From owner-freebsd-pf@FreeBSD.ORG Sun Apr 8 17:12:21 2007
From: Drew Tomlinson
Date: Sun, 08 Apr 2007 10:12:14 -0700
To: freebsd-pf@freebsd.org
Message-ID: <4619226E.1030105@mykitchentable.net>
Subject: pf and ALTQ - I Don't Understand

I am struggling to get pf set up correctly.
Specifically I don't understand why I don't see any packets in the "pfctl -vs queue" output for a queue I named "voip_out". I see the packets matching rule 61 & rule 62 when viewing the log with "tcpdump -netttti pflog0":

2007-04-08 09:54:25.392552 rule 61/0(match): pass in on dc0: 192.168.1.7.5060 > 72.165.163.9.5060: SIP, length: 394
2007-04-08 09:54:54.580693 rule 62/0(match): pass in on dc0: 192.168.1.7 > 192.168.1.2: ICMP echo request, id 16724, seq 43514, length 40
2007-04-08 09:55:13.532744 rule 61/0(match): pass in on dc0: 192.168.1.7.5060 > 72.165.163.9.5060: SIP, length: 394

Rules 61 & 62 are:

@61 pass log quick inet proto udp from 192.168.1.7 to any keep state queue voip_out
  [ Evaluations: 7237      Packets: 44        Bytes: 18502      States: 1     ]
@62 pass log quick inet proto icmp from 192.168.1.7 to any keep state queue voip_out
  [ Evaluations: 331       Packets: 142       Bytes: 8520       States: 1     ]

Yet here is the "pfctl -vs queue" output:

queue voip_out bandwidth 175Kb priority 6 hfsc( realtime 140Kb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]

I have rules to prioritize http traffic and queuing works as expected there. Can anyone please explain to me why I am seeing this behavior? And is there some way to actually watch traffic passing through the queues?

Thanks,

Drew

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 8 17:56:45 2007
From: "Jay Sibbald"
Date: Sun, 8 Apr 2007 10:29:39 -0700
To: freebsd-pf@freebsd.org
Subject: Possible to use RBLDNSD data with SPAMD+PF integration?
Hi,

I've successfully installed PF on FreeBSD 6.2 RELEASE. Following notes at benzedrine.cx, SPAMD & RELAYDB are also installed.

I understand how to have SPAMD use available CIDR lists -- external http-accessible, local file-based, and those created by RELAYDB.

I also have BIND9 & RBLDNSD running locally. Using them, I've published a local blacklist, "black.domain.rbl", composed of an aggregate of a bunch of sources, that responds correctly to DNS queries.

Can SPAMD use the data available via the "black.domain.rbl" list? It's NOT in the required list format -- if I understand correctly, it doesn't even exist as a single file. Rather it's a 'virtual' list, created by RBLDNSD.

I'd like to have only ONE instance of the data in "black.domain.rbl" lying around, and have the SPAMD -> SPAMD-SETUP -> PF integration "use" it. I'm just not clear on how.

Any ideas or suggestions?
Thanks,
Jay

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 8 18:12:46 2007
From: Drew Tomlinson
Date: Sun, 08 Apr 2007 11:12:39 -0700
To: freebsd-pf@freebsd.org
Message-ID: <46193097.2040303@mykitchentable.net>
In-Reply-To: <4619226E.1030105@mykitchentable.net>
Subject: Re: pf and ALTQ - I Don't Understand
On 4/8/2007 10:12 AM Drew Tomlinson said the following:
> I am struggling to get pf set up correctly. Specifically I don't
> understand why I don't see any packets in the "pfctl -vs queue" output
> for a queue I named "voip_out". I see the packets matching rule 61 &
> rule 62 when viewing the log with "tcpdump -netttti pflog0":
>
> 2007-04-08 09:54:25.392552 rule 61/0(match): pass in on dc0:
> 192.168.1.7.5060 > 72.165.163.9.5060: SIP, length: 394
> 2007-04-08 09:54:54.580693 rule 62/0(match): pass in on dc0:
> 192.168.1.7 > 192.168.1.2: ICMP echo request, id 16724, seq 43514,
> length 40
> 2007-04-08 09:55:13.532744 rule 61/0(match): pass in on dc0:
> 192.168.1.7.5060 > 72.165.163.9.5060: SIP, length: 394
>
> Rules 61 & 62 are:
>
> @61 pass log quick inet proto udp from 192.168.1.7 to any keep state
> queue voip_out
>   [ Evaluations: 7237      Packets: 44        Bytes: 18502
> States: 1     ]
> @62 pass log quick inet proto icmp from 192.168.1.7 to any keep state
> queue voip_out
>   [ Evaluations: 331       Packets: 142       Bytes: 8520
> States: 1     ]
>
> Yet here is the "pfctl -vs queue" output:
>
> queue voip_out bandwidth 175Kb priority 6 hfsc( realtime 140Kb )
>   [ pkts:          0  bytes:          0  dropped pkts:      0
> bytes:      0 ]
>   [ qlength:   0/ 50 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
>
> I have rules to prioritize http traffic and queuing works as expected
> there. Can anyone please explain to me why I am seeing this
> behavior? And is there some way to actually watch traffic passing
> through the queues?

OK, I've done some more digging and maybe I understand now. I was missing the fact that NAT occurs BEFORE filtering (yes, now I see where it's written in the OpenBSD PF FAQ). :)

So with this in mind, is there a way to write a rule to put traffic from a node on the internal network in a specific queue? For example, I want my VoIP phone (192.168.1.7) device to have outbound priority over all other traffic.
My network is configured like this:

internal network ----- dc0 - FBSD router - dc1 ----- Internet

So what's happening is that the traffic from the VoIP device enters the router via dc0 and matches rule 61 as listed above. But then NAT occurs and now the packet is no longer from 192.168.1.7 but my public IP and thus it doesn't match rule 61. It matches rule 75 which is:

@75 pass log-all quick inet proto udp from 66.205.146.210 to any keep state queue(std_out, ack_out)

I can also see via tcpdump that the destination ports are either 5060 or 5200 so I guess I could filter on that. But I really don't want to prioritize traffic to 5060 or 5200 from ALL nodes on my internal network, just from 192.168.1.7. Plus what about the case where a destination port might be random? Then how would one filter?

Thanks,

Drew

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
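One way to get the phone's traffic into voip_out even though NAT has rewritten the source before the outbound rules run, as an added pf.conf fragment that is not from the thread: tag the packets on dc0, where the pre-NAT source 192.168.1.7 is still visible, and select the queue on dc1 by tag rather than by address. The root altq bandwidth, the std_out/ack_out definitions, the macro names and the nat rule are assumptions; voip_out is the queue from the messages above.

```pf
# Added example, not from the thread. Interface macros, the root
# bandwidth and the std_out/ack_out queues are assumed; voip_out is
# Drew's definition.
int_if = "dc0"
ext_if = "dc1"
voip   = "192.168.1.7"

# Queues live on the outbound interface: ALTQ only shapes egress.
altq on $ext_if hfsc bandwidth 1000Kb queue { voip_out, ack_out, std_out }
queue voip_out bandwidth 175Kb priority 6 hfsc( realtime 140Kb )
queue ack_out  bandwidth 125Kb priority 5
queue std_out  bandwidth 700Kb priority 1 hfsc( default )

# Translation runs before filtering on dc1, which is why a
# "from 192.168.1.7" test on the outbound side never matches.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# On dc0 the packet still carries its original source: tag it here.
# The tag is sticky and travels with the packet (and its state) to dc1.
pass in quick on $int_if inet proto { udp, icmp } from $voip to any \
    keep state tag VOIP
pass in quick on $int_if from $int_if:network to any keep state

# On dc1 the source is already the public address, so match the tag.
# This rule must precede the generic one because both are "quick".
pass out quick on $ext_if tagged VOIP keep state queue voip_out
pass out quick on $ext_if inet proto udp from ($ext_if) to any \
    keep state queue(std_out, ack_out)
```

To watch the result, pfctl -vvs queue loops and reprints the per-queue packet and byte counters with measured bandwidth every five seconds, so voip_out's pkts counter should climb while the phone is in a call.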
From owner-freebsd-pf@FreeBSD.ORG Sun Apr 8 21:15:51 2007
From: KES
Date: Mon, 9 Apr 2007 00:15:52 +0300
To: freebsd-pf@freebsd.org
Message-ID: <15810312978.20070409001552@yandex.ru>
Subject: ipfw pf

What comes first: ipfw or pf?

-->rl0-->ipfw-->pf-->kernel-->pf--->ipfw
or
-->rl0-->pf-->ipfw-->kernel-->ipfw--->pf
?

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 9 01:28:27 2007
From: Max Laier
Date: Mon, 9 Apr 2007 03:28:17 +0200
To: freebsd-pf@freebsd.org, KES
In-Reply-To: <15810312978.20070409001552@yandex.ru>
Message-Id: <200704090328.22746.max@love2party.net>
Subject: Re: ipfw pf

On Sunday 08 April 2007 23:15, KES wrote:
> What comes first: ipfw or pf?
> -->rl0-->ipfw-->pf-->kernel-->pf--->ipfw
> or
> -->rl0-->pf-->ipfw-->kernel-->ipfw--->pf
> ?

Unfortunately you can't tell right now. It depends on when/how you enable the components. I did have some patches to allow for pfil reordering, but they were interchanged with locking changes that were not such a good idea. I intend to provide a mechanism to set the order via sysctl once we have a final plan for pfil locking. Sorry.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 9 09:55:36 2007
From: Eygene Ryabinkin
Date: Mon, 9 Apr 2007 13:40:10 +0400
To: nate@root.org
Message-ID: <20070409094010.GL26348@codelabs.ru>
In-Reply-To: <4617D3A6.8000201@root.org>
Cc: freebsd-current@freebsd.org, pf@freebsd.org
Subject: Re: call for testers: altq in current

Nate, good day.

Mon, Apr 09, 2007 at 05:56:14AM +0000, nate@root.org wrote:
> A few weeks ago, I committed a change to ALTQ that I was only able to
> compile-test. What I need is someone with a laptop or other
> cpufreq-capable system that is also using ALTQ to verify that with
> powerd running, the queuing timing is now reliable.

I see no difference between the -CURRENT from today and from 30th March (I see that your commit was made at 26th of March, but I am not sure that my current was updated after it for the -CURRENT compiled at 30th of March). The bad news is that the ALTQ behaves wrong: when the CPU frequency is changed the bandwidth changes too. Either I am doing something wrong, or your commit should be polished a bit.

My environment is: Asus A2D running AMD Mobile XP, iwi (Intel 2915ABG) and 7-CURRENT. The pf rules were:
-----
altq on iwi0 bandwidth 3Kb cbq queue { dflt }
queue dflt bandwidth 100% cbq(default)

pass out quick log on iwi0 proto tcp from $my_ip to any flags S/AUSPF \
	keep state queue dflt
-----
The interface is running at 22 Mbit/sec most of the time. No polling was enabled. The bandwidth was measured by the ifstat, powerd was disabled and I had changed the frequency via sysctl. Four frequencies were used: 400, 800, 1600 and 2200.

The kernel config included the following ALTQ options:
-----
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
-----

Basically, I made two tests: WAN and LAN downloading over FTP and HTTP.
WAN test was done for the old and new -CURRENTs and LAN test was done just for the new -CURRENT. All tests were done in the following manner: ifstat was spawned with the delay of 3 seconds, files were downloaded by fetch and I manually changed the CPU frequency via sysctl.

First two logs, ifstat.bw3Kb.old.wan.log and ifstat.bw3Kb.new.wan.log, do show the WAN results. The 100 Kbps corresponds to 400 MHz, 200 Kbps -- to 800 MHz, 410 Kbps -- to 1600 MHz and 560 Kbps -- to 2200 MHz CPU speed. I thought that I was bound by the WAN link here.

ifstat.bw3Kb.new.local-net.log shows the behaviour for the LAN link (machines are sitting on the same switch, so only L2 devices are on the network path): just the same figures and bandwidth is still changing with the CPU.

ifstat.fullbw.new.local-net.log shows the behaviour for the 100% bandwidth, but with the ALTQ rules enabled (the '3K' were just changed to '100%' in the pf.conf). The speed is pretty stable flying around 20 Mbit/sec.

And ifstat.new.local-net.altq-disabled.log shows the behaviour of interface bandwidth for pf.conf without any ALTQ rules. The same as above: 20 Mbit/sec, the interface bound.
-- 
Eygene

[Attachments: ifstat.bw3Kb.old.wan.log, ifstat.bw3Kb.new.wan.log, ifstat.bw3Kb.new.local-net.log, ifstat.fullbw.new.local-net.log, ifstat.new.local-net.altq-disabled.log (raw ifstat "Kbps in / Kbps out" samples for iwi0, omitted)]
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 9 11:10:41 2007
From: FreeBSD bugmaster
Date: Mon, 9 Apr 2007 11:10:38 GMT
To: freebsd-pf@FreeBSD.org
Message-Id: <200704091110.l39BAc6M059944@freefall.freebsd.org>
Subject: Current problem reports assigned to you
Current FreeBSD problem reports

Critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/110698  pf     nat rule of pf without "on" clause causes invalid pack

3 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
f conf/81042   pf     [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf     [pf] pf reply-to doesn't work
o kern/103304  pf     [pf] pf accepts nonexistent queue in rules
o kern/106400  pf     [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf     [pf] pf pass route-to does not assign correct IP for t
o conf/110838  pf     tagged parameter on nat not working
o conf/111225  pf     [pfsync]: missing option "syncpeer" in pfsync startup

8 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 10 16:43:33 2007
From: Giorgos Keramidas
To: bas@tobin.nl, keramida@FreeBSD.org, freebsd-pf@FreeBSD.org, keramida@FreeBSD.org
Date: Tue, 10 Apr 2007 16:43:33 GMT
Message-Id: <200704101643.l3AGhXk6074627@freefall.freebsd.org>
Subject: Re: conf/111225: [pfsync]: missing option "syncpeer" in pfsync startup script

Synopsis: [pfsync]: missing option "syncpeer" in pfsync startup script

State-Changed-From-To: open->patched
State-Changed-By: keramida
State-Changed-When: Tue Apr 10 16:42:26 UTC 2007
State-Changed-Why:
A slightly improved patch (with a suggestion from simon@ for using a
"local" function variable) has been committed to the HEAD of the CVS
tree. Thank you for noticing this in the first place and filing a PR
with us.

Responsible-Changed-From-To: freebsd-pf->keramida
Responsible-Changed-By: keramida
Responsible-Changed-When: Tue Apr 10 16:42:26 UTC 2007
Responsible-Changed-Why:
I'll take care of MFC'ing this.

http://www.freebsd.org/cgi/query-pr.cgi?pr=111225

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 11 01:07:35 2007
From: "Dave"
To: freebsd-pf@freebsd.org
Date: Tue, 10 Apr 2007 21:08:08 -0400
Message-ID: <000301c77bd5$ded6ad50$0200a8c0@satellite>
Subject: issues with ftp from windows

Hello,

I'm having issues with getting ftp to work on Windows boxes, specifically
xpsp2 protected by a pf firewall. I'm running pftpx on FreeBSD 6.2. Unix
clients can ftp fine; I do have occasional issues with not being able to
list directory contents, but overall it works fine. With Windows clients
I get a "can not find file" message every time; I've tried both active
and passive mode in Explorer (IE6 to be specific), no good.

Here are the relevant portions of my config:

# define the two network interfaces
ext_if = "rl0"
int_if = "xl0"

# gateway ftp, user restricted passive or active
# I had to do this so that the firewall box could ftp
ftp_users="{root, proxy}"

scrub all reassemble tcp no-df random-id max-mss 1400

nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if inet proto tcp from 192.168.1.0/24 to any port ftp -> 127.0.0.1 port 8021

block log all

anchor "pftpx/*"
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { ftp-data, ftp } keep state
pass in quick on $int_if inet proto tcp from 192.168.1.0/24 to any port { ftp-data, ftp } keep state

# These were also needed to allow ftp from the router
# Allow ftp control and passive data connections outbound
pass quick inet proto tcp from ($ext_if) to any user proxy keep state
# Allow ftp active data connections inbound
pass quick inet proto tcp from any to ($ext_if) user proxy keep state
# Passive mode connection?
pass quick inet proto tcp from port 20 to any user proxy keep state
# For FTP servers that violate RFC 959?
pass quick inet proto tcp from any to $int_if user proxy keep state

I've tried doing a tcpdump on the pflog0 interface while a Windows box is
trying to ftp; I'm not getting any output at all. Trying the same command
on the internal interface of the router floods me with arp and again I
see nothing useful. Any help appreciated.

Thanks.
Dave.
From owner-freebsd-pf@FreeBSD.ORG Thu Apr 12 04:23:44 2007
From: "Vadym Chepkov"
To: freebsd-pf@freebsd.org
Date: Thu, 12 Apr 2007 00:23:31 -0400
Message-ID: <004a01c77cba$5480ffd0$0610a8c0@chepkov.lan>
Subject: DMZ problem

Hello everyone,

I earlier asked a question about Amanda, still haven't solved it, but it
seems I have a bigger problem. I am obviously doing something wrong here;
maybe by fixing this issue I will be able to fix it as well.

I discovered my secondary DNS server, which is located outside of our
network, is not able to transfer the zone file from the primary DNS
server, which is located in our DMZ. My DMZ rules are built on "inversed"
logic, since I want to limit access to it from all interfaces (we have
many of them), so I don't want to duplicate "in" rules on all other
interfaces for the DMZ.

I reduced my pf.conf to the bare minimum, and yes, if I disable pf, I am
able to axfr the zone right away. This is the actual pf.conf that I am
testing with, and it doesn't work. And what is very frustrating, pflog is
silent. I don't see anything being dropped.

-----------------------------
dmz_if="em0"
wan_if="bge0"

set optimization normal
set block-policy return
set skip on lo
scrub in

block in log on $wan_if
pass out on $wan_if from { $wan_if $dmz_if:network } keep state
# DMZ has its own rules
pass in on $wan_if to $dmz_if:network

# SSH so I can login back
pass in quick on $wan_if proto tcp to port ssh flags S/SA keep state

# DMZ
block out log on $dmz_if
pass in on $dmz_if keep state
pass out quick on $dmz_if proto tcp to port domain flags S/SA keep state
pass out quick on $dmz_if proto udp to port domain keep state
--------------------------------

Could you tell me what is wrong with these rules, please?

Thank you,
Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 12 22:42:19 2007
From: "Michael K. Smith - Adhost"
To: "Vadym Chepkov", freebsd-pf@freebsd.org
Date: Thu, 12 Apr 2007 15:09:39 -0700
Message-ID: <17838240D9A5544AAA5FF95F8D52031601E22854@ad-exh01.adhost.lan>
In-Reply-To: <004a01c77cba$5480ffd0$0610a8c0@chepkov.lan>
References: <004a01c77cba$5480ffd0$0610a8c0@chepkov.lan>
Subject: RE: DMZ problem

Hello Vadym:

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Vadym Chepkov
> Sent: Wednesday, April 11, 2007 9:24 PM
> To: freebsd-pf@freebsd.org
> Subject: DMZ problem
>
> Hello everyone,
>
> I earlier asked a question about Amanda, still haven't solved it, but it
> seems I have a bigger problem. I am obviously doing something wrong here;
> maybe by fixing this issue I will be able to fix it as well.
>
> I discovered my secondary DNS server, which is located outside of our
> network, is not able to transfer the zone file from the primary DNS
> server, which is located in our DMZ. My DMZ rules are built on "inversed"
> logic, since I want to limit access to it from all interfaces (we have
> many of them), so I don't want to duplicate "in" rules on all other
> interfaces for the DMZ.
> I reduced my pf.conf to the bare minimum, and yes, if I disable pf, I am
> able to axfr the zone right away.
> This is the actual pf.conf that I am testing with, and it doesn't work.
> And what is very frustrating, pflog is silent. I don't see anything
> being dropped.
>
> -----------------------------
> dmz_if="em0"
> wan_if="bge0"
>
> set optimization normal
> set block-policy return
> set skip on lo
> scrub in
>
> block in log on $wan_if
> pass out on $wan_if from { $wan_if $dmz_if:network } keep state
> # DMZ has its own rules
> pass in on $wan_if to $dmz_if:network
>
> # SSH so I can login back
> pass in quick on $wan_if proto tcp to port ssh flags S/SA keep state
>
> # DMZ
> block out log on $dmz_if
> pass in on $dmz_if keep state
> pass out quick on $dmz_if proto tcp to port domain flags S/SA keep state
> pass out quick on $dmz_if proto udp to port domain keep state
>
> --------------------------------
>

You might want to try:

pass out log quick on $dmz_if proto udp from any to any port 53 keep state
pass out log quick on $wan_if proto udp from any to any port 53 keep state

You could also ratchet down the source and destination IP addresses
instead of using the interfaces if you wanted to be more granular.
Mike

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 20:42:49 2007
From: Eygene Ryabinkin
To: Nate Lawson
Cc: freebsd-current@freebsd.org, pf@freebsd.org
Date: Sat, 14 Apr 2007 00:42:38 +0400
Message-ID: <20070413204237.GG49158@codelabs.ru>
References: <4617D3A6.8000201@root.org> <20070409094010.GL26348@codelabs.ru> <461FDD28.6030502@root.org>
In-Reply-To: <461FDD28.6030502@root.org>
Subject: Re: call for testers: altq in current

Nate, good day!

Fri, Apr 13, 2007 at 12:42:32PM -0700, Nate Lawson wrote:
> > I see no difference between the -CURRENT from today and from 30th
> > March (I see that your commit was made at 26th of March, but I am
> > not sure that my current was updated after it for the -CURRENT
> > compiled at 30th of March).
> >
> > The bad news are that the ALTQ behaves wrong: when the CPU frequency
> > is changed the bandwidth changes too. Either I am doing something
> > wrong, or your commit should be polished a bit.
>
> First, add a printf at line 915 (end of function tsc_freq_changed() in
> sys/contrib/altq/altq/altq_subr.c):
> printf("machclk_freq now %d\n", machclk_freq);
                           ^^
Should be %lu, I believe?

> Does it trigger when you change the cpu freq? Is the number printed
> correct (i.e. 400 million for 400 MHz)?

Yes, the numbers are perfectly correct. I will try to redo the tests on
Monday (when I will be able to use the LAN link) and will watch for this
debug information. Any other recommendations are, of course, welcome.

> > First two logs, ifstat.bw3Kb.old.wan.log and ifstat.bw3Kb.new.wan.log
> > do show the WAN results. The 100 Kbps corresponds to 400 MHz, 200
> > Kbps -- to 800 MHz, 410 Kbps -- to 1600 MHz and 560 Kbps -- to 2200
> > MHz CPU speed. I thought that I was bounded by the WAN link here.
>
> What was the CPU speed on bootup?

2200 MHz.
--
Eygene

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 20:54:18 2007
From: Nate Lawson
To: Eygene Ryabinkin
Cc: freebsd-current@freebsd.org, pf@freebsd.org
Date: Fri, 13 Apr 2007 12:42:32 -0700
Message-ID: <461FDD28.6030502@root.org>
References: <4617D3A6.8000201@root.org> <20070409094010.GL26348@codelabs.ru>
In-Reply-To: <20070409094010.GL26348@codelabs.ru>
Subject: Re: call for testers: altq in current

Eygene Ryabinkin wrote:
> Nate, good day.
>
> Mon, Apr 09, 2007 at 05:56:14AM +0000, nate@root.org wrote:
>> A few weeks ago, I committed a change to ALTQ that I was only able to
>> compile-test. What I need is someone with a laptop or other
>> cpufreq-capable system that is also using ALTQ to verify that with
>> powerd running, the queuing timing is now reliable.
>
> I see no difference between the -CURRENT from today and from 30th
> March (I see that your commit was made at 26th of March, but I am
> not sure that my current was updated after it for the -CURRENT
> compiled at 30th of March).
>
> The bad news are that the ALTQ behaves wrong: when the CPU frequency
> is changed the bandwidth changes too. Either I am doing something
> wrong, or your commit should be polished a bit.

First, add a printf at line 915 (end of function tsc_freq_changed() in
sys/contrib/altq/altq/altq_subr.c):

printf("machclk_freq now %d\n", machclk_freq);

Does it trigger when you change the cpu freq? Is the number printed
correct (i.e. 400 million for 400 MHz)?

> My environment is: Asus A2D running AMD Mobile XP, iwi (Intel
> 2915ABG) and 7-CURRENT. The pf rules were:
> -----
> altq on iwi0 bandwidth 3Kb cbq queue { dflt }
> queue dflt bandwidth 100% cbq(default)
> pass out quick log on iwi0 proto tcp from $my_ip to any flags S/AUSPF \
>     keep state queue dflt
> -----
>
> The interface is running at 22 Mbit/sec most of the time. No polling
> was enabled. The bandwidth was measured by ifstat, powerd was
> disabled and I had changed the frequency via sysctl. Four frequencies
> were used: 400, 800, 1600 and 2200. The kernel config included the
> following ALTQ options:
> -----
> options ALTQ
> options ALTQ_CBQ
> options ALTQ_RED
> options ALTQ_RIO
> options ALTQ_HFSC
> options ALTQ_CDNR
> options ALTQ_PRIQ
> -----
> Basically, I made two tests: WAN and LAN downloading over FTP and
> HTTP. The WAN test was done for the old and new -CURRENTs and the LAN
> test was done just for the new -CURRENT. All tests were done in the
> following manner: ifstat was spawned with a delay of 3 seconds,
> files were downloaded by fetch and I manually changed the CPU
> frequency via sysctl.
>
> First two logs, ifstat.bw3Kb.old.wan.log and ifstat.bw3Kb.new.wan.log
> do show the WAN results.
> The 100 Kbps corresponds to 400 MHz, 200
> Kbps -- to 800 MHz, 410 Kbps -- to 1600 MHz and 560 Kbps -- to 2200
> MHz CPU speed. I thought that I was bounded by the WAN link here.

What was the CPU speed on bootup?

--
Nate

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 21:14:42 2007
From: Nate Lawson
To: Eygene Ryabinkin
Cc: freebsd-current@freebsd.org, pf@freebsd.org
Date: Fri, 13 Apr 2007 13:56:13 -0700
Message-ID: <461FEE6D.4030201@root.org>
References: <4617D3A6.8000201@root.org> <20070409094010.GL26348@codelabs.ru> <461FDD28.6030502@root.org> <20070413204237.GG49158@codelabs.ru>
In-Reply-To: <20070413204237.GG49158@codelabs.ru>
Subject: Re: call for testers: altq in current

Eygene Ryabinkin wrote:
> Nate, good day!
>
> Fri, Apr 13, 2007 at 12:42:32PM -0700, Nate Lawson wrote:
>>> I see no difference between the -CURRENT from today and from 30th
>>> March (I see that your commit was made at 26th of March, but I am
>>> not sure that my current was updated after it for the -CURRENT
>>> compiled at 30th of March).
>>>
>>> The bad news are that the ALTQ behaves wrong: when the CPU frequency
>>> is changed the bandwidth changes too. Either I am doing something
>>> wrong, or your commit should be polished a bit.
>> First, add a printf at line 915 (end of function tsc_freq_changed() in
>> sys/contrib/altq/altq/altq_subr.c):
>> printf("machclk_freq now %d\n", machclk_freq);
>                           ^^
> Should be %lu, I believe?

Sure, whatever's right.

>> Does it trigger when you change the cpu freq? Is the number printed
>> correct (i.e. 400 million for 400 MHz)?
>
> Yes, the numbers are perfectly correct. I will try to redo the
> tests on Monday (when I will be able to use the LAN link) and
> will watch for this debug information. Any other recommendations
> are, of course, welcome.

Ok, that is good to know the code is running and the freq values are
correct. Can you verify through some other cpu benchmark test that the
freq actually did change to the value printed?

Also, make sure you're not using the TSC timecounter:

sysctl kern.timecounter

>>> First two logs, ifstat.bw3Kb.old.wan.log and ifstat.bw3Kb.new.wan.log
>>> do show the WAN results. The 100 Kbps corresponds to 400 MHz, 200
>>> Kbps -- to 800 MHz, 410 Kbps -- to 1600 MHz and 560 Kbps -- to 2200
>>> MHz CPU speed. I thought that I was bounded by the WAN link here.
>> What was the CPU speed on bootup?
>
> 2200 MHz.

I don't understand those values. Didn't you set up a constant 3 Kb/sec
link? So why would you be getting even 100 Kbps at 400 MHz?

On the new code but without loading cpufreq and leaving the freq at 2200
MHz, do you get the right numbers? Are they constant?
--
Nate

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 21:27:50 2007
From: Eygene Ryabinkin
To: Nate Lawson
Cc: freebsd-current@freebsd.org, pf@freebsd.org
Date: Sat, 14 Apr 2007 01:27:43 +0400
Message-ID: <20070413212742.GH49158@codelabs.ru>
References: <4617D3A6.8000201@root.org> <20070409094010.GL26348@codelabs.ru> <461FDD28.6030502@root.org> <20070413204237.GG49158@codelabs.ru> <461FEE6D.4030201@root.org>
In-Reply-To: <461FEE6D.4030201@root.org>
Subject: Re: call for testers: altq in current

Nate,

Fri, Apr 13, 2007 at 01:56:13PM -0700, Nate Lawson wrote:
> > Yes, the numbers are perfectly correct. I will try to redo the
> > tests on Monday (when I will be able to use the LAN link) and
> > will watch for this debug information. Any other recommendations
> > are, of course, welcome.
>
> Ok, that is good to know the code is running and the freq values are
> correct. Can you verify through some other cpu benchmark test that the
> freq actually did change to the value printed?

Will try, but it is changing to 2200 MHz while I am doing the
CPU-intensive tasks (compilation of something big) and the debug printfs
are telling about 2200 MHz as well. Not so good a benchmark, but at least
something.

> Also, make sure you're not using the TSC timecounter. sysctl
> kern.timecounter

I am just using the defaults for the -CURRENT. Can not verify them now --
my -CURRENT is crashing with the modem link, so I am either writing mails
or doing the tests, sorry.

> >>> First two logs, ifstat.bw3Kb.old.wan.log and ifstat.bw3Kb.new.wan.log
> >>> do show the WAN results. The 100 Kbps corresponds to 400 MHz, 200
> >>> Kbps -- to 800 MHz, 410 Kbps -- to 1600 MHz and 560 Kbps -- to 2200
> >>> MHz CPU speed. I thought that I was bounded by the WAN link here.
> >> What was the CPU speed on bootup?
> >
> > 2200 MHz.
>
> I don't understand those values. Didn't you set up a constant 3 Kb/sec
> link? So why would you be getting even 100 Kbps at 400 MHz?

Yep, that was the constant 3 Kbps. I do not understand the measured values
either.

> On the new code but without loading cpufreq and leaving the freq at 2200
> MHz, do you get the right numbers? Are they constant?

Monday will reveal the things. Will post an update. Thank you!
--
Eygene

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 14 14:10:54 2007
From: "Vadym Chepkov"
To: freebsd-pf@freebsd.org
Date: Sat, 14 Apr 2007 10:10:50 -0400
Message-ID: <001f01c77e9e$b4d6ff70$050a0a0a@chepkov.lan>
References: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan> <87648dgubi.fsf@delta.meridian-enviro.com>
Subject: Scrub problem

Hi,

I finally figured out the issue, but now I honestly don't know what to do
with it. The problem is with fragmented UDP packets from the Amanda server.

I have the scrub directive set:

# pfctl -sr | head -1
scrub in all fragment reassemble

These packets are getting out from the Amanda server:

08:27:13.259450 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121
08:27:13.268607 00:30:48:5c:27:ad > 00:30:48:27:ea:80, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50
08:27:13.269355 00:30:48:5c:27:ad > 00:30:48:27:ea:80, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87
08:27:13.276096 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50
08:27:13.277424 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894
08:27:13.277434 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp
08:27:23.529888 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894
08:27:23.529895 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp
08:27:33.527287 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894
08:27:33.527293 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp

pf silently (no log entries) drops the last packets, because they never
reach the client:

08:27:13.259532 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121
08:27:13.268356 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50
08:27:13.269021 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87
08:27:13.276140 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50

I tried to add the no-df option to the scrub rule, but it didn't have any
effect. But I am 100% positive this is the issue, since when I turn off
scrubbing and add the rule

pass in quick proto udp from $amanda_server fragment

everything works fine.

I am a little confused why the size of the first part of the fragment is
1514 bytes, since the MTU on the interface is 1500; could it be something
to do with it?

I suspect this is happening with some other packets as well, since it's
nothing to do with amanda per se, so any help is highly appreciated.

Thank you,
Vadym Chepkov

----- Original Message -----
From: "Douglas K. Rand"
To: "Vadym Chepkov"
Sent: Tuesday, April 03, 2007 2:57 PM
Subject: Re: packet filter and amanda

> Vadym> Hello everybody,
>
> Hello
>
> Vadym> I have a router with FreeBSD 6.2-RELEASE-p1 with custom build kernel:
>
> Vadym> device pf              # PF OpenBSD packet-filter firewall
> Vadym> device pflog           # logging support interface for PF
>
> Vadym> I am using amanda to backup a client which is behind router
> Vadym> with pf running amanda server - FreeBSD pf - amanda client
>
> Vadym> I compiled amanda with tcp/udp port ranges but I can get that far.
>
> We use the knobs in /etc/make.conf to control which ports Amanda uses:
>
> AMANDA_PORTRANGE = 50001,50099
> AMANDA_UDPPORTRANGE = 801,899
>
> Please note that recent versions of Amanda were not correctly
> respecting the AMANDA_PORTRANGE knob. You need a ports tree that is
> post PR 110687.
>
> It was unclear to me if you are trying to backup your firewall or
> systems on the other side of your firewall. For backups of the actual
> firewall you need to allow traffic from your Amanda server from any
> arbitrary UDP port to port 10080 on your firewall. You also need to
> allow TCP connections from any port on your Amanda server to your
> firewall in the range defined by AMANDA_PORTRANGE. And lastly, your
> firewall needs to allow UDP traffic originating from port 10080 from
> itself heading back to the Amanda server destined for ports in
> AMANDA_UDPPORTRANGE.
>
> The reference on the Amanda FAQ is at
>
> http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139
>
> Snippets of our ruleset:
>
> int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
> amanda_tcp="50000:50100"
> amanda_udp="800:900"
> [...]
> pass in log quick inet proto tcp from $int_amanda to port $amanda_tcp flags S/SARF keep state (no-sync)
> pass in log quick inet proto udp from $int_amanda to $int port amanda keep state (no-sync)
> [...]
> pass out log quick on $int inet proto udp from $int to $int_amanda = port $amanda_udp keep state (no-sync) > [...] > pass log quick inet proto udp from port =3D amanda to = $int_amanda port $amanda_udp >=20 >=20 > And on a DMZ host we have: >=20 > amanda=3D"67.134.74.26" > amandatcpports=3D"50000:50100" > amandaudpports=3D"800:900" > [...] > pass in log quick inet proto tcp from $amanda to $lan port = $amandatcpports flags S/SARF keep state > pass in log quick inet proto udp from $amanda to $lan port amanda = keep state > [...] > pass out log quick inet proto udp from $lan port amanda to $amanda = port $amandaudpports keep state >=20 > Hope this helps. From owner-freebsd-pf@FreeBSD.ORG Sat Apr 14 19:41:10 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 43C4916A401 for ; Sat, 14 Apr 2007 19:41:10 +0000 (UTC) (envelope-from fox@verio.net) Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net [129.250.36.42]) by mx1.freebsd.org (Postfix) with ESMTP id 1AD2013C45B for ; Sat, 14 Apr 2007 19:41:10 +0000 (UTC) (envelope-from fox@verio.net) Received: from [129.250.36.64] (helo=dfw-mmp4.email.verio.net) by dfw-smtpout2.email.verio.net with esmtp id 1Hco7R-0005Na-Ix for freebsd-pf@freebsd.org; Sat, 14 Apr 2007 19:41:09 +0000 Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp4.email.verio.net with esmtp id 1Hco7R-0006zo-Fa for freebsd-pf@freebsd.org; Sat, 14 Apr 2007 19:41:09 +0000 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id E68178E131; Sat, 14 Apr 2007 14:41:08 -0500 (CDT) Date: Sat, 14 Apr 2007 14:41:08 -0500 From: David DeSimone To: freebsd-pf@freebsd.org Message-ID: <20070414194108.GA31298@verio.net> References: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan> <87648dgubi.fsf@delta.meridian-enviro.com> 
In-Reply-To: <001f01c77e9e$b4d6ff70$050a0a0a@chepkov.lan>
Subject: Re: Scrub problem

Vadym Chepkov wrote:
>
> The problem is with fragmented UDP packets from Amanda server
> I have the scrub directive set:
>
> scrub in all fragment reassemble
>
> pf silently (no log entries) drops last packets, because they never reach the client:
>
> 08:27:13.259532 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121
> 08:27:13.268356 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50
> 08:27:13.269021 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87
> 08:27:13.276140 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50

Did you notice that neither the larger nor the smaller segment of the fragmented packets is arriving at the client? Is it possible that the fragments are not being transmitted on the sending side? You did not say whether the trace you took was on the inside or the outside interface of the PF router.

> I tried to add no-df option to the scrub rule, but it didn't make any effect

None of your packets have DF set, so there is no DF flag to be cleared by such a rule.

> I am a little confused why size of the first part the fragment is 1514
> bytes, since MTU on the interface is 1500, could it be something to do
> with it?

No, 1514 is just the physical size of the IP datagram when transmitted via ethernet. Ethernet adds 6 bytes each for src mac, dst mac, and 2 bytes for ethertype ipv4. 1500 + 6 + 6 + 2 = 1514.

> pf silently (no log entries) drops last packets, because they never
> reach the client:

Maybe PF does not log the packets via pflog0 interface, but does it log anything via dmesg? Did you try setting a higher debug level via 'pfctl -x loud' for example?

-- 
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley
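As an added example (not part of the thread, and not code from pf or Amanda), the following Python script does mechanically what the two posters do by eye: it parses the 'tcpdump -e' traces Vadym posted (copied below with the quoted-printable line breaks removed), classifies each frame as a whole datagram, a first fragment or a continuation fragment using the 1514 = 1500 + 14 arithmetic from David's reply, checks that the fragment sizes add up to the announced UDP length, and reports which server-side frames never show up in the client-side trace. It assumes a 20-byte IP header (no options) and that the two captures sit on opposite sides of the pf router; it cannot tell which interface a capture was taken on, which is the question David raises.

```python
"""Compare a 'tcpdump -e' trace taken on the Amanda-server side of a pf router
with one taken on the client side, and report which frames never got through.
Fragmented UDP datagrams are classified separately, because those are what
'scrub ... fragment reassemble' acts on."""
import re
from collections import Counter

ETHER_HDR = 14  # 6-byte dst MAC + 6-byte src MAC + 2-byte ethertype: a 1500-byte IP datagram is a 1514-byte frame
IP_HDR = 20     # assumption: no IP options
UDP_HDR = 8     # tcpdump's "UDP, length N" is the payload length, i.e. the UDP length field minus this header

# One 'tcpdump -e' line with numeric addresses.  Two shapes appear in the thread: a
# datagram with ports ("host.port > host.port: UDP, length N") and a non-first
# fragment, which tcpdump prints without ports ("host > host: udp") because only
# the first fragment carries the UDP header.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length (?P<flen>\d+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\w+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\w+))?: "
    r"(?:UDP|udp)(?:, length (?P<ulen>\d+))?$"
)


def parse(line):
    """Return a dict describing the frame, or None for lines the regex does not cover."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {"ts": d["ts"], "frame_len": int(d["flen"]), "src": d["src"], "dst": d["dst"],
           "sport": d["sport"], "dport": d["dport"],
           "udp_len": int(d["ulen"]) if d["ulen"] else None}
    ip_payload = rec["frame_len"] - ETHER_HDR - IP_HDR
    if rec["udp_len"] is None:
        rec["kind"] = "fragment"          # continuation fragment: no UDP header, so no ports
    elif rec["udp_len"] + UDP_HDR > ip_payload:
        rec["kind"] = "first-fragment"    # UDP announces more bytes than this frame carries
    else:
        rec["kind"] = "whole"
    return rec


def key(rec):
    """Identity of a frame independent of the capture point: timestamps and MACs differ per side."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["frame_len"], rec["udp_len"])


def missing_on_client(server_lines, client_lines):
    """Server-side frames (in order) that have no counterpart in the client-side trace."""
    seen = Counter(key(r) for r in map(parse, client_lines) if r)
    missing = []
    for rec in filter(None, map(parse, server_lines)):
        k = key(rec)
        if seen[k] > 0:
            seen[k] -= 1
        else:
            missing.append(rec)
    return missing


def kinds(records):
    """Count records per kind, e.g. {'first-fragment': 3, 'fragment': 3}."""
    return dict(Counter(r["kind"] for r in records))


def check_fragment_sizes(records):
    """Pair each first fragment with the next continuation fragment of the same src/dst and
    verify that the bytes add up to the UDP length the first fragment announced.
    Returns (timestamp, expected_tail_bytes, observed_tail_bytes, ok) per pair."""
    results, pending = [], {}
    for rec in records:
        flow = (rec["src"], rec["dst"])
        if rec["kind"] == "first-fragment":
            pending[flow] = rec
        elif rec["kind"] == "fragment" and flow in pending:
            first = pending.pop(flow)
            expected = first["udp_len"] + UDP_HDR - (first["frame_len"] - ETHER_HDR - IP_HDR)
            observed = rec["frame_len"] - ETHER_HDR - IP_HDR
            results.append((first["ts"], expected, observed, expected == observed))
    return results


# Sample input: the two traces quoted in the thread above (server side, then client side).
SERVER_SIDE = [
    "08:27:13.259450 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121",
    "08:27:13.268607 00:30:48:5c:27:ad > 00:30:48:27:ea:80, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50",
    "08:27:13.269355 00:30:48:5c:27:ad > 00:30:48:27:ea:80, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87",
    "08:27:13.276096 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50",
    "08:27:13.277424 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894",
    "08:27:13.277434 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp",
    "08:27:23.529888 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894",
    "08:27:23.529895 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp",
    "08:27:33.527287 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 1514: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 1894",
    "08:27:33.527293 00:30:48:27:ea:80 > 00:30:48:5c:27:ad, ethertype IPv4 (0x0800), length 456: 192.168.17.2 > 192.168.160.2: udp",
]
CLIENT_SIDE = [
    "08:27:13.259532 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121",
    "08:27:13.268356 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50",
    "08:27:13.269021 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87",
    "08:27:13.276140 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50",
]

if __name__ == "__main__":
    for ts, expected, observed, ok in check_fragment_sizes([parse(l) for l in SERVER_SIDE]):
        print(f"{ts}: tail fragment expected {expected} bytes, observed {observed} -> {'ok' if ok else 'MISMATCH'}")
    lost = missing_on_client(SERVER_SIDE, CLIENT_SIDE)
    print(f"{len(lost)} server-side frames never reached the client: {kinds(lost)}")
    for rec in lost:
        print(f"  {rec['ts']} {rec['src']} > {rec['dst']} frame {rec['frame_len']} ({rec['kind']})")
```

On the posted traces the size check passes for all three datagrams (1480 bytes in the first fragment plus 422 in the tail equal the 1894-byte payload plus the 8-byte UDP header), and every first fragment and every tail fragment is missing on the client side while the unfragmented packets all arrive, which is exactly the symptom of the reassembly path dropping the datagram. To localise where they vanish, feed the script two captures taken at the same time on the router's inside and outside interfaces instead of on the end hosts.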