From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 11:07:08 2011
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Date: Mon, 17 Oct 2011 11:07:07 GMT

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/159390  pf         [pf] [panic] mutex pf task mtx owned at /usr/src/sys/c
o kern/159029  pf         [pf] [panic] m_copym, offset > size of mbuf chain when
o kern/158873  pf         [pf] [panic] When I launch pf daemon, I have a kernel
o kern/158636  pf         [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

49 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 12:40:28 2011
From: Ermal Luçi
To: glebius@freebsd.org
Cc: nerijus.ambrazas@ktu.lt, freebsd-pf@freebsd.org
Subject: Re: kern/114095: [carp] carp+pf delay with high state limit
Date: Mon, 17 Oct 2011 14:18:38 +0200

On Sat, Oct 15, 2011 at 4:20 PM, wrote:
> Synopsis: [carp] carp+pf delay with high state limit
>
> State-Changed-From-To: open->closed
> State-Changed-By: glebius
> State-Changed-When: Sat Oct 15 14:20:00 UTC 2011
> State-Changed-Why:
> Not a bug. This is a feature. pfsync(4) suppresses carp(4)
> preemption until new recently booted node downloads full
> table of pf(4) states from its peer.
>

This is not true on FreeBSD.
The issue might be from other reasons.

>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=114095
>

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 13:16:59 2011
From: Eric Masson
To: Mailing List FreeBSD PF
Subject: PF & Inside NAT
Date: Mon, 17 Oct 2011 14:50:31 +0200

Hello,

Does the PF 4.5 port present in -current & 9-STABLE support inside NAT
please (somewhat like the reverse nat available with libalias)?

Kind Regards

Éric Masson

-- 
 I don't feel like wasting my time on their stupid APD. But I need the
 certificate that is issued there, to take the driving test.
 I heard it could be found on the Internet. Would anyone have any info?
 -+- DC in GNU : Neuneu mends his ways -+-

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 13:17:44 2011
From: Gleb Smirnoff
To: Ermal Luçi
Cc: nerijus.ambrazas@ktu.lt, bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/114095: [carp] carp+pf delay with high state limit
Date: Mon, 17 Oct 2011 17:17:42 +0400

On Mon, Oct 17, 2011 at 02:18:38PM +0200, Ermal Luçi wrote:
E> On Sat, Oct 15, 2011 at 4:20 PM, wrote:
E> > Synopsis: [carp] carp+pf delay with high state limit
E> >
E> > State-Changed-From-To: open->closed
E> > State-Changed-By: glebius
E> > State-Changed-When: Sat Oct 15 14:20:00 UTC 2011
E> > State-Changed-Why:
E> > Not a bug. This is a feature. pfsync(4) suppresses carp(4)
E> > preemption until new recently booted node downloads full
E> > table of pf(4) states from its peer.
E>
E> This is not true on FreeBSD.
E> The issue might be from other reasons.

This is a surprise for me that this feature had been removed!

It used to be in stable/6:

http://fxr.watson.org/fxr/ident?v=FREEBSD60;i=carp_suppress_preempt

And I always treated that variable in CARP as shared with pf. Why did
they remove this feature from pfsync?

P.S. Since PR is about 6.2-RELEASE, then I have closed it correctly.

-- 
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 14:09:07 2011
From: Damien Fleuriot
To: freebsd-pf@freebsd.org
Subject: Re: PF & Inside NAT
Date: Mon, 17 Oct 2011 16:09:03 +0200

On 10/17/11 2:50 PM, Eric Masson wrote:
> Hello,
>
> Does the PF 4.5 port present in -current & 9-STABLE support inside NAT
> please (somewhat like the reverse nat available with libalias)?
>
> Kind Regards
>
> Éric Masson
>

I totally did not understand whatever you're trying to say.
In other words, I didn't understand a thing.

What do you call "inside nat"?

If you're referring to the mechanism where a client calls a public IP on
your firewall, and PF rewrites it to an internal IP, what you want is
the rdr mechanism.

These will still work, seeing the new rules syntax for PF only appears
in 4.7.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 14:27:23 2011
From: "Bjoern A. Zeeb"
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Subject: Re: PF & Inside NAT
Date: Mon, 17 Oct 2011 14:27:17 +0000

On 17. Oct 2011, at 14:09 , Damien Fleuriot wrote:

> On 10/17/11 2:50 PM, Eric Masson wrote:
>> Hello,
>>
>> Does the PF 4.5 port present in -current & 9-STABLE support inside NAT
>> please (somewhat like the reverse nat available with libalias)?
>>
>> Kind Regards
>>
>> Éric Masson
>>
>
> I totally did not understand whatever you're trying to say.
> In other words, I didn't understand a thing.
>
> What do you call "inside nat"?
>
> If you're referring to the mechanism where a client calls a public IP on
> your firewall, and PF rewrites it to an internal IP, what you want is
> the rdr mechanism.
>
> These will still work, seeing the new rules syntax for PF only appears
> in 4.7.

Inside NAT means when the packet arrives at the system rather than leaving
it, as in before any ipsec or routing decision; for a long time pf had no
concept of this, and yes, the pf in FreeBSD still lacks it.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

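The two translation directions discussed in the messages above, written out as a pf.conf fragment in the pre-4.7 syntax. This is an added example, not part of any poster's message; the interface name, macros and addresses are constructed placeholders.

```pf
# Constructed sample values, not taken from the thread.
ext_if  = "em0"
int_net = "10.0.0.0/24"
ext_ip  = "192.0.2.10"
web_srv = "10.0.0.80"

# --- Translation rules (pre-4.7 syntax, as used by the pf 4.5 import) ---

# Source NAT: the source address is rewritten as the packet leaves
# through $ext_if, i.e. after the routing decision has been made.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# rdr: a client connects to the public address and pf rewrites the
# destination to an internal host as the packet arrives on $ext_if.
rdr on $ext_if inet proto tcp from any to $ext_ip port 80 -> $web_srv port 80

# Neither rule rewrites the *source* of a packet on arrival. That is the
# "inside NAT" case asked about, which per the reply above the pf in
# FreeBSD lacks.

# --- Filter rules ---
block in log on $ext_if all

# rdr is applied before the filter rules are evaluated, so the pass rule
# must match the already rewritten destination ($web_srv, not $ext_ip).
pass in on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA keep state
pass out on $ext_if inet all keep state

# The same translations in the rule syntax introduced with pf 4.7, where
# they become options on match/pass rules:
#   match out on $ext_if inet from $int_net to any nat-to ($ext_if)
#   pass in on $ext_if inet proto tcp from any to $ext_ip port 80 rdr-to $web_srv port 80
```

`pfctl -nf <file>` parses a ruleset without loading it, which is a quick way to check which of the two syntaxes the installed pf accepts.
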
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 14:55:32 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0C597106564A for ; Mon, 17 Oct 2011 14:55:32 +0000 (UTC) (envelope-from emss.mail@gmail.com) Received: from mail-ey0-f182.google.com (mail-ey0-f182.google.com [209.85.215.182]) by mx1.freebsd.org (Postfix) with ESMTP id 88C958FC15 for ; Mon, 17 Oct 2011 14:55:31 +0000 (UTC) Received: by eyd10 with SMTP id 10so3971749eyd.13 for ; Mon, 17 Oct 2011 07:55:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=sender:x-virus-scanned:to:cc:subject:from:in-reply-to:references :x-operating-system:date:message-id:user-agent:mime-version :content-type:content-transfer-encoding; bh=FKLRkRhSi+7DhV9q/Sv5ruiGs+rIGRaHARGpWMkeoBk=; b=tjWMsgKrK2gN2Cr664teAa6JJU13Jr5KBDwSgLUC99Pp56z8/3MVkMPiqUGPx1nk3g WVdtueEENiNb4SSTJ/qJUVD8fFNniQezW7VYlXcyC+PZDHnDdSg88PMvNe3DhUOnI2k8 RaUxEZNqW2VoBoM8nhGz40FXRIJp7k5IjSOB4= Received: by 10.216.139.135 with SMTP id c7mr3978113wej.28.1318863330504; Mon, 17 Oct 2011 07:55:30 -0700 (PDT) Received: from srvbsdfenssv.interne.associated-bears.org (LCaen-151-92-21-48.w217-128.abo.wanadoo.fr. 
[217.128.200.48]) by mx.google.com with ESMTPS id ek13sm31559989wbb.3.2011.10.17.07.55.27 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 17 Oct 2011 07:55:28 -0700 (PDT) Sender: Eric Masson Received: from srvbsdfenssv.interne.associated-bears.org (localhost [127.0.0.1]) by srvbsdfenssv.interne.associated-bears.org (Postfix) with ESMTP id E1A93CF425; Mon, 17 Oct 2011 16:55:25 +0200 (CEST) X-Virus-Scanned: amavisd-new at interne.associated-bears.org Received: from srvbsdfenssv.interne.associated-bears.org ([127.0.0.1]) by srvbsdfenssv.interne.associated-bears.org (srvbsdfenssv.interne.associated-bears.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6ZN4ZPXUgua; Mon, 17 Oct 2011 16:55:19 +0200 (CEST) Received: by srvbsdfenssv.interne.associated-bears.org (Postfix, from userid 1001) id CCD8FCF413; Mon, 17 Oct 2011 16:55:19 +0200 (CEST) To: Damien Fleuriot 
From: Eric Masson In-Reply-To: <4E9C36FF.2050508@my.gd> (Damien Fleuriot's message of "Mon, 17 Oct 2011 16:09:03 +0200") References: <86botfu6i0.fsf@srvbsdfenssv.interne.associated-bears.org> <4E9C36FF.2050508@my.gd> X-Operating-System: FreeBSD 8.2-RELEASE-p4 amd64 Date: Mon, 17 Oct 2011 16:55:19 +0200 Message-ID: <867h43u0q0.fsf@srvbsdfenssv.interne.associated-bears.org> User-Agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Re: PF & Inside NAT X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Oct 2011 14:55:32 -0000 Damien Fleuriot writes: Hi Damien, > I totally did not understand whatever you're trying to say. > En d'autres termes, j'ai rien compris. Pas grave ;) > What do you call "inside nat" ? The ability to trigger nat via incoming packets (useful in a nat before vpn scenario), just like libalias does when a rule contains the reverse keyword (see ipfw(8)). Inside NAT is the name given on some ciscos for example. Seems Ermal was working on $subject a few months ago. Regards Éric Masson -- 70% de frjv sont des newbies ? Et une fois qu'ils ne le sont plus que font-ils ? Ils quittent frjv parce que c'est trop à chier ? Parce que s'ils y restent et gardent leur comportement, ça devient des neuneux. 
-+- XB in: - Tu seras un neuneu mon fils -+- From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 15:45:05 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9F3EE106567A for ; Mon, 17 Oct 2011 15:45:05 +0000 (UTC) (envelope-from emss.mail@gmail.com) Received: from mail-ww0-f50.google.com (mail-ww0-f50.google.com [74.125.82.50]) by mx1.freebsd.org (Postfix) with ESMTP id 13F648FC23 for ; Mon, 17 Oct 2011 15:45:04 +0000 (UTC) Received: by wwi18 with SMTP id 18so3288517wwi.31 for ; Mon, 17 Oct 2011 08:45:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=sender:x-virus-scanned:to:cc:subject:from:in-reply-to:references :x-operating-system:date:message-id:user-agent:mime-version :content-type:content-transfer-encoding; bh=/6/4+BCS9LuBKOCEwmSEsn074M5DX0EgtQF1BLJu0Hs=; b=wXEWZO4IBpMGetPadD0BCBrjpNH5hDmKYGWDWAu4iNyAcfF0DdeKI62pyACdSxNnsj rzGR4UNAYz7jP8x+dMaQXNDbf4o6lDKJ7FXMYG+PSqGk8XCsjKnzASKd3xdiCXABoNVU WHAzq8eT8d7e87Le7CMx4KnJZnusibAS83R/E= Received: by 10.216.159.201 with SMTP id s51mr4119580wek.70.1318866303939; Mon, 17 Oct 2011 08:45:03 -0700 (PDT) Received: from srvbsdfenssv.interne.associated-bears.org (LCaen-151-92-21-48.w217-128.abo.wanadoo.fr. 
[217.128.200.48]) by mx.google.com with ESMTPS id q30sm15991936wbn.17.2011.10.17.08.44.52 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 17 Oct 2011 08:45:00 -0700 (PDT) Sender: Eric Masson Received: from srvbsdfenssv.interne.associated-bears.org (localhost [127.0.0.1]) by srvbsdfenssv.interne.associated-bears.org (Postfix) with ESMTP id 245E8CF22D; Mon, 17 Oct 2011 17:44:30 +0200 (CEST) X-Virus-Scanned: amavisd-new at interne.associated-bears.org Received: from srvbsdfenssv.interne.associated-bears.org ([127.0.0.1]) by srvbsdfenssv.interne.associated-bears.org (srvbsdfenssv.interne.associated-bears.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SSlK9fZgE5hU; Mon, 17 Oct 2011 17:44:27 +0200 (CEST) Received: by srvbsdfenssv.interne.associated-bears.org (Postfix, from userid 1001) id 09340CF0CB; Mon, 17 Oct 2011 17:44:27 +0200 (CEST) To: "Bjoern A. Zeeb" 
From: Eric Masson In-Reply-To: (Bjoern A. Zeeb's message of "Mon, 17 Oct 2011 14:27:17 +0000") References: <86botfu6i0.fsf@srvbsdfenssv.interne.associated-bears.org> <4E9C36FF.2050508@my.gd> X-Operating-System: FreeBSD 8.2-RELEASE-p4 amd64 Date: Mon, 17 Oct 2011 17:44:26 +0200 Message-ID: <8639ertyg5.fsf@srvbsdfenssv.interne.associated-bears.org> User-Agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Re: PF & Inside NAT X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Oct 2011 15:45:05 -0000 "Bjoern A. Zeeb" writes: Hello Bjoern, > of this, and yes, the pf in FreeBSD still lacks it. Ok. Thanks a lot for the answer. Regards Éric Masson -- ça reste finalement une décision personnelle, sans contraintes externes, puisqu'il n'y a rien à prouver dans ce domaine aux variables exogènes de contrôle -+- JPJ - - Neuneu se pousse du col -+- From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 18:47:33 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 93D24106566B; Mon, 17 Oct 2011 18:47:33 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-ww0-f42.google.com (mail-ww0-f42.google.com [74.125.82.42]) by mx1.freebsd.org (Postfix) with ESMTP id C68D78FC1A; Mon, 17 Oct 2011 18:47:32 +0000 (UTC) Received: by wwn22 with SMTP id 22so3916771wwn.1 for ; Mon, 17 Oct 2011 11:47:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type 
:content-transfer-encoding; bh=Vqbjst2usRRGYT+fJH2vTfZ9RzxffKz/VB9uiRz67f4=; b=HkUEJqzWi6PKFeaXXjqNFFVEjWNkPED1CzaKISUuUXCaFVivFMSQ9lRJNcG0BuOIdm M2R+INW9/1TPzZt1xEUecpL+nHRyN+iUqxrFnYxe/QeWJgHmfMgGdLsi4Y75BsJf87M1 J0KHfJcFsSisiDAzFb6Z0aVE/VeWxdYTZmQL0= MIME-Version: 1.0 Received: by 10.216.195.134 with SMTP id p6mr4223204wen.3.1318877251595; Mon, 17 Oct 2011 11:47:31 -0700 (PDT) Sender: ermal.luci@gmail.com Received: by 10.216.48.205 with HTTP; Mon, 17 Oct 2011 11:47:31 -0700 (PDT) In-Reply-To: <20111017131742.GC51949@glebius.int.ru> References: <201110151420.p9FEKulv026435@freefall.freebsd.org> <20111017131742.GC51949@glebius.int.ru> Date: Mon, 17 Oct 2011 20:47:31 +0200 X-Google-Sender-Auth: mzd_6rAC2S1lXVvSIaGGm19ZcNo Message-ID: 
From: Ermal Luçi
To: Gleb Smirnoff
Cc: nerijus.ambrazas@ktu.lt, bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/114095: [carp] carp+pf delay with high state limit

2011/10/17 Gleb Smirnoff:
> On Mon, Oct 17, 2011 at 02:18:38PM +0200, Ermal Luçi wrote:
> E> On Sat, Oct 15, 2011 at 4:20 PM, wrote:
> E> > Synopsis: [carp] carp+pf delay with high state limit
> E> >
> E> > State-Changed-From-To: open->closed
> E> > State-Changed-By: glebius
> E> > State-Changed-When: Sat Oct 15 14:20:00 UTC 2011
> E> > State-Changed-Why:
> E> > Not a bug. This is a feature. pfsync(4) suppresses carp(4)
> E> > preemption until new recently booted node downloads full
> E> > table of pf(4) states from its peer.
> E>
> E> This is not true on FreeBSD.
> E> The issue might be from other reasons.
>
> This is a surprise for me that this feature had been removed!
>
> It used to be in stable/6:
>
> http://fxr.watson.org/fxr/ident?v=FREEBSD60;i=carp_suppress_preempt
>
> And I always treated that variable in CARP as shared with pf. Why did
> they remove this feature from pfsync?
>

OpenBSD has it but FreeBSD is SMP capable and global vars without
synchronization do not work well.
To support that you have to add cross-dependencies and synchronization
between the two.

Not only synchronization though even some housekeeping around....
I will probably give a look at this again after 9.0.

> P.S. Since PR is about 6.2-RELEASE, then I have closed it correctly.
>
> --
> Totus tuus, Glebius.
>

-- 
Ermal

Date: Mon, 17 Oct 2011 23:13:48 +0400
From: Gleb Smirnoff
To: Ermal Luçi
Cc: nerijus.ambrazas@ktu.lt, bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/114095: [carp] carp+pf delay with high state limit

On Mon, Oct 17, 2011 at 08:47:31PM +0200, Ermal Luçi wrote:
E> > This is a surprise for me that this feature had been removed!
E> >
E> > It used to be in stable/6:
E> >
E> > http://fxr.watson.org/fxr/ident?v=FREEBSD60;i=carp_suppress_preempt
E> >
E> > And I always treated that variable in CARP as shared with pf. Why did
E> > they remove this feature from pfsync?
E>
E> OpenBSD has it but FreeBSD is SMP capable and global vars without
E> synchronization do not work well.
E> To support that you have to add cross-dependencies and synchronization
E> between the two.
E>
E> Not only synchronization though even some housekeeping around....
E> I will probably give a look at this again after 9.0.

Well, a possible race, when pfsync clears its increment to
carp_suppress_preempt but the CPU where the carp callout is running
doesn't see it due to cache, is harmless. It just means that preemption
would happen not right after pfsync has finished downloading states,
but a couple of seconds later.

-- 
Totus tuus, Glebius.

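The two situations this exchange turns on, as an added model that is not code from the thread or from FreeBSD or OpenBSD: a reader that sees a stale value of carp_suppress_preempt only preempts later, while plain (non-atomic) decrements by two writers can lose an update and leave the counter stuck. The second writer is an assumption that goes beyond what the thread states; apart from the counter's name, every identifier is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added model, not FreeBSD or OpenBSD source. Only the name
 * carp_suppress_preempt is taken from the thread; all functions and the
 * two-writer scenario are hypothetical.
 */

enum { WRITERS = 2 };

struct sim {
    int  counter;           /* models carp_suppress_preempt */
    int  loaded[WRITERS];   /* value each writer read in its load step */
    int  pc[WRITERS];       /* 0 = about to load, 1 = about to store, 2 = done */
    bool atomic;            /* true: the decrement is one indivisible step */
};

/* Execute the next step of writer w. */
static void step(struct sim *s, int w)
{
    if (s->atomic) {
        s->counter--;                   /* load, subtract, store as one unit */
        s->pc[w] = 2;
    } else if (s->pc[w] == 0) {
        s->loaded[w] = s->counter;      /* first half of a plain "counter--" */
        s->pc[w] = 1;
    } else {
        s->counter = s->loaded[w] - 1;  /* second half, may use an old value */
        s->pc[w] = 2;
    }
}

/* Walk every interleaving of the writers' steps (depth-first). */
static void explore(struct sim s, int *schedules, int *stuck)
{
    bool ran = false;
    for (int w = 0; w < WRITERS; w++) {
        if (s.pc[w] < 2) {
            struct sim next = s;
            step(&next, w);
            explore(next, schedules, stuck);
            ran = true;
        }
    }
    if (!ran) {                 /* every writer has finished */
        (*schedules)++;
        if (s.counter != 0)     /* a decrement was lost */
            (*stuck)++;
    }
}

/*
 * Two holders of the counter release it concurrently. Returns how many
 * schedules leave the counter nonzero; *total receives the schedule count.
 */
int stuck_schedules(bool atomic, int *total)
{
    struct sim s = { .counter = WRITERS, .atomic = atomic };
    int schedules = 0, stuck = 0;
    explore(s, &schedules, &stuck);
    *total = schedules;
    return stuck;
}

/*
 * Reader side: a periodic callout that sees the old value 1 for stale_ticks
 * runs before it observes final_value. Returns the first tick at which
 * preemption is allowed, or -1 if that never happens within max_ticks.
 */
int first_preempt_tick(int final_value, int stale_ticks, int max_ticks)
{
    for (int tick = 0; tick < max_ticks; tick++) {
        int seen = tick < stale_ticks ? 1 : final_value;
        if (seen == 0)
            return tick;
    }
    return -1;
}

int main(void)
{
    int total;
    int stuck = stuck_schedules(false, &total);
    printf("plain decrement:  %d of %d schedules leave the counter stuck\n", stuck, total);
    stuck = stuck_schedules(true, &total);
    printf("atomic decrement: %d of %d schedules leave the counter stuck\n", stuck, total);
    printf("stale read for 3 ticks, counter 0: preempt at tick %d\n",
           first_preempt_tick(0, 3, 100));
    printf("lost decrement, counter stays 1:   preempt at tick %d\n",
           first_preempt_tick(1, 0, 100));
    return 0;
}
```

A stale read costs the reader a few ticks, whereas a lost decrement means the callout never sees zero at all.
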
Date: Tue, 18 Oct 2011 18:44:56 +0200
From: Florian Wilkemeyer
To: freebsd-pf@FreeBSD.org
Subject: PF NAT issue with 9.0-BETA3 and RELENG_9 'head'

Hello,

I recently switched a router in our test-environment to FreeBSD 9.0-Beta3
(and after things didn't work ... checked out the current RELENG_9
and recompiled kernel & world .. )

Problem:
After 5 - 15 minutes NAT stops working (normal routing still works.)

Network Utilization: about 40 MByte/second, which gets routed
only a few kbit/s are getting natted (NTP Syncs and such ... )

When I took a look on the nat rules (via pfctl -vv -s nat)
the rules get evaluated; but nothing matches anymore...

State Table holds about 9500 entries,
Source Tracking Table about 300

Software / Configuration:
pf, carp

pf.conf:
====================================================
set limit src-nodes 550000
set limit frags 32000
set timeout { adaptive.start 530000 adaptive.end 540000 }
set timeout src.track 600
set timeout frag 30
set skip on lo0
set skip on igb2
set skip on igb3
set skip on bce0
set skip on bce1
set skip on pfsync0
#set skip on internal
#set skip on carp3internal
nat on public from 10.5.0.0/16 to any -> { public }
====================================================

carp device holding the internal gateway ips (10.5.0.253 .. ), currently master - no slave

/etc/sysctl.conf:
====================================================
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.icmp.icmplim_output=0
net.inet.icmp.icmplim=0
net.route.netisr_maxqlen=8192
kern.random.sys.harvest.interrupt=0
kern.random.sys.harvest.ethernet=0
kern.random.sys.harvest.point_to_point=0
net.inet.carp.preempt=1
====================================================

/boot/loader.conf:
====================================================
net.isr.maxthreads="2"
net.isr.defaultqlimit="4096"
net.isr.maxqlimit="81920"
net.isr.direct="1"
net.isr.bindthreads="1"
hw.igb.num_queues=2
hw.igb.enable_aim=1
hw.igb.txd=2048
hw.igb.rxd=2048
hw.igb.max_interrupt_rate=8000
hw.intr_storm_threshold=10000
kern.ipc.nmbclusters="262144"
kern.hz=1000
====================================================

# sysctl -a hw.igb
hw.igb.rx_process_limit: 100
hw.igb.num_queues: 2
hw.igb.header_split: 0
hw.igb.max_interrupt_rate: 8000
hw.igb.enable_msix: 1
hw.igb.enable_aim: 1
hw.igb.txd: 2048
hw.igb.rxd: 2048

# sysctl -a dev.igb
(Port 2 && 3 stripped .. due to no connectivity/unused)

The Hardware:
Dell R410, Xeon E5640
6GByte Memory (DDR3..)
Intel Quad Port GBit Adapter (82576) [igb..]
  Port.0 Used => public / provider
  Port.1 Used => internal network (servers)

About 500 Machines behind this router.

Has anything changed from 8.2 to 9.0 that I missed to consider in configuration?

Thanks,
Florian

Date: Tue, 18 Oct 2011 20:25:49 +0200
From: Florian Smeets
To: Florian Wilkemeyer
Cc: freebsd-pf@FreeBSD.org
Subject: Re: PF NAT issue with 9.0-BETA3 and RELENG_9 'head'

On 18.10.11 18:44, Florian Wilkemeyer wrote:
> Hello,
>
> I recently switched a router in our test-environment to FreeBSD 9.0-Beta3
> (and after things didn't work ... checked out the current RELENG_9
> and recompiled kernel & world .. )
>
> Problem:
> After 5 - 15 minutes NAT stops working (normal routing still works.)
>
> Network Utilization: about 40 MByte/second, which gets routed
> only a few kbit/s are getting natted (NTP Syncs and such ... )
>
> When I took a look on the nat rules (via pfctl -vv -s nat)
> the rules get evaluated; but nothing matches anymore...
>
> State Table holds about 9500 entries,
> Source Tracking Table about 300
>

Hi,

I guess you have pf compiled into your kernel? Try to use the module,
that should be a workaround. This is a known problem and people are
working on it.

HTH,
Florian

From: "Bjoern A. Zeeb"
Date: Wed, 19 Oct 2011 09:00:58 +0000
To: freebsd-pf@freebsd.org
Subject: Fix for no state removal if compiled into kernel ... Fwd: svn commit: r226530 - head/sys/contrib/pf/net

Hi,

for all of you. pfsync will be next. If you want to fetch the patch, it's also here:
http://people.freebsd.org/~bz/20111019-01-pf-state-removal.diff

I'll make sure it'll be part of RC2.

/bz

Begin forwarded message:

> From: "Bjoern A. Zeeb"
> Date: 19. October 2011 08:57:17 GMT+00:00
> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
> Subject: svn commit: r226530 - head/sys/contrib/pf/net
>
> Author: bz
> Date: Wed Oct 19 08:57:17 2011
> New Revision: 226530
> URL: http://svn.freebsd.org/changeset/base/226530
>
> Log:
>   Fix a bug when NPFSYNC > 0 that on FreeBSD we would always return
>   and never remove state.
>
>   This fixes the problem some people are seeing that state is removed when pf
>   is loaded as a module but not in situations when compiled into the kernel.
>
>   Reported by: many on freebsd-pf
>   Tested by: flo
>   MFC after: 3 days
>
> Modified:
>   head/sys/contrib/pf/net/pf.c
>
> Modified: head/sys/contrib/pf/net/pf.c > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- head/sys/contrib/pf/net/pf.c Wed Oct 19 08:52:14 2011 = (r226529) > +++ head/sys/contrib/pf/net/pf.c Wed Oct 19 08:57:17 2011 = (r226530) 
> @@ -1626,8 +1626,8 @@ pf_free_state(struct pf_state *cur) >=20 > #if NPFSYNC > 0 > #ifdef __FreeBSD__ > - if (pfsync_state_in_use_ptr !=3D NULL) > - pfsync_state_in_use_ptr(cur); > + if (pfsync_state_in_use_ptr !=3D NULL && > + pfsync_state_in_use_ptr(cur)) > #else > if (pfsync_state_in_use(cur)) > #endif

-- 
Bjoern A. Zeeb
You have to have visions!
Stop bit received. Insert coin for new address family.

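Review bot: In pf_free_state(), the if header is still selected by #ifdef __FreeBSD__ / #else while the statement it guards sits after #endif, outside the hunk, and that split is what allowed the removed FreeBSD lines to form a complete statement of their own so the guarded return ran every time. Consider folding the NULL check and the call into one predicate (a small inline helper or macro) so both branches share a single if line, or add a comment on the + lines saying that the guarded statement follows #endif. The log could also state that a NULL pfsync_state_in_use_ptr is meant to fall through to removing the state, since with && that is now what happens.
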
From: bz@FreeBSD.org
Subject: Re: kern/159390: [pf] [panic] mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:2029

Synopsis: [pf] [panic] mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:2029

Responsible-Changed-From-To: freebsd-pf->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Wed Oct 19 09:40:22 UTC 2011
Responsible-Changed-Why:
Working on it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=159390

From: bz@FreeBSD.org
Subject: Re: kern/158873: [pf] [panic] When I launch pf daemon, I have a kernel panic

Synopsis: [pf] [panic] When I launch pf daemon, I have a kernel panic

Responsible-Changed-From-To: freebsd-pf->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Wed Oct 19 11:38:23 UTC 2011
Responsible-Changed-Why:
Take. Seen too late that here's another patch.

http://www.freebsd.org/cgi/query-pr.cgi?pr=158873

From: bz@FreeBSD.org
Subject: Re: kern/158636: [pf] if_pfsync.c fails to build when NBPFILTER == 0

Synopsis: [pf] if_pfsync.c fails to build when NBPFILTER == 0

Responsible-Changed-From-To: freebsd-pf->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Wed Oct 19 14:40:15 UTC 2011
Responsible-Changed-Why:
Take

http://www.freebsd.org/cgi/query-pr.cgi?pr=158636

From: "Bjoern A. Zeeb"
Date: Wed, 19 Oct 2011 21:28:57 +0000
Message-Id: <96FFF919-F33F-46FA-9249-92F2E6003ECF@lists.zabbadoz.net>
To: freebsd-pf@freebsd.org
Subject: pfsync locking changes - please test

Hi,

here's a combined patch of all but the one change I already posted
earlier today.

http://people.freebsd.org/~bz/20111019-03-pf-pfsync-locking.diff

If you want to help testing on stable/9 apply both. Any feedback
would be very appreciated. If you are running HEAD you can just
update and recompile.

It's not all pf fixes but all for today and I'd really feel better for
MFCing them in a couple of days if I get a couple of success reports;)

/bz

--
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 21 11:11:40 2011
Date: Fri, 21 Oct 2011 11:11:39 GMT
Message-Id: <201110211111.p9LBBdAH039832@freefall.freebsd.org>
To: pawel.biernacki@gmail.com, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org, glebius@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/159029: [pf] [panic] m_copym, offset > size of mbuf chain when pfsync_enable="YES"

Synopsis: [pf] [panic] m_copym, offset > size of mbuf chain when pfsync_enable="YES"

State-Changed-From-To: open->patched
State-Changed-By: glebius
State-Changed-When: Fri Oct 21 11:10:16 UTC 2011
State-Changed-Why:
Fixed in head/.

Responsible-Changed-From-To: freebsd-pf->glebius
Responsible-Changed-By: glebius
Responsible-Changed-When: Fri Oct 21 11:10:16 UTC 2011
Responsible-Changed-Why:
Working on this.

http://www.freebsd.org/cgi/query-pr.cgi?pr=159029

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 22 22:45:18 2011
Date: Sat, 22 Oct 2011 15:06:54 -0700
From: John-Mark Gurney
To: freebsd-pf@FreeBSD.org
Message-ID: <20111022220654.GD25601@funkthat.com>
Subject: panic loading/enabling pf on ARM RELENG_9

I'm trying to bring up an old Gateworks GW2348 board and get a
panic when I have enabled pf and try to load rules at boot...

The only modifications between the AVILA config file and mine is
adding the pf, pflog and pfsync devices since AVILA doesn't have
them enabled by default, nor does it build the modules... So I am
trying to statically build in pf...

W/o pf, it boots fine.

The entire set of boot messages is as follows:
+No devices on IDE controller 0
Trying NPE-B...success. Using NPE-B with PHY 0.
... waiting for BOOTP information
Ethernet eth0: MAC address 00:d0:12:02:47:33
IP: 192.168.0.31/255.255.255.0, Gateway: 192.168.0.14
Default server: 192.168.0.4
RedBoot(tm) bootstrap and debug environment [ROM]
Gateworks certified release, version 2.02 - built 05:22:19, Mar 3 2006
Platform: Gateworks Avila GW234X (IXP42X 533MHz) BE
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2004, 2005 Gateworks Corporation
RAM: 0x00000000-0x04000000, [0x000298b0-0x03fc1000] available
FLASH: 0x50000000 - 0x51000000, 128 blocks of 0x00020000 bytes each.
== Executing boot script in 1.000 seconds - enter ^C to abort
RedBoot> load -b 0x200000 -h 192.168.0.4 kernel.avila
Using default protocol (TFTP)
Address offset = 0x40000000
Entry point: 0x00200100, address range: 0x00200000-0x0065c328
RedBoot> go
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2011 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 9.0-RC1 #1 r226641: Mon Oct 10 11:13:06 PDT 2011
jmg@pcbsd-779:/usr/obj/arm.armeb/usr/src/sys/gate2 arm
CPU: IXP425 533MHz rev 1 (ARMv5TE) (XScale core)
DC enabled IC enabled WB enabled LABT branch prediction enabled
32KB/32B 32-way Instruction cache
32KB/32B 32-way write-back-locking Data cache
real memory = 67108864 (64 MB)
avail memory = 57380864 (54 MB)
ixp0: on motherboard
ixp0: 37fff
pcib0: on ixp0
pci0: on pcib0
ixpclk0: on ixp0
ixpiic0: on ixp0
iicbb0: on ixpiic0
iicbus0: on iicbb0 master-only
iic0: on iicbus0
ad74180: at addr 0x50 on iicbus0
ds1672_rtc0: at addr 0xd0 on iicbus0
ixpwdog0: on ixp0
uart0: on ixp0
uart0: console (115200,n,8,1)
uart1: on ixp0
ixpqmgr0: on ixp0
npe0: on ixp0
npe0: MAC at 0xc8009000
npe0: MII at 0xc8009000
npe0: load fw image IXP425.NPE-B Func 0x2 Rev 2.1
miibus0: on npe0
ukphy0: PHY 0 on miibus0
ukphy0: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
npe0: Ethernet address: 00:d0:12:02:47:33
npe1: on ixp0
npe1: MAC at 0xc800a000
npe1: MII at 0xc8009000
npe1: load fw image IXP425.NPE-C Func 0x5 Rev 2.1
miibus1: on npe1
ukphy1: PHY 1 on miibus1
ukphy1: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
npe1: Ethernet address: 00:d0:12:12:47:33
cfi0: on ixp0
cfid0 on cfi0
ata_avila0: on ixp0
ata0: on ata_avila0
led_avila0: on ixp0
gpio_avila0: on ixp0
Timecounter "IXP4XX Timer" frequency 66666600 Hz quality 1000
Timecounters tick every 10.000 msec
bootpc_init: wired to interface 'npe0'
Sending DHCP Discover packet from interface npe0 (00:d0:12:02:47:33)
npe0: link state changed to UP
Received DHCP Offer packet on npe0 from 192.168.0.4 (accepted) (no root path)
Sending DHCP Request packet from interface npe0 (00:d0:12:02:47:33)
Received DHCP Ack packet on npe0 from 192.168.0.4 (accepted) (got root path)
npe0 at 192.168.0.31 server 192.168.0.4 boot file kernel.avila
subnet mask 255.255.255.0 router 192.168.0.14 rootfs 192.168.0.80:/home/jmg/armeb.xscale rootopts nolockd
Adjusted interface npe0
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
RPC timeout for server 192.168.0.80
hwpmc: XSCALE/4/32/0x1ff
Trying to mount root from nfs: []...
NFS ROOT: 192.168.0.80:/home/jmg/armeb.xscale
Interface npe0 IP-Address 192.168.0.31 Broadcast 192.168.0.255
Setting hostuuid: 1d60d808-1dd2-11b2-9e5d-00d012024733.
Setting hostid: 0x0181803e.
Entropy harvesting: interrupts ethernet point_to_point kickstart.
Starting file system checks:
mount_nfs: can't update /var/db/mounttab for 192.168.0.80:/home/jmg/armeb.xscale
Mounting local file systems:.
Setting hostname: gate2.funkthat.com.
npe1: ixpnpe_intr: status 0x60000
ifconfig: inet: bad value
Starting Network: lo0 npe0 npe1.
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet 127.0.0.1 netmask 0xff000000
npe0: flags=8843 metric 0 mtu 1500
        options=80008
        ether 00:d0:12:02:47:33
        inet 192.168.0.31 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX )
        status: active
npe1: flags=8843 metric 0 mtu 1500
        options=80008
npe1: link state changed to DOWN
        ether 00:d0:12:12:47:33
        media: Ethernet autoselect (none)
        status: no carrier
Starting devd.
DHCPDISCOVER on npe0 to 255.255.255.255 port 67 interval 7
DHCPOFFER from 192.168.0.4
DHCPREQUEST on npe0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.4
bound to 192.168.0.31 -- renewal in 18000 seconds.
Starting pflog.
pflog0: promiscuous mode enabled
Oct 22 15:01:00 pflogd[678]: [priv]: msg PRIV_OPEN_LOG received
Enabling pfpanic: mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:3163
KDB: enter: panic
[ thread pid 686 tid 100055 ]
Stopped at kdb_enter+0x48: ldrb r15, [r15, r15, ror r15]!
db> bt
Tracing pid 686 tid 100055 td 0xc0ee3b80
kdb_enter() at kdb_enter+0xc
        scp=0xc03c2d90 rlv=0xc03931bc (panic+0xcc)
        rsp=0xc60bdbe0 rfp=0xc60bdbf4
        r4=0x00000100
panic() at panic+0x10
        scp=0xc0393100 rlv=0xc0383ae0 (_mtx_assert+0x134)
        rsp=0xc60bdc08 rfp=0xc60bdc18
_mtx_assert() at _mtx_assert+0xc
        scp=0xc03839b8 rlv=0xc021f2c8 (pfsync_send_plus+0xd8)
        rsp=0xc60bdc1c rfp=0xc60bdc40
        r4=0x00000c50
pfsync_send_plus() at pfsync_send_plus+0xc
        scp=0xc021f1fc rlv=0xc021f41c (pfsync_clear_states+0x80)
        rsp=0xc60bdc44 rfp=0xc60bdc74
        r10=0xc0ee3b80 r8=0xc0ee2800
        r7=0x00000000 r6=0x9ce3bc1b r5=0xc0ee2878 r4=0xc60bdc44
pfsync_clear_states() at pfsync_clear_states+0xc
        scp=0xc021f3a8 rlv=0xc0235190 (pfioctl+0x1730)
        rsp=0xc60bdc78 rfp=0xc60bdd30
        r6=0xc05814c8 r5=0x00000000 r4=0xc0ee2800
pfioctl() at pfioctl+0xc
        scp=0xc0233a6c rlv=0xc02fc224 (dev2udev+0x364)
        rsp=0xc60bdd34 rfp=0xc60bdd70
        r10=0x00000000 r9=0xc60bdeac r8=0xc0de6c40
        r7=0x00000000 r6=0xc0ee3b80 r5=0xc0ee2800 r4=0xc0cc4412
dev2udev() at dev2udev+0x27c
        scp=0xc02fc13c rlv=0xc03d78a0 (kern_ioctl+0x23c)
        rsp=0xc60bdd74 rfp=0xc60bdda4
        r10=0xc0ee3b80 r9=0xc60bdeac r8=0x00000003
        r7=0xc0dc5500 r6=0x00000000 r5=0xc0cc4412 r4=0xc0ee2800
kern_ioctl() at kern_ioctl+0xc
        scp=0xc03d7670 rlv=0xc03d7a24 (sys_ioctl+0x114)
        rsp=0xc60bdda8 rfp=0xc60bddd4
        r10=0xc0ee3b80 r8=0xc0ee2800
        r7=0xc60bde30 r6=0x00000000 r5=0x000000cc r4=0xc0cc4412
sys_ioctl() at sys_ioctl+0xc
        scp=0xc03d791c rlv=0xc0543fd0 (swi_handler+0x2f4)
        rsp=0xc60bddd8 rfp=0xc60bdea8
        r10=0x00000000 r8=0xc0ee1000
        r7=0xc0ee3b80 r6=0x00000004 r5=0x00000010 r4=0x00000003
swi_handler() at swi_handler+0xc
        scp=0xc0543ce8 rlv=0xc05355ec (swi_entry+0x40)
        rsp=0xc60bdeac rfp=0xbfffea10
        r10=0x00000003 r9=0xbfffee7c r8=0x00000000
        r7=0x00000000 r6=0x00000000 r5=0x00000003 r4=0x00000000
db>

--
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 22 22:54:52 2011
Message-ID: <4EA349BB.1030303@FreeBSD.org>
Date: Sun, 23 Oct 2011 00:54:51 +0200
From: Florian Smeets
To: John-Mark Gurney
In-Reply-To: <20111022220654.GD25601@funkthat.com>
Cc: freebsd-pf@FreeBSD.org
Subject: Re: panic loading/enabling pf on ARM RELENG_9

On 23.10.11 00:06, John-Mark Gurney wrote:
> I'm trying to bring up an old Gateworks GW2348 board and get a
> panic when I have enabled pf and try to load rules at boot...
>
> The only modifications between the AVILA config file and mine is
> adding the pf, pflog and pfsync devices since AVILA doesn't have
> them enabled by default, nor does it build the modules... So I am
> trying to statically build in pf...
>
> W/o pf, it boots fine.
>
> Oct 22 15:01:00 pflogd[678]: [priv]: msg PRIV_OPEN_LOG received
> Enabling pfpanic: mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:3163
> KDB: enter: panic

Please try the patches mentioned in this message

http://docs.freebsd.org/cgi/mid.cgi?96FFF919-F33F-46FA-9249-92F2E6003ECF

there are additional fixes from glebius in head r226609 and r226623.

HTH,
Florian
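
The panic line and DDB backtrace from John-Mark Gurney's report, reduced to a call chain. This is an added example, not part of the original thread; the input is the first six frames copied from the report, and the function names (parse_panic, parse_frames, chain_is_consistent, asserting_frame) are the example's own. The patterns ignore line breaks, so they also work on trace text that an archive has flattened onto one line.

```python
import re

# Excerpt copied from the report above: panic line plus the innermost six frames.
SAMPLE = """\
Enabling pfpanic: mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:3163
KDB: enter: panic
db> bt
Tracing pid 686 tid 100055 td 0xc0ee3b80
kdb_enter() at kdb_enter+0xc scp=0xc03c2d90 rlv=0xc03931bc (panic+0xcc) rsp=0xc60bdbe0 rfp=0xc60bdbf4 r4=0x00000100
panic() at panic+0x10 scp=0xc0393100 rlv=0xc0383ae0 (_mtx_assert+0x134) rsp=0xc60bdc08 rfp=0xc60bdc18
_mtx_assert() at _mtx_assert+0xc scp=0xc03839b8 rlv=0xc021f2c8 (pfsync_send_plus+0xd8) rsp=0xc60bdc1c rfp=0xc60bdc40 r4=0x00000c50
pfsync_send_plus() at pfsync_send_plus+0xc scp=0xc021f1fc rlv=0xc021f41c (pfsync_clear_states+0x80) rsp=0xc60bdc44 rfp=0xc60bdc74 r10=0xc0ee3b80 r8=0xc0ee2800 r7=0x00000000 r6=0x9ce3bc1b r5=0xc0ee2878 r4=0xc60bdc44
pfsync_clear_states() at pfsync_clear_states+0xc scp=0xc021f3a8 rlv=0xc0235190 (pfioctl+0x1730) rsp=0xc60bdc78 rfp=0xc60bdd30 r6=0xc05814c8 r5=0x00000000 r4=0xc0ee2800
pfioctl() at pfioctl+0xc scp=0xc0233a6c rlv=0xc02fc224 (dev2udev+0x364) rsp=0xc60bdd34 rfp=0xc60bdd70 r10=0x00000000 r9=0xc60bdeac r8=0xc0de6c40 r7=0x00000000 r6=0xc0ee3b80 r5=0xc0ee2800 r4=0xc0cc4412
"""

# "mutex <name> owned at <file>:<line>", as printed in the report's panic line.
PANIC_RE = re.compile(r"panic: mutex (?P<lock>.+?) owned at (?P<file>\S+):(?P<line>\d+)")
# One DDB frame: "f() at f+0x.. scp=0x.. rlv=0x.. (caller+0x..)"; \s+ spans newlines.
FRAME_RE = re.compile(
    r"(?P<func>\w+)\(\) at (?P=func)\+0x[0-9a-f]+\s+scp=0x[0-9a-f]+\s+"
    r"rlv=0x[0-9a-f]+\s+\((?P<caller>\w+)\+0x(?P<off>[0-9a-f]+)\)")
# Frames that belong to the panic machinery rather than to the code under suspicion.
PANIC_PATH = {"kdb_enter", "panic", "_mtx_assert"}


def parse_panic(text):
    """Return (lock name, source file, line) from the 'mutex ... owned at' line."""
    m = PANIC_RE.search(text)
    return (m["lock"], m["file"], int(m["line"])) if m else None


def parse_frames(text):
    """Return [(function, caller, return offset in caller)], innermost first."""
    return [(m["func"], m["caller"], int(m["off"], 16))
            for m in FRAME_RE.finditer(text)]


def chain_is_consistent(frames):
    """Each frame's return symbol must name the next frame; False means a gap."""
    return all(cur[1] == nxt[0] for cur, nxt in zip(frames, frames[1:]))


def asserting_frame(frames):
    """First frame outside the panic machinery: the code that made the assertion."""
    return next((f for f in frames if f[0] not in PANIC_PATH), None)


if __name__ == "__main__":
    lock, path, line = parse_panic(SAMPLE)
    frames = parse_frames(SAMPLE)
    print(f"lock {lock!r} reported owned at {path}:{line}")
    print("chain consistent:", chain_is_consistent(frames))
    print(" <- ".join(f[0] for f in frames))
    print("assertion made in:", asserting_frame(frames))
```

For this trace the chain is consistent and the assertion was made in pfsync_send_plus, reached from pfioctl through pfsync_clear_states.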