From owner-freebsd-pf@freebsd.org Mon May 16 12:13:20 2016
From: Melissa Jenkins
Date: Mon, 16 May 2016 12:53:43 +0100
To: freebsd-pf@freebsd.org
Subject: Re: Can pf simultaneously redirect to multiple, internal hosts
List-Id: "Technical discussion and general questions about packet filter (pf)"

> Sorry for not being more concise. Yes, I am looking at scenario number
> 1. Reading up on ng_tee, looks interesting. Thank you for the
> recommendation.
>
> On Thu, May 12, 2016 at 7:47 PM, Peter Jeremy wrote:
>
>> On 2016-May-12 11:09:57 -0700, J Green wrote:
>>> Can pf simultaneously redirect to multiple, internal hosts?
>>>
>>> Source -> UDP traffic -> pf (redirection) -> Host1
>>>                                           -> Host2
>>>                                           -> Host3
>>

from man pf.conf:

    dup-to
        The dup-to option creates a duplicate of the packet and routes it
        like route-to. The original packet gets routed as it normally
        would.

Not sure if that would do it but sounds promising.
(I.e., I've not tried it but have used route-to)

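As an added example (not Melissa's or the list's own configuration), here is the rdr plus dup-to combination she points at, written as a shell function that emits the pf.conf fragment for delivering one inbound UDP stream to two internal hosts and parse-checks it with pfctl; the interface names, addresses and port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rdr sends the original datagram to
# HOST1, dup-to hands a clone to HOST2. Names and addresses are assumptions.

# dup_rules EXT_IF INT_IF HOST1 HOST2 PORT: print the pf.conf fragment.
dup_rules() {
    ext_if=$1; int_if=$2; host1=$3; host2=$4; port=$5
    cat <<EOF
# Primary copy: rdr rewrites the destination to $host1. Translation runs
# before the filter rules, so the pass rule below already sees $host1.
rdr on $ext_if inet proto udp to ($ext_if) port $port -> $host1

# Second copy: dup-to clones the packet and routes the clone out $int_if to
# next hop $host2 while the original continues to $host1. The clone is NOT
# rewritten: its IP destination is still $host1, so $host2 only sees it if
# it accepts packets addressed to $host1 (a capture tool will, an ordinary
# socket bound to $host2 will not). One rule yields one clone; a third host
# needs another mechanism such as the ng_tee mentioned earlier in the thread.
pass in quick on $ext_if inet proto udp to $host1 port $port dup-to ($int_if $host2) keep state
EOF
}

# rule_count ...: number of actual rule lines in the fragment (comments and
# blank lines excluded), i.e. what a parse-only load would accept.
rule_count() {
    dup_rules "$@" | grep -v '^#' | grep -c .
}

# check_rules ...: parse-only load (pfctl -n) when pfctl is available.
check_rules() {
    command -v pfctl >/dev/null 2>&1 || {
        echo "pfctl not found, skipping parse check" >&2
        return 0
    }
    dup_rules "$@" | pfctl -nf -
}
```

Verify with `pfctl -sn` and `pfctl -sr` after loading that the rdr rule and the dup-to pass rule are both present, and watch the clone arrive on the second host with tcpdump before relying on it.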
Date: Mon, 16 May 2016 11:32:44 -0700
Subject: Re: Can pf simultaneously redirect to multiple, internal hosts
From: J Green
To: Melissa Jenkins
Cc: freebsd-pf@freebsd.org

That looks like it could do what I am trying to accomplish. Thank you.

On Mon, May 16, 2016 at 4:53 AM, Melissa Jenkins <melissa-freebsd@littlebluecar.co.uk> wrote:
>
> > Sorry for not being more concise. Yes, I am looking at scenario number
> > 1. Reading up on ng_tee, looks interesting. Thank you for the
> > recommendation.
> >
> > On Thu, May 12, 2016 at 7:47 PM, Peter Jeremy wrote:
> >
> >> On 2016-May-12 11:09:57 -0700, J Green wrote:
> >>> Can pf simultaneously redirect to multiple, internal hosts?
> >>>
> >>> Source -> UDP traffic -> pf (redirection) -> Host1
> >>>                                           -> Host2
> >>>                                           -> Host3
> >>
>
> from man pf.conf:
>
>     dup-to
>         The dup-to option creates a duplicate of the packet and routes it
>         like route-to. The original packet gets routed as it normally
>         would.
>
> Not sure if that would do it but sounds promising.
> (I.e., I've not tried it but have used route-to)
>

Date: Wed, 18 May 2016 09:24:09 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: `echo | pfctl -mf -` overriding instead of modifying

Note: crossposting in freebsd-questions and freebsd-pf

On a 10.3-RELEASE system, in my `/etc/pf.conf` I have the following lines:

    ext_if="vtnet0"
    ...
    rdr-anchor "jails/*" on $ext_if inet to $ext_if

In my `/etc/jail.conf` I have the following lines for some jail:

    exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name' -f -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name' -mf -";

Nonetheless, if I start the jail, only the inet6 rules will stay in the appropriate anchor. The inet rules will be overridden.

Initially, I only used the `-f -` flags for pfctl (instead of `-mf -`) and realised that making changes to the anchor overrides existing rules. So I read pfctl(8) where it says

    -m      Merge in explicitly given options without resetting those
            which are omitted. Allows single options to be modified
            without disturbing the others:

                  # echo "set loginterface fxp0" | pfctl -mf -

So I thought that adding `-m` to the rule in the second `exec.poststart` will include (instead of replace) the rules into the anchor. But this is not the case.

What am I doing wrong? Do I misunderstand `-m`?
Niklaas

From: Dewayne Geraghty
Date: Wed, 18 May 2016 17:46:57 +1000
Subject: Re: `echo | pfctl -mf -` overriding instead of modifying
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org

Niklaas,

Would you please reverse the order and advise? That is try:

    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name' -mf -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name' -f -";

Regards, Dewayne.

Date: Wed, 18 May 2016 10:23:32 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: `echo | pfctl -mf -` overriding instead of modifying

Dewayne Geraghty [2016-05-18 17:46 +1000] :
> Niklaas,
> Would you please reverse the order and advise? That is try:
> exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to
> vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name' -mf -";
> exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to
> vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name' -f -";

If I reverse the order, it is only the last redirect that is applied (in this case inet). The same thing happens if I use `-mf -` for the second entry in the example above.
Niklaas

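An added example, not from the thread or from any of its participants: `pfctl -f` replaces the whole ruleset of the anchor named with `-a`, and `-m` only merges `set` options (loginterface, limits, timeouts), which is why each of the two `exec.poststart` loads above leaves just its own rule in `jails/$name`. The functions below generate both redirect rules for a jail and load them in a single pfctl call; the interface name, the addresses and the per-jail rules directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Both rdr rules for one jail are written
# by one function and loaded into the anchor by ONE pfctl invocation, so
# neither load overwrites the other. vtnet0 and the paths are assumptions.

# jail_rdr_rules NAME IP4 IP6: print both redirect rules for anchor jails/NAME.
jail_rdr_rules() {
    ip4=$2; ip6=$3
    printf 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> %s\n' "$ip4"
    printf 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> %s\n' "$ip6"
}

# rule_count NAME IP4 IP6: how many rules one load would install.
rule_count() {
    jail_rdr_rules "$@" | grep -c .
}

# write_jail_rules NAME IP4 IP6 DIR: keep the rules in DIR/NAME.conf so that
# jail.conf needs only a single, quoting-free pfctl line (see below).
write_jail_rules() {
    dir=$4
    mkdir -p "$dir"
    jail_rdr_rules "$1" "$2" "$3" > "$dir/$1.conf"
    printf '%s\n' "$dir/$1.conf"
}

# load_jail_anchor NAME IP4 IP6: single load straight into the anchor (root).
load_jail_anchor() {
    jail_rdr_rules "$@" | pfctl -a "jails/$1" -f -
}

# verify_jail_anchor NAME: what actually sits in the anchor after the load;
# both an inet and an inet6 rdr line should be listed.
verify_jail_anchor() {
    pfctl -a "jails/$1" -sn
}

# jail.conf then carries one line per jail instead of two (assumed layout;
# $name is expanded by jail(8) before the command runs):
#
#   exec.poststart += "pfctl -a 'jails/$name' -f /etc/pf.jails/$name.conf";
```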
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Thu, 19 May 2016 05:19:38 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.2-STABLE
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #2 from emz@norma.perm.ru ---

Sorry it took that long (I was kinda overwhelmed by the amount of work).

So, same setup: A <---gre/ipsec---> B <---gre/ipsec---> C.

1) ipsec removed between A and B. The issue persists.
2) pf disabled on B. The issue is no more.
3) ipsec added on B, pf still disabled. The issue is no more.
4) ipsec still on, pf enabled on B. The issue is back.
5) ipsec enabled, pf enabled, the following line removed from pf on B:

       scrub on $oif from ! fragment reassemble

   The issue persists.
6) Line from previous point added back, removed the line

       scrub on gre0 max-mss 1360

   where gre0 is the B <---> C tunnel, and the issue is gone.

But I don't understand how the MSS enforcing can affect the ICMP packets, while it should only affect TCP.
-- 
You are receiving this mail because:
You are the assignee for the bug.

From: Radek Krejča
To: freebsd-pf@freebsd.org
Date: Thu, 19 May 2016 11:48:28 +0200
Subject: Traffic shaping incoming traffic for all vlans

Hello,

I have a FreeBSD router with pf for NAT and firewall. There are 2 NICs, one for incoming traffic from the internet and a second for traffic to clients. On the internal NIC are a lot of vlans.

I need to make traffic shaping for all users based on src ip from the internet. But I have a problem, it doesn't work.

Working rule for blocking all traffic is:

    block quick proto { tcp, udp } from 192.168.52.0/24

but the same rule with the external NIC doesn't match:

    block quick on $ext_if proto { tcp, udp } from 192.168.52.0/24

Why?

And second problem - how to set up (on which interface) altq queues?

Thank you very much.
Radek

From: Max
Subject: fragments processing
To: freebsd-pf@FreeBSD.org
Date: Thu, 19 May 2016 17:19:13 +0300

Hello.

I have an issue with pf in FreeBSD 10.3-RELEASE-p2. Looks like there is a problem with fragment expiring. It all began with kernel messages "PF frag entries limit reached".

    # sh -c "while true ; do date; { vmstat -z; pfctl -si; } | sed -n '1p;/frag/p'; echo; sleep 5; done"
    Thu May 19 11:41:43 MSK 2016
    ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
    pf frags:               120,      0,    1577,     304,  256222,   0,   0
    pf frag entries:         40,   5000,    1577,     723,  515862,   0,   0
      fragment                              4919            0.0/s

    Thu May 19 11:41:48 MSK 2016
    ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
    pf frags:               120,      0,    1577,     304,  256222,   0,   0
    pf frag entries:         40,   5000,    1577,     723,  515862,   0,   0
      fragment                              4919            0.0/s

    ...

    Thu May 19 14:15:20 MSK 2016
    ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
    pf frags:               120,      0,    1578,     303,  256284,   0,   0
    pf frag entries:         40,   5000,    1578,     722,  515986,   0,   0
      fragment                              4920            0.0/s

    Thu May 19 14:15:25 MSK 2016
    ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
    pf frags:               120,      0,    1578,     303,  256284,   0,   0
    pf frag entries:         40,   5000,    1578,     722,  515986,   0,   0
      fragment                              4920            0.0/s

    ...

The number of used frags (almost) never decreases.

I don't have enough experience in programming. But I guess that the problem may be in "frag->fr_timeout = time_second;" in pf_fillup_fragment() (pf_norm.c). It should be "frag->fr_timeout = time_uptime;". Actually, I don't know the difference between those variables.
So, correct me if I'm wrong.

P.S. It would be nice to be able to check frags status, like pfctl -ss.

P.P.S. I confirm the bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519.

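An added example, not part of Max's report: a parser for the `pf frag entries` zone in `vmstat -z` output and the two checks a monitor can derive from it, how close USED is to LIMIT and whether USED ever decreased over a series of samples (the symptom above is that it does not). The sample snapshot is constructed from the numbers in the report.

```shell
#!/bin/sh
# Added example, not from the thread. Parses vmstat -z zone lines and checks
# the "pf frag entries" zone the way the loop above eyeballs it.

# Constructed from the first snapshot in the report.
SAMPLE='ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
pf frags:               120,      0,    1577,     304,  256222,   0,   0
pf frag entries:         40,   5000,    1577,     723,  515862,   0,   0'

# zone_col ZONE COL < vmstat-z-output: print one column of the named zone.
# Columns after "ZONE:" are size, limit, used, free, req, fail, sleep.
zone_col() {
    awk -v zone="$1:" -v col="$2" '
        BEGIN {
            n = split("size limit used free req fail sleep", names, " ")
            for (k = 1; k <= n; k++) idx[names[k]] = k
        }
        index($0, zone) == 1 {
            rest = substr($0, length(zone) + 1)
            gsub(",", " ", rest)
            split(rest, f, " ")
            print f[idx[col]]
        }'
}

# frag_pct < vmstat-z-output: USED as an integer percentage of LIMIT for the
# "pf frag entries" zone; 100 means "PF frag entries limit reached" is next.
frag_pct() {
    input=$(cat)
    used=$(printf '%s\n' "$input" | zone_col 'pf frag entries' used)
    limit=$(printf '%s\n' "$input" | zone_col 'pf frag entries' limit)
    echo $(( used * 100 / limit ))
}

# frag_nondecreasing < one USED value per line: "yes" when the series never
# drops across the whole window, "no" as soon as any sample is lower than the
# one before it. Over hours of real traffic "yes" means entries are not
# being expired, which is the behaviour reported above.
frag_nondecreasing() {
    awk 'NR > 1 && $1 < prev { dec = 1 } { prev = $1 }
         END { print (dec ? "no" : "yes") }'
}

# frag_watch N SECS: take N live samples SECS apart (root) and print verdict.
frag_watch() {
    i=0
    while [ "$i" -lt "$1" ]; do
        vmstat -z | zone_col 'pf frag entries' used
        i=$((i + 1))
        [ "$i" -lt "$1" ] && sleep "$2"
    done | frag_nondecreasing
}
```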
From: "Chris H"
Subject: Re: Traffic shaping incoming traffic for all vlans
Date: Thu, 19 May 2016 07:53:00 -0700

On Thu, 19 May 2016 11:48:28 +0200 Radek Krejča wrote
> Hello,
>
> I have a FreeBSD router with pf for NAT and firewall. There are 2 NICs, one for
> incoming traffic from the internet and a second for traffic to clients. On the
> internal NIC are a lot of vlans.
>
> I need to make traffic shaping for all users based on src ip from the internet.
> But I have a problem, it doesn't work.
>
> Working rule for blocking all traffic is:
>
> block quick proto { tcp, udp } from 192.168.52.0/24
>
> but the same rule with the external NIC doesn't match: block quick on $ext_if proto
> { tcp, udp } from 192.168.52.0/24 Why?
>
> And second problem - how to set up (on which interface) altq queues?

Hello, Radek.

I think better context is needed here, before anyone can provide a reasonably intelligent answer/solution for you. In other words, can you provide at *least* the relevant sections of your configuration(s)?
--Chris

Subject: Re: Traffic shaping incoming traffic for all vlans
To: freebsd-pf@freebsd.org
From: Ian FREISLICH
Date: Thu, 19 May 2016 11:26:02 -0400

On 05/19/16 05:48, Radek Krejča wrote:
> I have a FreeBSD router with pf for NAT and firewall. There are 2 NICs, one for incoming traffic from the internet and a second for traffic to clients. On the internal NIC are a lot of vlans.
>
> I need to make traffic shaping for all users based on src ip from the internet. But I have a problem, it doesn't work.
>
> Working rule for blocking all traffic is:
>
> block quick proto { tcp, udp } from 192.168.52.0/24
>
> but the same rule with the external NIC doesn't match: block quick on $ext_if proto { tcp, udp } from 192.168.52.0/24
> Why?

Remember that with PF the *last* rule to match wins and that the state table is checked *before* rules are evaluated. If there is a state, rules won't be checked. If there is a later rule that allows the traffic that rule will be used. The quick modifier prevents further evaluation of rules, but if you're using quick all over the place perhaps an earlier rule allows the traffic.

Unless you set 'state-policy if-bound' the default state-policy of floating will apply and then any rule that matches allowing traffic into an interface will result in matching state that will allow the traffic out of another interface without the rules being checked.

> And second problem - how to set up (on which interface) altq queues?
The trouble with pf's bandwidth management is that it relies on state to apply traffic flows to a queue. While this is nice in some respects I've always had trouble implementing traffic rates in specific directions. What happens is that you can only assign a rate to a class of traffic, i.e. www gets 10Mbps total for traffic in both directions. In the end I used PF for packet filtering and ipfw + dummynet for bandwidth management.

I'd suggest to carefully read the 'QUEUEING' section in pf.conf(5) and if you can't make it work post your rules.

Ian

-- 
Ian Freislich
Cape Augusta Digital Properties, LLC, a Cape Augusta Company

From owner-freebsd-pf@freebsd.org Thu May 19 16:02:03 2016
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7EF39B41E91 for ; Thu, 19 May 2016 16:02:03 +0000 (UTC) (envelope-from maximos@als.nnov.ru)
Received: from mx.als.nnov.ru (mx.als.nnov.ru [95.79.102.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 411141AF1 for ; Thu, 19 May 2016 16:02:02 +0000 (UTC) (envelope-from maximos@als.nnov.ru)
Received: from [10.4.1.100] by mx.als.nnov.ru with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.86_2 (FreeBSD)) (envelope-from ) id 1b3QOY-000LDC-N3 for freebsd-pf@freebsd.org; Thu, 19 May 2016 19:01:54 +0300
Subject: Re: Traffic shaping incomming traffic for all vlans
To: freebsd-pf@freebsd.org
References: <262ED41F8198C0409ACB79946570FFCD1AA134055F@EXCHANGE.mail.starnet.cz>
From: Max
Message-ID: <3eefc0f5-eb68-dd8e-6fee-aef8d1edbd37@als.nnov.ru>
Date: Thu, 19 May 2016 19:01:54 +0300
In-Reply-To: <262ED41F8198C0409ACB79946570FFCD1AA134055F@EXCHANGE.mail.starnet.cz>

19.05.2016 12:48, Radek Krejča wrote:
> Hello,
>
> I have freebsd router with pf for NAT and firewall. There are 2 NICs, one for incoming traffic from internet and second for traffic to clients. On internal NIC are a lot of vlans.
>
> I need to make traffic shaping for all users based on src ip from internet. But I have problem, it doesn't work.
>
> Working rule for block all traffic is:
>
> block quick proto { tcp, udp } from 192.168.52.0/24
>
> but the same rule with external nic doesn't match: block quick on $ext_if proto { tcp, udp } from 192.168.52.0/24
> Why?
Is there any nat rule?

>
> And second problem - how to set up (on which interface) altq queues?
You should use the outgoing interface.

>
> Thank you very much.
> Radek

Subject: Re: fragments processing
To: freebsd-pf@freebsd.org
References: <93ccf602-31d6-fe36-4ccc-96ab1a1e2cc1@als.nnov.ru>
From: Max
Message-ID: <9e8a524a-3775-8c4b-d125-55595bbdcd83@als.nnov.ru>
Date: Thu, 19 May 2016 22:50:39 +0300
In-Reply-To: <93ccf602-31d6-fe36-4ccc-96ab1a1e2cc1@als.nnov.ru>

The value of "time_second" is the number of seconds since 1970, if I understand correctly. It means that the condition "if (frag->fr_timeout > expire)" in pf_purge_expired_fragments() should always evaluate to "true" and hence no expiring happens. The problem has existed since 10.2.
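As an added illustration (not code from this thread or from FreeBSD), the C model below reproduces the clock mismatch Max describes, with the purge check written the way the thread quotes it: an entry survives while fr_timeout > expire, and expire is derived from the uptime clock. Kristof's reply further down reaches the same diagnosis. The 30 s timeout, the 5000-entry limit and the boot-time wall-clock value are assumptions chosen for the demonstration; the 5000 only echoes the LIMIT column of the vmstat -z output posted later in the thread.

```c
/*
 * Constructed model (not pf's own code) of the fragment-expiry mismatch
 * discussed in this thread: an entry is stamped with one clock when it is
 * created, but the purge routine compares that stamp with a deadline taken
 * from another clock, so the entry never ages out and the table fills up.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAG_TIMEOUT        30           /* assumed fragment timeout, seconds */
#define MAX_FRAGS           5000         /* assumed; echoes the LIMIT column of the vmstat -z output */
#define WALL_CLOCK_AT_BOOT  1463700000LL /* constructed "seconds since 1970" at boot */

typedef struct {
    int64_t fr_timeout;   /* creation stamp, the field the patch changes */
    bool    live;
} frag_t;

typedef struct {
    frag_t frags[MAX_FRAGS];
    int    count;         /* live entries, like the USED column for "pf frag entries" */
} frag_table_t;

/* The two kernel clocks the thread contrasts, as functions of seconds since boot. */
static int64_t time_second_at(int64_t uptime) { return WALL_CLOCK_AT_BOOT + uptime; }
static int64_t time_uptime_at(int64_t uptime) { return uptime; }

/* Purge pass modelled on the check quoted in the thread: the deadline is
 * uptime-based, and an entry survives while fr_timeout > expire. A stamp
 * taken from the 1970-based clock is always far above expire, so it survives
 * every pass. Returns the number of entries released. */
int purge_expired(frag_table_t *t, int64_t now_uptime)
{
    int64_t expire = now_uptime - FRAG_TIMEOUT;
    int purged = 0;
    for (int i = 0; i < MAX_FRAGS; i++) {
        if (!t->frags[i].live || t->frags[i].fr_timeout > expire)
            continue;
        t->frags[i].live = false;
        t->count--;
        purged++;
    }
    return purged;
}

/* Claims a free slot; false when the table is exhausted. */
static bool add_fragment(frag_table_t *t, int64_t stamp)
{
    for (int i = 0; i < MAX_FRAGS; i++) {
        if (t->frags[i].live)
            continue;
        t->frags[i].fr_timeout = stamp;
        t->frags[i].live = true;
        t->count++;
        return true;
    }
    return false;
}

/* Creates one reassembly entry per second for `seconds` seconds, purging after
 * each one, and returns how many entries are still live at the end. With uptime
 * stamps the count settles at FRAG_TIMEOUT; with time_second stamps it only
 * grows, until the table is full. */
int live_entries_after(bool stamp_with_time_second, int seconds)
{
    static frag_table_t table;   /* static: the table is too large for the stack */
    memset(&table, 0, sizeof table);
    for (int64_t now = 1; now <= seconds; now++) {
        int64_t stamp = stamp_with_time_second ? time_second_at(now) : time_uptime_at(now);
        add_fragment(&table, stamp);
        purge_expired(&table, now);
    }
    return table.count;
}

int main(void)
{
    printf("time_uptime stamps, after 600 s: %d live entries\n", live_entries_after(false, 600));
    printf("time_second stamps, after 600 s: %d live entries\n", live_entries_after(true, 600));
    return 0;
}
```

Stamping with the uptime clock keeps the live count at the timeout value; stamping with the 1970-based clock keeps every entry until the table is exhausted, which is the "used frags never decrease" symptom, and why the fix is simply to use the same clock on both sides of the comparison.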
From: Radek Krejča
To: "'freebsd-pf@freebsd.org'"
Date: Thu, 19 May 2016 22:16:20 +0200
Subject: RE: Traffic shaping incomming traffic for all vlans
Message-ID: <262ED41F8198C0409ACB79946570FFCD1AA1340594@EXCHANGE.mail.starnet.cz>
References: <262ED41F8198C0409ACB79946570FFCD1AA134055F@EXCHANGE.mail.starnet.cz> <3eefc0f5-eb68-dd8e-6fee-aef8d1edbd37@als.nnov.ru>
In-Reply-To: <3eefc0f5-eb68-dd8e-6fee-aef8d1edbd37@als.nnov.ru>

on $ext_if proto { tcp, udp } from 192.168.52.0/24
> Why?
Is there any nat rule?

>
> And second problem - how to set up (on which interface) altq queues?
You should use outgoing interface.


Hello,
there is relevant part of my pf.conf

ext_if          =       "ext0"
int_if          =       "int0"

scrub all fragment reassemble no-df

altq on $ext_if cbq bandwidth 1Gb queue { \
    pokus,          \
    pokus_default        \
}

queue pokus bandwidth 10Mb cbq (red)
queue pokus_default bandwidth 600Mb cbq (default, borrow, red)

nat on $ext_if from "192.168.150.0/24"     -> $ext_addr

# This is working rule
#block quick proto { tcp, udp } from 192.168.52.0/24

# This is not working
pass in quick on $ext_if from 192.168.52.0/24 queue pokus

# This doesnt match to
# block quick on $ext_if proto { tcp, udp } from 192.168.52.0/24

On this BSD box are 74 vlans on int_if and I need to shape traffic for all of them.

Thank you very much.
Radek

Subject: Re: Traffic shaping incomming traffic for all vlans
To: freebsd-pf@freebsd.org
References: <262ED41F8198C0409ACB79946570FFCD1AA134055F@EXCHANGE.mail.starnet.cz> <3eefc0f5-eb68-dd8e-6fee-aef8d1edbd37@als.nnov.ru> <262ED41F8198C0409ACB79946570FFCD1AA1340594@EXCHANGE.mail.starnet.cz>
From: Max
Message-ID: <75067e1b-650a-ba5b-8fa1-998ceaab7903@als.nnov.ru>
Date: Fri, 20 May 2016 07:59:09 +0300
In-Reply-To: <262ED41F8198C0409ACB79946570FFCD1AA1340594@EXCHANGE.mail.starnet.cz>

19.05.2016 23:16, Radek Krejča wrote:
> on $ext_if proto { tcp, udp } from 192.168.52.0/24
>> Why?
> Is there any nat rule?
>
>> And second problem - how to set up (on which interface) altq queues?
> You should use outgoing interface.
>
>
> Hello,
> there is relevant part of my pf.conf
>
> ext_if = "ext0"
> int_if = "int0"
>
> scrub all fragment reassemble no-df
>
> altq on $ext_if cbq bandwidth 1Gb queue { \
>     pokus, \
>     pokus_default \
> }
>
> queue pokus bandwidth 10Mb cbq (red)
> queue pokus_default bandwidth 600Mb cbq (default, borrow, red)
>
> nat on $ext_if from "192.168.150.0/24" -> $ext_addr
>
> # This is working rule
> #block quick proto { tcp, udp } from 192.168.52.0/24
>
> # This is not working
> pass in quick on $ext_if from 192.168.52.0/24 queue pokus
>
> # This doesnt match to
> # block quick on $ext_if proto { tcp, udp } from 192.168.52.0/24

Incoming traffic flow: state table -> rdr rules -> filter rules.
Outgoing traffic flow: state table -> nat rules -> filter rules.

I assume your "int_if" has the 192.168.52.0/24 net configured. If so, the nat rule changes the source address and your filter rule should be:

pass out quick on $ext_if from $ext_addr ...
Or you could change the nat rule:

nat *pass* on $ext_if from 192.168.150.0/24 -> $ext_addr

>
> On this BSD box are 74 vlans on int_if and I need to shape traffic for all of them.
>
> Thank you very much.
> Radek
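Ian's description of the evaluation order earlier in this digest (state table before rules, last match wins, quick, floating versus if-bound states) and Max's outgoing flow (state table -> nat -> filter) combine into the small C model below. It is an added example, not pf's code: the rule sets, the client address 192.168.52.10, the placeholder $ext_addr 203.0.113.1 and the interface names int0/ext0 are constructed to mirror the thread. It walks one packet in through int0 and then out through ext0 and reports which step decided its fate.

```c
/*
 * Constructed model (not pf's own code) of the per-packet evaluation order
 * this thread describes: state table first, then nat/rdr translation, then the
 * filter rules, where the last matching rule wins unless a 'quick' rule ends
 * evaluation. Only what the thread's question needs is modelled.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { DIR_IN, DIR_OUT, DIR_ANY } dir_t;
typedef enum { ACT_PASS, ACT_BLOCK } act_t;
typedef enum { V_PASS_STATE, V_PASS_NAT, V_PASS_RULE, V_PASS_DEFAULT, V_BLOCK_RULE } verdict_t;

typedef struct { const char *ifname; dir_t dir; uint32_t src; } pkt_t;
typedef struct {
    act_t act; dir_t dir; const char *ifname;  /* DIR_ANY: no 'in'/'out'; NULL ifname: no 'on $if' */
    uint32_t net, mask; bool quick;            /* 'from' match; mask 0 matches any source */
} rule_t;
typedef struct { uint32_t src; const char *ifname; } state_t;

#define MAX_STATES 8
typedef struct {
    const rule_t *rules; int nrules;
    const char *nat_if; uint32_t nat_net, nat_mask, nat_addr;  /* nat on $nat_if from net -> addr */
    bool nat_pass, if_bound;  /* 'nat pass' skips the filter rules; 'set state-policy if-bound' (default floating) */
    state_t states[MAX_STATES]; int nstates;
} fw_t;

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define LAN_NET  IP(192, 168, 52, 0)   /* Radek's internal net */
#define LAN_MASK 0xffffff00u
#define CLIENT   IP(192, 168, 52, 10)  /* constructed client address */
#define EXT_ADDR IP(203, 0, 113, 1)    /* constructed $ext_addr */

static bool rule_matches(const rule_t *r, const pkt_t *p)
{
    if (r->dir != DIR_ANY && r->dir != p->dir) return false;
    if (r->ifname != NULL && strcmp(r->ifname, p->ifname) != 0) return false;
    return (p->src & r->mask) == r->net;
}

/* One packet through the model; a passing rule records state. */
verdict_t fw_process(fw_t *fw, pkt_t p)
{
    uint32_t orig_src = p.src;
    /* 1. State table: a hit passes the packet with no rule lookup; floating policy ignores the interface. */
    for (int i = 0; i < fw->nstates; i++)
        if (fw->states[i].src == orig_src &&
            (!fw->if_bound || strcmp(fw->states[i].ifname, p.ifname) == 0))
            return V_PASS_STATE;
    /* 2. Translation: leaving the nat interface, the source is rewritten before the filter rules run. */
    if (p.dir == DIR_OUT && strcmp(p.ifname, fw->nat_if) == 0 &&
        (p.src & fw->nat_mask) == fw->nat_net) {
        p.src = fw->nat_addr;
        if (fw->nat_pass) return V_PASS_NAT;
    }
    /* 3. Filter rules: last match wins, 'quick' stops at its match, no match passes. */
    const rule_t *winner = NULL;
    for (int i = 0; i < fw->nrules; i++) {
        if (!rule_matches(&fw->rules[i], &p)) continue;
        winner = &fw->rules[i];
        if (winner->quick) break;
    }
    if (winner == NULL) return V_PASS_DEFAULT;
    if (winner->act == ACT_BLOCK) return V_BLOCK_RULE;
    if (fw->nstates < MAX_STATES)
        fw->states[fw->nstates++] = (state_t){ orig_src, p.ifname };
    return V_PASS_RULE;
}

/* Constructed rule sets mirroring the thread. */
const rule_t RULES_RADEK[] = {       /* pass in on int0; block quick on ext0 from 192.168.52.0/24 */
    { ACT_PASS, DIR_IN, "int0", 0, 0, false }, { ACT_BLOCK, DIR_ANY, "ext0", LAN_NET, LAN_MASK, true } };
const rule_t RULES_EXT_ADDR[] = {    /* pass in on int0; block quick out on ext0 from $ext_addr */
    { ACT_PASS, DIR_IN, "int0", 0, 0, false }, { ACT_BLOCK, DIR_OUT, "ext0", EXT_ADDR, 0xffffffffu, true } };
const rule_t RULES_QUICK_FIRST[] = { /* block quick from 192.168.52.0/24; pass in on int0 */
    { ACT_BLOCK, DIR_ANY, NULL, LAN_NET, LAN_MASK, true }, { ACT_PASS, DIR_IN, "int0", 0, 0, false } };
const rule_t RULES_LAST_MATCH[] = {  /* block from 192.168.52.0/24 (no quick); pass in on int0 */
    { ACT_BLOCK, DIR_ANY, NULL, LAN_NET, LAN_MASK, false }, { ACT_PASS, DIR_IN, "int0", 0, 0, false } };
#define NRULES(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Verdict for a client packet entering on int0; with then_ext0, for the same packet leaving on ext0. */
verdict_t verdict(const rule_t *rules, int nrules, bool if_bound, bool nat_pass, bool then_ext0)
{
    fw_t fw = { .rules = rules, .nrules = nrules, .nat_if = "ext0", .nat_net = LAN_NET,
                .nat_mask = LAN_MASK, .nat_addr = EXT_ADDR, .nat_pass = nat_pass, .if_bound = if_bound };
    verdict_t on_int0 = fw_process(&fw, (pkt_t){ "int0", DIR_IN, CLIENT });
    return then_ext0 ? fw_process(&fw, (pkt_t){ "ext0", DIR_OUT, CLIENT }) : on_int0;
}

int main(void)
{
    /* 0=state 1=nat pass 2=rule 3=no rule matched 4=block */
    printf("Radek's ext0 block rule: floating=%d  if-bound=%d  if-bound+nat pass=%d\n",
           verdict(RULES_RADEK, NRULES(RULES_RADEK), false, false, true),
           verdict(RULES_RADEK, NRULES(RULES_RADEK), true, false, true),
           verdict(RULES_RADEK, NRULES(RULES_RADEK), true, true, true));
    return 0;
}
```

With the default floating policy the ext0 packet is passed by the state created on int0 and the block rule is never consulted; with if-bound the rules are consulted, but nat has already rewritten the source to $ext_addr, so a rule matching 192.168.52.0/24 on ext0 cannot match and the packet passes by default. Matching $ext_addr, or making the nat rule a nat pass rule, is what changes the outcome, which is Max's point; the two int0 rule sets show quick ending evaluation versus the later rule winning, which is Ian's.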
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 209475] pf didn't check if enough free RAM for net.pf.states_hashsize
Date: Fri, 20 May 2016 08:08:14 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209475

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.

From: "Kristof Provost"
To: Max
Cc: freebsd-pf@FreeBSD.org
Subject: Re: fragments processing
Date: Fri, 20 May 2016 14:23:42 +0530
Message-ID: <0ED6BC86-1DDF-4C80-9C05-6ED19049AB92@FreeBSD.org>
In-Reply-To: <93ccf602-31d6-fe36-4ccc-96ab1a1e2cc1@als.nnov.ru>
References: <93ccf602-31d6-fe36-4ccc-96ab1a1e2cc1@als.nnov.ru>

Hi Max,

On 19 May 2016, at 19:49, Max wrote:
> The number of used frags (almost) never decreases. I don't have enough
> experience in programming. But I guess that the problem may be in
> "frag->fr_timeout = time_second;" in pf_fillup_fragment() (pf_norm.c).
> It should be "frag->fr_timeout = time_uptime;". Actually, I don't know
> the difference between those variables. So, correct me if I'm wrong.
>
I think you’re right. If I’m reading the code right time_second is unix time, but time_uptime is the number of seconds the system has been up.

Either one should work, but we have to be consistent.
The rest of the code seems to use time_uptime, so this untested patch should fix your problem.

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index a2841a2..dbc8818 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -374,7 +374,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
 		}
 
 		*(struct pf_fragment_cmp *)frag = *key;
-		frag->fr_timeout = time_second;
+		frag->fr_timeout = time_uptime;
 		frag->fr_maxlen = frent->fe_len;
 		TAILQ_INIT(&frag->fr_queue);
 

> P.P.S. I confirm the bug
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519.

It’s on my list, but unfortunately it’s a very long list.

Regards,
Kristof

Subject: Re: fragments processing
To: freebsd-pf@FreeBSD.org
References: <93ccf602-31d6-fe36-4ccc-96ab1a1e2cc1@als.nnov.ru> <0ED6BC86-1DDF-4C80-9C05-6ED19049AB92@FreeBSD.org>
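Review bot: the one-line swap to time_uptime in pf_fillup_fragment() is only correct if every reader of fr_timeout uses the same clock; the thread names pf_purge_expired_fragments() with its `if (frag->fr_timeout > expire)` test as the uptime-based consumer, so the commit message should cite that comparison, and any other writer of fr_timeout in pf_norm.c should be checked for the same mix-up before the stable/10 merge. The description calls the patch untested; Max's kernel rebuild and the vmstat -z / pfctl -si counters reported later in the thread are the evidence worth attaching to the commit.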
From: Max
Message-ID: <856294d7-a71c-811b-cc3e-31b81af2d79c@als.nnov.ru>
Date: Fri, 20 May 2016 16:27:40 +0300
In-Reply-To: <0ED6BC86-1DDF-4C80-9C05-6ED19049AB92@FreeBSD.org>

Hello, Kristof.

20.05.2016 11:53, Kristof Provost wrote:
> Hi Max,
>
>
> On 19 May 2016, at 19:49, Max wrote:
>> The number of used frags (almost) never decreases. I don't have
>> enough experience in programming. But I guess that the problem may be
>> in "frag->fr_timeout = time_second;" in pf_fillup_fragment()
>> (pf_norm.c). It should be "frag->fr_timeout = time_uptime;".
>> Actually, I don't know the difference between those variables. So,
>> correct me if I'm wrong.
>>
> I think you’re right. If I’m reading the code right time_second is
> unix time,
> but time_uptime is the number of seconds the system has been up.
>
> Either one should work, but we have to be consistent.
> The rest of the code seems to use time_uptime, so this untested patch
> should fix your problem.
>
> diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
> index a2841a2..dbc8818 100644
> --- a/sys/netpfil/pf/pf_norm.c
> +++ b/sys/netpfil/pf/pf_norm.c
> @@ -374,7 +374,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key,
> struct pf_frent *frent,
> }
>
> *(struct pf_fragment_cmp *)frag = *key;
> - frag->fr_timeout = time_second;
> + frag->fr_timeout = time_uptime;
> frag->fr_maxlen = frent->fe_len;
> TAILQ_INIT(&frag->fr_queue);
>
I rebuilt the kernel. It seems the problem is gone.

>> P.P.S. I confirm the bug
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519.
>
> It’s on my list, but unfortunately it’s a very long list.
I'll wait for the patch. Thank you.

>
> Regards,
> Kristof

Here are some statistics:

# sh -c "while true ; do date; { vmstat -z; pfctl -si; } | sed -n '1p;/frag/p'; echo; sleep 5; done"
Fri May 20 13:07:11 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 71, 0, 0
pf frag entries: 40, 5000, 0, 600, 147, 0, 0
fragment 4 0.0/s

...

Fri May 20 16:07:16 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 761, 0, 0
pf frag entries: 40, 5000, 0, 600, 1531, 0, 0
fragment 4 0.0/s

Fri May 20 16:07:21 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1, 131, 771, 0, 0
pf frag entries: 40, 5000, 1, 599, 1551, 0, 0
fragment 5 0.0/s

...

Fri May 20 16:07:56 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1, 131, 771, 0, 0
pf frag entries: 40, 5000, 1, 599, 1551, 0, 0
fragment 5 0.0/s

Fri May 20 16:08:01 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 771, 0, 0
pf frag entries: 40, 5000, 0, 600, 1551, 0, 0
fragment 5 0.0/s

...

Fri May 20 16:11:12 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 771, 0, 0
pf frag entries: 40, 5000, 0, 600, 1551, 0, 0
fragment 5 0.0/s

Fri May 20 16:11:17 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1, 131, 781, 0, 0
pf frag entries: 40, 5000, 1, 599, 1571, 0, 0
fragment 6 0.0/s

...
Fri May 20 16:11:42 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1, 131, 781, 0, 0
pf frag entries: 40, 5000, 1, 599, 1571, 0, 0
fragment 6 0.0/s

Fri May 20 16:11:47 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 781, 0, 0
pf frag entries: 40, 5000, 0, 600, 1571, 0, 0
fragment 6 0.0/s
From: "Kristof Provost"
To: Max
Cc: freebsd-pf@FreeBSD.org
Subject: Re: fragments processing
Date: Fri, 20 May 2016 21:13:01 +0530
Message-ID: <1D01E770-1FE5-4CCF-9D5F-91FB8ADE955D@FreeBSD.org>
In-Reply-To: <856294d7-a71c-811b-cc3e-31b81af2d79c@als.nnov.ru>
References: <93ccf602-31d6-fe36-4ccc-96ab1a1e2cc1@als.nnov.ru> <0ED6BC86-1DDF-4C80-9C05-6ED19049AB92@FreeBSD.org> <856294d7-a71c-811b-cc3e-31b81af2d79c@als.nnov.ru>

On 20 May 2016, at 18:57, Max wrote:
> 20.05.2016 11:53, Kristof Provost wrote:
>> On 19 May 2016, at 19:49, Max wrote:
>>> The number of used frags (almost) never decreases. I don't have
>>> enough experience in programming. But I guess that the problem may
>>> be in "frag->fr_timeout = time_second;" in pf_fillup_fragment()
>>> (pf_norm.c). It should be "frag->fr_timeout = time_uptime;".
>>> Actually, I don't know the difference between those variables. So,
>>> correct me if I'm wrong.
>>>
>> I think you’re right. If I’m reading the code right time_second
>> is unix time,
>> but time_uptime is the number of seconds the system has been up.
>
> I rebuilt the kernel. It seems the problem is gone.
>
Awesome, thanks for testing. I’ve committed the fix, and will merge it back to stable/10 in a couple of days.
Regards,
Kristof

To: freebsd-pf@freebsd.org
From: Max
Subject: Bug 201519
Date: Sat, 21 May 2016 22:24:06 +0300

Hello,

I have patched and tested "case IPPROTO_UDP". It works. Other cases should work too, I think.

It's against releng/10.3

--- sys/netpfil/pf/pf.c.orig	2016-05-21 17:57:29.420602000 +0300
+++ sys/netpfil/pf/pf.c	2016-05-21 18:01:09.119724000 +0300
@@ -4866,8 +4866,7 @@ pf_test_state_icmp(struct pf_state **sta
 				    &nk->addr[pd2.didx], pd2.af) ||
 				    nk->port[pd2.didx] != uh.uh_dport)
 					pf_change_icmp(pd2.dst, &uh.uh_dport,
-					    NULL, /* XXX Inbound NAT? */
-					    &nk->addr[pd2.didx],
+					    saddr, &nk->addr[pd2.didx],
 					    nk->port[pd2.didx], &uh.uh_sum,
 					    pd2.ip_sum, icmpsum,
 					    pd->ip_sum, 1, pd2.af);

Before:

# tcpdump -vni em1 'vlan and src net 10.0.0.0/8'
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
18:26:53.523646 IP (tos 0x0, ttl 63, id 36181, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.0.3 > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 65501 unreachable, length 36
	IP (tos 0x0, ttl 61, id 27788, offset 0, flags [none], proto UDP (17), length 150)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.65501: [|domain]
18:26:53.523657 IP (tos 0x0, ttl 63, id 36182, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.0.3 > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 51397 unreachable, length 36
	IP (tos 0x0, ttl 61, id 27789, offset 0, flags [none], proto UDP (17), length 150)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.51397: [|domain]
18:26:56.629648 IP (tos 0x0, ttl 63, id 36456, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.0.3 > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 65254 unreachable, length 36
	IP (tos 0x88, ttl 62, id 13875, offset 0, flags [none], proto UDP (17), length 137)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.65254: [|domain]
18:27:27.746093 IP (tos 0x0, ttl 63, id 38864, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.0.3 > BB.BB.BB.BB: ICMP XX.XX.XX.XX udp port 62079 unreachable, length 36
	IP (tos 0x0, ttl 61, id 429, offset 0, flags [none], proto UDP (17), length 150)
    BB.BB.BB.BB.53 > XX.XX.XX.XX.62079: [|domain]
18:27:27.746104 IP (tos 0x0, ttl 63, id 38865, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.0.3 > BB.BB.BB.BB: ICMP XX.XX.XX.XX udp port 51628 unreachable, length 36
	IP (tos 0x0, ttl 61, id 428, offset 0, flags [none], proto UDP (17), length 150)
    BB.BB.BB.BB.53 > XX.XX.XX.XX.51628: [|domain]
18:29:19.805568 IP (tos 0x0, ttl 63, id 42754, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.0.3 > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 52016 unreachable, length 36
	IP (tos 0x88, ttl 62, id 13974, offset 0, flags [none], proto UDP (17), length 151)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.52016: [|domain]

After:

# date ; tcpdump -vni em1 'vlan and src net 10.0.0.0/8' ; date
Sat May 21 18:40:08 MSK 2016
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
80373 packets received by filter
0 packets dropped by kernel
Sat May 21 18:54:53 MSK 2016

# tcpdump -vni em1 'vlan and icmp[icmptype] = icmp-unreach'
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
19:11:39.539336 IP (tos 0x0, ttl 63, id 46008, offset 0, flags [none], proto ICMP (1), length 56)
    YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 51264 unreachable, length 36
	IP (tos 0x88, ttl 62, id 15144, offset 0, flags [none], proto UDP (17), length 463)
    BB.BB.BB.BB.53 > YY.YY.YY.YY.51264: [|domain]
19:11:40.063673 IP (tos 0x0, ttl 63, id 46031, offset 0, flags [none], proto ICMP (1), length 56)
    YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 54326 unreachable, length 36
	IP (tos 0x88, ttl 62, id 15145, offset 0, flags [none], proto UDP (17), length 463)
    BB.BB.BB.BB.53 > YY.YY.YY.YY.54326: [|domain]
19:12:13.830491 IP (tos 0x0, ttl 63, id 47980, offset 0, flags [none], proto ICMP (1), length 56)
    XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 50234 unreachable, length 36
	IP (tos 0x0, ttl 61, id 14958, offset 0, flags [none], proto UDP (17), length 152)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.50234: [|domain]
19:12:13.830502 IP (tos 0x0, ttl 63, id 47981, offset 0, flags [none], proto ICMP (1), length 56)
    XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 56144 unreachable, length 36
	IP (tos 0x0, ttl 61, id 14959, offset 0, flags [none], proto UDP (17), length 141)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.56144: [|domain]
19:12:13.830512 IP (tos 0x0, ttl 63, id 47982, offset 0, flags [none], proto ICMP (1), length 56)
    XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 51648 unreachable, length 36
	IP (tos 0x0, ttl 61, id 14960, offset 0, flags [none], proto UDP (17), length 152)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.51648: [|domain]
19:13:01.643129 IP (tos 0x0, ttl 63, id 50328, offset 0, flags [none], proto ICMP (1), length 56)
    YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 57306 unreachable, length 36
	IP (tos 0x88, ttl 62, id 15226, offset 0, flags [none], proto UDP (17), length 152)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.57306: [|domain]
19:13:31.672915 IP (tos 0x0, ttl 63, id 51139, offset 0, flags [none], proto ICMP (1), length 56)
    YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 60908 unreachable, length 36
	IP (tos 0x88, ttl 62, id 15253, offset 0, flags [none], proto UDP (17), length 154)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.60908: [|domain]
19:13:32.115936 IP (tos 0x0, ttl 63, id 51186, offset 0, flags [none], proto ICMP (1), length 56)
    YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 54767 unreachable, length 36
	IP (tos 0x88, ttl 62, id 15254, offset 0, flags [none], proto UDP (17), length 154)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.54767: [|domain]
19:13:32.995098 IP (tos 0x0, ttl 63, id 51209, offset 0, flags [none], proto ICMP (1), length 56)
    YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 58573 unreachable, length 36
	IP (tos 0x88, ttl 62, id 15258, offset 0, flags [none], proto UDP (17), length 149)
    BB.BB.BB.BB.53 > YY.YY.YY.YY.58573: [|domain]
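Review bot: the deleted `NULL, /* XXX Inbound NAT? */` placeholder is replaced by `saddr` with no explanation in the description; it should state that the outer header's source address is now translated together with the embedded UDP header, which is what the captures show (ICMP unreachables leaving em1 with outer source 10.1.0.3 before, and with the translated XX.XX.XX.XX / YY.YY.YY.YY addresses after). The change touches only `case IPPROTO_UDP` in pf_test_state_icmp while the cover note says other cases "should work too"; the remaining protocol cases are untested here and should be listed as such rather than assumed, and the checksum arguments that follow (`&uh.uh_sum`, `pd2.ip_sum`, `icmpsum`, `pd->ip_sum`) deserve a sentence confirming they still describe the rewritten headers now that one more address is changed.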
From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly Date: Sat, 21 May 2016 19:53:31 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 9.3-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: pi@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 May 2016 19:53:31 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

Kurt Jaeger changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pi@FreeBSD.org

--- Comment #2 from Kurt Jaeger ---
See https://lists.freebsd.org/pipermail/freebsd-pf/2016-May/008047.html
for a patch.
-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Sat May 21 19:54:05 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4F255B452AB for ; Sat, 21 May 2016 19:54:05 +0000 (UTC) (envelope-from lists@opsec.eu) Received: from home.opsec.eu (home.opsec.eu [IPv6:2001:14f8:200::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 180C81760 for ; Sat, 21 May 2016 19:54:05 +0000 (UTC) (envelope-from lists@opsec.eu) Received: from pi by home.opsec.eu with local (Exim 4.87 (FreeBSD)) (envelope-from ) id 1b4CyM-000ArX-F0; Sat, 21 May 2016 21:54:06 +0200 Date: Sat, 21 May 2016 21:54:06 +0200 From: Kurt Jaeger To: Max Cc: freebsd-pf@freebsd.org Subject: Re: Bug 201519 Message-ID: <20160521195406.GO15034@home.opsec.eu> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 May 2016 19:54:05 -0000

Hi!

> I have patched and tested "case IPPROTO_UDP". It works. Other cases
> should work too I think.
>
> It's against releng/10.3
> --- sys/netpfil/pf/pf.c.orig 2016-05-21 17:57:29.420602000 +0300
> +++ sys/netpfil/pf/pf.c 2016-05-21 18:01:09.119724000 +0300
> @@ -4866,8 +4866,7 @@ pf_test_state_icmp(struct pf_state **sta > &nk->addr[pd2.didx], pd2.af) || > nk->port[pd2.didx] != uh.uh_dport) > pf_change_icmp(pd2.dst, > &uh.uh_dport, > - NULL, /* XXX Inbound NAT? */ > - &nk->addr[pd2.didx], > + saddr, &nk->addr[pd2.didx], > nk->port[pd2.didx], &uh.uh_sum, > pd2.ip_sum, icmpsum, > pd->ip_sum, 1, pd2.af); > Can you add this patch to the PR you mention ? -- pi@opsec.eu +49 171 3101372 4 years to go ! From owner-freebsd-pf@freebsd.org Sat May 21 20:20:21 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 620E0B4570A for ; Sat, 21 May 2016 20:20:21 +0000 (UTC) (envelope-from maximos@als.nnov.ru) Received: from mx.als.nnov.ru (mx.als.nnov.ru [95.79.102.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1EA2411F7 for ; Sat, 21 May 2016 20:20:20 +0000 (UTC) (envelope-from maximos@als.nnov.ru) Received: from [10.4.1.100] by mx.als.nnov.ru with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.86_2 (FreeBSD)) (envelope-from ) id 1b4DNi-000BuM-33; Sat, 21 May 2016 23:20:18 +0300 Subject: Re: Bug 201519 To: freebsd-pf@freebsd.org References: <20160521195406.GO15034@home.opsec.eu> 
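Review bot: the new third argument makes pf_change_icmp() rewrite the outer source (`saddr`) to `&nk->addr[pd2.didx]` whenever the quoted destination is rewritten, which is only exact when the host that emitted the error is the rdr target itself (the port-unreachable case this thread is about); an error emitted by a hop between pf and that target gets its source replaced too, so either say so in the PR or gate it with `PF_AEQ(saddr, pd2.dst, pd2.af) ? saddr : NULL`, evaluated before the call because the call overwrites pd2.dst. The outer IPv4 header checksum is already covered, since `pd->ip_sum` is passed as the last checksum argument and pf_change_icmp() fixes it when the outer address argument is non-NULL; the `1` udp flag and `&uh.uh_sum` are unchanged. This hunk touches only the UDP case, so the commit message should say the TCP and nested-ICMP calls in the same function still pass NULL there until they get the same change.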
From: Max Message-ID: <8412061b-2bd3-0cc0-fc9f-99b81c653aae@als.nnov.ru> Date: Sat, 21 May 2016 23:20:17 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0 MIME-Version: 1.0 In-Reply-To: <20160521195406.GO15034@home.opsec.eu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 May 2016 20:20:21 -0000

Hi, Kurt.

It's incomplete. I have tested only the case when the inner packet is UDP.
Other cases should be tested I think.
Actually the patch was mentioned in Alexey's message
(http://openbsd-archive.7691.n7.nabble.com/system-6564-pf-not-nating-does-not-see-icmp4-port-unreachable-packets-from-machine-behind-pf-td187997.html).
Someone with more experience (than me) should review this patch.

21.05.2016 22:54, Kurt Jaeger wrote:
> Hi!
>
>> I have patched and tested "case IPPROTO_UDP". It works. Other cases
>> should work too I think.
>>
>> It's against releng/10.3
>> --- sys/netpfil/pf/pf.c.orig 2016-05-21 17:57:29.420602000 +0300
>> +++ sys/netpfil/pf/pf.c 2016-05-21 18:01:09.119724000 +0300
>> @@ -4866,8 +4866,7 @@ pf_test_state_icmp(struct pf_state **sta >> &nk->addr[pd2.didx], pd2.af) || >> nk->port[pd2.didx] != uh.uh_dport) >> pf_change_icmp(pd2.dst, >> &uh.uh_dport, >> - NULL, /* XXX Inbound NAT? */ >> - &nk->addr[pd2.didx], >> + saddr, &nk->addr[pd2.didx], >> nk->port[pd2.didx], &uh.uh_sum, >> pd2.ip_sum, icmpsum, >> pd->ip_sum, 1, pd2.af); >> > Can you add this patch to the PR you mention ? > From owner-freebsd-pf@freebsd.org Sat May 21 20:44:12 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BA423B45E07 for ; Sat, 21 May 2016 20:44:12 +0000 (UTC) (envelope-from lists@opsec.eu) Received: from home.opsec.eu (home.opsec.eu [IPv6:2001:14f8:200::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 82970106A for ; Sat, 21 May 2016 20:44:12 +0000 (UTC) (envelope-from lists@opsec.eu) Received: from pi by home.opsec.eu with local (Exim 4.87 (FreeBSD)) (envelope-from ) id 1b4Dkt-000Aw6-8O; Sat, 21 May 2016 22:44:15 +0200 Date: Sat, 21 May 2016 22:44:15 +0200 
From: Kurt Jaeger To: Max Cc: freebsd-pf@freebsd.org Subject: Re: Bug 201519 Message-ID: <20160521204415.GA41922@home.opsec.eu> References: <20160521195406.GO15034@home.opsec.eu> <8412061b-2bd3-0cc0-fc9f-99b81c653aae@als.nnov.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8412061b-2bd3-0cc0-fc9f-99b81c653aae@als.nnov.ru> X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 May 2016 20:44:12 -0000

Hi!

> It's incomplete. I have tested only the case when the inner packet is UDP.
> Other cases should be tested I think.

Yes.

> Actually the patch was mentioned in Alexey's message
> (http://openbsd-archive.7691.n7.nabble.com/system-6564-pf-not-nating-does-not-see-icmp4-port-unreachable-packets-from-machine-behind-pf-td187997.html).
> Someone with more experience (than me) should review this patch.

Yes, but it's easier to review a patch as an attachment to the relevant PR
than one posted on one of the lists.

If you did the patch for a 10-month-old bug, it's a sign that there
aren't that many 'more experienced' people looking at it 8-)

So get over your modesty and add it to the PR 8-}

-- 
pi@opsec.eu +49 171 3101372 4 years to go !
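The rewrite the patch enables, as an added example that is not part of this thread and not pf code: a userland C model of the pf_change_icmp() call in the UDP case, run on a constructed ICMP port-unreachable error coming back from an rdr target, once with the outer-address argument left NULL (the pre-patch `/* XXX Inbound NAT? */` path) and once with it set as the patch does. The addresses (client 198.51.100.7, pf 203.0.113.1, rdr target 10.0.0.5), the ports and the quoted UDP checksum are constructed for the example; the checksum helpers and constant names are the example's own, written to match the behaviour of pf_cksum_fixup() rather than taken from pf.

```c
/* Added example, not pf code: a userland model of pf_change_icmp() for a quoted UDP
 * packet, run on a constructed ICMP port-unreachable error that an rdr target
 * (10.0.0.5) sends back toward the client (198.51.100.7) through pf (203.0.113.1). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

enum { OUTER_IP = 0, ICMP_HDR = 20, INNER_IP = 28, INNER_UDP = 48, PKT_LEN = 56 };
static const uint8_t CLIENT[4] = {198, 51, 100, 7}, PUBLIC[4] = {203, 0, 113, 1}, INTERNAL[4] = {10, 0, 0, 5};
static uint8_t pkt[PKT_LEN];                   /* the error packet being translated */
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* RFC 1071 checksum over n bytes in stored byte order; 0 means "verifies". */
static uint16_t in_cksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (; n > 1; n -= 2, p += 2) sum += get16(p);
    if (n) { uint8_t tail[2] = { p[0], 0 }; sum += get16(tail); }
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 incremental update with the contract of pf_cksum_fixup(): with udp set
 * a zero checksum means "none" and stays zero, and a zero result is stored as
 * 0xffff. The unsigned wrap-around of l is relied on, as in pf. */
static uint16_t cksum_fixup(uint16_t cksum, uint16_t old, uint16_t nw, int udp)
{
    uint32_t l = (uint32_t)cksum + old - nw;
    if (udp && cksum == 0) return 0;
    l = ((l >> 16) + (l & 0xffff)) & 0xffff;
    return (udp && l == 0) ? 0xffff : (uint16_t)l;
}

/* Rewrite the quoted destination to na:np and fix the quoted UDP, quoted IP and
 * ICMP checksums; with rewrite_outer (the patched call, saddr instead of NULL)
 * also move the outer source to na and fix the outer IP checksum. */
static void change_icmp(const uint8_t *na, uint16_t np, int rewrite_outer)
{
    uint8_t *ia = pkt + INNER_IP + 16, *h2c = pkt + INNER_IP + 10;  /* quoted IP dst, cksum    */
    uint8_t *ip = pkt + INNER_UDP + 2, *pc = pkt + INNER_UDP + 6;   /* quoted UDP dport, cksum */
    uint8_t *oa = pkt + OUTER_IP + 12, *hc = pkt + OUTER_IP + 10;   /* outer IP src, cksum     */
    uint8_t *ic = pkt + ICMP_HDR + 2;                               /* ICMP checksum           */
    uint16_t oip = get16(ip), opc = get16(pc), oh2c = get16(h2c);
    int i;

    put16(ip, np);                                   /* quoted port: fix the UDP cksum, then */
    put16(pc, cksum_fixup(opc, oip, np, 1));         /* fold both edits into the ICMP cksum  */
    put16(ic, cksum_fixup(get16(ic), oip, np, 0));
    put16(ic, cksum_fixup(get16(ic), opc, get16(pc), 0));
    for (i = 0; i < 4; i += 2) {                     /* quoted address: fix the IP cksum, then fold */
        put16(h2c, cksum_fixup(get16(h2c), get16(ia + i), get16(na + i), 0));
        put16(ic, cksum_fixup(get16(ic), get16(ia + i), get16(na + i), 0));
    }
    memcpy(ia, na, 4);
    put16(ic, cksum_fixup(get16(ic), oh2c, get16(h2c), 0));
    if (rewrite_outer) {                             /* outer source: only the outer IP cksum covers it */
        for (i = 0; i < 4; i += 2)
            put16(hc, cksum_fixup(get16(hc), get16(oa + i), get16(na + i), 0));
        memcpy(oa, na, 4);
    }
}

/* Build the 56-byte error as 10.0.0.5 emits it for a probe of 10.0.0.5:5353. The
 * quoted UDP checksum is an arbitrary constructed value: its payload is not quoted. */
static void build_error(void)
{
    uint8_t *o = pkt + OUTER_IP, *c = pkt + ICMP_HDR, *q = pkt + INNER_IP, *u = pkt + INNER_UDP;
    memset(pkt, 0, PKT_LEN);
    q[0] = 0x45; put16(q + 2, htons(60)); q[8] = 63; q[9] = 17;       /* quoted IPv4, proto UDP */
    memcpy(q + 12, CLIENT, 4); memcpy(q + 16, INTERNAL, 4);
    put16(q + 10, in_cksum(q, 20));
    put16(u, htons(40000)); put16(u + 2, htons(5353)); put16(u + 4, htons(40)); put16(u + 6, htons(0x1234));
    c[0] = 3; c[1] = 3; put16(c + 2, in_cksum(c, PKT_LEN - ICMP_HDR));  /* dest unreachable, port */
    o[0] = 0x45; put16(o + 2, htons(PKT_LEN)); o[8] = 64; o[9] = 1;    /* outer IPv4, proto ICMP */
    memcpy(o + 12, INTERNAL, 4); memcpy(o + 16, CLIENT, 4);
    put16(o + 10, in_cksum(o, 20));
}

/* Translate a fresh error for the rdr state (public 203.0.113.1:53 -> 10.0.0.5:5353);
 * returns 1 if the outer source now carries the public address, 0 if it still leaks 10.0.0.5. */
static int translate(int patched)
{
    build_error();
    change_icmp(PUBLIC, htons(53), patched);
    return memcmp(pkt + OUTER_IP + 12, PUBLIC, 4) == 0;
}

/* 1 if outer IP, ICMP and quoted IP checksums all verify after the incremental fixups. */
static int checksums_ok(void)
{
    return in_cksum(pkt + OUTER_IP, 20) == 0 && in_cksum(pkt + INNER_IP, 20) == 0 &&
           in_cksum(pkt + ICMP_HDR, PKT_LEN - ICMP_HDR) == 0;
}

int main(void)
{
    translate(0); printf("unpatched: outer src %d.%d.%d.%d\n", pkt[12], pkt[13], pkt[14], pkt[15]);
    translate(1); printf("patched:   outer src %d.%d.%d.%d, checksums %s\n", pkt[12], pkt[13], pkt[14], pkt[15], checksums_ok() ? "ok" : "BAD");
    return 0;
}
```

Without the outer rewrite the client receives an error whose source is 10.0.0.5, an address it never talked to and one an upstream bogon filter may drop; with it the error comes from 203.0.113.1, the only address the client knows. In both runs the ICMP checksum has to absorb every quoted byte that moved, including the quoted IP and UDP checksum fields themselves, which is why the old and new values of those fields (oh2c, opc) are folded back in the way pf does.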
From owner-freebsd-pf@freebsd.org Sat May 21 22:18:34 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6E325B44FE3 for ; Sat, 21 May 2016 22:18:34 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4D7681753 for ; Sat, 21 May 2016 22:18:34 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u4LMIYYa077827 for ; Sat, 21 May 2016 22:18:34 GMT (envelope-from bugzilla-noreply@freebsd.org) 
From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly Date: Sat, 21 May 2016 22:18:34 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 9.3-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: maximos@als.nnov.ru X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 May 2016 22:18:34 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D201519 Max changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |maximos@als.nnov.ru --- Comment #3 from Max --- This patch is not fully tested. releng/10.3. --- sys/netpfil/pf/pf.c.orig 2016-05-21 17:57:29.420602000 +0300 +++ sys/netpfil/pf/pf.c 2016-05-22 00:54:16.043961000 +0300 @@ -4793,8 +4793,7 @@ pf_test_state_icmp(struct pf_state **sta &nk->addr[pd2.didx], pd2.af) || nk->port[pd2.didx] !=3D th.th_dport) pf_change_icmp(pd2.dst, &th.th_dpor= t, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], + saddr, &nk->addr[pd2.didx], nk->port[pd2.didx], NULL, pd2.ip_sum, icmpsum, pd->ip_sum, 0, pd2.af); 
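Review bot: this is the path comment #3 says is untested, and for TCP the new `saddr` argument matters more than for UDP: a closed TCP port answers with a RST, not an ICMP error, so the ICMP-quoted TCP packets that reach this code mostly come from a hop between pf and the rdr target (host unreachable, administratively prohibited, fragmentation needed), which is exactly the case where the outer source `saddr` is not the address the quoted destination maps to. With the patch such an error leaves pf sourced from `&nk->addr[pd2.didx]`, the public address, instead of the hop's (often private) address; that is arguably the right behaviour for NAT and keeps upstream bogon filters from dropping the error, but it should be stated in the PR and tested (a large segment through the rdr with a small MTU on the inside path exercises the fragmentation-needed case). The `NULL` protocol checksum argument stays and is right: an ICMP error may quote only 8 bytes of the transport header, so the TCP checksum field is not guaranteed to be present.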
@@ -4866,8 +4865,7 @@ pf_test_state_icmp(struct pf_state **sta &nk->addr[pd2.didx], pd2.af) || nk->port[pd2.didx] !=3D uh.uh_dport) pf_change_icmp(pd2.dst, &uh.uh_dpor= t, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], + saddr, &nk->addr[pd2.didx], nk->port[pd2.didx], &uh.uh_sum, pd2.ip_sum, icmpsum, pd->ip_sum, 1, pd2.af); @@ -4934,8 +4932,7 @@ pf_test_state_icmp(struct pf_state **sta &nk->addr[pd2.didx], pd2.af) || nk->port[pd2.didx] !=3D iih.icmp_id) pf_change_icmp(pd2.dst, &iih.icmp_i= d, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], + saddr, &nk->addr[pd2.didx], nk->port[pd2.didx], NULL, pd2.ip_sum, icmpsum, pd->ip_sum, 0, AF_INET); @@ -4987,8 +4984,7 @@ pf_test_state_icmp(struct pf_state **sta &nk->addr[pd2.didx], pd2.af) || nk->port[pd2.didx] !=3D iih.icmp6_id) pf_change_icmp(pd2.dst, &iih.icmp6_= id, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], + saddr, &nk->addr[pd2.didx], nk->port[pd2.didx], NULL, pd2.ip_sum, icmpsum, pd->ip_sum, 0, AF_INET6); @@ -5027,8 +5023,7 @@ pf_test_state_icmp(struct pf_state **sta if (PF_ANEQ(pd2.dst, &nk->addr[pd2.didx], pd2.af)) - pf_change_icmp(pd2.src, NULL, - NULL, /* XXX Inbound NAT? */ + pf_change_icmp(pd2.dst, NULL, saddr, &nk->addr[pd2.didx], 0, NULL, pd2.ip_sum, icmpsum, pd->ip_sum, 0, pd2.af); --=20 You are receiving this mail because: You are the assignee for the bug.=
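Review bot: in the nested-ICMP hunk (`iih.icmp_id`, AF_INET) the only change is again `saddr` for the outer address, so the same caveat applies, with a twist worth a test: for an echo request rdr'd to a host that is down, the error is a host unreachable that necessarily comes from an inside router rather than the target, so every such error now leaves pf with the public address as source; check in the PR that this is the intended result. The `NULL` protocol checksum argument and the hard-coded `AF_INET` are unchanged and consistent with the quoted packet being IPv4 ICMP.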
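Review bot: in the `iih.icmp6_id` hunk, `pd->ip_sum` is passed as the outer header checksum, but IPv6 has no header checksum and that pointer is NULL on the IPv6 path; the outer-source change has to be folded into the ICMPv6 checksum (`icmpsum`) through its pseudo-header instead, so confirm that the AF_INET6 branch of pf_change_icmp() handles a non-NULL outer address by updating `ic` rather than `hc`, and add an IPv6 rdr test, since the PR so far covers only IPv4 UDP.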
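Review bot: the last hunk fixes a second, unrelated bug that deserves its own line in the PR: the removed call passed `pd2.src` as the address to rewrite while the condition above it tests `pd2.dst` and the replacement is `&nk->addr[pd2.didx]`, so for quoted protocols other than TCP, UDP and ICMP the quoted destination was never translated and the quoted source was overwritten with the destination's translation; the new `pf_change_icmp(pd2.dst, NULL, saddr,` line is correct on both counts. Splitting it out, or at least naming it in the commit message, lets the src/dst fix land even if the inbound-NAT change needs more discussion.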