From owner-freebsd-pf@FreeBSD.ORG Sun Jun 17 09:58:14 2007
Date: Sun, 17 Jun 2007 13:41:26 +0400
From: Eygene Ryabinkin
To: Max Laier
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing
Message-ID: <20070617094126.GT3779@void.codelabs.ru>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Max, good day.

Sat, Jun 16, 2007 at 03:47:24AM +0200, Max Laier wrote:
> $subject at: http://people.freebsd.org/~mlaier/PF41/

I glanced over the new code and found that no changes were
introduced to the altq_subr.c. And there was a rather old issue
I found in April: non-initialised callback due to Nate Lawson's
changes in handling the changing CPU frequencies.

Looks like it is still living in the code. My original posting
is at
http://lists.freebsd.org/pipermail/freebsd-current/2007-April/071652.html

Could you please take a look?

Thank you!
-- 
Eygene

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 17 11:11:02 2007
Date: Sun, 17 Jun 2007 13:09:28 +0200
From: Volker
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: USER/GROUP rules on the chopping Block
Message-ID: <46751668.8070307@vwsoft.com>

> On 06/06/07 16:29, Max Laier wrote:
>> After several attempts to fix user/group rules which ended like the most
>> recent one - cited below - with *ZERO* feedback, I won't waste any more
>> effort. Either somebody steps up, does proper testing and reports back,
>> or user/group rules go! End of story!
>
> ...
> Before trying to check your fixes, I've set up a plain (recently
> csup'ed) -CURRENT system w/o your patch. Unfortunately while trying
> hard to get that box into an LOR, I'm unable to do so easily. As I need
> to verify an unpatched against a patched system, I need to find a
> _reliable_ way to get the box LORing.
> ...
>
> What am I doing wrong? How do I get the (unpatched) system reliably
> into an LOR and being able to verify that with a patched system?
> ...
> Can you help me to find a reliable way to get that LOR and prove your
> patch? Anybody else having any comments on this?

Max & all,

I don't suspect my request has been unclear, as it's written 3 times
within one posting. After getting no response (from anyone) for more
than a week, I don't think it makes sense to me to wait any longer and
hope or pray for a hint.

Max, you may safely drop uid/gid support from pf as I'm unable to test
your patches and it seems like I'm the only one who cares.

On the other side, the next time a message like 'if nobody tests
patches...' pops up, I'll be the first one to contradict (no Max, this
is not against you). Probably I should give the same level of support
to others as it's been given to me (sad to say, which will then be zero).

Volker

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 17 13:19:29 2007
Date: Sun, 17 Jun 2007 15:19:28 +0200
From: Ermal Luçi
To: freebsd-pf@freebsd.org
Cc: volker@vwsoft.com
Subject: Re: filtering bridges [was: PF error message looping on screen]
Message-ID: <9a542da30706170619x52a3df36q62b3825449f4df19@mail.gmail.com>

> On 06/16/07 21:29, Adam McDougall wrote:
> > On Sat, Jun 16, 2007 at 05:20:39PM +0200, Volker wrote:
> ...
> > > If that doesn't help, I recommend rewriting your rules a bit and use
> > > 'set state-policy if-bound' (which I'm using most as I find it better
> > > to administer). Unfortunately I don't have experience with
> > > state-policy if-bound in a bridged environment (just a little warning).
> >
> > I was thinking the same thing regarding if-bound. I use if-bound in production
> > on a pf bridge and found it avoids lots of loose state match and other state
> > confusion. Also, I have found using pf loud debugging tends to deadlock the
> > console after not too long if I have more than one cpu enabled, so I avoid
> > using it in production. After much testing, I feel comfortable without it,
> > however interesting it is.
>
> Adam,
>
> Thanks for your hint. I wasn't quite sure if if-bound works on bridges
> as I don't have much bridge experiences.
>
> On a bridge, does it make sense to filter on bridge0 or is it
> generally better to filter on its member interfaces?
>
> Using a quick google search, I found some problems when filtering on
> the bridge interface in the past but if I would be in need of setting
> up a bridge, it would be the first thing for me to filter on the
> bridge interface and not on the member interfaces. What's the big
> reason for either?

The reason is that you will see the same packets twice with different
directions on the same interface (bridge#). Since it passes the bridge
twice, one entering it with direction 'in', and then when leaving it with
direction 'out'. So it gets really tricky to create rulesets in such
conditions unless you know what you're doing. Hence, the solution
filtering on members which will see only once a packet and avoid
complexity.

>
> Thanks
>
> Volker
>
>
Ermali
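
Added example (not part of the thread, and not code from any poster or
from the FreeBSD project): a pf.conf sketch of the layout the reply
above recommends, filtering on one bridge member instead of on bridge0,
combined with the if-bound state policy suggested in the quoted text.
The interface names em0, em1 and bridge0 and the ports are assumptions;
the two sysctls named in the comments are from if_bridge(4), not from
the thread.

```conf
# pf.conf sketch for a filtering bridge (constructed example).
# Assumed topology: bridge0 has two members, em0 (untrusted side)
# and em1 (protected side).
#
# Related if_bridge(4) sysctls (from the manual page, not the thread):
#   net.link.bridge.pfil_member=1   # run the packet filter on members
#   net.link.bridge.pfil_bridge=0   # optional: no filter pass on bridge0

ext_if = "em0"      # assumed name: member facing the untrusted side
int_if = "em1"      # assumed name: member facing the protected side

# States are bound to the interface that created them, so a state made
# on $ext_if can never match traffic seen on another interface.
set state-policy if-bound

# Filter in exactly one place. bridge0 and the inside member are
# skipped, so every forwarded packet is evaluated once, where it
# crosses $ext_if. Filtering on bridge0 instead would, as the reply
# explains, present each forwarded packet twice on the same interface
# (once "in", once "out"), and the ruleset would need rules for both
# passes.
set skip on { lo0, bridge0, $int_if }

# Default deny on the one interface that is filtered.
block log on $ext_if all

# From the untrusted side towards the protected side: "in" on $ext_if.
# Ports 22 and 80 are placeholders for whatever is actually served.
pass in on $ext_if inet proto tcp from any to any port { 22, 80 } \
    flags S/SA keep state

# From the protected side outwards: the packet entered on $int_if
# (skipped) and leaves the bridge "out" on $ext_if.
pass out on $ext_if inet proto { tcp, udp, icmp } from any to any \
    keep state
```

Replies match the state created on $ext_if in the opposite direction,
so no mirrored rules are needed; the syntax can be checked without
loading it using pfctl -nf.
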
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 17 14:12:42 2007
Date: Sun, 17 Jun 2007 15:43:35 +0200
From: "Dalibor Gudzic"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf version 3.7 on freebsd
Message-ID: <866fa9520706170643t7996f5e0nec896798724bc48@mail.gmail.com>

On 6/15/07, Max Laier wrote:
>
> Yes, FreeBSD RELENG_6's pf is based on OpenBSD 3.7.
>

I don't want to bore everyone with this but I was wondering whether it's
possible to know what exactly is "available" in FreeBSD's pf in comparison
with OpenBSD's ( 3.7) pf?
I've read the details on http://pf4freebsd.love2party.net/ but the status
details there are outdated. FreeBSD Handbook referring to pf isn't helping
much either.
So my question is: is it possible to keep track of what options are
available (and which are not) in pf/ALTQ port of FreeBSD? Something like
info on: http://people.freebsd.org/~mlaier/PF41/README.txt

I understand the purpose of this mailing list but I just wondered whether
it's possible to keep things in one place.

> There is also an update to OpenBSD 4.1 code available from
> http://people.freebsd.org/~mlaier/PF41/ for testing.
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

Great work, will definitely update to give it a try.

Regards

P.S. Sorry Max if I sent out 2 messages.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 18 08:07:56 2007
Date: Sun, 17 Jun 2007 17:24:14 +0200
From: Max Laier
Organization: FreeBSD
To: "Dalibor Gudzic"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf version 3.7 on freebsd
Message-Id: <200706171724.20635.max@love2party.net>

On Sunday 17 June 2007, Dalibor Gudzic wrote:
> On 6/15/07, Max Laier wrote:
> > Yes, FreeBSD RELENG_6's pf is based on OpenBSD 3.7.
>
> I don't want to bore everyone with this but I was wondering whether
> it's possible to know what exactly is "available" in FreeBSD's pf in
> comparison with OpenBSD's ( 3.7) pf?

Everything except route tags.

> I've read the details on http://pf4freebsd.love2party.net/ but the
> status details there are outdated. FreeBSD Handbook referring to pf
> isn't helping much either.

Yeah, I have been slacking in that department.  I think we should take it
to the wiki instead.  Volunteers welcome!

> So my question is: is it possible to keep track of what options are
> available (and which are not) in pf/ALTQ port of FreeBSD? Something
> like info on: http://people.freebsd.org/~mlaier/PF41/README.txt
>
>
> I understand the purpose of this mailing list but I just wondered
> whether it's possible to keep things in one place.

As I said above, a wiki page might be in order, but I don't do much wiki
or doc work in general - lazy me.

> > There is also an update to OpenBSD 4.1 code available from
> > http://people.freebsd.org/~mlaier/PF41/ for testing.
>
> Great work, will definitely update to give it a try.

Thanks, please do provide feedback!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 18 08:07:59 2007
Date: Sun, 17 Jun 2007 17:17:14 +0200
From: Max Laier
Organization: FreeBSD
To: Eygene Ryabinkin
Cc: nate@root.org, freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

On Sunday 17 June 2007, Eygene Ryabinkin wrote:
> Max, good day.
>
> Sat, Jun 16, 2007 at 03:47:24AM +0200, Max Laier wrote:
> > $subject at: http://people.freebsd.org/~mlaier/PF41/
>
> I glanced over the new code and found that no changes were
> introduced to the altq_subr.c. And there was a rather old issue
> I found in April: non-initialised callback due to Nate Lawson's
> changes in handling the changing CPU frequencies.
>
> Looks like it is still living in the code. My original posting
> is at
>http://lists.freebsd.org/pipermail/freebsd-current/2007-April/071652.html
>
> Could you please take a look?

Are you saying that the patch in that mail fixes things for you?  I recall
the discussion vaguely, but somehow dropped out of it - sorry.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 18 11:08:37 2007
Date: Mon, 18 Jun 2007 11:08:33 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
Message-Id: <200706181108.l5IB8Xq8017707@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         [pf] pf accepts nonexistent queue in rules
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf         [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2

6 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 18 18:48:48 2007
Date: Mon, 18 Jun 2007 20:48:46 +0200
From: "Dalibor Gudzic"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf version 3.7 on freebsd
Message-ID: <866fa9520706181148w5fc192b9i18d64ec4c8ee6047@mail.gmail.com>

On 6/17/07, Max Laier wrote:
>
> Yeah, I have been slacking in that department. I think we should take it
> to the wiki instead. Volunteers welcome!

OK, what exactly is needed? Someone to keep the things up to date on wiki,
someone to set up a wiki somewhere or something else?

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 18 19:15:27 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D774D16A46B for ; Mon, 18 Jun 2007 19:15:27 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 9872713C44B for ; Mon, 18 Jun 2007 19:15:27 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d3c.q.ppp-pool.de [89.53.125.60]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 3761C12883F; Mon, 18 Jun 2007 21:15:21 +0200 (CEST) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 9F2B63F51A; Mon, 18 Jun 2007 21:14:13 +0200 (CEST) Message-ID: <4676D98A.2@vwsoft.com> Date: Mon, 18 Jun 2007 21:14:18 +0200 
From: Volker User-Agent: Thunderbird 2.0.0.4 (X11/20070615) MIME-Version: 1.0 To: Dalibor Gudzic References: <8142b02f0706151122s2775911fme30e79f67e4da625@mail.gmail.com> <200706152112.51383.max@love2party.net> <866fa9520706170643t7996f5e0nec896798724bc48@mail.gmail.com> <200706171724.20635.max@love2party.net> <866fa9520706181148w5fc192b9i18d64ec4c8ee6047@mail.gmail.com> In-Reply-To: <866fa9520706181148w5fc192b9i18d64ec4c8ee6047@mail.gmail.com> X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: pf version 3.7 on freebsd X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Jun 2007 19:15:27 -0000 On 06/18/07 20:48, Dalibor Gudzic wrote: > On 6/17/07, Max Laier wrote: > >> >> Yeah, I have been slacking in that department. I think we should take it >> to the wiki instead. Volunteers welcome! > > > > OK, what exactly is needed? Someone to keep the things up to date on wiki, > someone to setup a wiki somewhere or something else? 
IMHO the only appropriate location: http://wiki.freebsd.org From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 07:41:58 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1E7A116A400 for ; Tue, 19 Jun 2007 07:41:58 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from pobox.codelabs.ru (pobox.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id C366113C44B for ; Tue, 19 Jun 2007 07:41:57 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender:Subject; b=AoC95VB/xZ35wDZfQcpfiu8oQyq2Ft/Sxn5Vq29TLV3/xavKr71Qxj8V3FfE8RP3O1hqsc+czerlumfb9CybCozNTehTnC29W6SE/R8/pm8b3s4RgHvoxnwGOMJRmzySNVbMwLzaTNrkIBpdzBwjmRyMChjLV+0eGt3LZx9yuCE=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by pobox.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1I0YLb-0005Dt-5z; Tue, 19 Jun 2007 11:41:55 +0400 Date: Tue, 19 Jun 2007 11:41:50 +0400 
From: Eygene Ryabinkin To: Max Laier Message-ID: <20070619074150.GC26920@void.codelabs.ru> References: <200706160347.33331.max@love2party.net> <20070617094126.GT3779@void.codelabs.ru> <200706171717.21585.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <200706171717.21585.max@love2party.net> Sender: rea-fbsd@codelabs.ru Cc: nate@root.org, freebsd-pf@freebsd.org Subject: Re: pf 4.1 Update available for testing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jun 2007 07:41:58 -0000 Max, good day. Sun, Jun 17, 2007 at 05:17:14PM +0200, Max Laier wrote: > > I glanced over the new code and found that no changes were > > introduced to the altq_subr.c. And there was rather old issue > > I found in April: non-initialised callback due to Nate Lawson's > > changes in handling the changing CPU frequencies. > > > > Looks like it is still living in the code. My original posting > > is at > >http://lists.freebsd.org/pipermail/freebsd-current/2007-April/071652.html > > > > Could you please take a look? > > Are you saying that the patch in that mail fixes things for you? I recall > the discussion vaguely, but somehow dropped out of it - sorry. Yes, the patch fixed the kernel crash for me. Just tested on the -CURRENT that is about a week old without my patch: it crashes. The easiest way to test it is to start the machine without ALTQ statements in the pf.conf, wait a while for the CPU frequency change and then to enable ALTQ in the pf.conf. The only needed statements are the 'altq' for the acrtive interface, one does not need any altq-related statements for the filtering rules. This sequence provokes the ALTQ's cpufreq handler to be invoked and the machclk_freq to be initialized to some value. 
When ALTQ will be enabled, the callback won't be initialized. And I am almost immediately catching the kernel fault in the softclock, due to the bad callback. With my patch the problem goes away. Just checked ;)) -- Eygene From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 11:51:14 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 83CBE16A46B for ; Tue, 19 Jun 2007 11:51:14 +0000 (UTC) (envelope-from rob@techniumcast.com) Received: from smtp.techniumcast.net (smtp.techniumcast.net [194.74.204.204]) by mx1.freebsd.org (Postfix) with ESMTP id 5302513C457 for ; Tue, 19 Jun 2007 11:51:14 +0000 (UTC) (envelope-from rob@techniumcast.com) Received: from [10.1.32.11] (penguin.techniumcast.net [10.1.32.11]) by smtp.techniumcast.net (Postfix) with ESMTP id BF99D120B8F for ; Tue, 19 Jun 2007 12:34:34 +0100 (BST) Message-ID: <4677BF4A.8000601@techniumcast.com> Date: Tue, 19 Jun 2007 12:34:34 +0100 
From: Rob Shepherd User-Agent: Thunderbird 2.0.0.0 (X11/20070423) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: firewalling and ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jun 2007 11:51:14 -0000 Dear freebsd firewallers, I've just installed FreeBSD with a view to making a traffic shaping, or essentially transfer capacity limiting device. This must sit on bridged interfaces between org and edge outers. I'm having some difficulty working out which bits I need, which packet filter to use and how to get started. There appears to be 3 packet filters pf,ipf,ipfw is this right? ALTQ works with each? additionally, I don't seem to have any /dev/ entries croesor# pfctl -v pfctl: /dev/pf: No such file or directory croesor# ipfstat open(IPSTATE_NAME): No such file or directory croesor# ipf -V ipf: IP Filter: v4.1.13 (528) open device: No such file or directory I'd like some pointers to get me on track please. There are many tutorials, but it's impossible to know what is the current supported filter package, what works best with bridging and ALTQ and how to test them when there's bits missing. 
Cheers Rob -- Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd Technium CAST | LL57 4HJ | http://www.techniumcast.com rob@techniumcast.com | 01248 675024 | 077988 72480 From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 11:57:24 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A68CB16A421 for ; Tue, 19 Jun 2007 11:57:24 +0000 (UTC) (envelope-from gergely.czuczy@harmless.hu) Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.freebsd.org (Postfix) with ESMTP id 3711A13C44B for ; Tue, 19 Jun 2007 11:57:24 +0000 (UTC) (envelope-from gergely.czuczy@harmless.hu) Received: from localhost (marvin-mail [192.168.0.2]) by marvin.harmless.hu (Postfix) with ESMTP id 248BF7C109C; Tue, 19 Jun 2007 13:57:31 +0200 (CEST) X-Virus-Scanned: by amavisd-new-2.4.2 (20060627) (Debian) at harmless.hu Received: from marvin.harmless.hu ([192.168.0.2]) by localhost (marvin.harmless.hu [192.168.0.2]) (amavisd-new, port 10024) with ESMTP id ik7jLV9jI4B4; Tue, 19 Jun 2007 13:57:30 +0200 (CEST) Received: from marvin.harmless.hu (localhost [127.0.0.1]) by marvin.harmless.hu (Postfix) with ESMTP id 9DE647C104F; Tue, 19 Jun 2007 13:57:15 +0200 (CEST) Date: Tue, 19 Jun 2007 13:57:15 +0200 
From: Gergely CZUCZY To: Rob Shepherd Message-ID: <20070619115715.GA96740@harmless.hu> References: <4677BF4A.8000601@techniumcast.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=x-unknown; protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf" Content-Disposition: inline In-Reply-To: <4677BF4A.8000601@techniumcast.com> User-Agent: mutt-ng/devel-r804 (FreeBSD) Cc: freebsd-pf@freebsd.org Subject: Re: firewalling and ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jun 2007 11:57:24 -0000 --J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 19, 2007 at 12:34:34PM +0100, Rob Shepherd wrote: > Dear freebsd firewallers, > > I've just installed FreeBSD with a view to making a traffic shaping, or essentially transfer capacity limiting device. > > This must sit on bridged interfaces between org and edge outers. > > I'm having some difficulty working out which bits I need, which packet filter to use and how to get started. > > There appears to be 3 packet filters > > pf,ipf,ipfw > > is this right? ALTQ works with each? > > additionally, I don't seem to have any /dev/ entries > > croesor# pfctl -v > pfctl: /dev/pf: No such file or directory > croesor# ipfstat > open(IPSTATE_NAME): No such file or directory > croesor# ipf -V > ipf: IP Filter: v4.1.13 (528) > open device: No such file or directory > > I'd like some pointers to get me on track please. > > There are many tutorials, but it's impossible to know what is the current supported filter package, what works best with bridging and ALTQ and how > to test them when there's bits missing. 
> > Cheers > > Rob Please read the handbook's section on all the firewalls. It's explained there what do you need to make them work. And the handbook should be your primary source of information along with the manuals, and definitely not some googled tutorials or howtos. http://www.freebsd.org/handbook and look for "firewall" Bye, Gergely Czuczy mailto: gergely.czuczy@harmless.hu -- Weenies test. Geniuses solve problems that arise. --J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature Content-Disposition: inline --J2SCkAp4GZ/dPZZf-- From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 12:00:15 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3689916A484 for ; Tue, 19 Jun 2007 12:00:15 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.freebsd.org (Postfix) with ESMTP id C59B213C44B for ; Tue, 19 Jun 2007 12:00:14 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.47.193] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1I0cNZ2R1z-0002sJ; Tue, 19 Jun 2007 14:00:13 +0200 
From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Tue, 19 Jun 2007 14:01:45 +0200 User-Agent: KMail/1.9.6 References: <4677BF4A.8000601@techniumcast.com> In-Reply-To: <4677BF4A.8000601@techniumcast.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1206709.vNetvt28k8"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200706191401.56528.max@love2party.net> X-Provags-ID: V01U2FsdGVkX18QVuNWEyCJvsTcxZgxuz7l4hJO5qASbRa55cr jN8pjn5Yny3Qk5PFyCppIXs9vwldhKDf2XhzaRKkLAh0onbmGJ JRbpQbV/YZAEt6YCLZtdWAJTa9c3TcrHUYUvNRCYpw= Cc: Subject: Re: firewalling and ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jun 2007 12:00:15 -0000 --nextPart1206709.vNetvt28k8 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Tuesday 19 June 2007, Rob Shepherd wrote: > I've just installed FreeBSD with a view to making a traffic shaping, or > essentially transfer capacity limiting device. > > This must sit on bridged interfaces between org and edge outers. It can be difficult to wrap one's head around traffic shaping on bridges because of the ambiguity of IN/OUT on a bridge. Be sure to filter on the member interfaces instead and apply queueing there. > I'm having some difficulty working out which bits I need, which packet > filter to use and how to get started. > > There appears to be 3 packet filters > > pf,ipf,ipfw > > is this right? ALTQ works with each? 
ALTQ works with pf and can be used from ipfw, too. You will need pf support regardless. ipf does not support the ALTQ version available in FreeBSD at this time (afaik). IPFW has dummynet, which can do traffic shaping, too. > additionally, I don't seem to have any /dev/ entries kldload pf / ipf / ipfw ... or use the rc.d scripts. e.g. "etc/rc.d/pf forcestart" later automate the process by flipping the right switches in rc.conf(5). You can also build the firewalls into your kernel, see the handbook for details. Note, that ALTQ can *not* be loaded as a module and requires a custom kernel instead. > There are many tutorials, but it's impossible to know what is the > current supported filter package, what works best with bridging and > ALTQ and how to test them when there's bits missing. Feel free to write down your lessons learned and publish them ;) -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1206709.vNetvt28k8 Content-Type: application/pgp-signature --nextPart1206709.vNetvt28k8-- From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 12:58:36 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id EBD0816A469 for ; Tue, 19 Jun 2007 12:58:36 +0000 (UTC) (envelope-from flo@kasimir.com) Received: from config.solomo.org (kasimir.com [85.214.51.166]) by mx1.freebsd.org (Postfix) with ESMTP id 4641813C487 for ; Tue, 19 Jun 2007 12:58:36 +0000 (UTC) (envelope-from flo@kasimir.com) Received: (qmail 79971 invoked from network); 19 Jun 2007 14:31:54 +0200 Received: from relay3.vistream.de 
(HELO nibbler.vistream.local) (87.139.10.28) by sugnet.de with SMTP; 19 Jun 2007 14:31:54 +0200 Message-ID: <4677CC9A.2000306@kasimir.com> Date: Tue, 19 Jun 2007 14:31:22 +0200 
From: "Florian C. Smeets" User-Agent: Thunderbird 2.0.0.5pre (Macintosh/20070618) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <200706160347.33331.max@love2party.net> In-Reply-To: <200706160347.33331.max@love2party.net> X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org Subject: Re: pf 4.1 Update available for testing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jun 2007 12:58:37 -0000 Also send this to the list(s) so people can see that the patches actually work ;-) Max Laier wrote: > On Tuesday 19 June 2007, you wrote: >> Max Laier wrote: >>> On Wednesday 13 June 2007, you wrote: >>>> Just as a data point. Will be happy to test altq as soon as it works >>>> ;-) >>> Just sent an update to the list - ALTQ should be working now. >> Yes, works fine. No ill effects observed. >> >> This is a "please get this into 7.0" from me if that's still >> possible... > > I'm planning on it, but sending this to the list as well would help, too. > It will also get others to test - I hope. 
> From owner-freebsd-pf@FreeBSD.ORG Tue Jun 19 15:08:29 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D961116A468 for ; Tue, 19 Jun 2007 15:08:29 +0000 (UTC) (envelope-from rmiranda@digitalrelay.ca) Received: from wrdsl02.terago.ca (wrdsl02.terago.ca [207.54.102.194]) by mx1.freebsd.org (Postfix) with ESMTP id 96DD213C45A for ; Tue, 19 Jun 2007 15:08:29 +0000 (UTC) (envelope-from rmiranda@digitalrelay.ca) Received: from [192.168.0.12] (unknown [64.201.181.165]) by wrdsl02.terago.ca (Postfix) with ESMTP id 27C3786E7A; Tue, 19 Jun 2007 10:08:28 -0500 (CDT) 
From: Roger Miranda Organization: Digital Relay Inc. To: Volker Date: Tue, 19 Jun 2007 10:09:12 -0500 User-Agent: KMail/1.9.4 References: <200706140833.50583.rmiranda@digitalrelay.ca> <200706160826.16372.rmiranda@digitalrelay.ca> <4673FFC7.2030904@vwsoft.com> In-Reply-To: <4673FFC7.2030904@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200706191009.12737.rmiranda@digitalrelay.ca> Cc: freebsd-pf@freebsd.org Subject: Re: PF error message looping on screen. System Locked. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jun 2007 15:08:30 -0000 Thanks for everyone's help, it has been insightful. I did make the following changes to: rdr on $int_if inet proto tcp from any to any port www -> \ 127.0.0.1 port 3128 pass in log quick on $int_if inet proto tcp from any to \ any port 3128 flags S/SA keep state Just now it looks like the rdr line is not redirecting anything to squid on port 3128. Could this line be more for a NAT environment? Any suggestions? On Saturday 16 June 2007 10:20, Volker wrote: > On 06/16/07 15:26, Roger Miranda wrote: > > On Thursday 14 June 2007 10:19, Volker wrote: > >> [re-added cc:pf to have a wider audience, please keep this] > >> > >> On 06/14/07 16:21, Roger Miranda wrote: > >>>> I remember a discussion about your machine in stable@ some time ago. > >>> > >>> Yes. I have come a bit further. Generally I would get nothing on the > >>> screen. I just started getting this. > >>> > >>>>> We have transferred 150GB (+/-) > >>>> > >>>> Using sftp, ftp, http or ...? > >>> > >>> http / NFS / SMB > >>> > >>>> Are you by any chance being able to get a photopicture (with fast > >>>> shutter time) of the debug messages? 
Do you have anything in > >>>> /var/log/debug.log /var/log/messages which might be useful? > >>> > >>> I do not have nothing with that fast of a shutter. I looked in the > >>> logs the message that loops is not there. But I did find the following: > >>> > >>> Jun 13 10:22:32 kernel: pf: dropping packet with ip options > >>> Jun 13 10:22:33 last message repeated 5 times > >> > >> Roger, > >> > >> I don't think this message is related to your trouble. I think you can > >> also avoid these messages by adding 'no scrub' to your pf.conf (I'm > >> currently not aware of any side effects by adding this). > >> > >> Probably Max has some more suggestions on not scrubbing packets. > >> > >> You should get a debugger into your kernel (like Max suggested) and > >> probably also use `pfctl -x loud' or `pfctl -x misc' to get more > >> messages out of pf. If these messages are popping up again, break the > >> system into the debugger and look for the messages (using 'scroll > >> lock' to scroll back some pages), ps and a backtrace. > >> > >> HTH > >> > >> Volker > > > > Alright, I have encountered the loop messages again today. > > I have debug set to loud and "no scrub" is in pf.conf. > > > > I managed to get a 5 sec. video of the loop. Get it at: > > http://64.201.181.165:82/pfloop.avi > > > > Any help would be appreciated. > > > > Roger > > Roger, > > watched your video (the next time, please mix some nice music in... > just kidding). > > I've seen tons of 'pf: loose state match' messages. After seeing this, I > took again a look at your rules and am wondering about this one: > > rdr on $int_if inet proto tcp from any to any port www -> \ > 127.0.0.1 port 3128 > pass in log on $int_if route-to lo0 inet proto tcp from any to \ > any port 3128 keep state > > I've never tried a combination like that but I think it might be > dangerous. When a packet arrives your $int_if with a destination port > 80, the rdr rule will replace the destination address to 127.0.0.1 > port 3128. 
The pass rule will route that packet to lo0. I think you > can safely avoid that extra step. > > Try it just like: > > rdr on $int_if inet proto tcp from any to any port www -> \ > 127.0.0.1 port 3128 > pass in log quick on $int_if inet proto tcp from any to \ > any port 3128 flags S/SA keep state > > and see if you still see error messages. (Please note the missing > 'route-to' statement, an added quick statement and the added 'flags > S/SA' option) > > If that doesn't help, I recommend rewriting your rules a bit and use > 'set state-policy if-bound' (which I'm using most as I find it better > to administer). Unfortunately I don't have experience with > state-policy if-bound in a bridged environment (just a little warning). > > HTH > > Volker -- Roger Miranda rmiranda@digitalrelay.ca Cell: 204.228.2032 Digital Relay Inc. 1130 Wall Street Winnipeg, MB R3E 2R9 Phone: 204.480.1234 Fax: 204.480.3866 www.digitalrelay.ca From owner-freebsd-pf@FreeBSD.ORG Wed Jun 20 00:05:11 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6D3B116A474 for ; Wed, 20 Jun 2007 00:05:11 +0000 (UTC) (envelope-from nate@root.org) Received: from root.org (root.org [67.118.192.226]) by mx1.freebsd.org (Postfix) with ESMTP id 508C913C448 for ; Wed, 20 Jun 2007 00:05:11 +0000 (UTC) (envelope-from nate@root.org) Received: (qmail 46818 invoked from network); 19 Jun 2007 16:06:31 -0000 Received: from ppp-71-139-42-13.dsl.snfc21.pacbell.net (HELO ?10.0.0.15?) (nate-mail@71.139.42.13) by root.org with ESMTPA; 19 Jun 2007 16:06:31 -0000 Message-ID: <4677FF00.4060506@root.org> Date: Tue, 19 Jun 2007 09:06:24 -0700 
From: Nate Lawson User-Agent: Thunderbird 2.0.0.0 (X11/20070511) MIME-Version: 1.0 To: Eygene Ryabinkin References: <200706160347.33331.max@love2party.net> <20070617094126.GT3779@void.codelabs.ru> <200706171717.21585.max@love2party.net> <20070619074150.GC26920@void.codelabs.ru> In-Reply-To: <20070619074150.GC26920@void.codelabs.ru> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: pf 4.1 Update available for testing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jun 2007 00:05:11 -0000 Eygene Ryabinkin wrote: > Max, good day. > > Sun, Jun 17, 2007 at 05:17:14PM +0200, Max Laier wrote: >>> I glanced over the new code and found that no changes were >>> introduced to the altq_subr.c. And there was rather old issue >>> I found in April: non-initialised callback due to Nate Lawson's >>> changes in handling the changing CPU frequencies. >>> >>> Looks like it is still living in the code. My original posting >>> is at >>> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/071652.html >>> >>> Could you please take a look? >> Are you saying that the patch in that mail fixes things for you? I recall >> the discussion vaguely, but somehow dropped out of it - sorry. > > Yes, the patch fixed the kernel crash for me. Just tested on the > -CURRENT that is about a week old without my patch: it crashes. > The easiest way to test it is to start the machine without ALTQ > statements in the pf.conf, wait a while for the CPU frequency change > and then to enable ALTQ in the pf.conf. The only needed statements > are the 'altq' for the active interface, one does not need any > altq-related statements for the filtering rules. 
This sequence > provokes the ALTQ's cpufreq handler to be invoked and the machclk_freq > to be initialized to some value. When ALTQ will be enabled, the > callback won't be initialized. And I am almost immediately catching > the kernel fault in the softclock, due to the bad callback. > > With my patch the problem goes away. Just checked ;)) If this works for you, I'm ok with Max committing it. -- Nate From owner-freebsd-pf@FreeBSD.ORG Wed Jun 20 08:40:50 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A277D16A421 for ; Wed, 20 Jun 2007 08:40:50 +0000 (UTC) (envelope-from rob@techniumcast.com) Received: from smtp.techniumcast.net (smtp.techniumcast.net [194.74.204.204]) by mx1.freebsd.org (Postfix) with ESMTP id 6CD2A13C457 for ; Wed, 20 Jun 2007 08:40:50 +0000 (UTC) (envelope-from rob@techniumcast.com) Received: from [10.1.32.11] (penguin.techniumcast.net [10.1.32.11]) by smtp.techniumcast.net (Postfix) with ESMTP id B9B1E120B8F for ; Wed, 20 Jun 2007 09:40:44 +0100 (BST) Message-ID: <4678E80C.5010502@techniumcast.com> Date: Wed, 20 Jun 2007 09:40:44 +0100 
From: Rob Shepherd User-Agent: Thunderbird 2.0.0.0 (X11/20070423) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: logging and graphing pf + altq statistics X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jun 2007 08:40:50 -0000 Dear freebsd pf'ers, Thanks for your help yesterday, from a number of you. I have altq and pf in a test setup for further evaluation and it looks promising. I will have a number of customers, each with a number of IP addresses. The IP numbers are grouped nicely in pf queues. I would very much like to generate graphs of data rate for each customer. I.e. Each IP group, or queue. Can this be achieved by attaching some software to pf ? many thanks and kindest regards Rob -- Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd Technium CAST | LL57 4HJ | http://www.techniumcast.com From owner-freebsd-pf@FreeBSD.ORG Wed Jun 20 12:49:27 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6040C16A468 for ; Wed, 20 Jun 2007 12:49:27 +0000 (UTC) (envelope-from iggdawg@gmail.com) Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.182]) by mx1.freebsd.org (Postfix) with ESMTP id 3D81813C4B0 for ; Wed, 20 Jun 2007 12:49:27 +0000 (UTC) (envelope-from iggdawg@gmail.com) Received: by wa-out-1112.google.com with SMTP id j37so97952waf for ; Wed, 20 Jun 2007 05:49:27 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; 
h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=IpQb6s4pa8CRkPZYMMyF9wY31dVsm9rGc8/Vw6C31Xvjrn1BOGTMuXxwCttZReFzmCg0xH+y3Kiv0p35b4gjIAoAKBLi/utV04GYHXg3WXU/V4A+k1o/RoEr0NfqnTFDTM7w0u1iZyY5ECi6Ei5gSyvO7Aqk6wNqcVM0mxMVnH4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=NH0mtflk7eUJpws/dRd2ncLT2IR7/n76fV6f/qlLKPrmibfZEJ2HTvlYfXyezomblpjd36Y85YGuY78+jY8lIRhMWIXKq/fp1UBnSWzudy5igRzO+U9E2aYzz0iUpz7C6Qclr2zcUR7lbZTbIWnuvt7fJYOwxOMkN04AYxI7j0k= Received: by 10.114.175.16 with SMTP id x16mr253442wae.1182342208348; Wed, 20 Jun 2007 05:23:28 -0700 (PDT) Received: by 10.141.85.4 with HTTP; Wed, 20 Jun 2007 05:23:28 -0700 (PDT) Message-ID: Date: Wed, 20 Jun 2007 08:23:28 -0400 
From: iggdawg@gmail.com To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: RE: logging and graphing pf + altq statistics X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jun 2007 12:49:27 -0000 Daniel has a great site with a sample config and example graphs here: http://www.benzedrine.cx/pfstat.html It's as drop-in as he makes it sound. I run pfstat on my firewall (the mighty PipBoy) with very little variation from his pfstat.conf , just a few values here and there. you can check out my site if you'd like a second set of graphs to digest. second from the bottom is queues on both pages. http://www.iggdawg.com/stats/pfstat/index.html Hope this helps -Igg > Dear freebsd pf'ers, > > Thanks for your help yesterday, from a number of you. > > I have altq and pf in a test setup for further evaluation and it looks > promising. > > I will have a number of customers, each with a number of IP addresses. > The IP numbers are grouped nicely in pf queues. > > I would very much like to generate graphs of data rate for each > customer. I.e. Each IP group, or queue. > > Can this be achieved by attaching some software to pf ? 
> > many thanks and kindest regards > > Rob > -- > Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd > Technium CAST | LL57 4HJ | http://www.techniumcast.com From owner-freebsd-pf@FreeBSD.ORG Wed Jun 20 15:26:18 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1DE1916A400 for ; Wed, 20 Jun 2007 15:26:18 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from pobox.codelabs.ru (pobox.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id C0AC413C447 for ; Wed, 20 Jun 2007 15:26:17 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender:X-Spam-Status:Subject; b=I7dUbI2G7J6OyPDxLAZl+QSjvQoifUhRN62SGPzyHePzQ01pRGZ5PkRFxfkDblNkuFYBG3x+rcbDgyQY0HWFRaLbOOm0FHp6QdwiTYs2YHk2Dgs8cAlKvC9KpVop/EHTbdSVTbVt+80p+0co5x3ERSC5/wR1Kp1mcspeEPYPszc=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by pobox.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1I124U-0007Uc-57; Wed, 20 Jun 2007 19:26:14 +0400 Date: Wed, 20 Jun 2007 19:26:09 +0400 
From: Eygene Ryabinkin To: Nate Lawson Message-ID: <20070620152609.GD26920@void.codelabs.ru> References: <200706160347.33331.max@love2party.net> <20070617094126.GT3779@void.codelabs.ru> <200706171717.21585.max@love2party.net> <20070619074150.GC26920@void.codelabs.ru> <4677FF00.4060506@root.org> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <4677FF00.4060506@root.org> Sender: rea-fbsd@codelabs.ru X-Spam-Status: No, score=-2.9 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_00 Cc: freebsd-pf@freebsd.org Subject: Re: pf 4.1 Update available for testing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jun 2007 15:26:18 -0000 Nate, good day. Tue, Jun 19, 2007 at 09:06:24AM -0700, Nate Lawson wrote: > > With my patch the problem goes away. Just checked ;)) > > If this works for you, I'm ok with Max committing it. Fine, thanks! So, you're happy with the way the problem was fixed? I see that another function that uses tbr_callout is tbr_timeout, but it will not be called before tbr_set. So it seems to me that callout initialisation only in tbr_set is enough. But maybe I am missing something? Thank you. 
-- Eygene From owner-freebsd-pf@FreeBSD.ORG Wed Jun 20 19:04:30 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 423CC16A469 for ; Wed, 20 Jun 2007 19:04:30 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from pobox.codelabs.ru (pobox.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id C72E113C447 for ; Wed, 20 Jun 2007 19:04:29 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender:X-Spam-Status:Subject; b=kCm9zH5j6nsyyfM1zsuul84H7aFfQIv0LOxCMo8yEnV2B60SRX5SIaQj7dE2o5knENoL2tkM+1sMzi+asRVgUqPPAUZdDctI9Wh5S3KtgWA2Sp3L9655JFloeuevsNEzAd6njkTHSvhqU4naihyJResbeotSGRHFvxBdfZirZ2E=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by pobox.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1I15Tg-0007hV-9f; Wed, 20 Jun 2007 23:04:29 +0400 Date: Wed, 20 Jun 2007 23:04:23 +0400 
From: Eygene Ryabinkin
To: Nate Lawson, Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing
Content-Type: multipart/mixed; boundary="ew6BAiZeqk4r7MaW"

--ew6BAiZeqk4r7MaW
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline

Nate, Max, good day.

Wed, Jun 20, 2007 at 07:26:09PM +0400, Eygene Ryabinkin wrote:
> Fine, thanks!  So, you're happy with the way the problem was fixed?
> I see that another function that uses tbr_callout is tbr_timeout,
> but it will not be called before tbr_set.  So it seems to me that
> callout initialisation only in tbr_set is enough.  But maybe I am
> missing something?

After some thinking I came to the idea that one more patch must be
applied.  The variables machclk_usepcc and machclk_per_tick can be
left uninitialised following the same codepath as for tbr_callout:
tsc_freq_changed() touches only machclk_freq, but init_machclk
touches all three variables.  This error can potentially be
responsible for the weird bandwidth values I am having with the
altq on my notebook.
The issue is described on the thread
  http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
Basically, I am setting one BW limit in pf.conf and seeing another
one (much lower) via the ifstat utility.

I was able only to test the compilation of the new patched kernel.
No bandwidth tests were done: I have no access to the fast LAN link
up to the Monday, 24th, sorry.  Maybe I will be able to set up
ng_eiface and test with it, but I am not fluent with the netgraph.
Will post an update if tests will be carried out.

But I am pretty sure that the altq_subr.c should be patched to
properly handle the initialization of these two variables.  The
only question is how to do it: via my patch or using some different
strategy.

No more words, the patch is attached.  Comments are welcome!
--
Eygene

--ew6BAiZeqk4r7MaW
Content-Type: text/plain; charset=koi8-r
Content-Disposition: attachment; filename="altq-fix-2.diff"

diff --git a/sys/contrib/altq/altq/altq_subr.c b/sys/contrib/altq/altq/altq_subr.c index 0c6e485..0ca01db 100644 --- a/sys/contrib/altq/altq/altq_subr.c +++ b/sys/contrib/altq/altq/altq_subr.c @@ -129,6 +129,28 @@ static struct ip4_frag *ip4f_alloc(void); static void ip4f_free(struct ip4_frag *); #endif /* ALTQ3_CLFIER_COMPAT */ +static inline void +machclk_set_freq(u_int32_t _newfreq); +static inline void +machclk_init_pcc(void); +/* + * We do machclk_init_pcc() here because machclk_freq can be + * already initialized by tsc_freq_changed() or simular, but + * machclk_usepcc will not be properly initialized then. + * We could call machclk_init_pcc() from the tsc_freq_changed(), + * but the then calls to the machclk_init_pcc() will be more + * frequent. It is microoptimisation and it can be dropped + * in favor of the more clean code. + */ +#define INIT_MACHCLK \ + do { \ + if (machclk_freq == 0) \ + init_machclk(); \ + else \ + machclk_init_pcc(); \ + } while(0) + + /* * alternate queueing support routines */ 
@@ -384,8 +406,7 @@ tbr_set(ifq, profile) tbr_dequeue_ptr = tbr_dequeue; tbr_callout_init(); - if (machclk_freq == 0) - init_machclk(); + INIT_MACHCLK; if (machclk_freq == 0) { printf("tbr_set: no cpu clock available!\n"); return (ENXIO); @@ -599,8 +620,7 @@ altq_add(struct pf_altq *a) if (a->qname[0] != 0) return (altq_add_queue(a)); - if (machclk_freq == 0) - init_machclk(); + INIT_MACHCLK; if (machclk_freq == 0) panic("altq_add: no cpu clock"); @@ -912,7 +932,7 @@ tsc_freq_changed(void *arg, const struct cf_level *level, int status) return; /* Total setting for this level gives the new frequency in MHz. */ - machclk_freq = level->total_set.freq * 1000000; + machclk_set_freq(level->total_set.freq * 1000000); } EVENTHANDLER_DEFINE(cpufreq_post_change, tsc_freq_changed, NULL, EVENTHANDLER_PRI_ANY); @@ -935,9 +955,14 @@ tbr_callout_init(void) } #endif /* __FreeBSD_version >= 600000 */ -void -init_machclk(void) +static inline void +machclk_init_pcc(void) { + static int called = 0; + + if (called) + return; + machclk_usepcc = 1; #if (!defined(__i386__) && !defined(__alpha__)) || defined(ALTQ_NOPCC) @@ -955,11 +980,24 @@ init_machclk(void) tsc_is_broken)) machclk_usepcc = 0; #endif + called = 1; +} + +static inline void +machclk_set_freq(u_int32_t newfreq) +{ + machclk_freq = newfreq; + machclk_per_tick = machclk_freq / hz; +} + +void +init_machclk(void) +{ + machclk_init_pcc(); if (machclk_usepcc == 0) { /* emulate 256MHz using microtime() */ - machclk_freq = 1000000 << MACHCLK_SHIFT; - machclk_per_tick = machclk_freq / hz; + machclk_set_freq(1000000 << MACHCLK_SHIFT); #ifdef ALTQ_DEBUG printf("altq: emulate %uHz cpu clock\n", machclk_freq); #endif 
@@ -1011,7 +1049,7 @@ init_machclk(void) machclk_freq = (u_int)((end - start) * 1000000 / diff); } - machclk_per_tick = machclk_freq / hz; + machclk_set_freq(machclk_freq); #ifdef ALTQ_DEBUG printf("altq: CPU clock: %uHz\n", machclk_freq);
--ew6BAiZeqk4r7MaW--

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 20 20:22:46 2007
Date: Wed, 20 Jun 2007 10:36:29 -0700
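Review bot: in the first hunk (@@ -129,6 +129,28 @@), the else branch of INIT_MACHCLK can leave machclk_freq inconsistent with machclk_usepcc. When tsc_freq_changed() has already set machclk_freq and machclk_init_pcc() then clears machclk_usepcc, nothing replaces machclk_freq with the "1000000 << MACHCLK_SHIFT" value that init_machclk() uses for the microtime() emulation, unless the early return at the top of tsc_freq_changed(), whose condition is outside the visible context, already rules that case out. Suggest checking machclk_usepcc after machclk_init_pcc() in that branch and falling through to init_machclk() when it is 0, and writing this as a static function rather than a macro. Minor: the prototype names the parameter _newfreq while the definition uses newfreq, and the comment has typos ("simular", "but the then").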
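Review bot: the static "called" flag added at the top of machclk_init_pcc() (hunk @@ -935,9 +955,14 @@, set in the following hunk) is tested and written without any lock or atomic, and the function is now reached from both tbr_set() and altq_add() through INIT_MACHCLK. If those callers can run concurrently, both may pass the "if (called)" check, and because the body first stores machclk_usepcc = 1 and only later clears it, a reader could observe a transient 1 on a machine that ends up with 0. Suggest computing the result in a local variable and storing machclk_usepcc once, or adding a comment that names the lock which serialises the callers.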
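Review bot: in the last hunk (@@ -1011,7 +1049,7 @@), machclk_set_freq(machclk_freq) passes the global to a helper that assigns it back to itself, only to refresh machclk_per_tick. Suggest passing the computed value directly in place of the assignment shown in the context line above it, for example machclk_set_freq((u_int)((end - start) * 1000000 / diff)), so that every write to machclk_freq visibly goes through the helper.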
From: Nate Lawson
To: Eygene Ryabinkin
Cc: freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

Eygene Ryabinkin wrote:
> Nate, good day.
>
> Tue, Jun 19, 2007 at 09:06:24AM -0700, Nate Lawson wrote:
>>> With my patch the problem goes away.  Just checked ;))
>> If this works for you, I'm ok with Max committing it.
>
> Fine, thanks!  So, you're happy with the way the problem was fixed?
> I see that another function that uses tbr_callout is tbr_timeout,
> but it will not be called before tbr_set.  So it seems to me that
> callout initialisation only in tbr_set is enough.  But maybe I am
> missing something?
>
> Thank you.

If you want to trigger the call to callout_init() differently, you could
use a SYSINIT that runs before all of altq.  Then you would be sure it's
always initialized before anything else can run.
--
Nate

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 21 01:51:22 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 21 Jun 2007 03:52:32 +0200
Subject: Re: pf 4.1 Update available for testing
Content-Type: multipart/signed; boundary="nextPart1685993.yMID7r8Pf9"; protocol="application/pgp-signature"; micalg=pgp-sha1

--nextPart1685993.yMID7r8Pf9
Content-Type: text/plain; charset="iso-8859-6"
Content-Disposition: inline

On Saturday 16 June 2007, Max Laier wrote:
> $subject at: http://people.freebsd.org/~mlaier/PF41/

New drop (20070621) out.
Much better tested - thanks to qemu (which I finally got working w/ carp
[use the re nics and twiddle vlanhwtag after the carp interfaces are up].
Now I only need a bit more ram *hint* *hint* *hint* ;)

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart1685993.yMID7r8Pf9--

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 21 08:59:55 2007
Date: Thu, 21 Jun 2007 12:59:46 +0400
From: Eygene Ryabinkin
To: Nate Lawson
Cc: freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

Nate, good day.

Wed, Jun 20, 2007 at 10:36:29AM -0700, Nate Lawson wrote:
> >
> > Fine, thanks!  So, you're happy with the way the problem was fixed?
> > I see that another function that uses tbr_callout is tbr_timeout,
> > but it will not be called before tbr_set.  So it seems to me that
> > callout initialisation only in tbr_set is enough.  But maybe I am
> > missing something?
> >
> > Thank you.
>
> If you want to trigger the call to callout_init() differently, you could
> use a SYSINIT that runs before all of altq.  Then you would be sure it's
> always initialized before anything else can run.

Good alternative.  I will try it, thank you!
--
Eygene
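The ordering problem described earlier in this thread, as an added userland model: a frequency-change event sets machclk_freq before the lazy "machclk_freq == 0" check runs, so init_machclk() is skipped and the other two variables stay at zero. This is not code from altq_subr.c or from the attached patch; the function bodies are simplified, and HZ, the calibration value and the 800 MHz event are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define HZ 1000u                        /* constructed tick rate */

static uint32_t machclk_freq, machclk_per_tick;
static int machclk_usepcc;

/* Full initialiser: the only code that sets all three variables. */
static void init_machclk(void)
{
    machclk_usepcc = 1;
    machclk_freq = 1000000000u;         /* constructed calibration result */
    machclk_per_tick = machclk_freq / HZ;
}

/* cpufreq event handler; 'patched' selects the old or the new behaviour. */
static void tsc_freq_changed(uint32_t mhz, int patched)
{
    machclk_freq = mhz * 1000000u;      /* the old code stopped here */
    if (patched)                        /* models machclk_set_freq() */
        machclk_per_tick = machclk_freq / HZ;
}

/* Lazy guard from tbr_set()/altq_add(); patched form models INIT_MACHCLK. */
static void lazy_init(int patched)
{
    if (machclk_freq == 0)
        init_machclk();
    else if (patched)
        machclk_usepcc = 1;             /* stands in for machclk_init_pcc() */
}

/* A frequency event arrives before the first ALTQ use. */
static void early_event(int patched)
{
    machclk_freq = machclk_per_tick = 0;
    machclk_usepcc = 0;
    tsc_freq_changed(800, patched);     /* constructed 800 MHz event */
    lazy_init(patched);
}

uint32_t per_tick_seen(int patched) { early_event(patched); return machclk_per_tick; }
int usepcc_seen(int patched) { early_event(patched); return machclk_usepcc; }
int main(void)
{
    printf("unpatched: per_tick=%u usepcc=%d\n", (unsigned)per_tick_seen(0), usepcc_seen(0));
    printf("patched:   per_tick=%u usepcc=%d\n", (unsigned)per_tick_seen(1), usepcc_seen(1));
    return 0;
}
```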