAD, which most likely does not cause trouble, but is fixed now). If you run versions prior to 1.63, updating is recommended!

To get bridge working with pf you have to take a look into the newly created patches directory. There you'll find a patch to src/sys/net/bridge.c running against RELENG_5_1 and HEAD, which are the same (RCS 1.67). You have to do the following:

$ patch /usr/src/sys/net/bridge.c < pf_freebsd_1.64/patches/bridge.c.patch

Rebuild your kernel with at least the following options: "options BRIDGE", "options PFIL_HOOKS", "options INET". Reboot to the new kernel and set the sysctl "net.link.ether.bridge_ipf" to a non-zero value.

Further information about this and coming patches can be found in patches/README. Things in there are for testing purposes and will be send-pr'ed once we are certain that it helps and works.

Thank you for further feedback on the issue,
Max
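The procedure above as a set of pre-flight checks, added here as an example and not part of the original mail or the pf_freebsd package; it assumes the MD5 and kernel option names quoted in the mail, and the sysctl check only means something on a FreeBSD host already running the patched kernel.

```shell
#!/bin/sh
# Added example, not from the mail or the pf_freebsd package: pre-flight
# checks for the bridge + pf procedure described above.

# Digest quoted in the mail for pf_freebsd_1.64.tar.gz (assumed current).
PUBLISHED_MD5="f198908a8d691617aa16aa047de7be03"
# Kernel options the mail says the rebuilt kernel needs.
REQUIRED_OPTS="BRIDGE PFIL_HOOKS INET"

# Print the MD5 digest of a file with whichever tool the host provides
# (md5 on FreeBSD, md5sum elsewhere).
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file's digest matches the expected value (second
# argument, defaulting to the published one). A mismatch means a corrupt
# or altered download: do not unpack or patch from it.
verify_tarball() {
    [ "$(file_md5 "$1")" = "${2:-$PUBLISHED_MD5}" ]
}

# Print each required option that the kernel config file lacks, ignoring
# commented-out lines; empty output means the config is complete.
missing_kernel_options() {
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|$)" "$1" \
            || printf '%s\n' "$opt"
    done
}

# Succeed if net.link.ether.bridge_ipf is non-zero, i.e. the patched bridge
# hands packets to pf. Meaningful only on FreeBSD with the patched kernel.
bridge_ipf_enabled() {
    v=$(sysctl -n net.link.ether.bridge_ipf 2>/dev/null) || return 1
    [ "$v" -ne 0 ] 2>/dev/null
}

# Usage on the FreeBSD host (MYKERNEL is a placeholder config name):
#   verify_tarball pf_freebsd_1.64.tar.gz && echo "tarball ok"
#   missing_kernel_options /usr/src/sys/i386/conf/MYKERNEL
#   bridge_ipf_enabled || sysctl net.link.ether.bridge_ipf=1
```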