From owner-freebsd-pf@FreeBSD.ORG Mon Aug 9 11:07:01 2010
Date: Mon, 9 Aug 2010 11:07:01 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD
users. These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

47 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 11 23:07:58 2010
Date: Wed, 11 Aug 2010 15:35:56 -0700
From: Serguey Parkhomovsky
To: freebsd-pf@freebsd.org
Subject: pf doesn't honor net.inet.ip.forwarding?

Hello,

pf seems to do NAT forwarding whether or not net.inet.ip.forwarding is
enabled. I set up a NAT between my webserver jail on lo1 and my external
interface on em0, and it works even when this setting is disabled. Here
is the relevant part of my pf.conf:

nat on em0 from lo1 to any -> (em0)

Why does this work? Shouldn't pf be unable to forward packets when
net.inet.ip.forwarding=0?

- Serguey

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 12 23:37:26 2010
Date: Thu, 12 Aug 2010 23:37:25 GMT
From: linimon@FreeBSD.org
To: me@tuupic.org.ru, linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/143808: [pf] pf does not work inside jail

Old Synopsis: pf does not work inside jail
New Synopsis: [pf] pf does not work inside jail

State-Changed-From-To: closed->suspended
State-Changed-By: linimon
State-Changed-When: Thu Aug 12 23:34:40 UTC 2010
State-Changed-Why:
Change state to reflect that we know that this doesn't work yet.

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Aug 12 23:34:40 UTC 2010
Responsible-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=143808

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 12 23:40:07 2010
Date: Thu, 12 Aug 2010 23:40:06 GMT
From: Mark Linimon
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/143808: pf does not work inside jail

The following reply was made to PR kern/143808; it has been noted by GNATS.

From: Mark Linimon
To: Brett Burley
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/143808: pf does not work inside jail
Date: Thu, 12 Aug 2010 18:38:29 -0500

 On Thu, Aug 12, 2010 at 09:00:11PM +0000, Brett Burley wrote:
 > I was wondering if you could suggest someone to contact with respect to
 > resolving this issue.

 AFAIK there is no one working on the problem at the present time.

 (fwiw, please avoid the use of HTML in email Cc:ed to GNATS. Thanks.)

 mcl

From owner-freebsd-pf@FreeBSD.ORG Sat Aug 14 14:00:33 2010
Date: Sat, 14 Aug 2010 14:00:33 GMT
From: bz@FreeBSD.org
To: bz@FreeBSD.org, freebsd-pf@FreeBSD.org, freebsd-virtualization@FreeBSD.org
Subject: Re: kern/143808: [pf] pf does not work inside jail

Synopsis: [pf] pf does not work inside jail

Responsible-Changed-From-To: freebsd-pf->freebsd-virtualization
Responsible-Changed-By: bz
Responsible-Changed-When: Sat Aug 14 13:59:55 UTC 2010
Responsible-Changed-Why:
It's a VIMAGE specific issue and not a pf issue.

http://www.freebsd.org/cgi/query-pr.cgi?pr=143808