From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 02:09:24 2005
Date: Sun, 26 Jun 2005 03:08:25 +0100
From: Sascha Luck
To: freebsd-pf@freebsd.org
Message-ID: <20050626020825.GA45376@saoirse.c4inet.net>
Subject: pfsync / 6-CURRENT-amd64

Hi,

I've built a redundant firewall setup with pf / CARP / pfsync on
CURRENT. pf and CARP are working well, the traffic fails over
without problems.
pfsync, however, seems not to work at all. There is no traffic on
the sync interface, the states are (obviously) not being synced.

The NICs are all Intel 1000MT dual-port cards (btw, I can confirm
that fail-over on VLAN interfaces on em NICs does work on CURRENT)

CURRENT kernel versions:
FreeBSD 6.0-CURRENT #0: Sun Jun 26 02:10:42 IST 2005

pf, pflog and pfsync are built into the kernel. Both pfsync
interfaces are up and connected to the syncif; they are connected
by xover cable:

cwi010# ifconfig pfsync0
pfsync0: flags=41 mtu 1348
        pfsync: syncdev: em5 maxupd: 128

em5: flags=8843 mtu 1500
        options=4b
        inet 10.10.255.2 netmask 0xffffff00 broadcast 10.10.255.255
        inet6 fe80::211:43ff:fee5:8377%em5 prefixlen 64 scopeid 0x6
        ether 00:11:43:e5:83:77
        media: Ethernet autoselect (1000baseTX )
        status: active

Has anyone seen similar effects? Is this connected to the network
interface changes as of Jun 9?

cheers,
s.
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 02:11:32 2005
Date: Sat, 25 Jun 2005 22:11:31 -0400
From: Scott Ullrich
To: Sascha Luck
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20050626020825.GA45376@saoirse.c4inet.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On 6/25/05, Sascha Luck wrote:
> Hi,
>
> I've built a redundant firewall setup with pf / CARP / pfsync on
> CURRENT. pf and CARP are working well, the traffic fails over
> without problems.
> pfsyc, however, seems not to work at all. There is no traffic on
> the sync interface, the states are (obviously) not being synced.
>
> The NICs are all Intel 1000MT dual-port cards (btw, I can confirm
> that fail-over on VLAN interfaces on em NICs does work on CURRENT)
>
> CURRENT kernel versions:
> FreeBSD 6.0-CURRENT #0: Sun Jun 26 02:10:42 IST 2005
>
> pf, pflog and pfsync are built into the kernel. both pfsync
> interfaces are up and connected to the syncif, they are connected
> by xover cable:
>
> cwi010# ifconfig pfsync0
> pfsync0: flags=41 mtu 1348
>         pfsync: syncdev: em5 maxupd: 128
>
> em5: flags=8843 mtu 1500
>         options=4b
>         inet 10.10.255.2 netmask 0xffffff00 broadcast 10.10.255.255
>         inet6 fe80::211:43ff:fee5:8377%em5 prefixlen 64 scopeid 0x6
>         ether 00:11:43:e5:83:77
>         media: Ethernet autoselect (1000baseTX )
>         status: active
>
> Has anyone seen similar effects? Is this connected to the network
> interface changes as of Jun 9?

For what it's worth, we are also seeing this same problem on pfSense
with, from what I can tell, all NICs. Let me know if you need any
more information.
It seems to have broken around the 10th.

Regards,

Scott

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 02:18:58 2005
Date: Sun, 26 Jun 2005 03:18:00 +0100
From: Sascha Luck
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Message-ID: <20050626021800.GB45376@saoirse.c4inet.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On Sat, Jun 25, 2005 at 10:11:31PM -0400, Scott Ullrich wrote:
> It seems to have broken around the 10th.

That seems to confirm my suspicion that Brooks Davis' networking
changes have something to do with it. IIRC, he committed them
around that time.

> Scott

s.

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 14:48:30 2005
Date: Sun, 26 Jun 2005 16:48:31 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Message-Id: <200506261648.38553.max@love2party.net>
In-Reply-To: <20050626021800.GB45376@saoirse.c4inet.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On Sunday 26 June 2005 04:18, Sascha Luck wrote:
> On Sat, Jun 25, 2005 at 10:11:31PM -0400, Scott Ullrich wrote:
> > It seems to have broken around the 10th.
>
> That seems to confirm my suspicion that Brooks Davis' networking
> changes have something to do with it. IIRC, he committed them
> around that time.

Can you verify that it breaks with if_pfsync.c,rev. 1.16? Unfortunately, rev.
1.17 happened just one hour after 1.16 and also includes serious changes to
pfsync.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 15:03:06 2005
Date: Sun, 26 Jun 2005 16:02:06 +0100
From: Sascha Luck
To: Max Laier
Cc: freebsd-pf@freebsd.org
Message-ID: <20050626150206.GA46138@saoirse.c4inet.net>
In-Reply-To: <200506261648.38553.max@love2party.net>
Subject: Re: pfsync / 6-CURRENT-amd64

Hi Max,

On Sun, Jun 26, 2005 at 04:48:31PM +0200, Max Laier wrote:
> Can you verify that it breaks with if_pfsync.c,rev. 1.16? Unfortunately, rev.
> 1.17 happend just one hour after 1.16 and also includes serious changes to
> pfsync.

I've updated last night, the current revision is 1.18, and no change
in behaviour from the previous.

rgds,
s.

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 15:30:13 2005
Date: Sun, 26 Jun 2005 10:30:11 -0500
From: "Ninneman, TJ"
To: freebsd-pf@freebsd.org
Message-Id: <200506261530.j5QFUBZU007706@outbound4.mail.tds.net>
Subject: Outbound SSH problem

> Yes, RTFMP, with a default policy of block, there is no need for specific
> rules to stop things like outbound ssh traffic.
>
> Logging will tell you the rest.

Yes, I'm compromised or yes, I'm misreading the output? Like I said in my
original post, logging isn't telling me anything; just the daily security
run or /var/log/pf.today.

While a default-to-deny policy will stop outbound ssh, you'll notice in my
ruleset that I am allowing everything out on this server, so that rule is
necessary. I just really would like to know if these outbound ssh packets
are nothing or if I have a problem on my hands.

Thanks for the help!

Terry J.
Ninneman

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 15:49:17 2005
Date: Sun, 26 Jun 2005 17:49:01 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Message-Id: <200506261749.08529.max@love2party.net>
In-Reply-To: <200506251645.j5PGjoRb028520@outbound1.mail.tds.net>
Subject: Re: Outbound SSH problem

On Saturday 25 June 2005 18:45, Ninneman, TJ wrote:
> I'm having some trouble on both my 5.3 and 5.4 FreeBSD servers running PF.
> My ruleset explicitly blocks outbound ssh from my servers to prevent
> attacks on other servers in the event that one of my servers is
> compromised. The problem is that I have noticed (after a few days of the
> server being up) my daily run output showing both TCP and UDP packets being
> dropped outbound:
>
> block drop out quick on em0 proto tcp from any to any port = ssh
> [ Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
    ~~~~~~~~~~~               ^        ^
>
> block drop out quick on em0 proto udp from any to any port = ssh
> [ Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
    ~~~~~~~~~~~                ^        ^
>
> My question is, are my servers compromised or am I misreading the run
> output?

You are misreading the output.
The "Evaluations" counter only shows that a packet was checked against the
rule; unless Packets and Bytes are also increased, the packet didn't match.

You could check that yourself: just try to make an ssh connection from the
server in question and see how the Packets/Bytes counters increase.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
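Max's rule of thumb (Evaluations only records that a packet was compared against the rule; a real hit moves Packets and Bytes) is easy to turn into a small triage check over `pfctl -vsr` output. The program below is an added example for this archive, not code from the list, from pf or from pfSense: it parses a constructed sample in the same two-line layout quoted above (the rule, then its bracketed counter line) and reports which rules actually matched traffic. The two ssh rules in the sample copy TJ's counters; the pass and telnet rules and their numbers are made up, and every function name is the example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES 32
#define RULE_TEXT_LEN 160

struct rule_counters {
    char rule[RULE_TEXT_LEN];
    unsigned long evaluations, packets, bytes, states;
};

/*
 * Constructed sample of `pfctl -vsr` output.  The two ssh rules carry the
 * numbers from TJ's report; the other two rules and their counters are made up.
 */
static const char sample_pfctl_output[] =
    "block drop out quick on em0 proto tcp from any to any port = ssh\n"
    "  [ Evaluations: 437       Packets: 0         Bytes: 0           States: 0     ]\n"
    "block drop out quick on em0 proto udp from any to any port = ssh\n"
    "  [ Evaluations: 1505      Packets: 0         Bytes: 0           States: 0     ]\n"
    "pass out on em0 all flags S/SA keep state\n"
    "  [ Evaluations: 1942      Packets: 88213     Bytes: 61902115    States: 12    ]\n"
    "block drop in on em0 proto tcp from any to any port = telnet\n"
    "  [ Evaluations: 310       Packets: 3         Bytes: 180         States: 0     ]\n";

/* Parse rule/counter line pairs; returns the number of rules filled into out. */
int parse_pfctl_rules(const char *text, struct rule_counters *out, int max_rules)
{
    char line[512];
    const char *p = text;
    int n = 0, have_rule = 0;

    while (*p != '\0' && n < max_rules) {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl != NULL ? nl + 1 : p + len;

        const char *br = strstr(line, "[ Evaluations:");
        if (br != NULL) {
            /* counter line: belongs to the rule line seen just before it */
            if (have_rule && sscanf(br, "[ Evaluations: %lu Packets: %lu Bytes: %lu States: %lu",
                                    &out[n].evaluations, &out[n].packets,
                                    &out[n].bytes, &out[n].states) == 4)
                n++;
            have_rule = 0;
        } else if (line[0] != '\0' && line[0] != ' ') {
            /* rule line: remember its text until its counters arrive */
            strncpy(out[n].rule, line, RULE_TEXT_LEN - 1);
            out[n].rule[RULE_TEXT_LEN - 1] = '\0';
            have_rule = 1;
        }
    }
    return n;
}

/* Evaluations only says the packet was checked; a hit moves Packets and Bytes. */
int rule_matched(const struct rule_counters *r)
{
    return r->packets > 0 || r->bytes > 0;
}

/* Number of block rules that actually dropped traffic: those are the ones to look into. */
int count_matched_block_rules(const char *text)
{
    struct rule_counters rules[MAX_RULES];
    int n = parse_pfctl_rules(text, rules, MAX_RULES), hits = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(rules[i].rule, "block", 5) == 0 && rule_matched(&rules[i]))
            hits++;
    return hits;
}

/* Single-value accessors over the embedded sample. */
int sample_rule_count(void)
{
    struct rule_counters rules[MAX_RULES];
    return parse_pfctl_rules(sample_pfctl_output, rules, MAX_RULES);
}

int sample_rule_matched(int idx)   /* -1 when idx is out of range */
{
    struct rule_counters rules[MAX_RULES];
    int n = parse_pfctl_rules(sample_pfctl_output, rules, MAX_RULES);
    return idx >= 0 && idx < n ? rule_matched(&rules[idx]) : -1;
}

unsigned long sample_rule_evaluations(int idx)
{
    struct rule_counters rules[MAX_RULES];
    int n = parse_pfctl_rules(sample_pfctl_output, rules, MAX_RULES);
    return idx >= 0 && idx < n ? rules[idx].evaluations : 0;
}

int main(void)
{
    struct rule_counters rules[MAX_RULES];
    int n = parse_pfctl_rules(sample_pfctl_output, rules, MAX_RULES);
    for (int i = 0; i < n; i++)
        printf("%-14s  %s\n", rule_matched(&rules[i]) ? "MATCHED" : "evaluated only", rules[i].rule);
    return 0;
}
```

Running it prints one line per rule: the two ssh block rules come out as "evaluated only" and the telnet block rule as matched. `count_matched_block_rules` is the number a daily report would want to raise; a block rule showing hundreds of Evaluations and zero Packets is exactly the harmless case Max describes.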
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 15:53:48 2005
Date: Sun, 26 Jun 2005 16:52:48 +0100
From: Sascha Luck
To: Max Laier
Cc: freebsd-pf@freebsd.org
Message-ID: <20050626155248.GB46138@saoirse.c4inet.net>
In-Reply-To: <200506261648.38553.max@love2party.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On Sun, Jun 26, 2005 at 04:48:31PM +0200, Max Laier wrote:
> Can you verify that it breaks with if_pfsync.c,rev. 1.16? Unfortunately, rev.
> 1.17 happend just one hour after 1.16 and also includes serious changes to
> pfsync.

I've rebuilt both with 1.16 and there now is pfsync traffic. Yep, and state
tables are being synchronised again too. :)

rgds,
s.

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 16:17:26 2005
Date: Sun, 26 Jun 2005 18:17:14 +0200
From: Max Laier
To: Sascha Luck
Cc: freebsd-pf@freebsd.org
Message-Id: <200506261817.21799.max@love2party.net>
In-Reply-To: <20050626155248.GB46138@saoirse.c4inet.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On Sunday 26 June 2005 17:52, Sascha Luck wrote:
> On Sun, Jun 26, 2005 at 04:48:31PM +0200, Max Laier wrote:
> > Can you verify that it breaks with if_pfsync.c,rev. 1.16? Unfortunately,
> > rev. 1.17 happend just one hour after 1.16 and also includes serious
> > changes to pfsync.
>
> I've rebuilt both with 1.16 and there now is pfsync traffic. Yep, and state
> tables are being synchronised again too. :)

Can you try the attached patch, please?
I forgot to initialize ifq_maxlen, it seems :-\

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: fix_pfsync.diff (text/x-diff)

Index: if_pfsync.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.c,v
retrieving revision 1.18
diff -u -r1.18 if_pfsync.c
--- if_pfsync.c	12 Jun 2005 16:46:20 -0000	1.18
+++ if_pfsync.c	26 Jun 2005 16:15:49 -0000
@@ -224,6 +224,7 @@
 	callout_init(&sc->sc_bulk_tmo, NET_CALLOUT_MPSAFE);
 	callout_init(&sc->sc_bulkfail_tmo, NET_CALLOUT_MPSAFE);
 	callout_init(&sc->sc_send_tmo, NET_CALLOUT_MPSAFE);
+	&sc->sc_ifq.ifq_maxlen = 64;
 	mtx_init(&sc->sc_ifq.ifq_mtx, ifp->if_xname, "pfsync send queue", MTX_DEF);
 	if_attach(ifp);
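Review bot: the added line `&sc->sc_ifq.ifq_maxlen = 64;` applies the address-of operator to the left-hand side, so the assignment target is not an lvalue and the file will not compile; it should read `sc->sc_ifq.ifq_maxlen = 64;`. The initialization itself is the right fix for the reported symptom: the queue-full test that IF_HANDOFF performs compares ifq_len against ifq_maxlen, so a softc whose ifq_maxlen is still zero refuses every packet handed to the pfsync send queue and nothing is ever transmitted on the sync interface. A short comment on why 64 was chosen, or a named constant, would help, since the value is otherwise unexplained.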
@@ -1797,7 +1798,7 @@
 
 	pfsyncstats.pfsyncs_opackets++;
 #ifdef __FreeBSD__
-	if (IF_HANDOFF(&sc->sc_ifq, m, NULL))
+	if (!IF_HANDOFF(&sc->sc_ifq, m, NULL))
 		pfsyncstats.pfsyncs_oerrors++;
 	callout_reset(&sc->sc_send_tmo, 1, pfsync_senddef, sc);
 #else
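Review bot: inverting the condition to `if (!IF_HANDOFF(&sc->sc_ifq, m, NULL))` is correct, because IF_HANDOFF returns nonzero when it queued the mbuf and zero when the queue was full and it dropped the packet; the old line charged pfsyncs_oerrors for every successful handoff and never for a failure. Nothing more is needed in the error path, since IF_HANDOFF frees the mbuf it rejects, but a one-line comment saying so would spare the next reader a search for a leak. The callout_reset that follows runs in both cases, which is fine: it only schedules the drain of whatever did make it onto the queue.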
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 16:41:23 2005
Date: Sun, 26 Jun 2005 17:40:23 +0100
From: Sascha Luck
To: Max Laier
Cc: freebsd-pf@freebsd.org
Message-ID: <20050626164023.GC46138@saoirse.c4inet.net>
In-Reply-To: <200506261817.21799.max@love2party.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On Sun, Jun 26, 2005 at 06:17:14PM +0200, Max Laier wrote:
> Can you try the attached patch, please? I forgot to initialize ifq_maxlen, it
> seems :-\

That breaks:

cc -c -O2 -frename-registers -pipe -fno-strict-aliasing -Wall
-Wredundant-decls -Wnested-externs -Wstrict-prototypes
-Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual
-fformat-extensions -std=c99 -nostdinc -I- -I. -I../../..
-I../../../contrib/dev/acpica -I../../../contrib/altq
-I../../../contrib/ipfilter -I../../../contrib/pf -I../../../contrib/dev/ath
-I../../../contrib/dev/ath/freebsd -I../../../contrib/ngatm -I../../../dev/twa
-D_KERNEL -include opt_global.h -fno-common -finline-limit=8000 --param
inline-unit-growth=100 --param large-function-growth=1000 -mcmodel=kernel
-mno-red-zone -mfpmath=387 -mno-sse -mno-sse2 -mno-mmx -mno-3dnow
-msoft-float -fno-asynchronous-unwind-tables -ffreestanding -Werror
../../../contrib/pf/net/if_pfsync.c
../../../contrib/pf/net/if_pfsync.c: In function `pfsync_clone_create':
../../../contrib/pf/net/if_pfsync.c:227: error: invalid lvalue in assignment
*** Error code 1

cheers,
s.
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 17:50:09 2005
Date: Sun, 26 Jun 2005 19:49:54 +0200
From: Max Laier
To: Sascha Luck
Cc: freebsd-pf@freebsd.org
Message-Id: <200506261950.00884.max@love2party.net>
In-Reply-To: <20050626164023.GC46138@saoirse.c4inet.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On Sunday 26 June 2005 18:40, Sascha Luck wrote:
> On Sun, Jun 26, 2005 at 06:17:14PM +0200, Max Laier wrote:
> > Can you try the attached patch, please? I forgot to initialize
> > ifq_maxlen, it seems :-\
>
> That breaks:
>
> cc -c -O2 -frename-registers -pipe -fno-strict-aliasing -Wall
> -Wredundant-decls -Wnested-externs -Wstrict-prototypes
> -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual
> -fformat-extensions -std=c99 -nostdinc -I- -I. -I../../..
> -I../../../contrib/dev/acpica -I../../../contrib/altq -I../../../contrib
> /ipfilter -I../../../contrib/pf -I../../../contrib/dev/ath -I../../..
> /contrib/dev/ath/freebsd -I../../../contrib/ngatm -I../../../dev/twa
> -D_KERNEL -include opt_global.h -fno-common -finline-limit=8000 --param
> inline-unit-growth=100 --param large-function-growth=1000 -mcmodel=kernel
> -mno-red-zone -mfpmath=387 -mno-sse -mno-sse2 -mno-mmx -mno-3dnow
> -msoft-float -fno-asynchronous-unwind-tables -ffreestanding -Werror
> ../../../contrib/pf/net/if_pfsync.c ../../../contrib/pf/net/if_pfsync.c: In
> function `pfsync_clone_create': ../../../contrib/pf/net/if_pfsync.c:227:
> error: invalid lvalue in assignment *** Error code 1

It's just one of these days, I guess ... please use this patch instead or
remove the "&" in line 227. Sorry.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: fix_pfsync.diff (text/x-diff)

Index: if_pfsync.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.c,v
retrieving revision 1.18
diff -u -r1.18 if_pfsync.c
--- if_pfsync.c	12 Jun 2005 16:46:20 -0000	1.18
+++ if_pfsync.c	26 Jun 2005 16:15:49 -0000
@@ -224,6 +224,7 @@
 	callout_init(&sc->sc_bulk_tmo, NET_CALLOUT_MPSAFE);
 	callout_init(&sc->sc_bulkfail_tmo, NET_CALLOUT_MPSAFE);
 	callout_init(&sc->sc_send_tmo, NET_CALLOUT_MPSAFE);
+	sc->sc_ifq.ifq_maxlen = 64;
 	mtx_init(&sc->sc_ifq.ifq_mtx, ifp->if_xname, "pfsync send queue", MTX_DEF);
 	if_attach(ifp);
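Review bot: with the stray `&` gone, `sc->sc_ifq.ifq_maxlen = 64;` is a valid assignment and the "invalid lvalue" error from the first patch is resolved. The value 64 is still undocumented: because the queue-full check refuses a packet as soon as ifq_len reaches ifq_maxlen, it is the ceiling on pfsync packets waiting for pfsync_senddef, and a comment or a named constant saying so would record the choice. Placing the assignment before if_attach, as this hunk does, is the right order, since nothing can hand packets to the queue before the interface is attached.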
@@ -1797,7 +1798,7 @@
 
 	pfsyncstats.pfsyncs_opackets++;
 #ifdef __FreeBSD__
-	if (IF_HANDOFF(&sc->sc_ifq, m, NULL))
+	if (!IF_HANDOFF(&sc->sc_ifq, m, NULL))
 		pfsyncstats.pfsyncs_oerrors++;
 	callout_reset(&sc->sc_send_tmo, 1, pfsync_senddef, sc);
 #else
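Review bot: this hunk is identical to the one in the first patch and the inverted condition is the right one, since IF_HANDOFF returns 1 when it queued the mbuf and 0 when it dropped and freed it, so pfsyncs_oerrors now counts real failures only. As the two patches differ solely in the removed `&` of the first hunk, a sentence to that effect in the eventual commit message would help anyone bisecting between rev. 1.18 and the committed fix.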
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 26 20:44:45 2005
Date: Sun, 26 Jun 2005 21:43:44 +0100
From: Sascha Luck
To: Max Laier
Cc: freebsd-pf@freebsd.org
Message-ID: <20050626204344.GA50599@saoirse.c4inet.net>
In-Reply-To: <200506261950.00884.max@love2party.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On Sun, Jun 26, 2005 at 07:49:54PM +0200, Max Laier wrote:
> It's just one of these days, I guess ... please use this patch instead or
> remove the "&" in line 227. Sorry.

Yep, that works fine.

Cheers :)
s.
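The two hunks in Max's patch, and the symptom that started the thread, can be reproduced with a small userland model of the kernel pieces they touch. This is an added example written for this archive, not kernel code and not part of the thread: `if_handoff` follows the kernel's IF_HANDOFF convention (returns 1 when the mbuf was queued, 0 when the queue was full and the mbuf was dropped and freed) and its queue-full test is the kernel's ifq_len >= ifq_maxlen; the struct layouts, `send_packets` and the accessor functions are stand-ins chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userland stand-ins for the kernel structures; field names follow the kernel's ifqueue. */
struct mbuf {
    struct mbuf *m_nextpkt;
    int len;
};

struct ifqueue {
    struct mbuf *ifq_head;
    struct mbuf *ifq_tail;
    int ifq_len;
    int ifq_maxlen;   /* stays 0 when the softc is allocated zeroed and nobody sets it */
    int ifq_drops;
};

struct pfsync_stats {
    unsigned long opackets;
    unsigned long oerrors;
};

/* Same test as the kernel's queue-full check: full whenever ifq_len >= ifq_maxlen. */
static int if_qfull(const struct ifqueue *q)
{
    return q->ifq_len >= q->ifq_maxlen;
}

/* Mirrors IF_HANDOFF: returns 1 if the packet was queued, 0 if it was dropped and freed. */
int if_handoff(struct ifqueue *q, struct mbuf *m)
{
    if (if_qfull(q)) {
        q->ifq_drops++;
        free(m);
        return 0;
    }
    m->m_nextpkt = NULL;
    if (q->ifq_tail != NULL)
        q->ifq_tail->m_nextpkt = m;
    else
        q->ifq_head = m;
    q->ifq_tail = m;
    q->ifq_len++;
    return 1;
}

static void ifq_drain(struct ifqueue *q)
{
    struct mbuf *m = q->ifq_head;
    while (m != NULL) {
        struct mbuf *next = m->m_nextpkt;
        free(m);
        m = next;
    }
    q->ifq_head = q->ifq_tail = NULL;
    q->ifq_len = 0;
}

/*
 * Push n packets through a freshly allocated queue whose ifq_maxlen is set to
 * maxlen (0 reproduces the forgotten initialization).  inverted_test selects the
 * pre-patch accounting "if (IF_HANDOFF(...)) oerrors++".  Returns how many
 * packets actually reached the queue.
 */
int send_packets(int maxlen, int n, int inverted_test, struct pfsync_stats *st)
{
    struct ifqueue *q = calloc(1, sizeof *q);   /* zeroed, like the kernel softc */
    q->ifq_maxlen = maxlen;
    memset(st, 0, sizeof *st);

    for (int i = 0; i < n; i++) {
        struct mbuf *m = calloc(1, sizeof *m);
        int ok;
        st->opackets++;
        ok = if_handoff(q, m);
        if (inverted_test ? ok : !ok)
            st->oerrors++;
    }
    int queued = q->ifq_len;
    ifq_drain(q);
    free(q);
    return queued;
}

/* Single-number accessors: run one scenario and return the queued or error count. */
int queued_count(int maxlen, int n, int inverted_test)
{
    struct pfsync_stats st;
    return send_packets(maxlen, n, inverted_test, &st);
}

unsigned long error_count(int maxlen, int n, int inverted_test)
{
    struct pfsync_stats st;
    send_packets(maxlen, n, inverted_test, &st);
    return st.oerrors;
}

int main(void)
{
    printf("maxlen 0 : queued %d of 10, oerrors %lu\n", queued_count(0, 10, 0), error_count(0, 10, 0));
    printf("maxlen 64: queued %d of 10, oerrors %lu\n", queued_count(64, 10, 0), error_count(64, 10, 0));
    printf("maxlen 64, pre-patch test: queued %d of 10 but oerrors %lu\n",
           queued_count(64, 10, 1), error_count(64, 10, 1));
    return 0;
}
```

With maxlen 0, which is what a zeroed softc gives when the field is never set, every handoff fails and nothing reaches the queue, matching the "no traffic on the sync interface" report at the top of the thread; with 64 the queue accepts up to 64 outstanding packets and refuses the rest. The inverted_test flag reproduces the pre-patch accounting, which charged an error for each successful handoff and none for the failures, so the counters said the opposite of what was happening.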
From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 11:01:54 2005
Date: Mon, 27 Jun 2005 11:01:53 GMT
Message-Id: <200506271101.j5RB1rEw043101@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/19]  ia64/81284  pf     Unaligned Reference with pf on 5.4/IA64
o [2005/06/15]  kern/82271  pf     cbq scheduler cause bad latency

2 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
f [2005/02/09]  kern/77308  pf     ALTQ doesn't seem to be working on tun0
o [2005/05/15]  conf/81042  pf     /etc/pf.os doesn't match FreeBSD 5.3->5.4

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 17:09:19 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Mon, 27 Jun 2005 19:09:10 +0200
In-Reply-To: <200506261950.00884.max@love2party.net>
Message-Id: <200506271909.15739.max@love2party.net>
Subject: Re: pfsync / 6-CURRENT-amd64

All,

here is a patch for RELENG_5 to try.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="pfsync_r5.diff"

Index: if_pfsync.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.c,v retrieving revision 1.11.2.2 diff -u -r1.11.2.2 if_pfsync.c =2D-- if_pfsync.c 19 May 2005 10:59:22 -0000 1.11.2.2 +++ if_pfsync.c 27 Jun 2005 17:00:20 -0000 @@ -130,6 +130,7 @@ =20 static void pfsync_clone_destroy(struct ifnet *); static int pfsync_clone_create(struct if_clone *, int); +static void pfsync_senddef(void *); #else void pfsyncattach(int); #endif @@ -170,6 +171,8 @@ callout_stop(&sc->sc_bulk_tmo); callout_stop(&sc->sc_bulkfail_tmo); =20 + callout_stop(&sc->sc_send_tmo); + #if NBPFILTER > 0 bpfdetach(ifp); #endif @@ -208,14 +211,13 @@ ifp->if_baudrate =3D IF_Mbps(100); ifp->if_softc =3D sc; pfsync_setmtu(sc, MCLBYTES); =2D /* =2D * XXX =2D * The 2nd arg. 0 to callout_init(9) shoule be set to CALLOUT_MPSAFE =2D * if Gaint lock is removed from the network stack. =2D */ =2D callout_init(&sc->sc_tmo, 0); =2D callout_init(&sc->sc_bulk_tmo, 0); =2D callout_init(&sc->sc_bulkfail_tmo, 0); + callout_init(&sc->sc_tmo, NET_CALLOUT_MPSAFE); + callout_init(&sc->sc_bulk_tmo, NET_CALLOUT_MPSAFE); + callout_init(&sc->sc_bulkfail_tmo, NET_CALLOUT_MPSAFE); + callout_init(&sc->sc_send_tmo, NET_CALLOUT_MPSAFE); + sc->sc_ifq.ifq_maxlen =3D ifqmaxlen; + mtx_init(&sc->sc_ifq.ifq_mtx, ifp->if_xname, "pfsync send queue", + MTX_DEF); if_attach(&sc->sc_if); =20 LIST_INSERT_HEAD(&pfsync_list, sc, sc_next);
@@ -913,6 +915,7 @@ if (pfsyncr.pfsyncr_maxupdates > 255) return (EINVAL); #ifdef __FreeBSD__ + callout_drain(&sc->sc_send_tmo); PF_LOCK(); #endif sc->sc_maxupdates =3D pfsyncr.pfsyncr_maxupdates; @@ -1634,15 +1637,13 @@ #endif =20 pfsyncstats.pfsyncs_opackets++; =2D #ifdef __FreeBSD__ =2D PF_UNLOCK(); =2D#endif + if (!IF_HANDOFF(&sc->sc_ifq, m, NULL)) + pfsyncstats.pfsyncs_oerrors++; + callout_reset(&sc->sc_send_tmo, 1, pfsync_senddef, sc); +#else if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL)) pfsyncstats.pfsyncs_oerrors++; =2D =2D#ifdef __FreeBSD__ =2D PF_LOCK(); #endif } else m_freem(m); @@ -1650,8 +1651,22 @@ return (0); } =20 =2D #ifdef __FreeBSD__ +static void +pfsync_senddef(void *arg) +{ + struct pfsync_softc *sc =3D (struct pfsync_softc *)arg; + struct mbuf *m; + + for(;;) { + IF_DEQUEUE(&sc->sc_ifq, m); + if (m =3D=3D NULL) + break; + if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL)) + pfsyncstats.pfsyncs_oerrors++; + } +} + static int pfsync_modevent(module_t mod, int type, void *data) { Index: if_pfsync.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.h,v retrieving revision 1.4 diff -u -r1.4 if_pfsync.h =2D-- if_pfsync.h 16 Jun 2004 23:24:00 -0000 1.4 +++ if_pfsync.h 27 Jun 2005 17:00:40 -0000 
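Review bot: in the pfsync_clone_destroy hunk (@@ -170,6 +171,8 @@), callout_stop(&sc->sc_send_tmo) on its own is not enough: any mbufs still sitting on sc_ifq are leaked, the mutex created by the new mtx_init(&sc->sc_ifq.ifq_mtx, ...) in the next hunk is never destroyed, and callout_stop() does not wait for a pfsync_senddef() that is already running on another CPU now that the callout is NET_CALLOUT_MPSAFE. Suggest callout_drain(&sc->sc_send_tmo); IF_DRAIN(&sc->sc_ifq); mtx_destroy(&sc->sc_ifq.ifq_mtx); before the softc goes away.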
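Review bot: the callout_drain(&sc->sc_send_tmo) added before PF_LOCK() in the ioctl hunk (@@ -913,6 +915,7 @@) needs a comment saying what it protects. The code that follows only writes sc_maxupdates, which pfsync_senddef() never reads, so either the drain is unnecessary here or it guards something outside this hunk (most likely sc_imo, which pfsync_senddef() passes to ip_output() without a lock); say which. Also note that pfsync_sendout() can re-arm the callout with callout_reset() as soon as the drain returns, so by itself the drain narrows the race rather than closing it.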
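Review bot: in the pfsync_sendout hunk (@@ -1634,15 +1637,13 @@) pfsyncstats.pfsyncs_opackets++ runs before IF_HANDOFF(), so a packet dropped because sc_ifq is full (IF_HANDOFF frees the mbuf and returns 0) is counted as both an output packet and an output error; move the increment into the success path, or count it in pfsync_senddef() once ip_output() succeeds. A one-line comment that the mbuf must not be touched after a failed IF_HANDOFF() would help the next reader, and the callout_reset(..., 1, ...) means every state update now waits up to one tick before leaving the box, which belongs in the commit message.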
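Review bot: pfsync_senddef() (@@ -1650,8 +1651,22 @@) runs with no lock held and hands sc->sc_imo straight to ip_output(); since the diff adds no synchronisation for sc_imo, a comment stating who may modify it and under which lock would make the new concurrency assumption explicit. The drain loop is also unbounded, so a burst that fills sc_ifq (ifq_maxlen is set to ifqmaxlen) is pushed out in a single callout invocation; acceptable, but worth a comment. Style: for(;;) should be for (;;) per style(9).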
@@ -158,8 +158,12 @@ struct timeout sc_bulkfail_tmo; #endif struct in_addr sc_sendaddr; =2D struct mbuf *sc_mbuf; /* current cummulative mbuf */ =2D struct mbuf *sc_mbuf_net; /* current cummulative mbuf */ + struct mbuf *sc_mbuf; /* current cumulative mbuf */ + struct mbuf *sc_mbuf_net; /* current cumulative mbuf */ +#ifdef __FreeBSD__ + struct ifqueue sc_ifq; + struct callout sc_send_tmo; +#endif union sc_statep sc_statep; union sc_statep sc_statep_net; u_int32_t sc_ureq_received;

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 17:13:00 2005
Date: Mon, 27 Jun 2005 13:12:58 -0400
From: Scott Ullrich
To: Max Laier
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200506271909.15739.max@love2party.net>
Subject: Re: pfsync / 6-CURRENT-amd64

On 6/27/05, Max Laier wrote:
> All,
>
> here is a patch for RELENG_5 to try.

FYI: everything has been working great on -CURRENT since your commit yesterday.

Scott

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 16:25:27 2005
Date: Tue, 28 Jun 2005 11:25:23 -0500
Message-ID: <28FCC7CB4CF6EA43AF83BCA2096E97D013E572@AUSEX2VS1.seton.org>
From: "Grooms, Matthew"
Cc: rwatson@freebsd.org, IS-Network
Subject: pf performance issues ...

I am seeing some pretty severe performance issues with pf+pfsync on FreeBSD 5.4-RELEASE and would like to get some advice on tuning for a largish environment. I have had some traffic moving across these firewalls for a few weeks without issue but had not pointed our default route to it until this morning.

Although processor utilization was very low (2-5%), throughput on the firewall was very very poor. TCP connections were in some cases taking 15-30 seconds to set up and in other cases never did. We had to revert our default route to an older firewall to keep operations going.

This is a dual 3GHz amd64 box (UP kernel at the moment), with 4 gigs of ram and 6x em interfaces. It is mostly a stock kernel with pf, pfsync, carp and altq (but no altq rules) support compiled in and ipv6 disabled (config attached).

Am I running into a limit on some kernel tunable? After a few minutes of routing traffic to the pf setup, the state table had approx 10000 entries in it. Are there some global pf limits to tweak or should it scale well out of the box? The internet connection is only 7Mbit so I am at a loss. Is there a cache or buffer limit somewhere I should watch? Any ideas?
Thanks in advance,

Matthew Grooms

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 16:29:24 2005
Date: Tue, 28 Jun 2005 12:29:23 -0400
From: Scott Ullrich
To: "Grooms, Matthew"
Cc: IS-Network, rwatson@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <28FCC7CB4CF6EA43AF83BCA2096E97D013E572@AUSEX2VS1.seton.org>
Subject: Re: pf performance issues ...

On 6/28/05, Grooms, Matthew wrote:
[snip]
> This is a dual 3GHz amd64 box ( UP kernel at the moment ), with 4 gigs of ram and 6x em interfaces. It is mostly a stock kernel with pf,pfsync,carp and altq ( but no altq rules ) support compiled in and ipv6 disabled ( config attached ).

Is this running natively as 64 bit or i386 32bit?

> Am I running into a limit on some kernel tunable? After a few minutes of routing traffic to pf setup, the state table had approx 10000 entries in it. Are there some global pf limits to tweak or should it scale well out of the box? The internet connection is only 7Mbit so I am at a loss. Is there a cache or buffer limit somewhere I should watch? Any ideas?

I believe the default state limit size is 10,000. Could you be hitting this number and then noticing the slowdown because you're out of state entries?
Scott

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 16:30:02 2005
Date: Tue, 28 Jun 2005 11:28:43 -0500
Message-ID: <28FCC7CB4CF6EA43AF83BCA2096E97D013E573@AUSEX2VS1.seton.org>
References: <28FCC7CB4CF6EA43AF83BCA2096E97D013E572@AUSEX2VS1.seton.org>
From: "Grooms, Matthew"
To: "Grooms, Matthew"
Cc: rwatson@freebsd.org, IS-Network
Subject: RE: pf performance issues ...

Forgot the kernel config ...

Matthew Grooms

Content-Type: text/plain; name="CUSTOM"
Content-Disposition: attachment; filename="CUSTOM"
eSBvZiBhIGxpbmUsIGNoZWNrIGZpcnN0CiMgaW4gTk9URVMuCiMKIyAkRnJlZUJTRDogc3JjL3N5 cy9hbWQ2NC9jb25mL0dFTkVSSUMsdiAxLjQyMS4yLjExLjIuMSAyMDA1LzA0LzA5IDE3OjI4OjM3 IGtlbnNtaXRoIEV4cCAkCgptYWNoaW5lCQlhbWQ2NApjcHUJCUhBTU1FUgppZGVudAkJQ1VTVE9N CgojIFRvIHN0YXRpY2FsbHkgY29tcGlsZSBpbiBkZXZpY2Ugd2lyaW5nIGluc3RlYWQgb2YgL2Jv b3QvZGV2aWNlLmhpbnRzCiNoaW50cwkJIkdFTkVSSUMuaGludHMiCQkjIERlZmF1bHQgcGxhY2Vz IHRvIGxvb2sgZm9yIGRldmljZXMuCgpvcHRpb25zIAlTQ0hFRF80QlNECQkjIDRCU0Qgc2NoZWR1 bGVyCm9wdGlvbnMgCUlORVQJCQkjIEludGVyTkVUd29ya2luZwojb3B0aW9ucyAJSU5FVDYJCQkj IElQdjYgY29tbXVuaWNhdGlvbnMgcHJvdG9jb2xzCm9wdGlvbnMgCUZGUwkJCSMgQmVya2VsZXkg RmFzdCBGaWxlc3lzdGVtCm9wdGlvbnMgCVNPRlRVUERBVEVTCQkjIEVuYWJsZSBGRlMgc29mdCB1 cGRhdGVzIHN1cHBvcnQKb3B0aW9ucyAJVUZTX0FDTAkJCSMgU3VwcG9ydCBmb3IgYWNjZXNzIGNv bnRyb2wgbGlzdHMKb3B0aW9ucyAJVUZTX0RJUkhBU0gJCSMgSW1wcm92ZSBwZXJmb3JtYW5jZSBv biBiaWcgZGlyZWN0b3JpZXMKb3B0aW9ucyAJTURfUk9PVAkJCSMgTUQgaXMgYSBwb3RlbnRpYWwg cm9vdCBkZXZpY2UKb3B0aW9ucyAJTkZTQ0xJRU5UCQkjIE5ldHdvcmsgRmlsZXN5c3RlbSBDbGll bnQKb3B0aW9ucyAJTkZTU0VSVkVSCQkjIE5ldHdvcmsgRmlsZXN5c3RlbSBTZXJ2ZXIKb3B0aW9u cyAJTkZTX1JPT1QJCSMgTkZTIHVzYWJsZSBhcyAvLCByZXF1aXJlcyBORlNDTElFTlQKb3B0aW9u cyAJTlRGUwkJCSMgTlQgRmlsZSBTeXN0ZW0Kb3B0aW9ucyAJTVNET1NGUwkJCSMgTVNET1MgRmls ZXN5c3RlbQpvcHRpb25zIAlDRDk2NjAJCQkjIElTTyA5NjYwIEZpbGVzeXN0ZW0Kb3B0aW9ucyAJ UFJPQ0ZTCQkJIyBQcm9jZXNzIGZpbGVzeXN0ZW0gKHJlcXVpcmVzIFBTRVVET0ZTKQpvcHRpb25z IAlQU0VVRE9GUwkJIyBQc2V1ZG8tZmlsZXN5c3RlbSBmcmFtZXdvcmsKb3B0aW9ucyAJR0VPTV9H UFQJCSMgR1VJRCBQYXJ0aXRpb24gVGFibGVzLgpvcHRpb25zIAlDT01QQVRfNDMJCSMgTmVlZGVk IGJ5IENPTVBBVF9MSU5VWDMyCm9wdGlvbnMgCUNPTVBBVF9JQTMyCQkjIENvbXBhdGlibGUgd2l0 aCBpMzg2IGJpbmFyaWVzCm9wdGlvbnMgCUNPTVBBVF9GUkVFQlNENAkJIyBDb21wYXRpYmxlIHdp dGggRnJlZUJTRDQKb3B0aW9ucyAJQ09NUEFUX0xJTlVYMzIJCSMgQ29tcGF0aWJsZSB3aXRoIGkz ODYgbGludXggYmluYXJpZXMgCm9wdGlvbnMgCVNDU0lfREVMQVk9MTUwMDAJIyBEZWxheSAoaW4g bXMpIGJlZm9yZSBwcm9iaW5nIFNDU0kKb3B0aW9ucyAJS1RSQUNFCQkJIyBrdHJhY2UoMSkgc3Vw 
cG9ydApvcHRpb25zIAlTWVNWU0hNCQkJIyBTWVNWLXN0eWxlIHNoYXJlZCBtZW1vcnkKb3B0aW9u cyAJU1lTVk1TRwkJCSMgU1lTVi1zdHlsZSBtZXNzYWdlIHF1ZXVlcwpvcHRpb25zIAlTWVNWU0VN CQkJIyBTWVNWLXN0eWxlIHNlbWFwaG9yZXMKb3B0aW9ucyAJX0tQT1NJWF9QUklPUklUWV9TQ0hF RFVMSU5HICMgUE9TSVggUDEwMDNfMUIgcmVhbC10aW1lIGV4dGVuc2lvbnMKb3B0aW9ucyAJS0JE X0lOU1RBTExfQ0RFVgkjIGluc3RhbGwgYSBDREVWIGVudHJ5IGluIC9kZXYKb3B0aW9ucyAJQUhD X1JFR19QUkVUVFlfUFJJTlQJIyBQcmludCByZWdpc3RlciBiaXRmaWVsZHMgaW4gZGVidWcKCQkJ CQkjIG91dHB1dC4gIEFkZHMgfjEyOGsgdG8gZHJpdmVyLgpvcHRpb25zIAlBSERfUkVHX1BSRVRU WV9QUklOVAkjIFByaW50IHJlZ2lzdGVyIGJpdGZpZWxkcyBpbiBkZWJ1ZwoJCQkJCSMgb3V0cHV0 LiAgQWRkcyB+MjE1ayB0byBkcml2ZXIuCm9wdGlvbnMgCUFEQVBUSVZFX0dJQU5UCQkjIEdpYW50 IG11dGV4IGlzIGFkYXB0aXZlLgoKIyBXb3JrYXJvdW5kcyBmb3Igc29tZSBrbm93bi10by1iZS1i cm9rZW4gY2hpcHNldHMgKG5WaWRpYSBuRm9yY2UzLVBybzE1MCkKZGV2aWNlCQlhdHBpYwkJIyA4 MjU5QSBjb21wYXRhYmlsaXR5CgojIEVuYWJsaW5nIE5PX01JWEVEX01PREUgZ2l2ZXMgYSBwZXJm b3JtYW5jZSBpbXByb3ZlbWVudCBvbiBzb21lIG1vdGhlcmJvYXJkcwojIGJ1dCBkb2VzIG5vdCB3 b3JrIHdpdGggc29tZSBib2FyZHMgKG1vc3RseSBuVmlkaWEgY2hpcHNldCBiYXNlZCkuCm9wdGlv bnMgCU5PX01JWEVEX01PREUJIyBEb24ndCBwZW5hbGl6ZSB3b3JraW5nIGNoaXBzZXRzCgojIExp bnV4IDMyLWJpdCBBQkkgc3VwcG9ydApvcHRpb25zIAlMSU5QUk9DRlMJCSMgQ2Fubm90IGJlIGEg bW9kdWxlIHlldC4KCiMgQnVzIHN1cHBvcnQuICBEbyBub3QgcmVtb3ZlIGlzYSwgZXZlbiBpZiB5 b3UgaGF2ZSBubyBpc2Egc2xvdHMKZGV2aWNlCQlhY3BpCmRldmljZQkJaXNhCmRldmljZQkJcGNp CgojIEZsb3BweSBkcml2ZXMKZGV2aWNlCQlmZGMKCiMgQVRBIGFuZCBBVEFQSSBkZXZpY2VzCmRl dmljZQkJYXRhCmRldmljZQkJYXRhZGlzawkJIyBBVEEgZGlzayBkcml2ZXMKZGV2aWNlCQlhdGFy YWlkCQkjIEFUQSBSQUlEIGRyaXZlcwpkZXZpY2UJCWF0YXBpY2QJCSMgQVRBUEkgQ0RST00gZHJp dmVzCmRldmljZQkJYXRhcGlmZAkJIyBBVEFQSSBmbG9wcHkgZHJpdmVzCmRldmljZQkJYXRhcGlz dAkJIyBBVEFQSSB0YXBlIGRyaXZlcwpvcHRpb25zIAlBVEFfU1RBVElDX0lECSMgU3RhdGljIGRl dmljZSBudW1iZXJpbmcKCiMgU0NTSSBDb250cm9sbGVycwpkZXZpY2UJCWFoYwkJIyBBSEEyOTQw IGFuZCBvbmJvYXJkIEFJQzd4eHggZGV2aWNlcwpkZXZpY2UJCWFoZAkJIyBBSEEzOTMyMC8yOTMy 
MCBhbmQgb25ib2FyZCBBSUM3OXh4IGRldmljZXMKZGV2aWNlCQlhbWQJCSMgQU1EIDUzQzk3NCAo VGVrcmFtIERDLTM5MChUKSkKZGV2aWNlCQlpc3AJCSMgUWxvZ2ljIGZhbWlseQojZGV2aWNlIAlp c3BmdwkJIyBGaXJtd2FyZSBmb3IgUUxvZ2ljIEhCQXMtIG5vcm1hbGx5IGEgbW9kdWxlCmRldmlj ZQkJbXB0CQkjIExTSS1Mb2dpYyBNUFQtRnVzaW9uCiNkZXZpY2UJCW5jcgkJIyBOQ1IvU3ltYmlv cyBMb2dpYwpkZXZpY2UJCXN5bQkJIyBOQ1IvU3ltYmlvcyBMb2dpYyAobmV3ZXIgY2hpcHNldHMg KyB0aG9zZSBvZiBgbmNyJykKZGV2aWNlCQl0cm0JCSMgVGVrcmFtIERDMzk1VS9VVy9GIERDMzE1 VSBhZGFwdGVycwoKZGV2aWNlCQlhZHYJCSMgQWR2YW5zeXMgU0NTSSBhZGFwdGVycwpkZXZpY2UJ CWFkdwkJIyBBZHZhbnN5cyB3aWRlIFNDU0kgYWRhcHRlcnMKZGV2aWNlCQlhaWMJCSMgQWRhcHRl YyAxNVswMTJdeCBTQ1NJIGFkYXB0ZXJzLCBBSUMtNlsyM102MC4KZGV2aWNlCQlidAkJIyBCdXNs b2dpYy9NeWxleCBNdWx0aU1hc3RlciBTQ1NJIGFkYXB0ZXJzCgoKIyBTQ1NJIHBlcmlwaGVyYWxz CmRldmljZQkJc2NidXMJCSMgU0NTSSBidXMgKHJlcXVpcmVkIGZvciBTQ1NJKQpkZXZpY2UJCWNo CQkjIFNDU0kgbWVkaWEgY2hhbmdlcnMKZGV2aWNlCQlkYQkJIyBEaXJlY3QgQWNjZXNzIChkaXNr cykKZGV2aWNlCQlzYQkJIyBTZXF1ZW50aWFsIEFjY2VzcyAodGFwZSBldGMpCmRldmljZQkJY2QJ CSMgQ0QKZGV2aWNlCQlwYXNzCQkjIFBhc3N0aHJvdWdoIGRldmljZSAoZGlyZWN0IFNDU0kgYWNj ZXNzKQpkZXZpY2UJCXNlcwkJIyBTQ1NJIEVudmlyb25tZW50YWwgU2VydmljZXMgKGFuZCBTQUYt VEUpCgojIFJBSUQgY29udHJvbGxlcnMgaW50ZXJmYWNlZCB0byB0aGUgU0NTSSBzdWJzeXN0ZW0K ZGV2aWNlCQlhbXIJCSMgQU1JIE1lZ2FSQUlECmRldmljZQkJYXJjbXNyCQkjIEFyZWNhIFNBVEEg SUkgUkFJRApkZXZpY2UJCWNpc3MJCSMgQ29tcGFxIFNtYXJ0IFJBSUQgNSoKZGV2aWNlCQlkcHQJ CSMgRFBUIFNtYXJ0Y2FjaGUgSUlJLCBJViAtIFNlZSBOT1RFUyBmb3Igb3B0aW9ucwpkZXZpY2UJ CWlpcgkJIyBJbnRlbCBJbnRlZ3JhdGVkIFJBSUQKZGV2aWNlCQlpcHMJCSMgSUJNIChBZGFwdGVj KSBTZXJ2ZVJBSUQKZGV2aWNlCQltbHkJCSMgTXlsZXggQWNjZWxlUkFJRC9lWHRyZW1lUkFJRApk ZXZpY2UJCXR3YQkJIyAzd2FyZSA5MDAwIHNlcmllcyBQQVRBL1NBVEEgUkFJRAoKIyBSQUlEIGNv bnRyb2xsZXJzCmRldmljZQkJYWFjCQkjIEFkYXB0ZWMgRlNBIFJBSUQKZGV2aWNlCQlhYWNwCQkj IFNDU0kgcGFzc3Rocm91Z2ggZm9yIGFhYyAocmVxdWlyZXMgQ0FNKQpkZXZpY2UJCWlkYQkJIyBD b21wYXEgU21hcnQgUkFJRApkZXZpY2UJCW1seAkJIyBNeWxleCBEQUM5NjAgZmFtaWx5CiNYWFgg 
cG9pbnRlci9pbnQgd2FybmluZ3MKI2RldmljZQkJcHN0CQkjIFByb21pc2UgU3VwZXJ0cmFrIFNY NjAwMApkZXZpY2UJCXR3ZQkJIyAzd2FyZSBBVEEgUkFJRAoKIyBhdGtiZGMwIGNvbnRyb2xzIGJv dGggdGhlIGtleWJvYXJkIGFuZCB0aGUgUFMvMiBtb3VzZQpkZXZpY2UJCWF0a2JkYwkJIyBBVCBr ZXlib2FyZCBjb250cm9sbGVyCmRldmljZQkJYXRrYmQJCSMgQVQga2V5Ym9hcmQKZGV2aWNlCQlw c20JCSMgUFMvMiBtb3VzZQoKZGV2aWNlCQl2Z2EJCSMgVkdBIHZpZGVvIGNhcmQgZHJpdmVyCgpk ZXZpY2UJCXNwbGFzaAkJIyBTcGxhc2ggc2NyZWVuIGFuZCBzY3JlZW4gc2F2ZXIgc3VwcG9ydAoK IyBzeXNjb25zIGlzIHRoZSBkZWZhdWx0IGNvbnNvbGUgZHJpdmVyLCByZXNlbWJsaW5nIGFuIFND TyBjb25zb2xlCmRldmljZQkJc2MKCiMgUENDQVJEIChQQ01DSUEpIHN1cHBvcnQKIyBQQ01DSUEg YW5kIGNhcmRidXMgYnJpZGdlIHN1cHBvcnQKZGV2aWNlCQljYmIJCSMgY2FyZGJ1cyAoeWVudGEp IGJyaWRnZQpkZXZpY2UJCXBjY2FyZAkJIyBQQyBDYXJkICgxNi1iaXQpIGJ1cwpkZXZpY2UJCWNh cmRidXMJCSMgQ2FyZEJ1cyAoMzItYml0KSBidXMKCiMgU2VyaWFsIChDT00pIHBvcnRzCmRldmlj ZQkJc2lvCQkjIDgyNTAsIDE2WzQ1XTUwIGJhc2VkIHNlcmlhbCBwb3J0cwoKIyBQYXJhbGxlbCBw b3J0CmRldmljZQkJcHBjCmRldmljZQkJcHBidXMJCSMgUGFyYWxsZWwgcG9ydCBidXMgKHJlcXVp cmVkKQpkZXZpY2UJCWxwdAkJIyBQcmludGVyCmRldmljZQkJcGxpcAkJIyBUQ1AvSVAgb3ZlciBw YXJhbGxlbApkZXZpY2UJCXBwaQkJIyBQYXJhbGxlbCBwb3J0IGludGVyZmFjZSBkZXZpY2UKI2Rl dmljZQkJdnBvCQkjIFJlcXVpcmVzIHNjYnVzIGFuZCBkYQoKIyBJZiB5b3UndmUgZ290IGEgImR1 bWIiIHNlcmlhbCBvciBwYXJhbGxlbCBQQ0kgY2FyZCB0aGF0IGlzCiMgc3VwcG9ydGVkIGJ5IHRo ZSBwdWMoNCkgZ2x1ZSBkcml2ZXIsIHVuY29tbWVudCB0aGUgZm9sbG93aW5nCiMgbGluZSB0byBl bmFibGUgaXQgKGNvbm5lY3RzIHRvIHRoZSBzaW8gYW5kL29yIHBwYyBkcml2ZXJzKToKI2Rldmlj ZQkJcHVjCgojIFBDSSBFdGhlcm5ldCBOSUNzLgpkZXZpY2UJCWRlCQkjIERFQy9JbnRlbCBEQzIx eDR4IChgYFR1bGlwJycpCmRldmljZQkJZW0JCSMgSW50ZWwgUFJPLzEwMDAgYWRhcHRlciBHaWdh Yml0IEV0aGVybmV0IENhcmQKZGV2aWNlCQlpeGdiCQkjIEludGVsIFBSTy8xMEdiRSBFdGhlcm5l dCBDYXJkCmRldmljZQkJdHhwCQkjIDNDb20gM2NSOTkwIChgYFR5cGhvb24nJykKZGV2aWNlCQl2 eAkJIyAzQ29tIDNjNTkwLCAzYzU5NSAoYGBWb3J0ZXgnJykKCiMgUENJIEV0aGVybmV0IE5JQ3Mg dGhhdCB1c2UgdGhlIGNvbW1vbiBNSUkgYnVzIGNvbnRyb2xsZXIgY29kZS4KIyBOT1RFOiBCZSBz 
dXJlIHRvIGtlZXAgdGhlICdkZXZpY2UgbWlpYnVzJyBsaW5lIGluIG9yZGVyIHRvIHVzZSB0aGVz ZSBOSUNzIQpkZXZpY2UJCW1paWJ1cwkJIyBNSUkgYnVzIHN1cHBvcnQKZGV2aWNlCQliZmUJCSMg QnJvYWRjb20gQkNNNDQweCAxMC8xMDAgRXRoZXJuZXQKZGV2aWNlCQliZ2UJCSMgQnJvYWRjb20g QkNNNTcweHggR2lnYWJpdCBFdGhlcm5ldApkZXZpY2UJCWRjCQkjIERFQy9JbnRlbCAyMTE0MyBh bmQgdmFyaW91cyB3b3JrYWxpa2VzCmRldmljZQkJZnhwCQkjIEludGVsIEV0aGVyRXhwcmVzcyBQ Uk8vMTAwQiAoODI1NTcsIDgyNTU4KQpkZXZpY2UJCWxnZQkJIyBMZXZlbCAxIExYVDEwMDEgZ2ln YWJpdCBFdGhlcm5ldApkZXZpY2UJCW5nZQkJIyBOYXRTZW1pIERQODM4MjAgZ2lnYWJpdCBFdGhl cm5ldApkZXZpY2UJCXBjbgkJIyBBTUQgQW03OUM5N3ggUENJIDEwLzEwMCAocHJlY2VkZW5jZSBv dmVyICdsbmMnKQpkZXZpY2UJCXJlCQkjIFJlYWxUZWsgODEzOUMrLzgxNjkvODE2OVMvODExMFMK ZGV2aWNlCQlybAkJIyBSZWFsVGVrIDgxMjkvODEzOQpkZXZpY2UJCXNmCQkjIEFkYXB0ZWMgQUlD LTY5MTUgKGBgU3RhcmZpcmUnJykKZGV2aWNlCQlzaXMJCSMgU2lsaWNvbiBJbnRlZ3JhdGVkIFN5 c3RlbXMgU2lTIDkwMC9TaVMgNzAxNgpkZXZpY2UJCXNrCQkjIFN5c0tvbm5lY3QgU0stOTg0eCAm IFNLLTk4MnggZ2lnYWJpdCBFdGhlcm5ldApkZXZpY2UJCXN0ZQkJIyBTdW5kYW5jZSBTVDIwMSAo RC1MaW5rIERGRS01NTBUWCkKZGV2aWNlCQl0aQkJIyBBbHRlb24gTmV0d29ya3MgVGlnb24gSS9J SSBnaWdhYml0IEV0aGVybmV0CmRldmljZQkJdGwJCSMgVGV4YXMgSW5zdHJ1bWVudHMgVGh1bmRl ckxBTgpkZXZpY2UJCXR4CQkjIFNNQyBFdGhlclBvd2VyIElJICg4M2MxNzAgYGBFUElDJycpCmRl dmljZQkJdmdlCQkjIFZJQSBWVDYxMnggZ2lnYWJpdCBFdGhlcm5ldApkZXZpY2UJCXZyCQkjIFZJ QSBSaGluZSwgUmhpbmUgSUkKZGV2aWNlCQl3YgkJIyBXaW5ib25kIFc4OUM4NDBGCmRldmljZQkJ eGwJCSMgM0NvbSAzYzkweCAoYGBCb29tZXJhbmcnJywgYGBDeWNsb25lJycpCgojIElTQSBFdGhl cm5ldCBOSUNzLiAgcGNjYXJkIE5JQ3MgaW5jbHVkZWQuCmRldmljZQkJY3MJCSMgQ3J5c3RhbCBT ZW1pY29uZHVjdG9yIENTODl4MCBOSUMKIyAnZGV2aWNlIGVkJyByZXF1aXJlcyAnZGV2aWNlIG1p aWJ1cycKIyBYWFgga3Z0b3AgYnJva2VubmVzcywgcG9pbnRlci9pbnQgd2FybmluZ3MKI2Rldmlj ZQkJZWQJCSMgTkVbMTJdMDAwLCBTTUMgVWx0cmEsIDNjNTAzLCBEUzgzOTAgY2FyZHMKZGV2aWNl CQlleAkJIyBJbnRlbCBFdGhlckV4cHJlc3MgUHJvLzEwIGFuZCBQcm8vMTArCmRldmljZQkJZXAJ CSMgRXRoZXJsaW5rIElJSSBiYXNlZCBjYXJkcwpkZXZpY2UJCWZlCQkjIEZ1aml0c3UgTUI4Njk2 
eCBiYXNlZCBjYXJkcwojIFhYWCBrdnRvcCBicm9rZW5uZXNzLCBwb2ludGVyL2ludCB3YXJuaW5n cwojZGV2aWNlCQlsbmMJCSMgTkUyMTAwLCBORTMyLVZMIExhbmNlIEV0aGVybmV0IGNhcmRzCmRl dmljZQkJc24JCSMgU01DJ3MgOTAwMCBzZXJpZXMgb2YgRXRoZXJuZXQgY2hpcHMKZGV2aWNlCQl4 ZQkJIyBYaXJjb20gcGNjYXJkIEV0aGVybmV0CgojIFdpcmVsZXNzIE5JQyBjYXJkcwpkZXZpY2UJ CXdsYW4JCSMgODAyLjExIHN1cHBvcnQKZGV2aWNlCQlhbgkJIyBBaXJvbmV0IDQ1MDAvNDgwMCA4 MDIuMTEgd2lyZWxlc3MgTklDcy4KZGV2aWNlCQlhd2kJCSMgQmF5U3RhY2sgNjYwIGFuZCBvdGhl cnMKZGV2aWNlCQl3aQkJIyBXYXZlTEFOL0ludGVyc2lsL1N5bWJvbCA4MDIuMTEgd2lyZWxlc3Mg TklDcy4KCiMgUHNldWRvIGRldmljZXMuCmRldmljZQkJbG9vcAkJIyBOZXR3b3JrIGxvb3BiYWNr CmRldmljZQkJbWVtCQkjIE1lbW9yeSBhbmQga2VybmVsIG1lbW9yeSBkZXZpY2VzCmRldmljZQkJ aW8JCSMgSS9PIGRldmljZQpkZXZpY2UJCXJhbmRvbQkJIyBFbnRyb3B5IGRldmljZQpkZXZpY2UJ CWV0aGVyCQkjIEV0aGVybmV0IHN1cHBvcnQKZGV2aWNlCQlzbAkJIyBLZXJuZWwgU0xJUApkZXZp Y2UJCXBwcAkJIyBLZXJuZWwgUFBQCmRldmljZQkJdHVuCQkjIFBhY2tldCB0dW5uZWwuCmRldmlj ZQkJcHR5CQkjIFBzZXVkby10dHlzICh0ZWxuZXQgZXRjKQpkZXZpY2UJCW1kCQkjIE1lbW9yeSAi ZGlza3MiCmRldmljZQkJZ2lmCQkjIElQdjYgYW5kIElQdjQgdHVubmVsaW5nCiNkZXZpY2UJCWZh aXRoCQkjIElQdjYtdG8tSVB2NCByZWxheWluZyAodHJhbnNsYXRpb24pCgojIFRoZSBgYnBmJyBk ZXZpY2UgZW5hYmxlcyB0aGUgQmVya2VsZXkgUGFja2V0IEZpbHRlci4KIyBCZSBhd2FyZSBvZiB0 aGUgYWRtaW5pc3RyYXRpdmUgY29uc2VxdWVuY2VzIG9mIGVuYWJsaW5nIHRoaXMhCiMgTm90ZSB0 aGF0ICdicGYnIGlzIHJlcXVpcmVkIGZvciBESENQLgpkZXZpY2UJCWJwZgkJIyBCZXJrZWxleSBw YWNrZXQgZmlsdGVyCgojIFVTQiBzdXBwb3J0CiNkZXZpY2UJCXVoY2kJCSMgVUhDSSBQQ0ktPlVT QiBpbnRlcmZhY2UKI2RldmljZQkJb2hjaQkJIyBPSENJIFBDSS0+VVNCIGludGVyZmFjZQojZGV2 aWNlCQllaGNpCQkjIEVIQ0kgUENJLT5VU0IgaW50ZXJmYWNlIChVU0IgMi4wKQojZGV2aWNlCQl1 c2IJCSMgVVNCIEJ1cyAocmVxdWlyZWQpCiNkZXZpY2UJCXVkYnAJCSMgVVNCIERvdWJsZSBCdWxr IFBpcGUgZGV2aWNlcwojZGV2aWNlCQl1Z2VuCQkjIEdlbmVyaWMKI2RldmljZQkJdWhpZAkJIyAi SHVtYW4gSW50ZXJmYWNlIERldmljZXMiCiNkZXZpY2UJCXVrYmQJCSMgS2V5Ym9hcmQKI2Rldmlj ZQkJdWxwdAkJIyBQcmludGVyCiNkZXZpY2UJCXVtYXNzCQkjIERpc2tzL01hc3Mgc3RvcmFnZSAt 
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 16:55:18 2005
From: "Grooms, Matthew"
To: "Scott Ullrich"
Cc: IS-Network, rwatson@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 28 Jun 2005 11:55:16 -0500
Message-ID: <28FCC7CB4CF6EA43AF83BCA2096E97D013E575@AUSEX2VS1.seton.org>
Subject: RE: pf performance issues ...

I am running a native 64 bit kernel. I thought it might be something like that but couldn't find anything in the documentation that said it defaulted to 10000 entries. I just figured out how to view the limit in pfctl. I will increase it and see if that makes the issue go away.

Thanks very much for the suggestion,

-Matthew

________________________________
From: Scott Ullrich [mailto:sullrich@gmail.com]
Sent: Tue 6/28/2005 11:29 AM
To: Grooms, Matthew
Cc: freebsd-pf@freebsd.org; rwatson@freebsd.org; IS-Network
Subject: Re: pf performance issues ...

On 6/28/05, Grooms, Matthew wrote:
[snip]
> This is a dual 3GHz amd64 box ( UP kernel at the moment ), with 4 gigs of ram and 6x em interfaces. It is mostly a stock kernel with pf,pfsync,carp and altq ( but no altq rules ) support compiled in and ipv6 disabled ( config attached ).

Is this running natively as 64 bit or i386 32bit?

> Am I running into a limit on some kernel tunable? After a few minutes of routing traffic to pf setup, the state table had approx 10000 entries in it. Are there some global pf limits to tweak or should it scale well out of the box? The internet connection is only 7Mbit so I am at a loss. Is there a cache or buffer limit somewhere I should watch? Any ideas?

I believe the default state limit size is 10,000. Could you be hitting this number and then noticing the slowdown because you're out of state entries?
Scott

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 20:20:20 2005
From: Andrew Thompson
To: freebsd-pf@FreeBSD.org
Date: Tue, 28 Jun 2005 20:20:20 GMT
Message-Id: <200506282020.j5SKKKwc059265@freefall.freebsd.org>
Subject: Re: ia64/81284: Unaligned Reference with pf on 5.4/IA64

The following reply was made to PR ia64/81284; it has been noted by GNATS.
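A monitoring check following up the state-table exchange between Matthew Grooms and Scott Ullrich above (an added example, not code from either of them): it reads the text of `pfctl -s memory` and `pfctl -s info` and warns when the state table approaches its hard limit, so hitting the default shows up as a warning rather than as unexplained slowness. The two sample outputs are constructed in the format those commands print, so the script runs on a host without pf.

```shell
#!/bin/sh
# Added example (not code from the thread): report how full the pf state table
# is relative to its configured hard limit. Inputs are the text of
# 'pfctl -s memory' and 'pfctl -s info'; the samples below are constructed in
# the format those commands print so the script runs without pf present.

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000'

SAMPLE_INFO='Status: Enabled for 0 days 00:10:00           Debug: Urgent

State Table                          Total             Rate
  current entries                     9873
  searches                         1234567          2057.6/s
  inserts                            98765           164.6/s
  removals                           88892           148.2/s'

# pf_state_limit MEMORY_TEXT: print the "states hard limit" value
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# pf_state_current INFO_TEXT: print the "current entries" count
pf_state_current() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# pf_state_pct MEMORY_TEXT INFO_TEXT: print the integer percentage of the
# limit in use; return 2 if either number could not be parsed
pf_state_pct() {
    limit=$(pf_state_limit "$1")
    cur=$(pf_state_current "$2")
    { [ -n "$limit" ] && [ -n "$cur" ] && [ "$limit" -gt 0 ]; } || return 2
    echo $((cur * 100 / limit))
}

# pf_state_check MEMORY_TEXT INFO_TEXT [THRESHOLD_PCT]: return 0 below the
# threshold (default 80%), 1 at or above it, 2 if the input could not be parsed
pf_state_check() {
    threshold=${3:-80}
    pct=$(pf_state_pct "$1" "$2") || return 2
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: pf state table ${pct}% full ($(pf_state_current "$2") of $(pf_state_limit "$1"));" \
             "raise 'set limit states' in pf.conf"
        return 1
    fi
    echo "OK: pf state table ${pct}% full"
}

# Stand-alone run against the constructed samples (98% -> warning).
# On a live pf host: pf_state_check "$(pfctl -s memory)" "$(pfctl -s info)"
pf_state_check "$SAMPLE_MEMORY" "$SAMPLE_INFO" || :
```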
From: Andrew Thompson
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: ia64/81284: Unaligned Reference with pf on 5.4/IA64
Date: Wed, 29 Jun 2005 08:19:12 +1200

Here is a patch for if_bridge that ensures it passes aligned packets up to the higher levels (packet filtering). The alignment checks and fixups are straight from NetBSD; this code was in the original implementation that was ported from NetBSD but was removed in our version due to the missing alignment routines. The code has been in NetBSD for two years since r1.9.

Two macros are added that check that the IP header is 4 byte aligned; they can be changed for different architectures and IP v[46] alignment requirements. m_copyup() does the actual alignment and has been in the tree for three months (uipc_mbuf.c r1.147).

IP_HDR_ALIGNED_P()
IP6_HDR_ALIGNED_P()

The macros are compile time dependent on __NO_STRICT_ALIGNMENT, and if defined they are always true. This is set for i386 and amd64 where alignment isn't needed so we won't pay the cost. These macros can also be used in other parts of the networking code, for example ieee80211_input.c.

Alignment checks also need to be added to bridge.c

http://people.freebsd.org/~thompsa/if_bridge.align.diff

---
Index: sys/amd64/include/_types.h =================================================================== RCS file: /home/ncvs/src/sys/amd64/include/_types.h,v retrieving revision 1.8 diff -u -r1.8 _types.h --- sys/amd64/include/_types.h 11 Mar 2005 22:16:09 -0000 1.8 +++ sys/amd64/include/_types.h 22 Jun 2005 04:15:38 -0000
@@ -43,6 +43,8 @@ #error this file needs sys/cdefs.h as a prerequisite #endif +#define __NO_STRICT_ALIGNMENT + /* * Basic types upon which most other types are built. */ Index: sys/i386/include/_types.h =================================================================== RCS file: /home/ncvs/src/sys/i386/include/_types.h,v retrieving revision 1.11 diff -u -r1.11 _types.h --- sys/i386/include/_types.h 2 Mar 2005 21:33:26 -0000 1.11 +++ sys/i386/include/_types.h 22 Jun 2005 04:15:13 -0000 @@ -43,6 +43,8 @@ #error this file needs sys/cdefs.h as a prerequisite #endif +#define __NO_STRICT_ALIGNMENT + /* * Basic types upon which most other types are built. */ Index: sys/net/if_bridge.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_bridge.c,v retrieving revision 1.7 diff -u -r1.7 if_bridge.c --- sys/net/if_bridge.c 10 Jun 2005 23:52:01 -0000 1.7 +++ sys/net/if_bridge.c 27 Jun 2005 23:40:28 -0000 @@ -2249,7 +2249,28 @@ m_adj(*mp, sizeof(struct llc)); } + /* + * Check the IP header for alignment and errors + */ + if (dir == PFIL_IN) { + switch (ether_type) { + case ETHERTYPE_IP: + error = bridge_ip_checkbasic(mp); + break; +# ifdef INET6 + case ETHERTYPE_IPV6: + error = bridge_ip6_checkbasic(mp); + break; +# endif /* INET6 */ + default: + error = 0; + } + if (error) + goto bad; + } + if (IPFW_LOADED && pfil_ipfw != 0 && dir == PFIL_OUT) { + error = -1; args.rule = ip_dn_claim_rule(*mp); if (args.rule != NULL && fw_one_pass) goto ipfwpass; /* packet already partially processed */ 
@@ -2286,26 +2307,22 @@ } ipfwpass: + error = 0; + /* - * Check basic packet sanity and run pfil through pfil. + * Run the packet through pfil */ switch (ether_type) { case ETHERTYPE_IP : - error = (dir == PFIL_IN) ? bridge_ip_checkbasic(mp) : 0; /* * before calling the firewall, swap fields the same as * IP does. here we assume the header is contiguous */ - if (error == 0) { - ip = mtod(*mp, struct ip *); + ip = mtod(*mp, struct ip *); - ip->ip_len = ntohs(ip->ip_len); - ip->ip_off = ntohs(ip->ip_off); - } else { - error = -1; - break; - } + ip->ip_len = ntohs(ip->ip_len); + ip->ip_off = ntohs(ip->ip_off); /* * Run pfil on the member interface and the bridge, both can @@ -2314,21 +2331,21 @@ * Keep the order: * in_if -> bridge_if -> out_if */ - if (error == 0 && pfil_bridge && dir == PFIL_OUT) + if (pfil_bridge && dir == PFIL_OUT) error = pfil_run_hooks(&inet_pfil_hook, mp, bifp, dir, NULL); - if (*mp == NULL) /* filter may consume */ + if (*mp == NULL || error != 0) /* filter may consume */ break; - if (error == 0 && pfil_member) + if (pfil_member) error = pfil_run_hooks(&inet_pfil_hook, mp, ifp, dir, NULL); - if (*mp == NULL) /* filter may consume */ + if (*mp == NULL || error != 0) /* filter may consume */ break; - if (error == 0 && pfil_bridge && dir == PFIL_IN) + if (pfil_bridge && dir == PFIL_IN) error = pfil_run_hooks(&inet_pfil_hook, mp, bifp, dir, NULL); 
@@ -2342,23 +2359,21 @@ break; # ifdef INET6 case ETHERTYPE_IPV6 : - error = (dir == PFIL_IN) ? bridge_ip6_checkbasic(mp) : 0; - - if (error == 0 && pfil_bridge && dir == PFIL_OUT) + if (pfil_bridge && dir == PFIL_OUT) error = pfil_run_hooks(&inet6_pfil_hook, mp, bifp, dir, NULL); - if (*mp == NULL) /* filter may consume */ + if (*mp == NULL || error != 0) /* filter may consume */ break; - if (error == 0 && pfil_member) + if (pfil_member) error = pfil_run_hooks(&inet6_pfil_hook, mp, ifp, dir, NULL); - if (*mp == NULL) /* filter may consume */ + if (*mp == NULL || error != 0) /* filter may consume */ break; - if (error == 0 && pfil_bridge && dir == PFIL_IN) + if (pfil_bridge && dir == PFIL_IN) error = pfil_run_hooks(&inet6_pfil_hook, mp, bifp, dir, NULL); break; @@ -2421,7 +2436,14 @@ if (*mp == NULL) return -1; - if (__predict_false(m->m_len < sizeof (struct ip))) { + if (IP_HDR_ALIGNED_P(mtod(m, caddr_t)) == 0) { + if ((m = m_copyup(m, sizeof(struct ip), + (max_linkhdr + 3) & ~3)) == NULL) { + /* XXXJRT new stat, please */ + ipstat.ips_toosmall++; + goto bad; + } + } else if (__predict_false(m->m_len < sizeof (struct ip))) { if ((m = m_pullup(m, sizeof (struct ip))) == NULL) { ipstat.ips_toosmall++; goto bad; 
@@ -2509,18 +2531,17 @@ * mbuf with space for link headers, in the event we forward * it. Otherwise, if it is aligned, make sure the entire base * IPv6 header is in the first mbuf of the chain. - + */ if (IP6_HDR_ALIGNED_P(mtod(m, caddr_t)) == 0) { struct ifnet *inifp = m->m_pkthdr.rcvif; if ((m = m_copyup(m, sizeof(struct ip6_hdr), (max_linkhdr + 3) & ~3)) == NULL) { - * XXXJRT new stat, please * + /* XXXJRT new stat, please */ ip6stat.ip6s_toosmall++; in6_ifstat_inc(inifp, ifs6_in_hdrerr); goto bad; } - } else */ - if (__predict_false(m->m_len < sizeof(struct ip6_hdr))) { + } else if (__predict_false(m->m_len < sizeof(struct ip6_hdr))) { struct ifnet *inifp = m->m_pkthdr.rcvif; if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { ip6stat.ip6s_toosmall++; Index: sys/netinet/ip_var.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_var.h,v retrieving revision 1.94 diff -u -r1.94 ip_var.h --- sys/netinet/ip_var.h 7 Jan 2005 01:45:44 -0000 1.94 +++ sys/netinet/ip_var.h 22 Jun 2005 03:25:31 -0000 @@ -136,6 +136,12 @@ /* mbuf flag used by ip_fastfwd */ #define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */ +#ifdef __NO_STRICT_ALIGNMENT +#define IP_HDR_ALIGNED_P(ip) 1 +#else +#define IP_HDR_ALIGNED_P(ip) ((((intptr_t) (ip)) & 3) == 0) +#endif + struct ip; struct inpcb; struct route; Index: sys/netinet6/ip6_var.h =================================================================== RCS file: /home/ncvs/src/sys/netinet6/ip6_var.h,v retrieving revision 1.29 diff -u -r1.29 ip6_var.h --- sys/netinet6/ip6_var.h 7 Jan 2005 02:30:34 -0000 1.29 +++ sys/netinet6/ip6_var.h 22 Jun 2005 03:43:06 -0000 
@@ -282,6 +282,12 @@ #define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */ #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */ +#ifdef __NO_STRICT_ALIGNMENT +#define IP6_HDR_ALIGNED_P(ip) 1 +#else +#define IP6_HDR_ALIGNED_P(ip) ((((intptr_t) (ip)) & 3) == 0) +#endif + extern struct ip6stat ip6stat; /* statistics */ extern int ip6_defhlim; /* default hop limit */ extern int ip6_defmcasthlim; /* default multicast hop limit */

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 21:00:37 2005
From: Andrew Thompson
To: freebsd-pf@FreeBSD.org
Date: Tue, 28 Jun 2005 21:00:37 GMT
Message-Id: <200506282100.j5SL0bmv063764@freefall.freebsd.org>
Subject: Re: ia64/81284: Unaligned Reference with pf on 5.4/IA64

The following reply was made to PR ia64/81284; it has been noted by GNATS.
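Review bot: in the if_bridge.c hunk @@ -2421,7 +2436,14 @@ (bridge_ip_checkbasic) a failed m_copyup() on the unaligned path is counted as ipstat.ips_toosmall++, so an mbuf allocation failure while realigning is reported as a short packet; the carried-over `/* XXXJRT new stat, please */` marker shows this was already known in NetBSD. Until a dedicated counter exists, a comment naming the real cause would stop a rise in ips_toosmall on a strict-alignment machine from being chased as malformed traffic; the IPv6 hunk's ip6s_toosmall++ has the same issue.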
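Review bot: in the if_bridge.c hunk @@ -2249,7 +2249,28 @@ the new alignment check runs only when dir == PFIL_IN, while the later hunks still hand PFIL_OUT packets to pfil_run_hooks() for pfil_bridge and pfil_member. That matches where the old checkbasic call sat, but please state in the commit message that every packet reaching the PFIL_OUT hooks has already passed the PFIL_IN check on this bridge; otherwise the IP header can still be unaligned when the filter reads it on output.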
From: Andrew Thompson
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: ia64/81284: Unaligned Reference with pf on 5.4/IA64
Date: Wed, 29 Jun 2005 08:50:18 +1200

A complementary patch for bridge.c using the same macros and routines as if_bridge. As far as I can tell ipv6 isn't filtered.

Index: bridge.c =================================================================== RCS file: /home/ncvs/src/sys/net/bridge.c,v retrieving revision 1.92 diff -u -r1.92 bridge.c --- bridge.c 10 Jun 2005 16:49:18 -0000 1.92 +++ bridge.c 28 Jun 2005 20:44:10 -0000
@@ -1026,6 +1026,19 @@ m_adj(m0, ETHER_HDR_LEN); /* temporarily strip header */ /* + * Check that the IP header is aligned before passing up to the packet + * filter. + */ + if (ntohs(save_eh.ether_type) == ETHERTYPE_IP && + IP_HDR_ALIGNED_P(mtod(m0, caddr_t)) == 0) { + if ((m = m_copyup(m0, sizeof(struct ip), + (max_linkhdr + 3) & ~3)) == NULL) { + bdg_dropped++; + return NULL; + } + } + + /* * NetBSD-style generic packet filter, pfil(9), hooks. * Enables ipf(8) in bridging. */

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 29 02:11:41 2005
Date: Wed, 29 Jun 2005 11:11:30 +0900
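Review bot: in the bridge.c hunk @@ -1026,6 +1026,19 @@ the result of m_copyup(m0, ...) is assigned to m while the chain being filtered is m0; m_copyup() may hand back a chain different from the one passed in, so if the code after this block still gives m0 to the pfil(9) hooks it filters the old unaligned chain and leaks the aligned one. Suggest assigning the result back to m0 (or whichever pointer the hooks receive) and, if m is otherwise unused here, dropping it. The check covering only ETHERTYPE_IP is consistent with the note that ipv6 isn't filtered in bridge.c.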
From: Pyun YongHyeon
To: Andrew Thompson
Cc: freebsd-pf@freebsd.org
Message-ID: <20050629021130.GA8832@rndsoft.co.kr>
In-Reply-To: <200506282100.j5SL0bmv063764@freefall.freebsd.org>
Subject: Re: ia64/81284: Unaligned Reference with pf on 5.4/IA64

On Tue, Jun 28, 2005 at 09:00:37PM +0000, Andrew Thompson wrote:
> The following reply was made to PR ia64/81284; it has been noted by GNATS.
>
> From: Andrew Thompson
> To: bug-followup@FreeBSD.org
> Cc:
> Subject: Re: ia64/81284: Unaligned Reference with pf on 5.4/IA64
> Date: Wed, 29 Jun 2005 08:50:18 +1200
>
> A complementary patch for bridge.c using the same macros and routines as
> if_bridge. As far as I can tell ipv6 isn't filtered.
>

I think your patch will work for the bridge/if_bridge case. But it would not fix other handlers that run at the IP layer. I guess it would also panic in pf/ipf/ipfw at the IPv4/IPv6 pfil handler when it was not processed by bridge/if_bridge. I believe developers already know how to fix this specific issue but it's a matter of how to handle this kind of unaligned access efficiently.

I guess the root cause of the unaligned access comes from the ethernet driver. Most ethernet drivers (except em(4)) had aligned received packets on architectures with strict alignment (em(4) with JUMBO frames passes unaligned packet data to the upper layer). So aligning the packet data was one of the big pains for driver writers on hardware that has DMA limitations.

Using m_copyup(9) would greatly decrease the burden on the driver layer. In addition it wouldn't give an additional penalty on architectures that allow non-aligned access. However it requires that all packet handlers (bridge, pf/ipf/ipfw, netgraph, IPv4, IPv6 etc) check alignment right before accessing the data. That would increase code size and duplication. Personally I prefer handling of alignment in the driver or ethernet layer due to simplicity. Other developers may have different views.
--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 04:38:02 2005
Message-Id: <91d20eb3c8f5e9cda446c23954436f73@gliq.com>
To: freebsd-pf@freebsd.org
From: Chris McGee
Date: Thu, 30 Jun 2005 00:37:59 -0400
Subject: Carp master problem

I have two machines in a test environment; the carp0 interface on the machines will not become master. The config is as follows:

test1# ifconfig
em0: flags=8943 mtu 1500
        options=b
        inet 192.168.1.252 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::230:48ff:fe82:a77c%em0 prefixlen 64 scopeid 0x1
        ether 00:30:48:82:a7:7c
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=b
        inet 10.10.10.2 netmask 0xfffffff8 broadcast 10.10.10.7
        inet6 fe80::230:48ff:fe82:a77d%em1 prefixlen 64 scopeid 0x2
        ether 00:30:48:82:a7:7d
        media: Ethernet autoselect (100baseTX )
        status: active
carp0: flags=41 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 0
carp1: flags=41 mtu 1500
        inet 10.10.10.1 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 0

em0: flags=8943 mtu 1500
        options=b
        inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::230:48ff:fe80:21bc%em0 prefixlen 64 scopeid 0x1
        ether 00:30:48:80:21:bc
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=b
        inet 10.10.10.3 netmask 0xfffffff8 broadcast 10.10.10.7
        inet6 fe80::230:48ff:fe80:21bd%em1 prefixlen 64 scopeid 0x2
        ether 00:30:48:80:21:bd
        media: Ethernet autoselect (100baseTX )
        status: active
carp0: flags=41 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=41 mtu 1500
        inet 10.10.10.1 netmask 0xfffffff8
        carp: BACKUP vhid 2 advbase 1 advskew 100

both test1 and test2 have these sysctl variables:
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0

If I down the carp1 interface on either box the other box becomes master. If I down the carp0 interface on either box, the other stays backup. Both carp0 interfaces stay backup all the time and therefore I can't access 192.168.1.10.

Thanks,
Chris

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 07:49:47 2005
From: "Constant, Benjamin"
To: 'Chris McGee'
Cc: freebsd-pf@freebsd.org
Date: Thu, 30 Jun 2005 09:49:38 +0200
Subject: RE: Carp master problem

Simple questions, but do you see multicast traffic on em0? Are there firewall rules on em0 that can prevent such traffic?

Regards,

Benjamin Constant
TI Automotive

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Chris McGee
> Sent: Thursday 30 June 2005 6:38
> To: freebsd-pf@freebsd.org
> Subject: Carp master problem
>
> I have two machines in a test environment, the carp0 interface
> on the machines will not become master. The config is as follows:
>
> test1# ifconfig
> em0:
> flags=8943 mtu 1500
> options=b
> inet 192.168.1.252 netmask 0xffffff00 broadcast 192.168.1.255
> inet6 fe80::230:48ff:fe82:a77c%em0 prefixlen 64 scopeid 0x1
> ether 00:30:48:82:a7:7c
> media: Ethernet autoselect (100baseTX )
> status: active
> em1:
> flags=8943 mtu 1500
> options=b
> inet 10.10.10.2 netmask 0xfffffff8 broadcast 10.10.10.7
> inet6 fe80::230:48ff:fe82:a77d%em1 prefixlen 64 scopeid 0x2
> ether 00:30:48:82:a7:7d
> media: Ethernet autoselect (100baseTX )
> status: active
> carp0: flags=41 mtu 1500
> inet 192.168.1.10 netmask 0xffffff00
> carp: BACKUP vhid 1 advbase 1 advskew 0
> carp1: flags=41 mtu 1500
> inet 10.10.10.1 netmask 0xfffffff8
> carp: MASTER vhid 2 advbase 1 advskew 0
>
> em0:
> flags=8943 mtu 1500
> options=b
> inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
> inet6 fe80::230:48ff:fe80:21bc%em0 prefixlen 64 scopeid 0x1
> ether 00:30:48:80:21:bc
> media: Ethernet autoselect (100baseTX )
> status: active
> em1:
> flags=8943 mtu 1500
> options=b
> inet 10.10.10.3 netmask 0xfffffff8 broadcast 10.10.10.7
> inet6 fe80::230:48ff:fe80:21bd%em1 prefixlen 64 scopeid 0x2
> ether 00:30:48:80:21:bd
> media: Ethernet autoselect (100baseTX )
> status: active
> carp0: flags=41 mtu 1500
> inet 192.168.1.10 netmask 0xffffff00
> carp: BACKUP vhid 1 advbase 1 advskew 100
> carp1: flags=41 mtu 1500
> inet 10.10.10.1 netmask 0xfffffff8
> carp: BACKUP vhid 2 advbase 1 advskew 100
>
> both test1 and test2 have these sysctl variables:
> net.inet.carp.allow: 1
> net.inet.carp.preempt: 1
> net.inet.carp.log: 1
> net.inet.carp.arpbalance: 0
>
> If I down the carp1 interface on either box the other box
> becomes master. If I down the carp0 interface on either box,
> the other stays backup. Both carp0 interfaces stay backup
> all the time and therefore I can't access 192.168.1.10.
>
> Thanks,
> Chris
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. This communication is from TI Automotive.

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 09:29:36 2005
Message-ID: <42C3BB6C.6060602@infoweapons.com>
Date: Thu, 30 Jun 2005 17:29:16 +0800
From: "Ivan R. Sy Jr."
To: freebsd-pf@freebsd.org, mlaier@freebsd.org
Subject: Carp IPv6

Hi all!

I have carp working beautifully on two boxes, carpbox0 and carpbox1, but only ipv4 is working; ipv6 is not working. Can anyone see my configuration and advise me? Thanks! I've disabled pf.

Here's tcpdump -i carp0 of carpbox0; this happens on both:

17:19:33.365659 IP 10.3.2.28 > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid 1, prio 1, authtype none, intvl 1s, length 36
17:19:33.365715 2001:a100:d299::ff28 > ff02:1::12: ip-proto-255 36
17:19:34.385670 IP 10.3.2.28 > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid 1, prio 1, authtype none, intvl 1s, length 36
17:19:34.385706 2001:a100:d299::ff28 > ff02:1::12: ip-proto-255 36
17:19:35.405678 IP 10.3.2.28 > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid 1, prio 1, authtype none, intvl 1s, length 36
17:19:35.405715 2001:a100:d299::ff28 > ff02:1::12: ip-proto-255 36

and /var/log/messages:

Jun 30 17:24:12 carpbox0 kernel: arp_rtrequest: bad gateway 10.3.2.30 (!AF_LINK)
Jun 30 17:24:12 carpbox0 kernel: in6_ifloop_request: ADD operation failed for 2001:a100:d299::ff30 (errno=17)

2001:a100:d299::ff30 << this is the carp ipv6 address which doesn't work.
carpbox0# ifconfig -a
fxp0: flags=8943 mtu 1500
        options=8
        inet 10.3.2.28 netmask 0xff000000 broadcast 10.255.255.255
        inet6 fe80::208:9bff:fe10:6a3%fxp0 prefixlen 64 scopeid 0x1
        inet6 2001:a100:d299::ff28 prefixlen 64
        ether 00:08:9b:10:06:a3
        media: Ethernet autoselect (100baseTX )
        status: active
fxp1: flags=8843 mtu 1500
        options=8
        inet 192.168.1.28 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::208:9bff:fe1d:4321%fxp1 prefixlen 64 scopeid 0x2
        inet6 fec0::28 prefixlen 64
        ether 00:08:9b:1d:43:21
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xffffff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pflog0: flags=0<> mtu 33208
pfsync0: flags=41 mtu 1348
        pfsync: syncif: fxp1 maxupd: 128
carp0: flags=41 mtu 1500
        inet 10.3.2.30 netmask 0xff000000
        inet6 2001:a100:d299::ff30 prefixlen 64
        carp: MASTER vhid 1 advbase 1 advskew 1
carpbox0#
carpbox0# cat /etc/rc.conf
hostname="carpbox0.test.org"
ipv6_enable="YES"
defaultrouter="10.0.0.1"
ipv6_defaltrouter="2001:a100:d299:0::fff0"
network_interfaces="lo0 fxp0 fxp1 carp0 pfsync0"
ipv6_network_interfaces="lo0 fxp0 fxp1 carp0"
ifconfig_fxp0="inet 10.3.2.28 netmask 255.0.0.0"
ipv6_ifconfig_fxp0="2001:a100:d299:0::ff28 prefixlen 64"
#address for pfsync
ifconfig_fxp1="inet 192.168.1.28 netmask 255.255.255.0"
ipv6_ifconfig_fxp1="fec0::28 prefixlen 64"
ifconfig_pfsync0="inet 192.168.0.100 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif fxp1"
#pf_enable="YES"
#pflog_enable="YES"
cloned_interfaces="carp0"
ifconfig_carp0="inet 10.3.2.30 netmask 255.0.0.0 vhid 1 advskew 1 pass foo"
ipv6_ifconfig_carp0="2001:a100:d299:0::ff30 prefixlen 64 vhid 1 advskew 1 pass foo"
ifconfig_lo0="inet 127.0.0.1 netmask 255.255.255.0"
ipv6_ifconfig_lo0="::1 prefixlen 128"
nfs_client_enable="YES"
sshd_enable="YES"
named_enable="YES"
sendmail_enable="none"
carpbox0#
carpbox0# cat /etc/sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.arpbalance=1
net.inet.carp.log=1

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

carpbox1# ifconfig -a
fxp0: flags=8943 mtu 1500
        options=8
        inet 10.3.2.29 netmask 0xff000000 broadcast 10.255.255.255
        inet6 fe80::208:9bff:fe10:73a%fxp0 prefixlen 64 scopeid 0x1
        inet6 2001:a100:d299::ff29 prefixlen 64
        ether 00:08:9b:10:07:3a
        media: Ethernet autoselect (100baseTX )
        status: active
fxp1: flags=8843 mtu 1500
        options=8
        inet 192.168.1.29 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::208:9bff:fe1d:43b7%fxp1 prefixlen 64 scopeid 0x2
        inet6 fec0::29 prefixlen 64
        ether 00:08:9b:1d:43:b7
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xffffff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pflog0: flags=0<> mtu 33208
pfsync0: flags=41 mtu 1348
        pfsync: syncif: fxp1 maxupd: 128
carp0: flags=41 mtu 1500
        inet 10.3.2.30 netmask 0xff000000
        inet6 2001:a100:d299::ff30 prefixlen 64
        carp: BACKUP vhid 1 advbase 1 advskew 100
carpbox1#
carpbox1# cat /etc/rc.conf
hostname="carpbox1.test.org"
#the box inet4 address
ifconfig_fxp0="inet 10.3.2.29 netmask 255.0.0.0"
defaultrouter="10.0.0.1"
#do the ipv6
ipv6_enable="YES"
ipv6_defaultrouter="2001:a100:d299:0::fff0"
ipv6_ifconfig_fxp0="2001:a100:d299:0::ff29 prefixlen 64"
#address for pfsync
ifconfig_fxp1="inet 192.168.1.29 netmask 255.255.255.0"
ipv6_ifconfig_fxp1="fec0::29 prefixlen 64"
#pf_enable="YES"
#pflog_enable="YES"
cloned_interfaces="carp0"
ipv6_cloned_interface="carp0"
network_interfaces="lo0 fxp0 fxp1 carp0 pfsync0"
ipv6_network_interfaces="lo0 fxp0 fxp1 carp0"
ifconfig_carp0="inet 10.3.2.30 netmask 255.0.0.0 vhid 1 advskew 100 pass foo"
ipv6_ifconfig_carp0="2001:a100:d299:0::ff30 prefixlen 64 vhid 1 advskew 100 pass foo"
ifconfig_pfsync0="inet 192.168.0.100 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif fxp1"
ifconfig_lo0="inet 127.0.0.1 netmask 255.255.255.0"
ipv6_ifconfig_lo0="::1 prefixlen 128"
nfs_client_enable="YES"
sshd_enable="YES"
named_enable="YES"
sendmail_enable="none"
carpbox1# cat /etc/sysctl.conf
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.arpbalance=1
net.inet.carp.log=1

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 14:32:28 2005
Message-ID: <787dcac205063007324170b6e4@mail.gmail.com>
Date: Thu, 30 Jun 2005 09:32:27 -0500
From: BB
To: freebsd-pf@freebsd.org
In-Reply-To: <200506292155.j5TLt4cE008219@freefall.freebsd.org>
Subject: Fwd: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp

I assume without upgrading the mighty pf would handle this?

---------- Forwarded message ----------
From: FreeBSD Security Advisories
Date: Jun 29, 2005 4:55 PM
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp
To: FreeBSD Security Advisories

=============================================================================
FreeBSD-SA-05:15.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          TCP connection stall denial of service

Category:       core
Module:         inet
Announced:      2005-06-29
Credits:        Noritoshi Demizu
Affects:        All FreeBSD releases.
Corrected:      2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
                2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
                2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
                2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
                2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
                2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
CVE Name:       CAN-2005-0356, CAN-2005-2068

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  TCP timestamps are used to measure Round-Trip Time and
in the Protect Against Wrapped Sequences (PAWS) algorithm.  TCP packets
with the SYN flag set are used during setup of new TCP connections.

II.  Problem Description

Two problems have been discovered in the FreeBSD TCP stack.

First, when a TCP packet containing a timestamp is received, inadequate
checking of sequence numbers is performed, allowing an attacker to
artificially increase the internal "recent" timestamp for a connection.

Second, a TCP packet with the SYN flag set is accepted for established
connections, allowing an attacker to overwrite certain TCP options.

III. Impact

Using either of the two problems an attacker with knowledge of the local
and remote IP and port numbers associated with a connection can cause a
denial of service situation by stalling the TCP connection.  The stalled
TCP connection may be closed after some time by the other host.

IV.  Workaround

In some cases it may be possible to defend against these attacks by
blocking the attack packets using a firewall.  Packets used to effect
either of these attacks would have spoofed source IP addresses.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/netinet/tcp_input.c                                  1.107.2.44
RELENG_4_11
  src/UPDATING                                             1.73.2.91.2.12
  src/sys/conf/newvers.sh                                  1.44.2.39.2.15
  src/sys/netinet/tcp_input.c                             1.107.2.41.4.3
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.17
  src/sys/conf/newvers.sh                                  1.44.2.34.2.18
  src/sys/netinet/tcp_input.c                             1.107.2.41.2.1
RELENG_5
  src/sys/netinet/tcp_input.c                                  1.252.2.16
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.12
  src/sys/conf/newvers.sh                                   1.62.2.18.2.8
  src/sys/netinet/tcp_input.c                             1.252.2.14.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.20
  src/sys/conf/newvers.sh                                  1.62.2.15.2.22
  src/sys/netinet/tcp_input.c                                   1.252.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2068
http://www.kb.cert.org/vuls/id/637934

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc

_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 14:41:12 2005
Message-ID: <42C40486.3080907@gliq.com>
Date: Thu, 30 Jun 2005 10:41:10 -0400
From: Chris McGee
To: "Constant, Benjamin"
Cc: freebsd-pf@freebsd.org
Subject: Re: Carp master problem

Constant, Benjamin wrote:

>Simple questions but do you see multicast traffic on em0? Are there firewall
>rules on em0 that can prevent such traffic?
>
>Regards,
>
>Benjamin Constant
>TI Automotive
>
>>-----Original Message-----
>>From: owner-freebsd-pf@freebsd.org
>>[mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Chris McGee
>>Sent: Thursday 30 June 2005 6:38
>>To: freebsd-pf@freebsd.org
>>Subject: Carp master problem
>>
>>I have two machines in a test environment, the carp0 interface
>>on the machines will not become master. The config is as follows:
>>
>>test1# ifconfig
>>em0: flags=8943 mtu 1500
>>        options=b
>>        inet 192.168.1.252 netmask 0xffffff00 broadcast 192.168.1.255
>>        inet6 fe80::230:48ff:fe82:a77c%em0 prefixlen 64 scopeid 0x1
>>        ether 00:30:48:82:a7:7c
>>        media: Ethernet autoselect (100baseTX )
>>        status: active
>>em1: flags=8943 mtu 1500
>>        options=b
>>        inet 10.10.10.2 netmask 0xfffffff8 broadcast 10.10.10.7
>>        inet6 fe80::230:48ff:fe82:a77d%em1 prefixlen 64 scopeid 0x2
>>        ether 00:30:48:82:a7:7d
>>        media: Ethernet autoselect (100baseTX )
>>        status: active
>>carp0: flags=41 mtu 1500
>>        inet 192.168.1.10 netmask 0xffffff00
>>        carp: BACKUP vhid 1 advbase 1 advskew 0
>>carp1: flags=41 mtu 1500
>>        inet 10.10.10.1 netmask 0xfffffff8
>>        carp: MASTER vhid 2 advbase 1 advskew 0
>>
>>em0: flags=8943 mtu 1500
>>        options=b
>>        inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
>>        inet6 fe80::230:48ff:fe80:21bc%em0 prefixlen 64 scopeid 0x1
>>        ether 00:30:48:80:21:bc
>>        media: Ethernet autoselect (100baseTX )
>>        status: active
>>em1: flags=8943 mtu 1500
>>        options=b
>>        inet 10.10.10.3 netmask 0xfffffff8 broadcast 10.10.10.7
>>        inet6 fe80::230:48ff:fe80:21bd%em1 prefixlen 64 scopeid 0x2
>>        ether 00:30:48:80:21:bd
>>        media: Ethernet autoselect (100baseTX )
>>        status: active
>>carp0: flags=41 mtu 1500
>>        inet 192.168.1.10 netmask 0xffffff00
>>        carp: BACKUP vhid 1 advbase 1 advskew 100
>>carp1: flags=41 mtu 1500
>>        inet 10.10.10.1 netmask 0xfffffff8
>>        carp: BACKUP vhid 2 advbase 1 advskew 100
>>
>>both test1 and test2 have these sysctl variables:
>>net.inet.carp.allow: 1
>>net.inet.carp.preempt: 1
>>net.inet.carp.log: 1
>>net.inet.carp.arpbalance: 0
>>
>>If I down the carp1 interface on either box the other box
>>becomes master. If I down the carp0 interface on either box,
>>the other stays backup. Both carp0 interfaces stay backup
>>all the time and therefore I can't access 192.168.1.10.
>>
>>Thanks,
>>Chris
>>
>>_______________________________________________
>>freebsd-pf@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>The information contained in this transmission may contain privileged and
>confidential information. It is intended only for the use of the
>person(s) named above. If you are not the intended recipient, you are
>hereby notified that any review, dissemination, distribution or
>duplication of this communication is strictly prohibited. If you are not
>the intended recipient, please contact the sender by reply email and
>destroy all copies of the original message. This communication is from TI
>Automotive.

I see multicast advertisements going out on em0 on what should be the
master (test1) and I see those advertisements on test2 also. The only
firewall rules are the default, pass in all, and pass out all. No
firewall rules have been set up yet since this is a test environment.

Chris

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 14:56:02 2005
To: freebsd-pf@freebsd.org
From: Chris McGee
Date: Thu, 30 Jun 2005 10:55:59 -0400
Subject: Carp master problem (sorry for the duplicate)

Sorry to duplicate, but I had sent this from the wrong address. Hopefully
I will get all the responses from this one.

I have two machines in a test environment, the carp0 interface on the
machines will not become master. The config is as follows:

test1# ifconfig
em0: flags=8943 mtu 1500
        options=b
        inet 192.168.1.252 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::230:48ff:fe82:a77c%em0 prefixlen 64 scopeid 0x1
        ether 00:30:48:82:a7:7c
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=b
        inet 10.10.10.2 netmask 0xfffffff8 broadcast 10.10.10.7
        inet6 fe80::230:48ff:fe82:a77d%em1 prefixlen 64 scopeid 0x2
        ether 00:30:48:82:a7:7d
        media: Ethernet autoselect (100baseTX )
        status: active
carp0: flags=41 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 0
carp1: flags=41 mtu 1500
        inet 10.10.10.1 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 0

em0: flags=8943 mtu 1500
        options=b
        inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::230:48ff:fe80:21bc%em0 prefixlen 64 scopeid 0x1
        ether 00:30:48:80:21:bc
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=b
        inet 10.10.10.3 netmask 0xfffffff8 broadcast 10.10.10.7
        inet6 fe80::230:48ff:fe80:21bd%em1 prefixlen 64 scopeid 0x2
        ether 00:30:48:80:21:bd
        media: Ethernet autoselect (100baseTX )
        status: active
carp0: flags=41 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=41 mtu 1500
        inet 10.10.10.1 netmask 0xfffffff8
        carp: BACKUP vhid 2 advbase 1 advskew 100

both test1 and test2 have these sysctl variables:
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0

If I down the carp1 interface on either box the other box becomes master.
If I down the carp0 interface on either box, the other stays backup. Both
carp0 interfaces stay backup all the time and therefore I can't access
192.168.1.10.

The question has been asked, do I see the multicast traffic, and are
there firewall rules that could be blocking it? I see multicast traffic
out on em0 on test1 and I see multicast traffic from test1 on em0 of
test2. The only firewall rules are pass in all and pass out all.

Thanks,
Chris

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 14:56:54 2005
From: "Constant, Benjamin"
To: 'Chris McGee'
Date: Thu, 30 Jun 2005 16:56:44 +0200
Cc: freebsd-pf@freebsd.org
Subject: RE: Carp master problem

> I see multicast advertisements going out on em0 on what
> should be the master (test1) and I see those advertisements
> on test2 also. The only firewall rules are the default, pass
> in all, and pass out all. No firewall rules have been set up
> yet since this is a test environment.
>
> Chris
>

I don't know what the problem is; I've had good experience with the em
driver and carp.
Is the log showing anything? Is the carp ifconfig password the same on
both boxes?
It seems that the carp0 interfaces are not communicating with each other.
It works when you do ifconfig down carp1 because preemption forces carp0
to fail over.

Benjamin Constant
TI Automotive
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 15:27:46 2005
Message-Id: <48427759bea33b69566b2b974aca2abb@xecu.net>
From: Chris McGee
Date: Thu, 30 Jun 2005 11:27:44 -0400
To: "Constant, Benjamin"
Cc: freebsd-pf@freebsd.org
Subject: Re: Carp master problem

On Jun 30, 2005, at 10:56 AM, Constant, Benjamin wrote:

>> I see multicast advertisements going out on em0 on what
>> should be the master (test1) and I see those advertisements
>> on test2 also. The only firewall rules are the default, pass
>> in all, and pass out all. No firewall rules have been set up
>> yet since this is a test environment.
>>
>> Chris
>>
>
> I don't know what the problem is; I've had good experience with the em
> driver and carp.
> Is the log showing anything? Is the carp ifconfig password the same on
> both boxes?
> It seems that the carp0 interfaces are not communicating with each
> other. It works when you do ifconfig down carp1 because preemption
> forces carp0 to fail over.
>
> Benjamin Constant
> TI Automotive

In /var/log/messages on both servers, I see this:

Jun 30 11:13:32 test1 kernel: arp_rtrequest: bad gateway 192.168.1.10 (!AF_LINK)
Jun 30 11:14:05 test1 last message repeated 11 times

Here are the lines from /etc/rc.conf for the 2 servers. The passwords
don't matter since they are just test boxes:

test1:
cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 1 pass monkey 192.168.1.10/24"
ifconfig_carp1="vhid 2 pass monkey2 10.10.10.1/29"

test2:
cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 1 pass monkey advskew 100 192.168.1.10/24"
ifconfig_carp1="vhid 2 pass monkey2 advskew 100 10.10.10.1/29"

Is there another log for carp stuff?
Chris

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 15:43:46 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 30 Jun 2005 17:43:33 +0200
In-Reply-To: <48427759bea33b69566b2b974aca2abb@xecu.net>
Message-Id: <200506301743.41172.max@love2party.net>
Subject: Re: Carp master problem

On Thursday 30 June 2005 17:27, Chris McGee wrote:
> On Jun 30, 2005, at 10:56 AM, Constant, Benjamin wrote:
> >> I see multicast advertisements going out on em0 on what
> >> should be the master (test1) and I see those advertisements
> >> on test2 also. The only firewall rules are the default, pass
> >> in all, and pass out all. No firewall rules have been set up
> >> yet since this is a test environment.
> >>
> >> Chris
> >
> > I don't know what the problem is; I've had good experience with the
> > em driver and carp.
> > Is the log showing anything? Is the carp ifconfig password the
> > same on both boxes?
> > It seems that the carp0 interfaces are not communicating with each
> > other. It works when you do ifconfig down carp1 because preemption
> > forces carp0 to fail over.
> >
> > Benjamin Constant
> > TI Automotive
>
> In /var/log/messages on both servers, I see this:
>
> Jun 30 11:13:32 test1 kernel: arp_rtrequest: bad gateway 192.168.1.10
> (!AF_LINK)
> Jun 30 11:14:05 test1 last message repeated 11 times
>
> Here are the lines from /etc/rc.conf for the 2 servers. The passwords
> don't matter since they are just test boxes:
>
> test1:
> cloned_interfaces="carp0 carp1"
> ifconfig_carp0="vhid 1 pass monkey 192.168.1.10/24"
> ifconfig_carp1="vhid 2 pass monkey2 10.10.10.1/29"
>
> test2:
> cloned_interfaces="carp0 carp1"
> ifconfig_carp0="vhid 1 pass monkey advskew 100 192.168.1.10/24"
> ifconfig_carp1="vhid 2 pass monkey2 advskew 100 10.10.10.1/29"
>
> Is there another log for carp stuff?

What does "netstat -ssp carp" give you?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 1 00:46:08 2005
Message-Id: <200507010042.j610ffmt009548@smtp.dei.uc.pt>
From: "Tiago Sousa"
Date: Fri, 1 Jul 2005 01:41:32 +0100
Cc: snap-users@kame.net
Subject: DiffServ with altq

Hello to all

I am using FreeBSD 5.4 with the last snap of kame. My goal is to install
the diffserv model in my test-bed. How can I do it? As far as I know, at
this moment, pf can do the work and is already integrated in the FreeBSD
kernel.

The problem is that I'm trying to compile the kame kernel with the altq
options and, although no compilation error occurs, when I am configuring
the rc.conf options, namely, when I add the ipv6_enable or
ipv6_gateway_enable options, an error occurs:

in6_if2idlen: unknown link type (34)
in6_if2idlen: unknown link type (249)
in6_if2idlen: unknown link type (244)

Does anyone know how I can solve this error?

After this step I just need to configure pf.conf in order to have the
diffserv model? Is that correct?

I am a bit lost and I would appreciate some help...

Thanks,

Tiago Sousa

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 1 11:01:09 2005
Date: Fri, 1 Jul 2005 13:01:05 +0200
From: Daniel Hartmeier
To: BB
Cc: freebsd-pf@freebsd.org
Message-ID: <20050701110105.GS26761@insomnia.benzedrine.cx>
In-Reply-To: <787dcac205063007324170b6e4@mail.gmail.com>
Subject: Re: Fwd: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp

On Thu, Jun 30, 2005 at 09:32:27AM -0500, BB wrote:

> I assume without upgrading the mighty pf would handle this ?

Yes.

The unpatched vulnerability can be exploited (to stall a connection) by
spoofing only four (4) small packets, by choosing random sequence and
timestamp values and their integer opposites[1]. Hence, exploiting it is
relatively cheap, quick, and reliable.

If you have pf in front of a peer, the attacker would have to successfully
guess the proper sequence and acknowledgment numbers within small windows,
which requires sending so many packets, it's considered unfeasible. If he
could efficiently guess those numbers, he could simply RST the connection,
or worse, inject payload, etc, anyway.

Of course, if the other peer is unprotected, the attacker would send his
spoofs there, and achieve the same effect. But if both are protected, the
vulnerability is not exploitable.
Daniel

[1] http://downloads.securityfocus.com/vulnerabilities/exploits/tcp_paws.c

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 1 11:15:10 2005
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0361816A41C for ; Fri, 1 Jul 2005 11:15:10 +0000 (GMT) (envelope-from simon@eddie.nitro.dk)
Received: from eddie.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id A9A4643D1F for ; Fri, 1 Jul 2005 11:15:09 +0000 (GMT) (envelope-from simon@eddie.nitro.dk)
Received: by eddie.nitro.dk (Postfix, from userid 1000) id EB47D11EF9D; Fri, 1 Jul 2005 13:15:07 +0200 (CEST)
Date: Fri, 1 Jul 2005 13:15:07 +0200
From: "Simon L. Nielsen"
To: Daniel Hartmeier
Message-ID: <20050701111506.GB45821@eddie.nitro.dk>
References: <200506292155.j5TLt4cE008219@freefall.freebsd.org> <787dcac205063007324170b6e4@mail.gmail.com> <20050701110105.GS26761@insomnia.benzedrine.cx>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Disposition: inline
In-Reply-To: <20050701110105.GS26761@insomnia.benzedrine.cx>
User-Agent: Mutt/1.5.9i
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp

On 2005.07.01 13:01:05 +0200, Daniel Hartmeier wrote:
> On Thu, Jun 30, 2005 at 09:32:27AM -0500, BB wrote:
>
> > I assume without upgrading the mighty pf would handle this ?
>
> Yes.
>
> The unpatched vulnerability can be exploited (to stall a connection) by
> spoofing only four (4) small packets, by choosing random sequence and
> timestamp values and their integer opposites[1]. Hence, exploiting it is
> relatively cheap, quick, and reliable.

Note that there is also another vulnerability (addressed in the same
advisory) here where the FreeBSD TCP stack accepted a SYN packet for
an established connection.

I would assume that pf's packet scrubbing would handle that and not
let a SYN packet through for an established connection?

-- 
Simon L. Nielsen

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 1 13:51:17 2005
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E896316A41F for ; Fri, 1 Jul 2005 13:51:17 +0000 (GMT) (envelope-from chris@xecu.net)
Received: from mss1.myactv.net (mss1.myactv.net [24.89.0.26]) by mx1.FreeBSD.org (Postfix) with SMTP id 985DB43D55 for ; Fri, 1 Jul 2005 13:51:17 +0000 (GMT) (envelope-from chris@xecu.net)
Received: (qmail 15054 invoked from network); 1 Jul 2005 13:51:16 -0000
Received: from dyn-153-112-163.myactv.net (HELO ?192.168.1.105?) (24.153.112.163) by new.mss1.myactv.net with SMTP; 1 Jul 2005 13:51:16 -0000
Message-ID: <42C54A55.3060200@xecu.net>
Date: Fri, 01 Jul 2005 09:51:17 -0400
From: Christopher McGee
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Max Laier
References: <48427759bea33b69566b2b974aca2abb@xecu.net> <200506301743.41172.max@love2party.net>
In-Reply-To: <200506301743.41172.max@love2party.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org
Subject: Re: Carp master problem

Max Laier wrote:
>On Thursday 30 June 2005 17:27, Chris McGee wrote:
>>On Jun 30, 2005, at 10:56 AM, Constant, Benjamin wrote:
>>>>I see multicast advertisements going out on em0 on what
>>>>should be the master (test1) and I see those advertisements
>>>>on test2 also. The only firewall rules are the default, pass
>>>>in all, and pass out all. No firewall rules have been setup
>>>>yet since this is a test environment.
>>>>
>>>>Chris
>>>
>>>I don't know what is the problem, I've good experience with em driver
>>>and carp.
>>>Is the log showing up something? Is the carp ifconfig password the
>>>same on either boxes?
>>>It seems that carp0 interfaces are not communicating together. It
>>>works when you do ifconfig down carp1 because preemption force carp0
>>>to failover.
>>>
>>>Benjamin Constant
>>>TI Automotive
>>
>>In /var/log/messages on both servers, I see this:
>>
>>Jun 30 11:13:32 test1 kernel: arp_rtrequest: bad gateway 192.168.1.10
>>(!AF_LINK)
>>Jun 30 11:14:05 test1 last message repeated 11 times
>>
>>Here are the lines from /etc/rc.conf for the 2 servers.
>>The passwords
>>don't matter since they are just test boxes:
>>
>>test1:
>>cloned_interfaces="carp0 carp1"
>>ifconfig_carp0="vhid 1 pass monkey 192.168.1.10/24"
>>ifconfig_carp1="vhid 2 pass monkey2 10.10.10.1/29"
>>
>>test2:
>>cloned_interfaces="carp0 carp1"
>>ifconfig_carp0="vhid 1 pass monkey advskew 100 192.168.1.10/24"
>>ifconfig_carp1="vhid 2 pass monkey2 advskew 100 10.10.10.1/29"
>>
>>Is there another log for carp stuff?
>
>What does "netstat -ssp carp" give you?

On test1 (what should be master):
>netstat -ssp carp
carp:
        40572 packets received (IPv4)
        326 discarded for bad vhid
        160550 packets sent (IPv4)

On test2 (the slave):
> netstat -ssp carp
carp:
        134298 packets received (IPv4)

And this is definitely still not working.

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 1 14:34:27 2005
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C15E616A41C; Fri, 1 Jul 2005 14:34:27 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 33B0043D1D; Fri, 1 Jul 2005 14:34:27 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.12.11) with ESMTP id j61EYSJv006651 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Fri, 1 Jul 2005 16:34:28 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j61EYR4I014791; Fri, 1 Jul 2005 16:34:27 +0200 (MEST)
Date: Fri, 1 Jul 2005 16:34:27 +0200
From: Daniel Hartmeier
To: "Simon L. Nielsen"
Message-ID: <20050701143427.GT26761@insomnia.benzedrine.cx>
References: <200506292155.j5TLt4cE008219@freefall.freebsd.org> <787dcac205063007324170b6e4@mail.gmail.com> <20050701110105.GS26761@insomnia.benzedrine.cx> <20050701111506.GB45821@eddie.nitro.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050701111506.GB45821@eddie.nitro.dk>
User-Agent: Mutt/1.5.6i
Cc: freebsd-pf@FreeBSD.org
Subject: Re: Fwd: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp

On Fri, Jul 01, 2005 at 01:15:07PM +0200, Simon L. Nielsen wrote:

> Note that there is also another vulnerability (addressed in the same
> advisory) here where the FreeBSD TCP stack accepted a SYN packet for
> an established connection.
>
> I would assume that pf's packet scrubbing would handle that and not
> let a SYN packet through for an established connection?

I'm not sure, on first glance, it doesn't look like scrubbing removes the
SYN or drops the packet, but I will check if this can be added.

But pf will ensure that only packets with sequence numbers within narrow
windows will pass, so it would have to be the real peer (or someone along
the path between the peers, who can sniff) that can deliver such a SYN.
Everyone else can't guess the right numbers, and their packets will get
blocked by pf.

Daniel
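The point Daniel makes in both of his replies above (a spoofed segment has to land inside narrow sequence and acknowledgment windows, so blind guessing is impractical) as a simplified model of the stateful window check; this is an added example written for this archive, not pf's code, and the window layout, the MAXACKWINDOW slack and the connection numbers are constructed assumptions.

```python
"""Simplified model of the per-state TCP sequence-window check a stateful
filter such as pf applies (added illustration, not pf's code; the
MAXACKWINDOW slack and window layout are assumptions, not pf's values)."""
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
MAXACKWINDOW = 65535   # assumed slack allowed around the expected ACK value


def seq_geq(a: int, b: int) -> bool:
    """Modular 32-bit 'a >= b', as TCP sequence arithmetic requires."""
    return ((a - b) & MASK32) < 0x80000000


@dataclass
class Peer:
    seqlo: int    # oldest byte this peer may still (re)transmit
    seqhi: int    # highest byte the other side has allowed this peer to send
    max_win: int  # largest window this peer has advertised


def window_check(src: Peer, dst: Peer, seq: int, ack: int, plen: int) -> bool:
    """True if a segment from src (seq/ack, plen payload bytes) fits the state."""
    end = (seq + plen) & MASK32
    ackskew = (dst.seqlo - ack) & MASK32
    if ackskew >= 0x80000000:          # interpret as a signed 32-bit distance
        ackskew -= 1 << 32
    return (seq_geq(src.seqhi, end)                               # not past peer's window
            and seq_geq(seq, (src.seqlo - dst.max_win) & MASK32)  # at most one window back
            and -MAXACKWINDOW <= ackskew <= MAXACKWINDOW)         # ACK near what dst sent


def guess_probability(src: Peer, dst: Peer) -> float:
    """Fraction of the 2^64 (seq, ack) space that passes for an empty segment."""
    seq_span = ((src.seqhi - (src.seqlo - dst.max_win)) & MASK32) + 1
    ack_span = 2 * MAXACKWINDOW + 1
    return seq_span * ack_span / 2.0 ** 64


def spoof_trials(src: Peer, dst: Peer, trials: int, seed: int = 1) -> int:
    """Count how many blind guesses (random seq/ack, no payload) get through."""
    rng = random.Random(seed)          # seeded so the outcome is reproducible
    return sum(window_check(src, dst, rng.getrandbits(32), rng.getrandbits(32), 0)
               for _ in range(trials))


# Constructed state for an established connection: both sides advertised a
# 65535-byte window during the handshake (no window scaling).
CLIENT = Peer(seqlo=1_000_001, seqhi=1_000_001 + 65535, max_win=65535)
SERVER = Peer(seqlo=2_000_001, seqhi=2_000_001 + 65535, max_win=65535)
```

The check looks only at sequence numbers, not flags, so, as Daniel notes, an in-window SYN from the real peer (or from someone on the path who can sniff the numbers) would still pass it; everyone else is guessing into a space of roughly 2^64 with only about 131071 x 131071 acceptable points.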