From owner-freebsd-pf@FreeBSD.ORG Sun Apr 15 20:51:07 2007
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B4C5616A400; Sun, 15 Apr 2007 20:51:07 +0000 (UTC) (envelope-from root@herkules.letsbuild.ch)
Received: from hades.letsbuild.ch (hades.letsbuild.ch [62.2.150.180]) by mx1.freebsd.org (Postfix) with ESMTP id 94D2213C459; Sun, 15 Apr 2007 20:51:06 +0000 (UTC) (envelope-from root@herkules.letsbuild.ch)
Received: from herkules.letsbuild.ch (herkules.letsbuild.ch [62.2.150.182]) by hades.letsbuild.ch (Postfix) with ESMTP id 7CAF71BF09; Sun, 15 Apr 2007 22:25:37 +0200 (CEST)
Received: by herkules.letsbuild.ch (Postfix, from userid 0) id 71F711C4719; Sun, 15 Apr 2007 22:25:37 +0200 (CEST)
To: freebsd-pf@freebsd.org
Message-ID: <1176668737.25052.qmail@eBay>
From: "From: eBay Member angelab5419"
Date: Sun, 15 Apr 2007 22:25:37 +0200 (CEST)
Subject: Question about Item #138811728649
X-Content-Filtered-By: Mailman/MimeDel 2.1.5

eBay sent this message. Your registered name is included to show this message originated from eBay. [1]Learn more.

New Message Received from Seller for Item #138811728649

eBay member angelab5419 has left you a message regarding your item (#138811728649) on April-04-2007.

Thank you,
eBay

View the dispute thread
[2]Respond Now

Details for item number: 138811728649
Item URL: [3]http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=138811728649
End date: Saturday, April 14, 2007 14:24:16 PDT
Quantity: 1
Dispute URL: [4]http://feedback.ebay.com/ws/eBayISAPI.dll?ViewDisputeConsole&DisputeType=1
Date dispute was opened: Tuesday, April 2, 2007 12:05:27 PDT

Learn how you can protect yourself from spoof (fake) emails at: [5]http://pages.ebay.com/education/spooftutorial

This eBay notice was sent to you from eBay. Your account is registered on [6]www.ebay.com. As outlined in our User Agreement, eBay will send you required notifications about the site and your transactions. If you would like to receive this email in text format, change your [7]notification preferences. See our Privacy Policy and User Agreement if you have questions about eBay's communication policies.

Privacy Policy: [8]http://pages.ebay.com/help/policies/privacy-policy.html
User Agreement: [9]http://pages.ebay.com/help/policies/user-agreement.html

Copyright © 2007 eBay, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc. eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.

References

1. http://pages.ebay.com/help/confidence/name-userid-emails.html
2. http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html
3. http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html
4. http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html
5. http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html
6. http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html
7. http://cgi4.ebay.com/ws/eBayISAPI.dll?OptinLoginShow
8. http://pages.ebay.com/help/policies/privacy-policy.html
9. http://pages.ebay.com/help/policies/user-agreement.html
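The message above is a phishing lure that reached the list: its Received headers show it was injected on herkules.letsbuild.ch as userid 0 rather than coming from eBay, and references 2 to 6, the ones behind "Respond Now", the item URL and even the "protect yourself from spoof emails" link, all point at soot.unixhelper.org with "signin.ebay.com" buried in the path. As an added example that is not part of the original thread, the Python below runs the check a mail filter or analyst would run over those nine reference URLs: a link is trusted only when its hostname is the brand domain or a real subdomain of it, and a link whose host is foreign but mentions the brand in the host or path is flagged as impersonating. The brand domain ebay.com is an assumption made for the check; the URLs are copied from the References list.

```python
"""Classify the link targets of an eBay-branded message by real hostname.

Added example for this archive page; not code from the original post or
from eBay.  REFERENCES holds the nine URLs from the message's References
list.  BRAND is an assumption: the domain the message's branding asserts.
"""
from __future__ import annotations

from urllib.parse import urlsplit

BRAND = "ebay.com"  # assumption: the domain the message claims to come from

# Link targets as numbered in the message's "References" section.
REFERENCES = {
    1: "http://pages.ebay.com/help/confidence/name-userid-emails.html",
    2: "http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html",
    3: "http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html",
    4: "http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html",
    5: "http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html",
    6: "http://soot.unixhelper.org/SIngIn/signin.ebay.com/ws/eBayISAPI/index.html",
    7: "http://cgi4.ebay.com/ws/eBayISAPI.dll?OptinLoginShow",
    8: "http://pages.ebay.com/help/policies/privacy-policy.html",
    9: "http://pages.ebay.com/help/policies/user-agreement.html",
}


def host_belongs_to(host: str, domain: str) -> bool:
    """True only when host is the domain itself or a real subdomain of it.

    'signin.ebay.com' -> True; 'ebay.com.example.net' -> False;
    'notebay.com' -> False; 'soot.unixhelper.org' -> False.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, brand: str = BRAND) -> tuple[str, str]:
    """Return (hostname, verdict) for one URL.

    verdict is one of:
      'brand'          host is under the brand's domain
      'impersonating'  host is not under the brand, but the brand's name
                       appears in the host or path (lookalike host, or a
                       'signin.ebay.com/...' path as in references 2-6)
      'third-party'    host is unrelated and does not mention the brand
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host_belongs_to(host, brand):
        return host, "brand"
    mentions_brand = (
        brand in host or brand in parts.path.lower() or brand in parts.query.lower()
    )
    return host, ("impersonating" if mentions_brand else "third-party")


def audit_references(refs: dict[int, str], brand: str = BRAND) -> dict[int, tuple[str, str]]:
    """Classify every numbered reference, in reference order."""
    return {n: classify_link(u, brand) for n, u in sorted(refs.items())}


def suspicious_references(refs: dict[int, str], brand: str = BRAND) -> list[int]:
    """Reference numbers whose real host is foreign but borrows the brand's name."""
    return [n for n, (_, verdict) in audit_references(refs, brand).items()
            if verdict == "impersonating"]


if __name__ == "__main__":
    for n, (host, verdict) in audit_references(REFERENCES).items():
        print(f"[{n}] {verdict:14s} {host}")
```

Run as-is it prints nine lines and marks references 2 to 6 as impersonating; the check keys on the registered hostname rather than on anything in the path, which is exactly what the lure relies on the reader not doing.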
From owner-freebsd-pf@FreeBSD.ORG Sun Apr 15 22:39:01 2007
Message-ID: <007e01c77fae$d8a3a9b0$c40a0a0a@chepkov.lan>
From: "Vadym Chepkov"
To: "David DeSimone", freebsd-pf@freebsd.org
References: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan> <87648dgubi.fsf@delta.meridian-enviro.com> <001f01c77e9e$b4d6ff70$050a0a0a@chepkov.lan> <20070414194108.GA31298@verio.net>
Date: Sun, 15 Apr 2007 18:38:53 -0400
Subject: Re: Scrub problem

I see the server packets on the server interface and on the incoming pf interface; none of the fragments reach the pf dmz interface and the client. Loud shows these:

Apr 15 18:35:12 gateway kernel: pf_normalize_ip: reass frag 13479 @ 0-1480
Apr 15 18:35:12 gateway kernel: pf_normalize_ip: reass frag 13479 @ 1480-2023
Apr 15 18:35:12 gateway kernel: pf_reassemble: 2023 < 2023?
Apr 15 18:35:12 gateway kernel: pf_reassemble: complete: 0xc4e72d00(2043)
Apr 15 18:35:22 gateway kernel: pf_normalize_ip: reass frag 13735 @ 0-1480
Apr 15 18:35:22 gateway kernel: pf_normalize_ip: reass frag 13735 @ 1480-2023
Apr 15 18:35:22 gateway kernel: pf_reassemble: 2023 < 2023?
Apr 15 18:35:22 gateway kernel: pf_reassemble: complete: 0xc5305400(2043)
Apr 15 18:35:32 gateway kernel: pf_normalize_ip: reass frag 13991 @ 0-1480
Apr 15 18:35:32 gateway kernel: pf_normalize_ip: reass frag 13991 @ 1480-2023
Apr 15 18:35:32 gateway kernel: pf_reassemble: 2023 < 2023?
Apr 15 18:35:32 gateway kernel: pf_reassemble: complete: 0xc4f13100(2043)

----- Original Message -----
From: "David DeSimone"
Sent: Saturday, April 14, 2007 3:41 PM
Subject: Re: Scrub problem

> Vadym Chepkov wrote:
>>
>> The problem is with fragmented UDP packets from the Amanda server.
>> I have the scrub directive set:
>>
>> scrub in all fragment reassemble
>>
>> pf silently (no log entries) drops the last packets, because they never reach
>> the client:
>>
>> 08:27:13.259532 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121
>> 08:27:13.268356 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50
>> 08:27:13.269021 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87
>> 08:27:13.276140 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50
>
> Did you notice that neither the larger nor the smaller segment of
> the fragmented packets is arriving at the client? Is it possible that
> the fragments are not being transmitted on the sending side? You did
> not say whether the trace you took was on the inside or the outside
> interface of the PF router.
>
>> I tried to add the no-df option to the scrub rule, but it didn't have any
>> effect
>
> None of your packets have DF set, so there is no DF flag to be cleared
> by such a rule.
>
>> I am a little confused why the size of the first part of the fragment is 1514
>> bytes, since the MTU on the interface is 1500, could it be something to do
>> with it?
>
> No, 1514 is just the physical size of the IP datagram when transmitted
> via ethernet. Ethernet adds 6 bytes each for src mac, dst mac, and 2
> bytes for ethertype ipv4. 1500 + 6 + 6 + 2 = 1514.
>
>> pf silently (no log entries) drops the last packets, because they never
>> reach the client:
>
> Maybe PF does not log the packets via the pflog0 interface, but does it log
> anything via dmesg? Did you try setting a higher debug level via 'pfctl
> -x loud' for example?
>
> --
> David DeSimone == Network Admin == fox@verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous. -- Robert Benchley
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
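The Scrub problem exchange above contains enough numbers to be checked rather than eyeballed: David's point that 1514 is 1500 plus the 14-byte Ethernet header, and Vadym's 'pfctl -x loud' output, in which pf_normalize_ip reports each fragment as "id @ start-end" (byte offsets into the IP payload) and pf_reassemble reports the size of the completed datagram. The Python below is an added example, not code posted by either participant. It parses the quoted tcpdump frames and kernel lines and checks the arithmetic: every UDP frame must be 14 + 20 + 8 bytes longer than its UDP payload; the fragments 0-1480 and 1480-2023 must tile the payload without gaps or overlap; and complete(2043) must equal that 2023-byte payload plus one 20-byte IPv4 header, which also makes the first fragment a full 1500-byte packet, i.e. the 1514-byte frame Vadym asked about. It assumes IPv4 without options, Ethernet II framing and the debug formats exactly as quoted; the gap detection handles the case the thread did not see, a fragment that never arrived.

```python
"""Cross-check frame sizes and pf fragment-reassembly debug output.

Added example for this archive page, not code from the thread.  The
sample lines are the ones quoted in the Scrub problem messages.
Assumptions: IPv4 without options (20-byte header), 8-byte UDP header,
Ethernet II framing (14 bytes), and the exact debug formats quoted.
"""
import re

ETH_HDR = 14   # dst MAC (6) + src MAC (6) + ethertype (2)
IP_HDR = 20    # IPv4 header without options
UDP_HDR = 8

FRAME_RE = re.compile(r"length (\d+): \S+ > \S+: UDP, length (\d+)")
FRAG_RE = re.compile(r"pf_normalize_ip: reass frag (\d+) @ (\d+)-(\d+)")
COMPLETE_RE = re.compile(r"pf_reassemble: complete: 0x[0-9a-fA-F]+\((\d+)\)")

# tcpdump -e output as quoted in the thread.
TCPDUMP_LINES = [
    "08:27:13.259532 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121",
    "08:27:13.268356 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50",
    "08:27:13.269021 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87",
    "08:27:13.276140 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50",
]

# 'pfctl -x loud' kernel output as quoted in the thread.
PF_DEBUG_LINES = [
    "Apr 15 18:35:12 gateway kernel: pf_normalize_ip: reass frag 13479 @ 0-1480",
    "Apr 15 18:35:12 gateway kernel: pf_normalize_ip: reass frag 13479 @ 1480-2023",
    "Apr 15 18:35:12 gateway kernel: pf_reassemble: 2023 < 2023?",
    "Apr 15 18:35:12 gateway kernel: pf_reassemble: complete: 0xc4e72d00(2043)",
    "Apr 15 18:35:22 gateway kernel: pf_normalize_ip: reass frag 13735 @ 0-1480",
    "Apr 15 18:35:22 gateway kernel: pf_normalize_ip: reass frag 13735 @ 1480-2023",
    "Apr 15 18:35:22 gateway kernel: pf_reassemble: 2023 < 2023?",
    "Apr 15 18:35:22 gateway kernel: pf_reassemble: complete: 0xc5305400(2043)",
    "Apr 15 18:35:32 gateway kernel: pf_normalize_ip: reass frag 13991 @ 0-1480",
    "Apr 15 18:35:32 gateway kernel: pf_normalize_ip: reass frag 13991 @ 1480-2023",
    "Apr 15 18:35:32 gateway kernel: pf_reassemble: 2023 < 2023?",
    "Apr 15 18:35:32 gateway kernel: pf_reassemble: complete: 0xc4f13100(2043)",
]


def check_frame_sizes(lines):
    """Return [(frame_len, udp_payload, expected_frame_len, ok), ...].

    David's 1500 + 6 + 6 + 2 = 1514 generalised: a UDP frame on Ethernet
    is 14 + 20 + 8 bytes larger than its UDP payload.
    """
    out = []
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            continue
        frame_len, udp_len = int(m.group(1)), int(m.group(2))
        expected = ETH_HDR + IP_HDR + UDP_HDR + udp_len
        out.append((frame_len, udp_len, expected, frame_len == expected))
    return out


def check_reassembly(lines):
    """Group fragments by IP id and validate each reassembly.

    Per id: {"fragments": [(start, end), ...] sorted, "payload": int,
             "complete": int or None, "gaps": bool, "ok": bool}.
    'complete' lines carry no id, so each is attributed to the id of the
    most recent fragment line, which is the order pf prints them in.
    """
    report = {}
    current = None
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            current = int(m.group(1))
            entry = report.setdefault(current, {"fragments": [], "complete": None})
            entry["fragments"].append((int(m.group(2)), int(m.group(3))))
            continue
        m = COMPLETE_RE.search(line)
        if m and current is not None:
            report[current]["complete"] = int(m.group(1))
    for entry in report.values():
        frags = sorted(entry["fragments"])
        # Contiguous coverage: first fragment at 0, each end meets the next start.
        gaps = frags[0][0] != 0 or any(
            frags[i][1] != frags[i + 1][0] for i in range(len(frags) - 1))
        payload = frags[-1][1]
        entry.update(fragments=frags, gaps=gaps, payload=payload,
                     ok=(not gaps and entry["complete"] == payload + IP_HDR))
    return report


def first_fragment_frame_len(report, ip_id):
    """Wire size of the first fragment: payload + IP header + Ethernet header."""
    start, end = report[ip_id]["fragments"][0]
    return (end - start) + IP_HDR + ETH_HDR
```

check_frame_sizes() confirms all four quoted frames; check_reassembly() reports payload 2023, complete 2043 and ok=True for ids 13479, 13735 and 13991; first_fragment_frame_len() returns 1514 for each of them.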
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 16 11:08:41 2007
Message-Id: <200704161108.l3GB8efV042904@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 16 Apr 2007 11:08:40 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/110698  pf     nat rule of pf without "on" clause causes invalid pack

3 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
f conf/81042   pf     [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf     [pf] pf reply-to doesn't work
o kern/103304  pf     [pf] pf accepts nonexistent queue in rules
o kern/106400  pf     [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf     [pf] pf pass route-to does not assign correct IP for t
o conf/110838  pf     tagged parameter on nat not working

7 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 17 17:26:00 2007
Message-ID: <55e8a96c0704171025n4a3a8893s912886f6cfd7b36a@mail.gmail.com>
Date: Tue, 17 Apr 2007 12:25:58 -0500
From: "Bill Marquette"
To: freebsd-pf@freebsd.org
Subject: ng_tag and pf?

Is it possible to use ng_tag in conjunction with pf? I have a setup in OpenBSD currently where I use the bridge interface to apply a tag to a packet based on the mac address so that when pf gets the packet it can apply a reply-to rule to it to keep traffic flows symmetric (the upstream device(s) also keep state, so the reply path has to be the same). I'm looking to duplicate this in FreeBSD with pf and I think ng_tag and maybe ng_bpf can make this happen, but I'm at a bit of a loss as to how at this point. Any pointers or at least a "yes it's absolutely possible, figure it out and let us know the exact config" answer would be very much appreciated.

Thanks
--Bill

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 17 18:20:53 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 17 Apr 2007 20:20:43 +0200
In-Reply-To: <55e8a96c0704171025n4a3a8893s912886f6cfd7b36a@mail.gmail.com>
Message-Id: <200704172020.50227.max@love2party.net>
Subject: Re: ng_tag and pf?

On Tuesday 17 April 2007 19:25, Bill Marquette wrote:
> Is it possible to use ng_tag in conjunction with pf? I have a setup
> in OpenBSD currently where I use the bridge interface to apply a tag
> to a packet based on the mac address so that when pf gets the packet
> it can apply a reply-to rule to it to keep traffic flows symmetric
> (the upstream device(s) also keep state, so the reply path has to be
> the same). I'm looking to duplicate this in FreeBSD with pf and I
> think ng_tag and maybe ng_bpf can make this happen, but I'm at a bit
> of a loss as to how at this point.
> Any pointers or at least a "yes
> it's absolutely possible, figure it out and let us know the exact
> config" answer would be very much appreciated. Thanks

Not at the moment. I put out a project idea to integrate pf with netgraph some while ago (as I don't have time to code it myself). There were two applications for the Google Summer of Code program to implement this, but neither was selected. However, another student who did apply for SoC as well and was (slightly) outranked with his original proposal is now pursuing this idea. He plans to work within similar bounds as the other SoC students.

To sum this up, stay tuned for something to happen. Ideas, feedback and feature requests are certainly welcome.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 18 10:14:51 2007
Date: Wed, 18 Apr 2007 11:55:08 +0200
From: Ed Schouten
To: pf@freebsd.org
Message-ID: <20070418095508.GB85811@hoeg.nl>
Subject: Small kludge in pf.c

Hello,

Some time ago I looked through the PF source code and I saw something that isn't really a bug, but is (in my opinion) something that isn't really nice when it comes to coding style. The following snippets are from pf.c. Please refer to the file itself if you want to take a closer look.

| void pf_hash(struct pf_addr *, struct pf_addr *,
|     struct pf_poolhashkey *, sa_family_t);
| ...
| int
| pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
|     struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
| {
| 	unsigned char hash[16];
| ...
| 	case PF_POOL_SRCHASH:
| 		pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
| 		PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
| 		break;

In `pf_map_addr()' the `hash' variable is referred to only twice, only in the PF_POOL_SRCHASH case. For some reason, the author of the code picked an `unsigned char[16]' as its type, while a `struct pf_addr' would suffice as well. This makes it possible to use it without all the evil castings that are used and should keep the code portable. Think about what would happen when PF would suddenly gain support for a networking protocol that uses 17 or more bytes for addressing...
--
Ed Schouten
WWW: http://g-rave.nl/

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 18 20:14:01 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-current@freebsd.org
Cc: Tillman Hodgson, freebsd-pf@freebsd.org
Date: Wed, 18 Apr 2007 22:13:42 +0200
In-Reply-To: <20070418192832.GP1225@seekingfire.com>
Message-Id: <200704182213.50663.max@love2party.net>
Subject: Re: Panic on boot with April 16 src (lengthy info attached)

On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote:
> On Wed, Apr 18, 2007 at 08:18:27PM +0200, Max Laier wrote:
> > Running Current you can try to include "options PF_MPSAFE_UGID".
> > This is a hack that allows the use of user/group rules in a
> > debug.mpsafe=1 environment.
> > Unfortunately, I never got any feedback
> > on this albeit throwing it after everybody with these symptoms.
> > Please report back!
>
> Oh, interesting! I'm rebuilding right now with that option :-)
> I'll report back in a few days how it goes.

Actually, could you test this? It should enable the hack on the fly as a user/group rule is added. See "sysctl debug.pfugidhack" or "pfctl -x misc" to confirm it's on.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="auto_ugid_hack.diff"

Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.43
diff -u -r1.43 pf.c
--- pf.c	29 Dec 2006 13:59:03 -0000	1.43
+++ pf.c	18 Apr 2007 19:55:19 -0000
@@ -134,6 +134,7 @@
 #include
 
 extern int ip_optcopy(struct ip *, struct ip *);
+extern int debug_pfugidhack;
 #endif
 
 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
@@ -3032,10 +3033,12 @@
 		return (PF_DROP);
 	}
 
-#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
-	PF_UNLOCK();
-	lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
-	PF_LOCK();
+#ifdef __FreeBSD__
+	if (debug_pfugidhack) {
+		PF_UNLOCK();
+		lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
+		PF_LOCK();
+	}
 #endif
 
 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
@@ -3434,10 +3437,12 @@
 		return (PF_DROP);
 	}
 
-#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
-	PF_UNLOCK();
-	lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
-	PF_LOCK();
+#ifdef __FreeBSD__
+	if (debug_pfugidhack) {
+		PF_UNLOCK();
+		lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
+		PF_LOCK();
+	}
 #endif
 
 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.27
diff -u -r1.27 pf_ioctl.c
--- pf_ioctl.c	1 Jan 2007 16:51:11 -0000	1.27
+++ pf_ioctl.c	18 Apr 2007 20:04:57 -0000
@@ -84,6 +84,7 @@
 #include
 #include
 #include
+#include
 #else
 #include
 #include
@@ -237,6 +238,10 @@
 struct mtx pf_task_mtx;
 pflog_packet_t *pflog_packet_ptr = NULL;
 
+int debug_pfugidhack = 0;
+SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0,
+    "Enable/disable pf user/group rules mpsafe hack");
+
 void
 init_pf_mutex(void)
 {
@@ -1603,6 +1608,13 @@
 		rule->evaluations = rule->packets = rule->bytes = 0;
 		TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
 		    rule, entries);
+#ifdef __FreeBSD__
+		if (!debug_pfugidhack && (rule->uid.op || rule->gid.op)) {
+			DPFPRINTF(PF_DEBUG_MISC,
+			    ("pf: debug.pfugidhack enabled\n"));
+			debug_pfugidhack = 1;
+		}
+#endif
 		break;
 	}
 
@@ -1828,6 +1840,14 @@
 			newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
 			newrule->evaluations = newrule->packets = 0;
 			newrule->bytes = 0;
+#ifdef __FreeBSD__
+			if (!debug_pfugidhack &&
+			    (newrule->uid.op || newrule->gid.op)) {
+				DPFPRINTF(PF_DEBUG_MISC,
+				    ("pf: debug.pfugidhack enabled\n"));
+				debug_pfugidhack = 1;
+			}
+#endif
 		}
 		pf_empty_pool(&pf_pabuf);
 
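Review bot: the two pf.c hunks (at -3032 and -3434) keep the old PF_UNLOCK()/pf_socket_lookup()/PF_LOCK() sequence and only gate it on debug_pfugidhack, so the pf lock is still dropped in the middle of rule evaluation and nothing after PF_LOCK() re-checks that the ruleset the caller is walking survived the gap; that hazard existed in the PF_MPSAFE_UGID build too, but it is now reached by default on any box with a uid/gid rule, and debug_pfugidhack itself is a plain int read outside any lock. Both sites deserve a comment saying exactly this, and since the two blocks are byte-for-byte identical they should become one small static helper (e.g. a pf_ugid_socket_lookup() wrapper) so the next fix lands in both places.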
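Review bot: in the pf_ioctl.c hunk at -237, `SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, ...)` lets an administrator write 0 while user/group rules are already loaded, which puts the kernel straight back into the unhacked behaviour this change is meant to avoid under debug.mpsafe=1; the rule-add paths in this patch only ever set the flag to 1 and a sysctl write is never checked against the active ruleset. Either make the knob CTLFLAG_RD and let the rule-add path be the only writer, or give it a handler that refuses 0 while a uid/gid rule is active; at minimum the description string should say that clearing it is unsafe.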
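Review bot: the detection blocks in the hunks at -1603 (rule add) and -1828 (rule change) differ only in the variable name (`rule` vs `newrule`); a helper such as `pf_check_ugid_rule(struct pf_rule *)` would keep the condition, the DPFPRINTF and the assignment in sync. Both hunks also only set the flag, so once a uid/gid rule has been loaded once the unlock/relock in pf.c stays enabled for the life of the kernel, including after the ruleset is flushed or replaced without such rules; if that is intended, say so in the sysctl description, otherwise recompute the flag when the ruleset is committed rather than when a rule is inserted into the inactive set.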
From owner-freebsd-pf@FreeBSD.ORG Wed Apr 18 22:04:16 2007
From: Tillman Hodgson
To: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 18 Apr 2007 15:48:55 -0600
Message-ID: <20070418214855.GQ1225@seekingfire.com>
In-Reply-To: <200704182213.50663.max@love2party.net>
Subject: Re: Panic on boot with April 16 src (lengthy info attached)

On Wed, Apr 18, 2007 at 10:13:42PM +0200, Max Laier wrote:
> On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote:
> >
> > Oh, interesting! I'm rebuilding right now with that option :-)
> > I'll report back in a few days how it goes.
>
> Actually, could you test this? It should enable the hack on the fly as a
> user/group rule is added. See "sysctl debug.pfugidhack" or "pfctl -x
> misc" to confirm it's on.
Sure, I've restarted the build with this patch.

-T

--
Unix does not stop you from doing stupid things, because that would also stop you from doing clever things.

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 19 13:33:26 2007
Message-ID: <462766E9.7000307@webmail.sub.ru>
Date: Thu, 19 Apr 2007 16:56:09 +0400
From: Alex Povolotsky
To: freebsd-pf@freebsd.org
Subject: Please help with pf redirector

Hello!

I am trying to make kernel-only tcp round-robin proxy.

The following setup

rdr on em0 inet proto tcp from any to 89.108.66.9 port = smtp -> port 25 round-robin

seemed to me adequate, but it does not work. In states I see

unknown-1717# pfctl -s state
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 89.108.65.126:25 <- 89.108.66.9:25 <- 88.212.205.2:53308       CLOSED:SYN_SENT

and that's all.

Alex.

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 20 00:03:38 2007
Message-ID: <70f41ba20704191637r3b615497ga13ebfa885db180c@mail.gmail.com>
Date: Thu, 19 Apr 2007 16:37:13 -0700
From: snowcrash
To: freebsd-pf@freebsd.org
Subject: displaying rule labels in pf logs

hi,

i typically tail my pf-log with "tcpdump -vvttttnei pflog0".

this, of course, displays the matched "rule #", e.g.,

2007-04-18 13:07:11.363065 rule 40/0(match): pass in on tun0: (tos 0x0, ttl 54, id 10, offset 0, flags [DF], proto: UDP (17), length: 70) 144.160.112.22.37572 > 192.168.1.53.53: 62723[|domain]

is there any way to instead/additionally display a rule's "label" in the live log?

there's a patch to do this here (http://lists.freebsd.org/pipermail/freebsd-pf/2006-June/002278.html), but, iiuc, that requires me to patch-&-rebuild both tcpdump & my kernel ...

is there an existing 'native' option to do so already 'in' pf+tcpdump?

thanks.
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 20 15:38:16 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 20 Apr 2007 17:38:01 +0200
In-Reply-To: <70f41ba20704191637r3b615497ga13ebfa885db180c@mail.gmail.com>
Message-Id: <200704201738.10315.max@love2party.net>
Subject: Re: displaying rule labels in pf logs

On Friday 20 April 2007 01:37, snowcrash wrote:
> i typically tail my pf-log with "tcpdump -vvttttnei pflog0".
>
> this, of course, displays the matched "rule #", e.g.,
>
> 2007-04-18 13:07:11.363065 rule 40/0(match): pass in on tun0: (tos
> 0x0, ttl 54, id 10, offset 0, flags [DF], proto: UDP (17), length:
> 70) 144.160.112.22.37572 > 192.168.1.53.53: 62723[|domain]
>
> is there any way to instead/additionally display a rule's "label" in
> the live log?

A small awk/perl/python/ruby/...-filter should get you running.
Simply suck in "pfctl -vvsr" output and build an associative array rule# -> label and then just search and replace.

> there's a patch to do this here
> (http://lists.freebsd.org/pipermail/freebsd-pf/2006-June/002278.html),
> but, iiuc, that requires me to patch-&-rebuild both tcpdump & my
> kernel ...
>
> is there an existing 'native' option to do so already 'in' pf+tcpdump?

No there isn't - and I don't think we will implement it either. The information can easily be obtained if the corresponding ruleset is available and copying 64 byte additional information is a significant overhead. As variable size headers are somewhat tricky, I'm afraid this is a no-go - sorry.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 20 15:40:49 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 20 Apr 2007 17:40:27 +0200
In-Reply-To: <462766E9.7000307@webmail.sub.ru>
Message-Id: <200704201740.33178.max@love2party.net>
Subject: Re: Please help with pf redirector

Hello Alex,

On Thursday 19 April 2007 14:56, Alex Povolotsky wrote:
> I am trying to make kernel-only tcp round-robin proxy.
>
> The following setup
>
> rdr on em0 inet proto tcp from any to 89.108.66.9 port = smtp ->
> port 25 round-robin
>
> seemed to me adequate, but it does not work. In states I see
>
> unknown-1717# pfctl -s state
> No ALTQ support in kernel
> ALTQ related functions disabled
> self tcp 89.108.65.126:25 <- 89.108.66.9:25 <- 88.212.205.2:53308
> CLOSED:SYN_SENT
>
> and that's all.

as I tried to explain in private mail, this is not nearly enough information to debug your problem.
You would need to provide at the very least the configuration of the setup (i.e. how are the above boxes connected) and the routing table information (netstat -rnfinet) of all boxes involved. In addition a tcpdump of both legs of the pf box wouldn't hurt, either.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 20 16:14:03 2007
Message-ID: <70f41ba20704200913j47b918c1k9032f13abe2111da@mail.gmail.com>
Date: Fri, 20 Apr 2007 09:13:57 -0700
From: snowcrash
To: Max Laier
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200704201738.10315.max@love2party.net>
Subject: Re: displaying rule labels in pf logs

hi max,

> A small awk/perl/python/ruby/...-filter should get you running. Simply
> suck in "pfctl -vvsr" output and build an associative array rule# ->
> label and then just search and replace.

that's an alternative. i'll have to figure out how with which script lang (for lowest overhead on an embedded box ...). thanks.

> > is there an existing 'native' option to do so already 'in' pf+tcpdump?
>
> No there isn't - and I don't think we will implement it either. The
> information can easily be obtained if the corresponding ruleset is
> available and copying 64 byte additional information is a significant
> overhead. As variable size headers are somewhat tricky, I'm afraid this
> is a no-go - sorry.

shame. i certainly can't speak to the performance/tech issue you raise, but, this (human-readable labels in my logs) is one of the very few things i *do* miss from the 'old' iptables-based solutions i migrated away from ... the script should be an alternative.

thanks again.
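The filter Max suggests in this thread (read "pfctl -vvsr", build a rule-number to label map, rewrite the tcpdump lines), worked out as an added Python example that is not part of the original thread or of pf. The pfctl and tcpdump output it parses are constructed samples in the "-vvsr" and "-vvttttnei pflog0" formats, and the script name pflog_labels.py is assumed.

```python
import re
import subprocess
import sys

# Constructed sample of "pfctl -vvsr" output (not captured from a real box).
SAMPLE_RULES = """\
@39 block drop in log all label "default-deny"
  [ Evaluations: 500       Packets: 20        Bytes: 2000        States: 0     ]
  [ Inserted: uid 0 pid 813 ]
@40 pass in log on tun0 inet proto udp from any to 192.168.1.53 port = domain keep state label "dns-in"
  [ Evaluations: 480       Packets: 460       Bytes: 40000       States: 3     ]
@41 pass out log on tun0 all keep state
  [ Evaluations: 300       Packets: 300       Bytes: 30000       States: 12    ]
"""

# Constructed sample of "tcpdump -vvttttnei pflog0" output.
SAMPLE_LOG = """\
2007-04-18 13:07:11.363065 rule 40/0(match): pass in on tun0: (tos 0x0, ttl 54, id 10, offset 0, flags [DF], proto: UDP (17), length: 70) 144.160.112.22.37572 > 192.168.1.53.53: 62723[|domain]
2007-04-18 13:07:12.000001 rule 39/0(match): block in on tun0: (tos 0x0, ttl 50, id 11, offset 0, flags [DF], proto: TCP (6), length: 60) 10.0.0.5.4444 > 192.168.1.53.22: S
2007-04-18 13:07:13.000002 rule 41/0(match): pass out on tun0: (tos 0x0, ttl 64, id 12, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.53.2222 > 10.0.0.6.80: S
"""

RULE_LINE = re.compile(r'^@(\d+) (.*)$')             # "-vv" prefixes every rule with @N
LABEL = re.compile(r'\blabel "([^"]*)"')             # the rule's label "..." option
LOG_RULE = re.compile(r'\brule (\d+)/(\d+)\((\w+)\)')  # "rule 40/0(match)" in the pflog line

def parse_rule_labels(text):
    """Build rule number -> label from 'pfctl -vvsr' output.
    The indented "[ Evaluations: ... ]" / "[ Inserted: ... ]" lines carry no
    rule number and are skipped; unlabelled rules are left out of the map."""
    labels = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            lm = LABEL.search(m.group(2))
            if lm:
                labels[int(m.group(1))] = lm.group(1)
    return labels

def annotate_line(line, labels):
    """Append " [label]" after the first "rule N/M(reason)" token when N is labelled.
    Only the main-ruleset number N is resolved here; M (the rule inside an anchor)
    would need that anchor's own "pfctl -a <anchor> -vvsr" output."""
    def repl(m):
        label = labels.get(int(m.group(1)))
        return m.group(0) if label is None else '%s [%s]' % (m.group(0), label)
    return LOG_RULE.sub(repl, line, count=1)

def main():
    # Assumed live invocation:  tcpdump -vvttttnei pflog0 | python pflog_labels.py
    # The number in the log is the rule's position in the ruleset that was loaded
    # when the packet was logged, so restart this filter after every "pfctl -f".
    labels = parse_rule_labels(subprocess.check_output(['pfctl', '-vvsr']).decode('ascii', 'replace'))
    for line in sys.stdin:
        sys.stdout.write(annotate_line(line.rstrip('\n'), labels) + '\n')
        sys.stdout.flush()

if __name__ == '__main__':
    main()
```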