From owner-freebsd-pf@FreeBSD.ORG Sun Sep 25 10:09:19 2011
From: h bagade
Date: Sun, 25 Sep 2011 13:38:58 +0330
To: freebsd-pf@freebsd.org
Subject: problem in defining pool ip addresses in the round robin manner

Hi all,

I've noticed that there seems to be no way to define pool addresses in the form of networks when the pool is in round-robin mode. Is this true?

I want to NAT IP addresses into a range of IP addresses in a round-robin manner. In the round-robin case I have to list the IP addresses one by one on the right side of the nat rule, which is not optimal compared with being able to define them as network addresses!

For instance, I want to NAT IP addresses from the 192.168.0.0/24 network to the range of 10.10.10.1-10.10.20.20 in round robin. In the pf rule I have to list the IP addresses in the range one by one like this:

nat on $ext_if from { 192.168.0.0/24 } to any -> { 10.10.10.1, 10.10.10.2, ...., 10.10.10.254, 10.10.11.1, ...., 10.10.20.20 }

The number of IP addresses on the right side is more than 2550, which could be reduced drastically by defining network addresses (e.g. { 10.10.10.0/24, 10.10.11.0/24, ... }).

Is my understanding correct, or is there a simpler solution for this situation? Any comments or hints are appreciated.
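As an added example (not code from the thread or from the pf project): pf's redirhost grammar accepts address/mask-bits entries in a translation pool, so the range above can be expressed as a short list of CIDR blocks rather than thousands of single addresses. The script below splits an arbitrary inclusive IPv4 range into the minimal set of non-overlapping prefixes, counts the addresses the pool will cycle through, and renders the nat rule. The range 10.10.10.1-10.10.20.20 and the source network 192.168.0.0/24 are the ones in the question; the interface name "em0" and the round-robin default are placeholders. Because a /24 entry contributes every address in the block, including .0 and .255, a second helper clips each /24 to .1-.254 for pools where those addresses must not be handed out.

```python
"""
Turn an arbitrary IPv4 range into a pf NAT pool of CIDR blocks.

Added example; not code from the thread. The range and source network
are the question's; interface "em0" and the pool type are placeholders.
"""
import ipaddress


def pool_blocks(first, last):
    """Minimal set of non-overlapping CIDR blocks covering first..last
    inclusive. Every block is a valid pf redirhost (address/mask-bits)."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    return list(ipaddress.summarize_address_range(lo, hi))


def host_only_blocks(first, last):
    """Like pool_blocks, but each /24 touched by the range is clipped to
    .1-.254 first, so no block contributes a .0 or .255 address. This
    yields more pool entries but never hands out network/broadcast
    addresses as translation addresses."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    blocks = []
    cur = lo
    while cur <= hi:
        net = ipaddress.IPv4Network(f"{cur}/24", strict=False)
        start = max(cur, net.network_address + 1)
        end = min(hi, net.broadcast_address - 1)
        if start <= end:
            blocks.extend(ipaddress.summarize_address_range(start, end))
        if net.broadcast_address == ipaddress.IPv4Address("255.255.255.255"):
            break  # avoid wrapping past the end of the address space
        cur = net.broadcast_address + 1
    return blocks


def pool_size(blocks):
    """Number of translation addresses the pool cycles through."""
    return sum(b.num_addresses for b in blocks)


def nat_rule(src_net, blocks, ext_if="em0", pooltype="round-robin"):
    """Render a pf.conf nat rule whose pool is the given CIDR blocks."""
    pool = ", ".join(str(b) for b in blocks)
    return (f"nat on {ext_if} inet from {src_net} to any "
            f"-> {{ {pool} }} {pooltype}")


if __name__ == "__main__":
    blocks = pool_blocks("10.10.10.1", "10.10.20.20")
    print(f"{len(blocks)} blocks covering {pool_size(blocks)} addresses")
    print(nat_rule("192.168.0.0/24", blocks))
    hosts = host_only_blocks("10.10.10.1", "10.10.20.20")
    print(f"{len(hosts)} host-only blocks covering {pool_size(hosts)} addresses")
```

For the question's range this produces 14 prefixes (10.10.10.1/32 up through 10.10.20.20/32) covering 2580 addresses; the host-only variant needs 146 entries for 2560 addresses. Either list can be piped through `pfctl -nf -` on the firewall to confirm the parser accepts it before it goes into pf.conf.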
From owner-freebsd-pf@FreeBSD.ORG Sun Sep 25 10:15:48 2011
From: h bagade
Date: Sun, 25 Sep 2011 13:45:27 +0330
To: freebsd-pf@freebsd.org
Subject: dynamic loading of pf rules?

Hello everybody,

Is there any way to dynamically load pf rules? I mean that each part of the pf rules could be loaded and deleted without interrupting the other parts (e.g. loading nat rules first, then adding only altq rules, then deleting filter rules).

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 25 10:23:21 2011
From: Damien Fleuriot
Date: Sun, 25 Sep 2011 12:23:11 +0200
To: h bagade
Cc: freebsd-pf@freebsd.org
Message-Id: <27DA1CE5-7DAE-41DE-8DD0-1F5CB4B84ACD@my.gd>
Subject: Re: dynamic loading of pf rules?

On 25 Sep 2011, at 12:15, h bagade wrote:
> Hello everybody,
>
> Is there any way to dynamically load pf rules? I mean each part of pf rules
> could be loaded and deleted without interruptions to the other parts(e.g.
> loading nat rules first then add only altq rules then delete filter rules).

You may want to have a look at PF's anchors, which may be a solution to your question.
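An added example of the anchor layout Damien points to (not code from the thread or from the pf project): the main ruleset only declares anchors, each part lives in its own file, and `pfctl -a <anchor>` checks, loads or flushes that one anchor without touching the others. Loading into an anchor replaces that anchor's rules in one transaction, so a changed NAT file can be reloaded without a flush and without a gap. The anchor names under "ops/", the interface "em0" and the sample rules are placeholders chosen for this example; global options and queue definitions are assumed to stay in the main ruleset. pfctl is only executed when it is installed; otherwise the command lines are returned unexecuted.

```python
"""
Per-anchor loading of pf rules (added example, not from the thread).

Anchor names under "ops/", interface "em0" and the rules are placeholders.
pfctl runs only when present on the host; otherwise the command lines are
returned for inspection (dry run).
"""
import pathlib
import shutil
import subprocess
import tempfile

MAIN_RULESET = """\
# Main ruleset (placeholder). Global options and queue definitions stay
# here; nat/rdr and filter rules are pulled in from the ops/ anchors.
set skip on lo0
nat-anchor "ops/*"
rdr-anchor "ops/*"
anchor "ops/*"
"""

# One file per independently reloadable part (constructed sample rules).
ANCHOR_RULES = {
    "ops/nat": "nat on em0 inet from 192.168.0.0/24 to any -> (em0)\n",
    "ops/filter": "block in on em0 all\npass out on em0 keep state\n",
}


def write_ruleset(directory=None):
    """Write pf.conf plus one <anchor>.conf per anchor; return the paths."""
    base = pathlib.Path(directory or tempfile.mkdtemp(prefix="pf-anchors-"))
    base.mkdir(parents=True, exist_ok=True)
    paths = {"main": base / "pf.conf"}
    paths["main"].write_text(MAIN_RULESET)
    for anchor, rules in ANCHOR_RULES.items():
        path = base / (anchor.replace("/", "_") + ".conf")
        path.write_text(rules)
        paths[anchor] = path
    return paths


def check_cmd(anchor, path):
    """Parse only (-n): a file that fails to parse is never committed, so
    the anchor's current rules stay in place either way."""
    return ["pfctl", "-a", anchor, "-n", "-f", str(path)]


def load_cmd(anchor, path):
    """Replace this anchor's rules with the file's contents; the other
    anchors and the main ruleset are not reloaded."""
    return ["pfctl", "-a", anchor, "-f", str(path)]


def flush_cmd(anchor, what="all"):
    """Drop one anchor's rules (-F nat, -F rules or -F all)."""
    return ["pfctl", "-a", anchor, "-F", what]


def run_pfctl(cmd, dry_run=None):
    """Run a pfctl command line, or return it unexecuted when pfctl is
    absent or dry_run is True. Returns (command, returncode or None)."""
    if dry_run is None:
        dry_run = shutil.which("pfctl") is None
    if dry_run:
        return cmd, None
    return cmd, subprocess.run(cmd, check=False).returncode


def reload_anchor(anchor, path, dry_run=None):
    """Syntax-check, then load, a single anchor; returns both commands."""
    checked, rc = run_pfctl(check_cmd(anchor, path), dry_run)
    if rc not in (None, 0):
        raise RuntimeError(f"syntax check failed for anchor {anchor}")
    loaded, _ = run_pfctl(load_cmd(anchor, path), dry_run)
    return checked, loaded


if __name__ == "__main__":
    paths = write_ruleset()
    for anchor in ANCHOR_RULES:
        for cmd in reload_anchor(anchor, paths[anchor]):
            print(" ".join(cmd))
```

Deleting the filter part while NAT keeps working is then `pfctl -a ops/filter -F all`; adding a changed NAT file is `reload_anchor("ops/nat", path)`, which never touches ops/filter.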
From owner-freebsd-pf@FreeBSD.ORG Sun Sep 25 19:08:26 2011
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sun, 25 Sep 2011 20:52:17 +0200
To: h bagade
Cc: freebsd-pf@freebsd.org
Message-ID: <4E7F7861.9070804@quip.cz>
Subject: Re: problem in defining pool ip addresses in the round robin manner

h bagade wrote:
[...]
> for instance, I want to nat ip addresses from 192.168.0.0/24 network to the
> range of 10.10.10.1- 10.10.20.20 ip addresses in round robin. In pf rule I
> should list the ip addresses in range one by one like this:
>
> nat on $ext_if from { 192.168.0.0/24} to any -> {10.10.10.1, 10.10.10.2,
> ...., 10.10.10.254, 10.10.11.1, ...., 10.10.20.20}

According to the pf.conf manpage, you can use a network range on the right side of the "nat" definition. There is an example in the manpage:

# NAT LOAD BALANCE
# Translate outgoing packets' source addresses using an address pool.
# A given source address is always translated to the same pool address by
# using the source-hash keyword.
nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash

So I think you can use the same syntax with round-robin instead of source-hash.

> which number of ip addresses on the right side is more that 2550 which could
> be reduced extremely by defining network addresses {e.g. 10.10.10.0/24,
> 10.10.11.0/24, ... }.

There is a grammar for pf.conf at the end of the manpage:

nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
           [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ]
           [ "tagged" string ]
           [ "->" ( redirhost | "{" redirhost-list "}" )
           [ portspec ] [ pooltype ] [ "static-port" ] ]

So you can use redirhost or redirhost-list on the right side.

redirhost = address [ "/" mask-bits ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]

I did not try it for real, but a quick syntax check passes for the following example:

nat on bge0 inet from any to any -> { 10.1.1.0/24, 10.1.1.1/24, 10.1.1.2/24 } round-robin

You can test it like this:

# echo 'nat on bge0 inet from any to any -> { 10.1.1.0/24, 10.1.1.1/24, 10.1.1.2/24 } round-robin' | pfctl -nvvf -

No syntax error message was printed. Let us know if it works for you.

Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 26 11:07:08 2011
Date: Mon, 26 Sep 2011 11:07:07 GMT
Message-Id: <201109261107.p8QB77ZZ088225@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/159390  pf         [pf] [panic] mutex pf task mtx owned at /usr/src/sys/c
o kern/159029  pf         [pf] [panic] m_copym, offset > size of mbuf chain when
o kern/158873  pf         [pf] [panic] When I launch pf daemon, I have a kernel
o kern/158636  pf         [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

51 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 27 12:30:13 2011
From: Christian Laursen
Date: Tue, 27 Sep 2011 12:30:13 GMT
To: freebsd-pf@FreeBSD.org
Reply-To: Christian Laursen
Message-Id: <201109271230.p8RCUDKH026854@freefall.freebsd.org>
Subject: Re: kern/146832: [pf] "(self)" not always matching all local IPv6 addresses

The following reply was made to PR kern/146832; it has been noted by GNATS.
From: Christian Laursen
To: bug-followup@FreeBSD.org, xi@borderworlds.dk
Subject: Re: kern/146832: [pf] "(self)" not always matching all local IPv6 addresses
Date: Tue, 27 Sep 2011 14:21:51 +0200

The patch Kenneth has submitted does not fix my case, unfortunately. However, the following patch seems to work for me.

--- nd6_rtr.c.orig	2011-09-24 20:24:25.000000000 +0200
+++ nd6_rtr.c	2011-09-24 20:20:57.000000000 +0200
@@ -1303,6 +1303,8 @@
  * XXX: what if address duplication happens?
  */
 pfxlist_onlink_check();
+
+ EVENTHANDLER_INVOKE(ifaddr_event, ifp);
 } else {
 /* just set an error. do not bark here. */
 error = EADDRNOTAVAIL; /* XXX: might be unused. */

-- 
Christian Laursen

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 30 10:28:21 2011
Date: Fri, 30 Sep 2011 10:28:21 GMT
Message-Id: <201109301028.p8UASLje097659@freefall.freebsd.org>
To: bz@FreeBSD.org, freebsd-pf@FreeBSD.org, bz@FreeBSD.org
From: bz@FreeBSD.org
Subject: Re: kern/146832: [pf] "(self)" not always matching all local IPv6 addresses

Synopsis: [pf] "(self)" not always matching all local IPv6 addresses

Responsible-Changed-From-To: freebsd-pf->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Fri Sep 30 10:28:02 UTC 2011
Responsible-Changed-Why:
Try to look at it over the weekend.

http://www.freebsd.org/cgi/query-pr.cgi?pr=146832
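Review bot: on the nd6_rtr.c hunk in Christian Laursen's follow-up to kern/146832 above, the six context lines do not show where `ifp` comes from, so the first thing to confirm is that it is the interface the new address was actually attached to (and non-NULL at that point) rather than some other pointer that happens to be in scope. If the goal is, as the PR synopsis suggests, to have pf's interface-address tracking notice addresses that arrive via router-advertisement prefixes, then raising `ifaddr_event` only after `pfxlist_onlink_check()` in this one success path is narrow: the invoke would be better placed in the routine that actually adds the IPv6 address, so that every addition path notifies listeners, and it should be checked that the same event is not already raised for this path elsewhere, which would fire the handler twice per address. The two added lines also carry no comment; a one-line note saying the event is there for address-tracking consumers such as pf would stop the next reader from removing it as stray, and the same explanation belongs in the commit message when this is committed.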