From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 7 Apr 2008 11:07:04 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
f kern/117827  pf         [pf] [panic] kernel panic with pf and ng
o kern/120281  pf         [request] lost returning packets to PF for a rdr rule
o kern/122014  pf         [panic] FreeBSD 6.2 panic in pf

6 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
f kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf         [request] pfctl -k does not work in securelevel 3
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
f kern/119661  pf         [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf         [patch] Allow proper settings of ALTQ_HFSC. The check
o kern/121704  pf         [pf] PF mangles loopback packets

11 problems total.

From: "Torsten @ CNC-LONDON"
Date: Mon, 7 Apr 2008 23:02:33 +0100
Subject: SSH Session disconnecting with pf

Hi All

I'm running FreeBSD stable6.2 on all my servers and in the past one year I
noticed a random disconnection of persistent sessions to and from servers
which are running PF as the firewall

At first I was blaming internet connectivity issues for this and tried to sell
this as "as good as it gets"

Of course at first I noticed it at SSH connections and later on with ftp
NOOP connections and so on.

This dropping causes SSH to be reconnected and ftp to stall indefinitely
until new login.

All people are starting to get quite spooky about it, especially SSH users
because of interrupted sessions

And tunneling

I tried to find the reason for this

Any help would be very appreciated

Regards

Torsten

All kernels are compiled with:

****************************************
#pf firewall start
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Based Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
# PF firewall end

options SMP
options QUOTA
****************************************

All other options are left alone

My pf.conf looks like this (sorry, changed ext IP address because I don't
trust myself of having done the right thing)

*****************************
###MACROS
ext_if = "em0"
int_if = "vr0"
ext_ip = "{0.0.0.1, 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5}"
loop_if="lo0"
SYN_ONLY="S/FSRA"
icmp_types = "echoreq"
office_ip="{ 1.0.0.1, 1.0.0.2, 1.0.0.4, 1.0.0.4 , 1.0.0.5, 1.0.0.6, 1.0.0.7 }"
public_services = "{ 13, 20, 21, 25, 37, 53, 80, 110, 443, 465, 993, 995, 8025}"
PassiveFTP = "{ 55000 >< 59000 }"

##TABLES
#private IP address spaces
table { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }

# blacklist host
table persist file "/usr/local/etc/pf/pf.blacklist"

## GLOBAL OPTIONS
set block-policy return
set loginterface $ext_if
set optimization normal
set skip on lo0

## TRAFFIC NORMALIZATION
scrub in all no-df
scrub out all no-df

## FILTER RULES
# in general block all connections and allow later below
block in

# allow all on loop interface
pass quick on $loop_if

# block all private ip addresses
block in quick on $ext_if from { }

# allow any connection from the server to go out
pass out keep state

#allow tcp/udp connections to the above ports from external
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state

#allow ping request from anywhere but filter it
pass in log inet proto icmp all icmp-type $icmp_types keep state

#allow any connection from management IP's
pass in log quick on $ext_if proto udp from $office_ip to $ext_if keep state
pass in log quick on $ext_if proto tcp from $office_ip to $ext_if flags $SYN_ONLY keep state

# blacklist spam networks and so on
block log quick from to any
block log quick from any to

#ftp proxy rubbish for passive ftp
pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state

pass quick on $int_if
****************************

From: Jeremy Chadwick
To: "Torsten @ CNC-LONDON"
Date: Mon, 7 Apr 2008 16:07:50 -0700
Cc: freebsd-pf@freebsd.org
Subject: Re: SSH Session disconnecting with pf

On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> noticed a random disconnection of persistent sessions to and from servers
> which are running PF as the firewall

The big problem with your rules looks to be how you're determining SYN,
and how you're using keep state.

Below are some comments.

> SYN_ONLY="S/FSRA"

This is very, very wrong, and probably the cause of your issues. This
should be S/SA.

> # allow all on loop interface
>
> pass quick on $loop_if

You don't need this -- you're using "set skip on lo0", which causes pf
to ignore that interface. You can remove $loop_if as well.

> # block all private ip addresses
>
> block in quick on $ext_if from { }

Use the "antispoof" directive for this, it'll work better. :-)

> # allow any connection from the server to go out
>
> pass out keep state

This is also incorrect. It'll work fine for ICMP and UDP packets, but
for TCP you'll be creating a new state table for every packet regardless
of flags, which is liable to break things.

For TCP you want to keep state only on initiate connections being made,
so you should be using:

pass out quick proto tcp all flags S/SA keep state
pass out quick proto udp all keep state
pass out quick proto icmp all keep state

You can, of course, replace "flags S/SA" with $SYN_ONLY once you address
the issue above.

> #allow tcp/udp connections to the above ports from external
>
> pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
> pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state

You can remove the parentheses in "($ext_if)".

> #allow ping request from anywhere but filter it
>
> pass in log inet proto icmp all icmp-type $icmp_types keep state

The pf.conf comment here doesn't make any sense. Also, be aware ICMP is
actually quite important, so you don't want to block all ICMP protocols
and just permit echoreq. There are documents online which discuss what
blocking all ICMP types can do.

> #ftp proxy rubbish for passive ftp
>
> pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
> pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state

FTP is actually a TCP-based protocol, despite what you see in
/etc/services for ports.

> pass quick on $int_if

Consider using "set skip on $int_if" instead, if this is really what you
want.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From: Elliott Perrin
To: freebsd-pf@freebsd.org
Date: Mon, 07 Apr 2008 19:14:49 -0400
Subject: Re: SSH Session disconnecting with pf

On Mon, 2008-04-07 at 23:02 +0100, Torsten @ CNC-LONDON wrote:
> Hi All
>
> I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> noticed a random disconnection of persistent sessions to and from servers
> which are running PF as the firewall
>
> At first I was blaming internet connectivity issues for this and tried to sell
> this as "as good as it gets"
>
> Of course at first I noticed it at SSH connections and later on with ftp
> NOOP connections and so on.
>
> This dropping causes SSH to be reconnected and ftp to stall indefinitely
> until new login.
>
> All people are starting to get quite spooky about it, especially SSH users
> because of interrupted sessions
>
> And tunneling
>
> I tried to find the reason for this
>
> Any help would be very appreciated
>
> Regards
>
> Torsten
>
> All kernels are compiled with:
>
> ****************************************
> #pf firewall start
> device pf
> device pflog
> device pfsync
> options ALTQ
> options ALTQ_CBQ # Class Based Queuing (CBQ)
> options ALTQ_RED # Random Early Detection (RED)
> options ALTQ_RIO # RED In/Out
> options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
> options ALTQ_PRIQ # Priority Queuing (PRIQ)
> options ALTQ_NOPCC # Required for SMP build
> # PF firewall end
>
> options SMP
> options QUOTA
> ****************************************
>
> All other options are left alone
>
> My pf.conf looks like this (sorry, changed ext IP address because I don't
> trust myself of having done the right thing)
>
> *****************************
> ###MACROS
> ext_if = "em0"
> int_if = "vr0"
> ext_ip = "{0.0.0.1, 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5}"
> loop_if="lo0"
> SYN_ONLY="S/FSRA"
> icmp_types = "echoreq"
> office_ip="{ 1.0.0.1, 1.0.0.2, 1.0.0.4, 1.0.0.4 , 1.0.0.5, 1.0.0.6,
> 1.0.0.7 }"
> public_services = "{ 13, 20, 21, 25, 37, 53, 80, 110, 443, 465, 993,
> 995, 8025}"
> PassiveFTP = "{ 55000 >< 59000 }"
>
> ##TABLES
> #private IP address spaces
> table { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8,
> 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
>
> # blacklist host
> table persist file "/usr/local/etc/pf/pf.blacklist"
>
> ## GLOBAL OPTIONS
> set block-policy return
> set loginterface $ext_if
> set optimization normal
> set skip on lo0
>
> ## TRAFFIC NORMALIZATION
> scrub in all no-df
> scrub out all no-df
>
> ## FILTER RULES
> # in general block all connections and allow later below
> block in
>
> # allow all on loop interface
> pass quick on $loop_if
>
> # block all private ip addresses
> block in quick on $ext_if from { }
>
> # allow any connection from the server to go out
> pass out keep state
>

This is your problem right here. Try

pass out quick proto tcp flags S/SA keep state
pass out quick proto udp keep state
pass out quick proto icmp keep state

You can keep your flags as S/SFRA as it is more restrictive than S/SA,
but you should be examining flags for outbound TCP in order to keep
state. I imagine you may be filling your state table with the way this
rule is currently written

> #allow tcp/udp connections to the above ports from external
> pass in log on $ext_if inet proto tcp from any to ($ext_if) port
> $public_services flags $SYN_ONLY keep state
> pass in log on $ext_if inet proto udp from any to ($ext_if) port
> $public_services keep state
>
> #allow ping request from anywhere but filter it
> pass in log inet proto icmp all icmp-type $icmp_types keep state
>
> #allow any connection from management IP's
> pass in log quick on $ext_if proto udp from $office_ip to $ext_if
> keep state
> pass in log quick on $ext_if proto tcp from $office_ip to $ext_if
> flags $SYN_ONLY keep state
>
> # blacklist spam networks and so on
> block log quick from to any
> block log quick from any to
>
> #ftp proxy rubbish for passive ftp
> pass in log on $ext_if inet proto tcp from any to any port
> $PassiveFTP keep state
> pass in log on $ext_if inet proto udp from any to any port
> $PassiveFTP keep state
>
> pass quick on $int_if
>
> ****************************
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From: Elliott Perrin
To: freebsd-pf@freebsd.org
Date: Mon, 07 Apr 2008 19:17:29 -0400
Subject: Re: SSH Session disconnecting with pf

See Below

On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > noticed a random disconnection of persistent sessions to and from servers
> > which are running PF as the firewall
>
> The big problem with your rules looks to be how you're determining SYN,
> and how you're using keep state.
>
> Below are some comments.
>
> > SYN_ONLY="S/FSRA"
>
> This is very, very wrong, and probably the cause of your issues. This
> should be S/SA.

That is not very very wrong.

Any TCP session starting up should only have the SYN flag set out of SYN
FIN ACK RST. As a matter of fact this is in theory a more secure setting
than S/SA (SYN out of SYN ACK).

Cheers,

Elliott Perrin
elliott@c7.ca

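Added example, not part of any message in this thread: a small Python model of how pf evaluates "flags a/b", the point the replies above disagree on, run for S/SA and S/FSRA. The packet list is constructed for illustration, and a rule with no "flags" keyword is modelled as matching every TCP packet, which is what the replies describe for "pass out keep state".

```python
# Added example: models how pf evaluates "flags a/b" on a TCP packet.
# A packet matches when, looking only at the flags listed in b, exactly
# the flags listed in a are set. Flags not listed in b are ignored.

# TCP header flag bits, keyed by the letters pf.conf uses.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PUSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def to_bits(letters):
    """Turn a string of pf flag letters such as 'SA' into a bit mask."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec):
    """Parse 'a/b' into (bits that must be set, bits that are examined)."""
    want, sep, mask = spec.partition("/")
    if not sep or not mask:
        raise ValueError(f"expected 'a/b', got {spec!r}")
    return to_bits(want), to_bits(mask)


def rule_matches(spec, packet_flags):
    """True if a TCP packet with these flags matches the rule.

    spec=None models a rule written without a 'flags' keyword (assumption
    taken from the thread: such a rule matches any TCP packet).
    """
    if spec is None:
        return True
    want, mask = parse_flags_spec(spec)
    return (to_bits(packet_flags) & mask) == want


# Constructed sample packets: (description, flags set in the TCP header).
SAMPLE_PACKETS = [
    ("SYN", "S"),                # normal connection opener
    ("SYN+ACK", "SA"),           # second step of the handshake
    ("ACK", "A"),                # mid-stream acknowledgement
    ("PSH+ACK", "PA"),           # mid-stream data
    ("FIN+ACK", "FA"),           # connection teardown
    ("SYN+FIN", "SF"),           # abnormal combination
    ("SYN+RST", "SR"),           # abnormal combination
    ("SYN+ECE+CWR", "SEW"),      # SYN from an ECN-capable sender
]


def matching_packets(spec):
    """Names of the sample packets that match a rule using this flags spec."""
    return [name for name, flags in SAMPLE_PACKETS if rule_matches(spec, flags)]


if __name__ == "__main__":
    for spec in (None, "S/SA", "S/FSRA"):
        label = "(no flags keyword)" if spec is None else f"flags {spec}"
        print(f"{label:20} -> {', '.join(matching_packets(spec))}")
```

Both masks accept an ordinary SYN and reject mid-stream packets; S/FSRA additionally rejects a SYN that also carries FIN or RST, so every packet it matches is also matched by S/SA.
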
From: "Torsten @ CNC-LONDON"
Date: Tue, 8 Apr 2008 00:37:41 +0100
Subject: RE: SSH Session disconnecting with pf

Hi All

Thank you very much for the comments. This may explain some VPN issues I
had in the past as well.

Regards

Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Elliott Perrin
Sent: 08 April 2008 00:17
To: freebsd-pf@freebsd.org
Subject: Re: SSH Session disconnecting with pf

See Below

On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > noticed a random disconnection of persistent sessions to and from servers
> > which are running PF as the firewall
>
> The big problem with your rules looks to be how you're determining SYN,
> and how you're using keep state.
>
> Below are some comments.
>
> > SYN_ONLY="S/FSRA"
>
> This is very, very wrong, and probably the cause of your issues. This
> should be S/SA.

That is not very very wrong.

Any TCP session starting up should only have the SYN flag set out of SYN
FIN ACK RST. As a matter of fact this is in theory a more secure setting
than S/SA (SYN out of SYN ACK).

Cheers,

Elliott Perrin
elliott@c7.ca

From: Jeremy Chadwick
To: Elliott Perrin
Cc: freebsd-pf@freebsd.org
Date: Mon, 7 Apr 2008 17:05:58 -0700
Subject: Re: SSH Session disconnecting with pf

On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote:
> On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > > noticed a random disconnection of persistent sessions to and from servers
> > > which are running PF as the firewall
> >
> > The big problem with your rules looks to be how you're determining SYN,
> > and how you're using keep state.
> >
> > Below are some comments.
> >
> > > SYN_ONLY="S/FSRA"
> >
> > This is very, very wrong, and probably the cause of your issues. This
> > should be S/SA.
>
> That is not very very wrong.
>
> Any TCP session starting up should only have the SYN flag set out of SYN
> FIN ACK RST. As a matter of fact this is in theory a more secure setting
> than S/SA (SYN out of SYN ACK).

You're correct, and it was I who was very wrong. :-) Thank you for
correcting me.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From: Elliott Perrin
To: freebsd-pf@freebsd.org
Date: Mon, 07 Apr 2008 22:48:21 -0400
Subject: Re: SSH Session disconnecting with pf

On Mon, 2008-04-07 at 17:05 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote:
> > On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> > > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > > > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > > > noticed a random disconnection of persistent sessions to and from servers
> > > > which are running PF as the firewall
> > >
> > > The big problem with your rules looks to be how you're determining SYN,
> > > and how you're using keep state.
> > >
> > > Below are some comments.
> > >
> > > > SYN_ONLY="S/FSRA"
> > >
> > > This is very, very wrong, and probably the cause of your issues. This
> > > should be S/SA.
> >
> > That is not very very wrong.
> >
> > Any TCP session starting up should only have the SYN flag set out of SYN
> > FIN ACK RST. As a matter of fact this is in theory a more secure setting
> > than S/SA (SYN out of SYN ACK).
>
> You're correct, and it was I who was very wrong. :-) Thank you for
> correcting me.

No apology necessary... especially with all the help you provide to
people on the list.

Cheers,

~e

From: "Dalibor Gudzic"
To: torsten@cnc-london.net
Cc: freebsd-pf@freebsd.org
Date: Tue, 8 Apr 2008 15:52:14 +0200
Subject: Re: SSH Session disconnecting with pf

I also see you said you use FreeBSD 6.2, consider this:

http://lists.freebsd.org/pipermail/freebsd-security/2008-April/004699.html

All the best

with ESMTP id EF397B831 for ; Thu, 10 Apr 2008 01:27:10 +0200 (CEST) Message-ID: <47FD5090.8060901@gibfest.dk> Date: Thu, 10 Apr 2008 01:26:08 +0200 From: Thomas Rasmussen User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <47F1735B.9060707@gibfest.dk><200804011642.40992.silver@ultrasoft.ee><47F2507A.1000407@gibfest.dk> <200804011715.41522.max@love2party.net> <47F34123.1000301@nviz.net> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: pftop 0.7 in ports ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Apr 2008 23:26:17 -0000 >> >> >>> When can we expect to see this in ports ? >>> >>> >> went in seconds before you hit send ;) >> >> > I am thoroughly enjoying the new filtering feature :), but I have a couple of questions: The 'rate' column stops updating when I add a filter like say "port 80". If I am watching a download and then decide to filter that connection only, the rate column freezes at the value it was at when I applied the filter. Any way to fix this ? And a minor annoyance: It seems that when I want to remove a filter I can only delete it using the delete key as opposed to the backspace key. This is counter intuitive but it works for me with my PC keyboard. My colleagues Macbook doesn't have a delete key so you have to exit pftop and start it again to remove the filter. I also have a third question, not specific to 0.7 though, but I'll sneak it in anyway: Long running sessions seem to give wrong Rate calculations quite consistently, for example at the moment i have an udp state which is an openvpn tunnel. pftop says the age is 218 hours and it has transferred close to 40 gigabytes. 
The rate currently says "36864M" which is obviously wrong :) It isn't
stable there, sometimes it goes down to ~7000M and stays there for a bit.
Anyway, this tunnel is over an ADSL so I wish..
I also noticed this with 0.6, so as I said, this isn't specific to
pftop 0.7.

I don't have access to an OpenBSD machine so I can't check if these
problems are FreeBSD specific.

Thanks!

Thomas

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 10 11:48:50 2008
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 10 Apr 2008 13:45:52 +0200
Subject: Re: pftop 0.7 in ports ?

On Thursday 10 April 2008 01:26:08 Thomas Rasmussen wrote:
> >>> When can we expect to see this in ports ?
> >>
> >> went in seconds before you hit send ;)
>
> I am thoroughly enjoying the new filtering feature :), but I have a
> couple of questions:
> The 'rate' column stops updating when I add a filter like say "port 80".
> If I am watching a download and then decide to filter that connection
> only, the rate column freezes at the value it was at when I applied the
> filter. Any way to fix this ?

I don't know, but it seems to be a problem with OpenBSD as well. Please
report it to the original author.

> And a minor annoyance:
> It seems that when I want to remove a filter I can only delete it using
> the delete key as opposed to the backspace key. This is counterintuitive
> but it works for me with my PC keyboard. My colleague's MacBook doesn't
> have a delete key so you have to exit pftop and start it again to remove
> the filter.

Works for me. I suspect this is a problem with your console / terminal
settings.

> I also have a third question, not specific to 0.7 though, but I'll
> sneak it in anyway:
> Long running sessions seem to give wrong Rate calculations quite
> consistently, for example at the moment I have a UDP state which is an
> OpenVPN tunnel. pftop says the age is 218 hours and it has transferred
> close to 40 gigabytes. The rate currently says "36864M" which is
> obviously wrong :) It isn't stable there, sometimes it goes down to
> ~7000M and stays there for a bit. Anyway, this tunnel is over an ADSL
> so I wish..
> I also noticed this with 0.6, so as I said, this isn't specific to
> pftop 0.7.
I don't have such a long lived connection around to verify, but again
this seems like a cross platform problem and you should contact the
original author.

> I don't have access to an OpenBSD machine so I can't check if these
> problems are FreeBSD specific.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 10 13:29:54 2008
From: Alexander Vyrlanovich
To: freebsd-pf@freebsd.org
Date: Thu, 10 Apr 2008 16:10:33 +0300
Subject: carpdev

Hi list!

Does anybody know about carpdev implementation status on FreeBSD?

Is it safe to use Max's patch from 10 January 2008 in production?
Thanks,
Alexander Vyrlanovich

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 10 15:35:25 2008
From: Elliott Perrin
To: freebsd-pf@freebsd.org
Date: Thu, 10 Apr 2008 11:32:55 -0400
Subject: Re: carpdev

On Thu, 2008-04-10 at 16:10 +0300, Alexander Vyrlanovich wrote:
> Hi list!
>
> Does anybody know about carpdev implementation status on FreeBSD?
>
> Is it safe to use Max's patch from 10 January 2008 in production?
>

I do not know of the specific patch at this moment, but I use carp
devices on every one of my FreeBSD firewalls. I have used CARP as the
basis for clusters of web / db / mail / NFS etc. servers combined with
devd and some other unique concepts.
I have had no problems with CARP at all for over 2 years now on both the
6-STABLE and 7-CURRENT / 7-STABLE branches.

Tested firewall fail over with my configs using CARP when we started
pulling Ethernet plugs resulted in, at most, negligible packet loss
while pinging. From the application layer perspective, no sessions
experienced any interruption while fail over testing all systems I run
CARP on.

Cheers,
Elliott Perrin
elliott@c7.ca

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 11 06:07:07 2008
From: Alexander Vyrlanovich
To: elliott@c7.ca
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Apr 2008 09:07:03 +0300
Subject: Re: carpdev

I mean ifconfig carp0 carpdev iface
to attach carp pseudo-device to iface.

The goal is to have physical iface and attached carp device
configured in different IP subnets like OpenBSD can do.
(for example if the ISP assigns a /30 subnet to me, where only two IPs
can be located)

On 10 Apr. 2008, at 18:32, Elliott Perrin wrote:

> On Thu, 2008-04-10 at 16:10 +0300, Alexander Vyrlanovich wrote:
>> Hi list!
>>
>> Does anybody know about carpdev implementation status on FreeBSD?
>>
>> Is it safe to use Max's patch from 10 January 2008 in production?
>>
>
> I do not know of the specific patch at this moment, but I use carp
> devices on every one of my FreeBSD firewalls. I have used CARP as the
> basis for clusters of web / db / mail / NFS etc. servers combined with
> devd and some other unique concepts. I have had no problems with CARP at
> all for over 2 years now on both the 6-STABLE and 7-CURRENT / 7-STABLE
> branches.
>
> Tested firewall fail over with my configs using CARP when we started
> pulling Ethernet plugs resulted in, at most, negligible packet loss
> while pinging. From the application layer perspective, no sessions
> experienced any interruption while fail over testing all systems I run
> CARP on.
>
> Cheers,
> Elliott Perrin
> elliott@c7.ca

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 11 14:17:20 2008
From: "Alexandre Biancalana"
To: "Alexander Vyrlanovich"
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Apr 2008 10:48:00 -0300
Subject: Re: carpdev

On 4/11/08, Alexander Vyrlanovich wrote:
> I mean ifconfig carp0 carpdev iface
> to attach carp pseudo-device to iface.
>
> The goal is to have physical iface and attached carp device
> configured in different IP subnets like OpenBSD can do.
> (for example if the ISP assigns a /30 subnet to me, where only two IPs
> can be located)

This is not native. There is a patch that implements this feature. I use
this on 2 setups and I've no problem at all.

Look in the archives.

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 12 18:30:03 2008
From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-pf@FreeBSD.org
Date: Sat, 12 Apr 2008 18:30:03 GMT
Subject: Re: kern/106400: commit references a PR

The following reply was made to PR kern/106400; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/106400: commit references a PR
Date: Sat, 12 Apr 2008 18:26:58 +0000 (UTC)

 mlaier      2008-04-12 18:26:48 UTC

   FreeBSD src repository

   Modified files:        (Branch: RELENG_7)
     contrib/pf/pfctl     pfctl_altq.c pfctl_qstats.c
     sys/contrib/pf/net   pf_if.c pf_ioctl.c pfvar.h
   Log:
   MFC: Make ALTQ cope with disappearing interfaces (particularly common
   with mpd and netgraph in general).
   This also allows to add queues for an interface that is not yet
   existing (you have to provide the bandwidth for the interface, however).

   PR:             kern/106400, kern/117827
   Tested by:      Florian Smeets, Boris S.

   Revision   Changes    Path
   1.9.2.1    +13 -1     src/contrib/pf/pfctl/pfctl_altq.c
   1.6.10.1   +27 -1     src/contrib/pf/pfctl/pfctl_qstats.c
   1.11.2.3   +7 -1      src/sys/contrib/pf/net/pf_if.c
   1.28.2.2   +117 -3    src/sys/contrib/pf/net/pf_ioctl.c
   1.16.2.1   +8 -1      src/sys/contrib/pf/net/pfvar.h
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 12 18:30:07 2008
From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-pf@FreeBSD.org
Date: Sat, 12 Apr 2008 18:30:06 GMT
Subject: Re: kern/117827: commit references a PR

The following reply was made to PR kern/117827; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/117827: commit references a PR
Date: Sat, 12 Apr 2008 18:26:58 +0000 (UTC)

 mlaier      2008-04-12 18:26:48 UTC

   FreeBSD src repository

   Modified files:        (Branch: RELENG_7)
     contrib/pf/pfctl     pfctl_altq.c pfctl_qstats.c
     sys/contrib/pf/net   pf_if.c pf_ioctl.c pfvar.h
   Log:
   MFC: Make ALTQ cope with disappearing interfaces (particularly common
   with mpd and netgraph in general). This also allows to add queues for
   an interface that is not yet existing (you have to provide the
   bandwidth for the interface, however).

   PR:             kern/106400, kern/117827
   Tested by:      Florian Smeets, Boris S.

   Revision   Changes    Path
   1.9.2.1    +13 -1     src/contrib/pf/pfctl/pfctl_altq.c
   1.6.10.1   +27 -1     src/contrib/pf/pfctl/pfctl_qstats.c
   1.11.2.3   +7 -1      src/sys/contrib/pf/net/pf_if.c
   1.28.2.2   +117 -3    src/sys/contrib/pf/net/pf_ioctl.c
   1.16.2.1   +8 -1      src/sys/contrib/pf/net/pfvar.h

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 12 20:00:13 2008
From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-pf@FreeBSD.org
Date: Sat, 12 Apr 2008 20:00:13 GMT
Subject: Re: kern/106400: commit references a PR

The following reply was made to PR kern/106400; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/106400: commit references a PR
Date: Sat, 12 Apr 2008 19:52:24 +0000 (UTC)

 mlaier      2008-04-12 19:52:13 UTC

   FreeBSD src repository

   Modified files:        (Branch: RELENG_6)
     contrib/pf/pfctl     pfctl_altq.c pfctl_qstats.c
     sys/contrib/pf/net   pf_if.c pf_ioctl.c pfvar.h
   Log:
   MFC: Make ALTQ cope with disappearing interfaces (particularly common
   with mpd and netgraph in general). This also allows to add queues for
   an interface that is not yet existing (you have to provide the
   bandwidth for the interface, however).

   PR:             kern/106400, kern/117827
   Tested by:      Florian Smeets, Boris S.

   Revision   Changes    Path
   1.7.2.2    +13 -1     src/contrib/pf/pfctl/pfctl_altq.c
   1.6.2.1    +27 -1     src/contrib/pf/pfctl/pfctl_qstats.c
   1.10.2.1   +7 -1      src/sys/contrib/pf/net/pf_if.c
   1.20.2.6   +117 -3    src/sys/contrib/pf/net/pf_ioctl.c
   1.11.2.3   +8 -1      src/sys/contrib/pf/net/pfvar.h

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 12 20:00:15 2008
From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-pf@FreeBSD.org
Date: Sat, 12 Apr 2008 20:00:15 GMT
Subject: Re: kern/117827: commit references a PR

The following reply was made to PR kern/117827; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/117827: commit references a PR
Date: Sat, 12 Apr 2008 19:52:24 +0000 (UTC)

 mlaier      2008-04-12 19:52:13 UTC

   FreeBSD src repository

   Modified files:        (Branch: RELENG_6)
     contrib/pf/pfctl     pfctl_altq.c pfctl_qstats.c
     sys/contrib/pf/net   pf_if.c pf_ioctl.c pfvar.h
   Log:
   MFC: Make ALTQ cope with disappearing interfaces (particularly common
   with mpd and netgraph in general). This also allows to add queues for
   an interface that is not yet existing (you have to provide the
   bandwidth for the interface, however).

   PR:             kern/106400, kern/117827
   Tested by:      Florian Smeets, Boris S.

   Revision   Changes    Path
   1.7.2.2    +13 -1     src/contrib/pf/pfctl/pfctl_altq.c
   1.6.2.1    +27 -1     src/contrib/pf/pfctl/pfctl_qstats.c
   1.10.2.1   +7 -1      src/sys/contrib/pf/net/pf_if.c
   1.20.2.6   +117 -3    src/sys/contrib/pf/net/pf_ioctl.c
   1.11.2.3   +8 -1      src/sys/contrib/pf/net/pfvar.h

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 12 20:06:26 2008
From: mlaier@FreeBSD.org
To: bst2006@dva.dyndns.org, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Sat, 12 Apr 2008 20:06:26 GMT
Subject: Re: kern/106400: [pf] fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

Synopsis: [pf] fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

State-Changed-From-To: feedback->closed
State-Changed-By: mlaier
State-Changed-When: Sat Apr 12 20:05:46 UTC 2008
State-Changed-Why:
Committed to RELENG_6 and _7. Thanks for testing.

http://www.freebsd.org/cgi/query-pr.cgi?pr=106400

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 12 20:07:16 2008
From: mlaier@FreeBSD.org
To: dimanenator@gmail.com, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Sat, 12 Apr 2008 20:07:16 GMT
Subject: Re: kern/117827: [pf] [panic] kernel panic with pf and ng

Synopsis: [pf] [panic] kernel panic with pf and ng

State-Changed-From-To: feedback->closed
State-Changed-By: mlaier
State-Changed-When: Sat Apr 12 20:06:42 UTC 2008
State-Changed-Why:
Committed to RELENG_6 and _7. Thanks for testing.

http://www.freebsd.org/cgi/query-pr.cgi?pr=117827