From owner-freebsd-pf@FreeBSD.ORG Sun Dec 5 01:29:24 2004
Date: Sun, 5 Dec 2004 02:29:11 +0100
From: Daniel Hartmeier
To: Bernhard Schmidt
cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 MLD packets blocked
Message-ID: <20041205012911.GC32476@insomnia.benzedrine.cx>
In-Reply-To: <1102191882.12613.39.camel@cholera>

Can you try the patch below? I was able to reproduce the problem and
this solves it for me.

Daniel

Index: pf.c
===================================================================
RCS file: /cvs/freebsd/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.23
diff -u -r1.23 pf.c
--- pf.c 24 Nov 2004 00:43:34 -0000 1.23
+++ pf.c 5 Dec 2004 01:29:17 -0000
@@ -6334,7 +6334,8 @@ goto done; } if (dir == PF_IN && pf_check_proto_cksum(m, off, - ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) { + ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)), + IPPROTO_TCP, AF_INET6)) { action = PF_DROP; goto done; } @@ -6372,7 +6373,8 @@ goto done; } if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, - off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) { + off, ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)), + IPPROTO_UDP, AF_INET6)) { action = PF_DROP; goto done; } @@ -6411,7 +6413,8 @@ goto done; } if (dir == PF_IN && pf_check_proto_cksum(m, off, - ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) { + ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)), + IPPROTO_ICMPV6, AF_INET6)) { action = PF_DROP; goto done; }
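Review bot: the corrected length expression `ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr))` is spelled out identically in this TCP hunk and again in the UDP and ICMPv6 hunks; compute it once into a local right after the code that advances `off` past the extension headers and hand that local to all three `pf_check_proto_cksum()` calls, so the three call sites cannot drift apart the way they did before this fix, and put a one-line comment on it saying why `ip6_plen` alone is wrong (it also counts the extension headers that sit in front of the transport header).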
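Review bot: in the ICMPv6 hunk, as in the two before it, the subtraction is evaluated as `size_t` because `sizeof` is part of the expression, so a packet whose extension-header chain is longer than `ip6_plen` allows produces a wrapped-around value rather than a negative length, and what happens next depends only on how the length parameter of `pf_check_proto_cksum()` is typed. Unless the code that produced `off` already rejects chains that overrun `ip6_plen`, add an explicit `if (off - sizeof(struct ip6_hdr) > ntohs(h->ip6_plen))` drop before the call. This is also the hunk that matters for the reported problem: the decoded MLD dump in this thread carries a Hop-by-Hop Router Alert option, so `off` sits past the IPv6 header and the old call covered those extension-header bytes twice.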
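An added example, not code from the thread or from pf itself: a small C model of the length pf's IPv6 upper-layer checksum check has to cover. It constructs an MLDv1 report, optionally behind the Hop-by-Hop Router Alert header that Bernhard's decoded dump showed, walks the extension headers to the ICMPv6 header the way pf advances `off` before the calls in the patch, and verifies the checksum under the old rule (`ip6_plen` as is) and the patched rule (`ip6_plen` minus the extension-header bytes). The addresses, packet layout and helper names are this example's own assumptions.

```c
/* Added example, not pf code: models the length pf's IPv6 checksum check
 * must cover. Layout, addresses and helper names are this example's own. */
#include <stdint.h>
#include <string.h>

enum { IP6_HDR_LEN = 40, NXT_HOPOPTS = 0, NXT_ROUTING = 43, NXT_DSTOPTS = 60,
       NXT_ICMPV6 = 58, MLD_REPORT = 131 /* MLDv1 Multicast Listener Report */ };

/* RFC 1071 one's-complement accumulation and the final fold/complement. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    while (n > 1) { acc += ((uint32_t)p[0] << 8) | p[1]; p += 2; n -= 2; }
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Upper-layer checksum over the IPv6 pseudo-header (src, dst, 32-bit length,
 * zeros, next header) plus `len` bytes at `off`; 0 means the stored checksum verifies. */
static uint16_t ip6_ulp_cksum(const uint8_t *pkt, size_t off, uint32_t len, uint8_t proto) {
    uint8_t ph[40] = {0};
    memcpy(ph, pkt + 8, 32);                       /* source and destination */
    ph[32] = len >> 24; ph[33] = len >> 16; ph[34] = len >> 8; ph[35] = len;
    ph[39] = proto;
    return fold(sum16(pkt + off, len, sum16(ph, sizeof ph, 0)));
}

/* Skip Hop-by-Hop/Routing/Destination headers (length in 8-octet units, not
 * counting the first 8) to the upper-layer header, as pf advances `off`.
 * Fragment headers are not handled here. Returns 0 if the chain overruns the packet. */
static int ip6_find_ulp(const uint8_t *pkt, size_t pktlen, size_t *off, uint8_t *proto) {
    size_t o = IP6_HDR_LEN;
    uint8_t nxt = pkt[6];
    while (nxt == NXT_HOPOPTS || nxt == NXT_ROUTING || nxt == NXT_DSTOPTS) {
        if (o + 2 > pktlen) return 0;
        nxt = pkt[o];
        o += ((size_t)pkt[o + 1] + 1) * 8;
        if (o > pktlen) return 0;
    }
    *off = o; *proto = nxt;
    return 1;
}

/* Length handed to the checksum: ip6_plen unchanged (pre-patch) or
 * ip6_plen - (off - sizeof(struct ip6_hdr)) (patched). -1 when the extension
 * headers claim more than ip6_plen, which a bare subtraction would wrap, not flag. */
static int ulp_len(const uint8_t *pkt, size_t off, int patched) {
    int plen = (pkt[4] << 8) | pkt[5];
    int ext = (int)off - IP6_HDR_LEN;
    if (ext > plen) return -1;
    return patched ? plen - ext : plen;
}

/* 1 = checksum verifies, 0 = check fails (packet dropped), -1 = malformed chain. */
static int check_packet(const uint8_t *pkt, size_t n, int patched) {
    size_t off; uint8_t proto;
    if (n < IP6_HDR_LEN || !ip6_find_ulp(pkt, n, &off, &proto)) return -1;
    int len = ulp_len(pkt, off, patched);
    if (len < 0) return -1;
    if (off + (size_t)len > n) return 0;           /* would read past the packet */
    return ip6_ulp_cksum(pkt, off, (uint32_t)len, proto) == 0;
}

/* Constructed MLDv1 report fe80::1 -> ff02::1:ff00:1, optionally behind the
 * Hop-by-Hop header carrying Router Alert (type 5, len 2, value 0 = MLD) that
 * real MLD has. Returns the packet length; pkt needs room for 72 bytes. */
static size_t build_mld_report(uint8_t *pkt, int with_router_alert) {
    static const uint8_t src[16] = {0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    static const uint8_t grp[16] = {0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0xff, 0, 0, 1};
    static const uint8_t hbh[8] = {NXT_ICMPV6, 0, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00};
    size_t off = IP6_HDR_LEN + (with_router_alert ? 8 : 0);
    size_t n = off + 24;                           /* MLDv1 message is 24 octets */
    memset(pkt, 0, n);
    pkt[0] = 0x60;                                 /* version 6 */
    pkt[4] = (uint8_t)((n - IP6_HDR_LEN) >> 8); pkt[5] = (uint8_t)(n - IP6_HDR_LEN);
    pkt[6] = with_router_alert ? NXT_HOPOPTS : NXT_ICMPV6;
    pkt[7] = 1;                                    /* hop limit, as MLD uses */
    memcpy(pkt + 8, src, 16); memcpy(pkt + 24, grp, 16);
    if (with_router_alert) memcpy(pkt + IP6_HDR_LEN, hbh, 8);
    pkt[off] = MLD_REPORT;
    memcpy(pkt + off + 8, grp, 16);                /* multicast address field */
    uint16_t c = ip6_ulp_cksum(pkt, off, 24, NXT_ICMPV6);
    pkt[off + 2] = (uint8_t)(c >> 8); pkt[off + 3] = (uint8_t)c;
    return n;
}

/* Build and check in one call. */
static int mld_check(int with_router_alert, int patched) {
    uint8_t pkt[72];
    return check_packet(pkt, build_mld_report(pkt, with_router_alert), patched);
}

/* Same report with ip6_plen forged smaller than its own extension headers. */
static int mld_check_bad_plen(void) {
    uint8_t pkt[72];
    size_t n = build_mld_report(pkt, 1);
    pkt[4] = 0; pkt[5] = 4;
    return check_packet(pkt, n, 1);
}
```

Only the Router Alert variant fails under the old rule; without an extension header both rules cover the same bytes, which is why ordinary ICMPv6 kept passing while MLD was dropped.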
From: Bernhard Schmidt
To: Daniel Hartmeier
cc: freebsd-pf@freebsd.org
Date: Sun, 05 Dec 2004 02:55:53 +0100
Subject: Re: IPv6 MLD packets blocked
Message-Id: <1102211753.13871.6.camel@cholera>
In-Reply-To: <20041205012911.GC32476@insomnia.benzedrine.cx>

Hi Daniel,

> Can you try the patch below? I was able to reproduce the problem and
> this solves it for me.

Bug fixes my problem, thanks a lot.

Bernhard
From: Bernhard Schmidt
To: Daniel Hartmeier
Date: Sun, 05 Dec 2004 00:08:32 +0100
Subject: Re: IPv6 MLD packets blocked
Message-Id: <1102201712.13533.6.camel@cholera>
In-Reply-To: <20041204200312.GE32076@insomnia.benzedrine.cx>

Hi,

> > http://www.birkenwald.de/~berni/tmp/mld.dump
> The decoded packet looks sane:

Just a quick guess, could this be the problem?

> ip6_opt
>
> ip6o_type 0x05 (IP6OPT_ROUTER_ALERT)
> ip6o_len 0x02
> ip6or_value 0x0000 (IP6_ALERT_MLD)

IPv6 Router Alert option is apparently only used by three protocols (MLD, RSVP and so called "Active Networks message") according to RFC2711, with MLD being the most widespread application. Without looking at the code this is where I would look for it.
Bernhard

Message-ID: <7c8f27920412051617123672bf@mail.gmail.com>
Date: Sun, 5 Dec 2004 19:17:05 -0500
From: Josh Kayse
Reply-To: gtg062h@mail.gatech.edu
To: yongari@kt-is.co.kr
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem
In-Reply-To: <20041202033920.GC12155@kt-is.co.kr>

On Thu, 2 Dec 2004 12:39:20 +0900, Pyun YongHyeon wrote:
> On Wed, Dec 01, 2004 at 08:23:39AM -0500, Josh Kayse wrote:
> > [...]
> >
> > I know it's been touched on in the past, but can you explain why
> > stateful inspection does not work in a bridged mode? And why it only
> > filters for inbound traffic? Does ipfw suffer from the same feature?
> > Thanks.
> >
>
> Both pf/ipf should see inbound/outbound traffic in order to
> create states. But in bridge(4), pfil(9) hook for outbound packet
> is absent. ipfw can create states without seeing outbound packet.
> Maybe it would be authors intention to reduce overhead by not
> checking packets in both directions.
>
> I guess ipfw can't filter outbound packet in bridged setup too.
>
> Long time ago, I wrote a patch to add pfil(9) outbound hook
> in bridge setup. The patch makes pf's scrub rule work too.
> It wouldn't apply to 5.3R but you can see the point.
>
> http://www.kr.freebsd.org/~yongari/patches/bridge.patch
>
> > -josh
> >
> > --
> > Joshua Kayse
> > Computer Engineering
> > --
> >
> Regards,
> Pyun YongHyeon
> http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
>

I managed to get your patch to apply to FreeBSD RELENG_5.

I have a question about the bridge_fragment function though. Would this prevent packets from linux NFS clients from working, the fragmented ones with the DF flag set? Thanks for any information.

I'll post the patch later if anyone wants it. It hasn't been thoroughly tested but is currently running on a bridge setup in my test lab with my work machine behind it.

-josh

--
Joshua Kayse
Computer Engineering
Date: Mon, 6 Dec 2004 11:47:00 +0900
From: Pyun YongHyeon
Reply-To: yongari@kt-is.co.kr
To: gtg062h@mail.gatech.edu
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041206024700.GA744@kt-is.co.kr>
In-Reply-To: <7c8f27920412051617123672bf@mail.gmail.com>

On Sun, Dec 05, 2004 at 07:17:05PM -0500, Josh Kayse wrote:
[...]
>
> I managed to get your patch to apply to FreeBSD RELENG_5.
>
> I have a question about the bridge_fragment function though. Would
> this prevent packets from linux NFS clients from working, the
> fragmented ones with the DF flag set? Thanks for any information.
>

I guess this has nothing to do with bridge. AFAIK, linux is known to generate fragmented packets with DF bit set. Normally, scrub rule of pf drops the fragmented packet that was told not to fragment (i.e. DF bit set). You may need an additional option "no-df" to pass the packet in scrub rule.

> I'll post the patch later if anyone wants it. It hasn't been

Great! I believe, your patch would be quite useful to FreeBSD pf/ipf users.

> thoroughly tested but is currently running on a bridge setup in my
> test lab with my work machine behind it.
>

One note, don't be fooled by "netstat -m" output after patching your system. Its statistics were broken on 5.3R.
For instance, on my P3 SMP:

19926 mbufs in use
4294938777/19136 mbuf clusters in use (current/max)
^^^^^^^^^^^^^^^^
0/4/5040 sfbufs in use (current/peak/max)
4142247 KBytes allocated to network
^^^^^^^^^^^^^^
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
270 calls to protocol drain routines

> -josh
>
> --
> Joshua Kayse
> Computer Engineering

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
From: Max Laier
To: freebsd-pf@freebsd.org, yongari@kt-is.co.kr
cc: gtg062h@mail.gatech.edu
Date: Mon, 6 Dec 2004 15:23:09 +0100
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-Id: <200412061523.21530.max@love2party.net>
In-Reply-To: <20041206024700.GA744@kt-is.co.kr>

On Monday 06 December 2004 03:47, Pyun YongHyeon wrote:
> On Sun, Dec 05, 2004 at 07:17:05PM -0500, Josh Kayse wrote:
> > [...]
>
> > I managed to get your patch to apply to FreeBSD RELENG_5.
> >
> > I have a question about the bridge_fragment function though. Would
> > this prevent packets from linux NFS clients from working, the
> > fragmented ones with the DF flag set? Thanks for any information.
>
> I guess this has nothing to do with bridge. AFAIK, linux is known
> to generate fragmented packets with DF bit set. Normally, scrub
> rule of pf drops the fragmented packet that was told not to
> fragment (i.e. DF bit set)
> You may need an additional option "no-df" to pass the packet in
> scrub rule.
>
> > I'll post the patch later if anyone wants it. It hasn't been
>
> Great! I believe, your patch would be quite useful to FreeBSD
> pf/ipf users.
>
> > thoroughly tested but is currently running on a bridge setup in my
> > test lab with my work machine behind it.
>
> One note, don't be fooled by "netstat -m" output after patching your
> system. Its statistics were broken on 5.3R. For instance, on my P3 SMP:
>
> 19926 mbufs in use
> 4294938777/19136 mbuf clusters in use (current/max)
> ^^^^^^^^^^^^^^^^
> 0/4/5040 sfbufs in use (current/peak/max)
> 4142247 KBytes allocated to network
> ^^^^^^^^^^^^^^
> 0 requests for sfbufs denied
> 0 requests for sfbufs delayed
> 0 requests for I/O initiated by sendfile
> 270 calls to protocol drain routines

$vmstat -z | grep -i mbuf

Has atomic counters that should[tm] be correct. So double-check with that command.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Message-ID: <41B4B84B.1030504@secureworks.net>
Date: Mon, 06 Dec 2004 14:51:39 -0500
From: Matthew George
To: Max Laier
cc: freebsd-pf@freebsd.org
Subject: Re: New CARP patchset
In-Reply-To: <200412032356.00086.max@love2party.net>

Max Laier wrote:
> All,
>
> again I have put up a new CARP patchset. I have not made as much
> progress as I planned to, still there has been some progress and it's
> worth updating. Esp. if you are using it with IPv6.
>
> As always the patch is at: http://people.freebsd.org/~mlaier/CARP/
>
> There are two (and a half) issues remaining:
> - VLAN interfaces can't be used as parent interface.
> - ifconfig carpX down/destroy doesn't completely cleanup the parent
> interface (e.g. parent remains PROMISC)
> - "arp_rtrequest: bad gateway ... (!AF_LINK)"
>
> Anything else? Please let me know!
>

I re-cvsup'd RELENG_5 and tried again (second attempt), but I get this with the new patch set:

FIRST ISSUE:

--------------------------
|diff -urP ../dist/sys/netinet/in_proto.c ./sys/netinet/in_proto.c
|--- ../dist/sys/netinet/in_proto.c Sat Nov 6 21:01:08 2004
|+++ ./sys/netinet/in_proto.c Sat Nov 6 18:13:47 2004
--------------------------
Patching file ./sys/netinet/in_proto.c using Plan A...
Hunk #1 succeeded at 36 (offset 1 line).
Hunk #2 succeeded at 92 with fuzz 2 (offset 1 line).
Hunk #3 failed at 243.
Hunk #4 succeeded at 297 with fuzz 1 (offset -5 lines).
1 out of 4 hunks failed--saving rejects to ./sys/netinet/in_proto.c.rej

Here's the reject:

*************** *** 238,243 **** &rip_usrreqs }, #endif /* DEV_PFSYNC */ /* Spacer n-times for loadable protocols. */ IPPROTOSPACER, IPPROTOSPACER, --- 243,256 ---- &rip_usrreqs }, #endif /* DEV_PFSYNC */ + #ifdef DEV_CARP + { SOCK_RAW, &inetdomain, IPPROTO_CARP, PR_ATOMIC|PR_ADDR, + carp_input, (pr_output_t*)rip_output, 0, rip_ctloutput, + 0, + 0, 0, 0, 0, + &rip_usrreqs + }, + #endif /* DEV_CARP */ /* Spacer n-times for loadable protocols. */ IPPROTOSPACER, IPPROTOSPACER,

I also see line offsets in the patch for sys/netinet/if_ether.c but the patch applies anyway.

SECOND ISSUE:

When I try to build the new ifconfig, it fails:

mdg# cd /usr/src/sbin/ifconfig
mdg# make clean all
rm -f ifconfig ifconfig.o ifmedia.o ifvlan.o ifieee80211.o ifcarp.o ifmac.o ifpfsync.o ifconfig.8.gz ifconfig.8.cat.gz
cc -O -pipe -DUSE_IF_MEDIA -DINET6 -DUSE_VLANS -DUSE_IEEE80211 -DUSE_CARP -DUSE_MAC -DUSE_PFSYNC -DNS -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wnested-externs -I.. -c /usr/src/sbin/ifconfig/ifconfig.c
cc -O -pipe -DUSE_IF_MEDIA -DINET6 -DUSE_VLANS -DUSE_IEEE80211 -DUSE_CARP -DUSE_MAC -DUSE_PFSYNC -DNS -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wnested-externs -I.. -c /usr/src/sbin/ifconfig/ifmedia.c
cc -O -pipe -DUSE_IF_MEDIA -DINET6 -DUSE_VLANS -DUSE_IEEE80211 -DUSE_CARP -DUSE_MAC -DUSE_PFSYNC -DNS -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wnested-externs -I.. -c /usr/src/sbin/ifconfig/ifvlan.c
cc -O -pipe -DUSE_IF_MEDIA -DINET6 -DUSE_VLANS -DUSE_IEEE80211 -DUSE_CARP -DUSE_MAC -DUSE_PFSYNC -DNS -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wnested-externs -I.. -c /usr/src/sbin/ifconfig/ifieee80211.c
cc -O -pipe -DUSE_IF_MEDIA -DINET6 -DUSE_VLANS -DUSE_IEEE80211 -DUSE_CARP -DUSE_MAC -DUSE_PFSYNC -DNS -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wnested-externs -I.. -c /usr/src/sbin/ifconfig/ifcarp.c
/usr/src/sbin/ifconfig/ifcarp.c:222: error: redefinition of 'carp_states'
/usr/src/sbin/ifconfig/ifcarp.c:53: error: previous definition of 'carp_states' was here
/usr/src/sbin/ifconfig/ifcarp.c:226: error: redefinition of 'carp_status'
/usr/src/sbin/ifconfig/ifcarp.c:57: error: previous definition of 'carp_status' was here
/usr/src/sbin/ifconfig/ifcarp.c:253: error: redefinition of 'setcarp_passwd'
/usr/src/sbin/ifconfig/ifcarp.c:84: error: previous definition of 'setcarp_passwd' was here
/usr/src/sbin/ifconfig/ifcarp.c:273: error: redefinition of 'setcarp_vhid'
/usr/src/sbin/ifconfig/ifcarp.c:104: error: previous definition of 'setcarp_vhid' was here
/usr/src/sbin/ifconfig/ifcarp.c:298: error: redefinition of 'setcarp_advskew'
/usr/src/sbin/ifconfig/ifcarp.c:129: error: previous definition of 'setcarp_advskew' was here
/usr/src/sbin/ifconfig/ifcarp.c:320: error: redefinition of 'setcarp_advbase'
/usr/src/sbin/ifconfig/ifcarp.c:151: error: previous definition of 'setcarp_advbase' was here
/usr/src/sbin/ifconfig/ifcarp.c:391: error: redefinition of 'carp_states'
/usr/src/sbin/ifconfig/ifcarp.c:222: error: previous definition of 'carp_states' was here
/usr/src/sbin/ifconfig/ifcarp.c:391: error: redefinition of 'carp_states'
/usr/src/sbin/ifconfig/ifcarp.c:222: error: previous definition of 'carp_states' was here
/usr/src/sbin/ifconfig/ifcarp.c:395: error: redefinition of 'carp_status'
/usr/src/sbin/ifconfig/ifcarp.c:226: error: previous definition of 'carp_status' was here
/usr/src/sbin/ifconfig/ifcarp.c:395: error: redefinition of 'carp_status'
/usr/src/sbin/ifconfig/ifcarp.c:226: error: previous definition of 'carp_status' was here
/usr/src/sbin/ifconfig/ifcarp.c:422: error: redefinition of 'setcarp_passwd'
/usr/src/sbin/ifconfig/ifcarp.c:253: error: previous definition of 'setcarp_passwd' was here
/usr/src/sbin/ifconfig/ifcarp.c:422: error: redefinition of 'setcarp_passwd'
/usr/src/sbin/ifconfig/ifcarp.c:253: error: previous definition of 'setcarp_passwd' was here
/usr/src/sbin/ifconfig/ifcarp.c:442: error: redefinition of 'setcarp_vhid'
/usr/src/sbin/ifconfig/ifcarp.c:273: error: previous definition of 'setcarp_vhid' was here
/usr/src/sbin/ifconfig/ifcarp.c:442: error: redefinition of 'setcarp_vhid'
/usr/src/sbin/ifconfig/ifcarp.c:273: error: previous definition of 'setcarp_vhid' was here
/usr/src/sbin/ifconfig/ifcarp.c:467: error: redefinition of 'setcarp_advskew'
/usr/src/sbin/ifconfig/ifcarp.c:298: error: previous definition of 'setcarp_advskew' was here
/usr/src/sbin/ifconfig/ifcarp.c:467: error: redefinition of 'setcarp_advskew'
/usr/src/sbin/ifconfig/ifcarp.c:298: error: previous definition of 'setcarp_advskew' was here
/usr/src/sbin/ifconfig/ifcarp.c:489: error: redefinition of 'setcarp_advbase'
/usr/src/sbin/ifconfig/ifcarp.c:320: error: previous definition of 'setcarp_advbase' was here
/usr/src/sbin/ifconfig/ifcarp.c:489: error: redefinition of 'setcarp_advbase'
/usr/src/sbin/ifconfig/ifcarp.c:320: error: previous definition of 'setcarp_advbase' was here
/usr/src/sbin/ifconfig/ifcarp.c:560: error: redefinition of 'carp_states'
/usr/src/sbin/ifconfig/ifcarp.c:391: error: previous definition of 'carp_states' was here
/usr/src/sbin/ifconfig/ifcarp.c:560: error: redefinition of 'carp_states'
/usr/src/sbin/ifconfig/ifcarp.c:222: error: previous definition of 'carp_states' was here
/usr/src/sbin/ifconfig/ifcarp.c:564: error: redefinition of 'carp_status'
/usr/src/sbin/ifconfig/ifcarp.c:395: error: previous definition of 'carp_status' was here
/usr/src/sbin/ifconfig/ifcarp.c:564: error: redefinition of 'carp_status'
/usr/src/sbin/ifconfig/ifcarp.c:226: error: previous definition of 'carp_status' was here
/usr/src/sbin/ifconfig/ifcarp.c:591: error: redefinition of 'setcarp_passwd'
/usr/src/sbin/ifconfig/ifcarp.c:422: error: previous definition of 'setcarp_passwd' was here
/usr/src/sbin/ifconfig/ifcarp.c:591: error: redefinition of 'setcarp_passwd'
/usr/src/sbin/ifconfig/ifcarp.c:253: error: previous definition of 'setcarp_passwd' was here
/usr/src/sbin/ifconfig/ifcarp.c:611: error: redefinition of 'setcarp_vhid'
/usr/src/sbin/ifconfig/ifcarp.c:442: error: previous definition of 'setcarp_vhid' was here
/usr/src/sbin/ifconfig/ifcarp.c:611: error: redefinition of 'setcarp_vhid'
/usr/src/sbin/ifconfig/ifcarp.c:273: error: previous definition of 'setcarp_vhid' was here
/usr/src/sbin/ifconfig/ifcarp.c:636: error: redefinition of 'setcarp_advskew'
/usr/src/sbin/ifconfig/ifcarp.c:467: error: previous definition of 'setcarp_advskew' was here
/usr/src/sbin/ifconfig/ifcarp.c:636: error: redefinition of 'setcarp_advskew'
/usr/src/sbin/ifconfig/ifcarp.c:298: error: previous definition of 'setcarp_advskew' was here
/usr/src/sbin/ifconfig/ifcarp.c:658: error: redefinition of 'setcarp_advbase'
/usr/src/sbin/ifconfig/ifcarp.c:489: error: previous definition of 'setcarp_advbase' was here
/usr/src/sbin/ifconfig/ifcarp.c:658: error: redefinition of 'setcarp_advbase'
/usr/src/sbin/ifconfig/ifcarp.c:320: error: previous definition of 'setcarp_advbase' was here
{standard input}: Assembler messages:
{standard input}:323: Error: symbol `carp_states' is already defined
{standard input}:330: Error: symbol `carp_states' is already defined
{standard input}:337: Error: symbol `carp_states' is already defined
*** Error code 1

Stop in /usr/src/sbin/ifconfig.

All of the patches for src/sbin/ifconfig reported success ...

usr.bin/netstat compiles fine ...
--
Matthew George
SecureWorks Technical Operations
404.327.6339

Message-ID: <41B5E1C5.7080504@secureworks.net>
Date: Tue, 07 Dec 2004 12:00:53 -0500
From: Matthew George
To: Matthew George
cc: freebsd-pf@freebsd.org
Subject: Re: New CARP patchset
In-Reply-To: <41B4B84B.1030504@secureworks.net>

Matthew George wrote:
> Max Laier wrote:
> [...]
>> Anything else? Please let me know!
>>
>
> I re-cvsup'd RELENG_5 and tried again (second attempt), but I get this
> with the new patch set:

I rm'd all of the affected sources and re-cvsup'd to RELENG_5 as of the date of the patch (2004.12.03.23.59.59). I'm still seeing these issues. Is there something bogus on my end?
error: previous definition of > 'setcarp_passwd' was here > /usr/src/sbin/ifconfig/ifcarp.c:591: error: redefinition of > 'setcarp_passwd' > /usr/src/sbin/ifconfig/ifcarp.c:253: error: previous definition of > 'setcarp_passwd' was here > /usr/src/sbin/ifconfig/ifcarp.c:611: error: redefinition of 'setcarp_vhid' > /usr/src/sbin/ifconfig/ifcarp.c:442: error: previous definition of > 'setcarp_vhid' was here > /usr/src/sbin/ifconfig/ifcarp.c:611: error: redefinition of 'setcarp_vhid' > /usr/src/sbin/ifconfig/ifcarp.c:273: error: previous definition of > 'setcarp_vhid' was here > /usr/src/sbin/ifconfig/ifcarp.c:636: error: redefinition of > 'setcarp_advskew' > /usr/src/sbin/ifconfig/ifcarp.c:467: error: previous definition of > 'setcarp_advskew' was here > /usr/src/sbin/ifconfig/ifcarp.c:636: error: redefinition of > 'setcarp_advskew' > /usr/src/sbin/ifconfig/ifcarp.c:298: error: previous definition of > 'setcarp_advskew' was here > /usr/src/sbin/ifconfig/ifcarp.c:658: error: redefinition of > 'setcarp_advbase' > /usr/src/sbin/ifconfig/ifcarp.c:489: error: previous definition of > 'setcarp_advbase' was here > /usr/src/sbin/ifconfig/ifcarp.c:658: error: redefinition of > 'setcarp_advbase' > /usr/src/sbin/ifconfig/ifcarp.c:320: error: previous definition of > 'setcarp_advbase' was here > {standard input}: Assembler messages: > {standard input}:323: Error: symbol `carp_states' is already defined > {standard input}:330: Error: symbol `carp_states' is already defined > {standard input}:337: Error: symbol `carp_states' is already defined > *** Error code 1 > > Stop in /usr/src/sbin/ifconfig. > > > All of the patches for src/sbin/ifconfig reported success ... > usr.bin/netstat compiles fine ... 
> -- Matthew George SecureWorks Technical Operations 404.327.6339 From owner-freebsd-pf@FreeBSD.ORG Tue Dec 7 20:35:22 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 42BB516A4CE for ; Tue, 7 Dec 2004 20:35:22 +0000 (GMT) Received: from mail.secureworks.net (mail.secureworks.net [209.101.212.155]) by mx1.FreeBSD.org (Postfix) with SMTP id C747043D67 for ; Tue, 7 Dec 2004 20:35:21 +0000 (GMT) (envelope-from mdg@secureworks.net) Received: (qmail 89769 invoked from network); 7 Dec 2004 20:35:21 -0000 Received: from unknown (HELO ?192.168.8.243?) (209.101.212.253) by mail.secureworks.net with SMTP; 7 Dec 2004 20:35:21 -0000 Message-ID: <41B61408.7010104@secureworks.net> Date: Tue, 07 Dec 2004 15:35:20 -0500 
From: Matthew George User-Agent: Mozilla Thunderbird 0.9 (X11/20041117) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Matthew George References: <200412032356.00086.max@love2party.net> <41B4B84B.1030504@secureworks.net> <41B5E1C5.7080504@secureworks.net> In-Reply-To: <41B5E1C5.7080504@secureworks.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-pf@freebsd.org Subject: Re: New CARP patchset X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Dec 2004 20:35:22 -0000 Matthew George wrote: > Matthew George wrote: > >> Max Laier wrote: >> > [...] > >>> Anything else? Please let me know! >>> >> I finally had the time to sit down and look at it. The ifconfig build issue I was having was because I had a previous version of ifcarp.c, so the patch appended (prepended?) another copy of the file to it. I *do* believe, however, that the first issue (failed hunk in sys/netinet/in_proto.c patch) is real. >> >> FIRST ISSUE: >> >> -------------------------- >> |diff -urP ../dist/sys/netinet/in_proto.c ./sys/netinet/in_proto.c >> |--- ../dist/sys/netinet/in_proto.c Sat Nov 6 21:01:08 2004 >> |+++ ./sys/netinet/in_proto.c Sat Nov 6 18:13:47 2004 >> -------------------------- >> Patching file ./sys/netinet/in_proto.c using Plan A... >> Hunk #1 succeeded at 36 (offset 1 line). >> Hunk #2 succeeded at 92 with fuzz 2 (offset 1 line). >> Hunk #3 failed at 243. >> Hunk #4 succeeded at 297 with fuzz 1 (offset -5 lines). >> 1 out of 4 hunks failed--saving rejects to ./sys/netinet/in_proto.c.rej >> >> >> Here's the reject: >> >> *************** >> *** 238,243 **** >> &rip_usrreqs >> }, >> #endif /* DEV_PFSYNC */ >> /* Spacer n-times for loadable protocols. 
*/ >> IPPROTOSPACER, >> IPPROTOSPACER, >> --- 243,256 ---- >> &rip_usrreqs >> }, >> #endif /* DEV_PFSYNC */ >> + #ifdef DEV_CARP >> + { SOCK_RAW, &inetdomain, IPPROTO_CARP, PR_ATOMIC|PR_ADDR, >> + carp_input, (pr_output_t*)rip_output, 0, rip_ctloutput, >> + 0, >> + 0, 0, 0, 0, >> + &rip_usrreqs >> + }, >> + #endif /* DEV_CARP */ >> /* Spacer n-times for loadable protocols. */ >> IPPROTOSPACER, >> IPPROTOSPACER, >> >> >> I also see line offsets in the patch for sys/netinet/if_ether.c but >> the patch applies anyway. >> >> -- Matthew George SecureWorks Technical Operations From owner-freebsd-pf@FreeBSD.ORG Wed Dec 8 00:30:15 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6CA1916A4CE for ; Wed, 8 Dec 2004 00:30:15 +0000 (GMT) Received: from infidel.fajita.org (81-178-123-157.dsl.pipex.com [81.178.123.157]) by mx1.FreeBSD.org (Postfix) with ESMTP id 51C7943D75 for ; Wed, 8 Dec 2004 00:30:14 +0000 (GMT) (envelope-from lewiz@fajita.org) Received: from black.fajita.org (black.fajita.org [192.168.0.13]) by infidel.fajita.org (8.13.1/8.13.1) with ESMTP id iB80V78J027305 for ; Wed, 8 Dec 2004 00:31:07 GMT (envelope-from lewiz@fajita.org) Received: (from lewiz@localhost) by black.fajita.org (8.13.1/8.13.1/Submit) id iB80UBDI014087 for pf@freebsd.org; Wed, 8 Dec 2004 00:30:11 GMT (envelope-from lewiz) Date: Wed, 8 Dec 2004 00:30:11 +0000 
From: Lewis Thompson To: pf@freebsd.org Message-ID: <20041208003011.GB12956@fajita.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="sdtB3X0nJg68CQEu" Content-Disposition: inline X-GPG-Fingerprint: 90A4 939E 3847 A3E4 8103 2A48 22DA B428 542F ED3F X-GPG-Info: http://www.lewiz.org/~lewiz/pgpkey / horowitz.surfnet.nl User-Agent: Mutt/1.5.6i Subject: pf/altq/nat with multiple interfaces. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2004 00:30:15 -0000 --sdtB3X0nJg68CQEu Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Hi,

I've spent a good deal of time reading the OpenBSD pf FAQ but haven't figured out how to do altq with more than one interface. I have a tri-homed machine -- one wireless (ath0), one wired (sis0) and one Internet uplink (tun0):

  Internet --- tun0
                |
              SERVER
                |
    sis0 (192.168.0.0/24) --- wired network
                |
                \____
                     |
    ath0 (192.168.1.1/24) --- wireless network

I want to perform altq on my Internet connection, so that ssh/dns/acks, etc. have higher priority than bulk traffic. The pf FAQ has an example with two interfaces, where tun0 is limited to the uplink (256Kbps) and the wired interface is limited to the downstream (1Mbps, in my case). I *think* I could achieve this and still use 99Mbps for my wired network <-> server something like this:

  altq on sis0 cbq queue { internet, wired }
  queue internet bandwidth 1Mbps { internet_foo, internet_bar }
  queue internet_foo ...
  queue internet_bar ...
  queue wired bandwidth 99Mbps cbq(borrow)

(that might not be entirely right, I'm just trying to convey the concept of what I had in mind)

In theory I could do that for both sis0 and ath0 but I don't think that will work -- the sum ``downstream'' would be 2Mbps, which is more than I have, so problems will occur under certain circumstances (i.e. wired and wireless in use at the same time).

I wondered if it might be possible to do something like this for traffic to the Internet:

  sis0 -> altq0 -> tun0
  ath0 -> altq0 -> tun0

and then use altq on altq0 bandwidth 1Mbps. I really haven't managed to get much further than this. Is it possible? Am I missing the picture? Any suggestions would be greatly appreciated.

Thanks a lot,

-lewiz.

-- 
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
------------------------------------------------------------------------
-| msn:lewiz@fajita.org | jabber:lewiz@jabber.org | url:www.lewiz.org |-

--sdtB3X0nJg68CQEu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBtksTItq0KFQv7T8RAse/AJoC2qkFuo7IpaeSgmraeW5/T9iAmwCeLom1 53ozyJjoqDIJnyNT2q0fu8o= =evX0 -----END PGP SIGNATURE----- --sdtB3X0nJg68CQEu--

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 8 02:11:01 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C277D16A4CE for ; Wed, 8 Dec 2004 02:11:01 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F35943D39 for ; Wed, 8 Dec 2004 02:11:01 +0000 (GMT) (envelope-from max@love2party.net) Received: from [212.227.126.162] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1CbrI5-0002Oq-00; Wed, 08 Dec 2004 03:10:53 +0100 Received: from [84.128.135.121] (helo=donor.laier.local) by mrelayng.kundenserver.de with
asmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 1CbrI5-0004p3-00; Wed, 08 Dec 2004 03:10:53 +0100 
From: Max Laier To: Matthew George Date: Wed, 8 Dec 2004 03:11:26 +0100 User-Agent: KMail/1.7.1 References: <200412032356.00086.max@love2party.net> <41B5E1C5.7080504@secureworks.net> <41B61408.7010104@secureworks.net> In-Reply-To: <41B61408.7010104@secureworks.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart8352681.3hGUWtFBAs"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200412080311.40522.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:61c499deaeeba3ba5be80f48ecc83056 cc: freebsd-pf@freebsd.org Subject: Re: New CARP patchset X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2004 02:11:01 -0000 --nextPart8352681.3hGUWtFBAs Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

On Tuesday 07 December 2004 21:35, Matthew George wrote:
> Matthew George wrote:
> > Matthew George wrote:
> >> Max Laier wrote:
> >
> > [...]
> >
> >>> Anything else? Please let me know!
>
> I finally had the time to sit down and look at it. The ifconfig build
> issue I was having was because I had a previous version of ifcarp.c, so
> the patch appended (prepended?) another copy of the file to it. I *do*
> believe, however, that the first issue (failed hunk in
> sys/netinet/in_proto.c patch) is real.

Just uploaded a new RELENG_5 patchset. Please make sure to get a *clean* copy before you start patching.

Enjoy!
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart8352681.3hGUWtFBAs Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQBBtmLcXyyEoT62BG0RAkGHAJwI4TFLwdxzIb1lRRFqSDeuDO+bGgCdESy2 FRinISqq5Os0CfZxYxZ+GVM= =06V6 -----END PGP SIGNATURE----- --nextPart8352681.3hGUWtFBAs--

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 8 02:46:59 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8BE3E16A4CE; Wed, 8 Dec 2004 02:46:59 +0000 (GMT) Received: from vampextream.com (vampextream.com [65.102.125.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6782643D48; Wed, 8 Dec 2004 02:46:59 +0000 (GMT) (envelope-from whitevamp@vampextream.com) Received: from localhost (localhost.vampextream [127.0.0.1]) by vampextream.com (Postfix) with ESMTP id C670754A8; Tue, 7 Dec 2004 18:47:18 -0800 (PST) Received: from vampextream.com ([127.0.0.1]) by localhost (vampextream.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 13326-07; Tue, 7 Dec 2004 18:47:08 -0800 (PST) Received: from vampextream.com (localhost.vampextream [127.0.0.1]) by vampextream.com (Postfix) with ESMTP id 0E2AD54A5; Tue, 7 Dec 2004 18:47:08 -0800 (PST)
From: "whitevamp" To: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Date: Tue, 7 Dec 2004 18:47:07 -0800 Message-Id: <20041208023428.M17241@vampextream.com> X-Mailer: Open WebMail 2.41 20040926 X-OriginatingIP: 65.102.125.195 (whitevamp@vampextream.com) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Subject: custom kern build X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2004 02:46:59 -0000

Not sure if this is the right place to post this ..

I am currently trying to build a custom kern (this is an upgrade from 4.9 to 5.3) and every time I go to build the kern I get an error saying something is an unknown option, and now I'm getting this one, and I got this out of src/UPDATING: option PFIL_HOOKS (note that the kern make has complained about 10 options so far that I have placed in the kern file).

So what would be causing this error? A bad cvs up? Or? I did a cvs up to RELENG_5_3.

mkdir -p /usr/obj/usr/src/sys
--------------------------------------------------------------
>>> stage 1: configuring the kernel
--------------------------------------------------------------
cd /usr/src/sys/i386/conf; PATH=/usr/obj/usr/src/i386/legacy/usr/sbin:/usr/obj/usr/src/i386/legacy/usr/bin:/usr/obj/usr/src/i386/legacy/usr/games:/usr/obj/usr/src/i386/usr/sbin:/usr/obj/usr/src/i386/usr/bin:/usr/obj/usr/src/i386/usr/games:/sbin:/bin:/usr/sbin:/usr/bin config -d /usr/obj/usr/src/sys/VAMPEXTREAM /usr/src/sys/i386/conf/VAMPEXTREAM
/usr/src/sys/i386/conf/VAMPEXTREAM: unknown option "PFIL_HOOKS"
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.

If you play the WindowsXP CD backwards, you get a Satanic message. That's nothing. If you play it forwards, it installs WindowsXP!
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 8 02:50:54 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F23C16A4CE; Wed, 8 Dec 2004 02:50:54 +0000 (GMT) Received: from obsecurity.dyndns.org (CPE0050040655c8-CM00111ae02aac.cpe.net.cable.rogers.com [69.194.102.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7892143D64; Wed, 8 Dec 2004 02:50:54 +0000 (GMT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 98737512CB; Tue, 7 Dec 2004 18:57:13 -0800 (PST) Date: Tue, 7 Dec 2004 18:57:13 -0800 
From: Kris Kennaway To: whitevamp Message-ID: <20041208025713.GA11341@xor.obsecurity.org> References: <20041208023428.M17241@vampextream.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="CE+1k2dSO48ffgeK" Content-Disposition: inline In-Reply-To: <20041208023428.M17241@vampextream.com> User-Agent: Mutt/1.4.2.1i cc: freebsd-stable@freebsd.org cc: freebsd-pf@freebsd.org Subject: Re: custom kern build X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2004 02:50:54 -0000 --CE+1k2dSO48ffgeK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Tue, Dec 07, 2004 at 06:47:07PM -0800, whitevamp wrote:
> not sure if this is the right place to post this ..
> i am currently trying to build a custom kern ( this is an upgrade from 4.9 to
> 5.3 ) and every time i go to build the kern i get an error saying something is
> an unknown option and now im getting this one and i got this out of
> src/UPDATING option PFIL_HOOKS ( note that the kern make has complained about
> 10 options so far that i have placed in the kern file )
>
> so what would be causing this error ? a bad cvs up ? or ? i did a cvs up to
> RELENG_5_3

Bad kernel config; if you compare to GENERIC or NOTES (or read
UPDATING) you'll see that the PFIL_HOOKS option was removed. It's
best to stick to GENERIC unless you know what you're doing.
Kris --CE+1k2dSO48ffgeK Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBtm2JWry0BWjoQKURApaWAKCkMW5t7q+Qjf+NjBCGDOivjiXr0ACgg/zF RvMX95tU6BNEtCTi25paKDA= =meXY -----END PGP SIGNATURE----- --CE+1k2dSO48ffgeK-- From owner-freebsd-pf@FreeBSD.ORG Wed Dec 8 03:08:17 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 997B716A4CE; Wed, 8 Dec 2004 03:08:17 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id 278D443D46; Wed, 8 Dec 2004 03:08:17 +0000 (GMT) (envelope-from max@love2party.net) Received: from [212.227.126.205] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1CbsBb-00052j-00; Wed, 08 Dec 2004 04:08:15 +0100 Received: from [84.128.135.121] (helo=donor.laier.local) by mrelayng.kundenserver.de with asmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 1CbsBb-0002uy-00; Wed, 08 Dec 2004 04:08:15 +0100 
From: Max Laier To: freebsd-stable@freebsd.org Date: Wed, 8 Dec 2004 04:08:54 +0100 User-Agent: KMail/1.7.1 References: <20041208023428.M17241@vampextream.com> <20041208025713.GA11341@xor.obsecurity.org> In-Reply-To: <20041208025713.GA11341@xor.obsecurity.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart38017013.28ohUi3WyH"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200412080409.02608.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:61c499deaeeba3ba5be80f48ecc83056 cc: freebsd-pf@freebsd.org cc: Kris Kennaway Subject: Re: custom kern build X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2004 03:08:17 -0000 --nextPart38017013.28ohUi3WyH Content-Type: multipart/mixed; boundary="Boundary-01=_JBntBGiUg4lJHwv" Content-Transfer-Encoding: 7bit Content-Disposition: inline --Boundary-01=_JBntBGiUg4lJHwv Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

On Wednesday 08 December 2004 03:57, Kris Kennaway wrote:
> On Tue, Dec 07, 2004 at 06:47:07PM -0800, whitevamp wrote:
> > not sure if this is the right place to post this ..
> > i am currently trying to build a custom kern ( this is an upgrade from 4.9
> > to 5.3 ) and every time i go to build the kern i get an error saying
> > something is an unknown option and now im getting this one and i got
> > this out of src/UPDATING option PFIL_HOOKS ( note that the kern make has
> > complained about 10 options so far that i have placed in the kern file )
> >
> > so what would be causing this error ? a bad cvs up ? or ?
> > i did a cvs up to RELENG_5_3
>
> Bad kernel config; if you compare to GENERIC or NOTES (or read
> UPDATING) you'll see that the PFIL_HOOKS option was removed. It's
> best to stick to GENERIC unless you know what you're doing.

This gets me wondering, might the attached diff be helpful? Is there any rule to (not) remove outdated/expired entries?

I know we tell people to really *READ* UPDATING and I really, really suggest that to everybody. But we can still make it easier - right?

Are there similar instances? RANDOM_IP_ID does only have the "was removed" note, AFAIR.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--Boundary-01=_JBntBGiUg4lJHwv Content-Type: text/x-diff; charset="iso-8859-1"; name="PFIL_HOOKS.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="PFIL_HOOKS.diff" Index: UPDATING =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/UPDATING,v retrieving revision 1.379 diff -u -r1.379 UPDATING =2D-- UPDATING 16 Nov 2004 21:18:41 -0000 1.379 +++ UPDATING 8 Dec 2004 03:04:32 -0000 @@ -198,9 +198,7 @@ IPFW has been converted to use PFIL_HOOKS. This change is transparent to userland and preserves the ipfw ABI. The ipfw core packet inspection and filtering functions have not been =2D changed, only how ipfw is invoked is different. Note that =2D "option PFIL_HOOKS" is required to use IPFIREWALL compiled =2D into the kernel or as KLD. + changed, only how ipfw is invoked is different. =20 20040814: The RANDOM_IP_ID option has been replaced by the sysctl
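Review bot: this hunk only trims the sentence that said "option PFIL_HOOKS" is required for IPFIREWALL; nothing in the diff adds a dated entry stating that the PFIL_HOOKS option itself has been removed and must be deleted from existing kernel configs, which is the line the reporter in this thread would have found when grepping UPDATING. Unless such an entry already exists above this hunk (the diff does not show one), add one at the top of the file together with this trim, otherwise the reader who hits `unknown option "PFIL_HOOKS"` is left with no pointer at all.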
@@ -423,8 +421,7 @@ sure to run mergemaster -p before installworld to create required user account ("proxy"). If you do not want to build pf with your system you can use the NO_PF knob in make.conf. =2D Also note that pf requires "options PFIL_HOOKS" in the kernel. The =2D pf system consists of the following three devices: + The pf system consists of the following three devices: device pf # required device pflog # optional device pfsync # optional 
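Review bot: after this hunk the pf entry goes from the NO_PF knob straight to the device list, so the only trace of the old "options PFIL_HOOKS" requirement disappears instead of being corrected. A kernel config written against the old wording now fails in config(8), so replace the removed sentence with one that says pf no longer needs PFIL_HOOKS and that the line should be dropped from existing configs, rather than deleting it silently. The hunk counts (-423,8 +421,7: two lines out, one in) are consistent with the body.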
@@ -580,13 +577,6 @@ kiconv(3) has been added. mount_msdosfs(8), mount_ntfs(8) and mount_cd9660(8) need to be in sync with kernel. =20 =2D20030925: =2D Configuring a system to use IPFILTER now requires that PFIL_HOOKS =2D also be explicitly configured. Previously this dependency was =2D magically handled through some cruft in net/pfil.h; but that has =2D been removed. Building a kernel with IPFILTER but not PFIL_HOOKS =2D will fail with obtuse errors in ip_fil.c. =2D 20030923: Fix a bug in arplookup(), whereby a hostile party on a locally attached network could exhaust kernel memory, and cause a system --Boundary-01=_JBntBGiUg4lJHwv-- --nextPart38017013.28ohUi3WyH Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQBBtnBOXyyEoT62BG0RAm0qAJsFM3LMf1OTRIAnlWvZRQt2A6XCqQCcCkuC NoOjaQ3HUlNnfChTxGF0Af4= =wohS -----END PGP SIGNATURE----- --nextPart38017013.28ohUi3WyH-- From owner-freebsd-pf@FreeBSD.ORG Wed Dec 8 03:15:07 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C16816A4CF; Wed, 8 Dec 2004 03:15:07 +0000 (GMT) Received: from obsecurity.dyndns.org (CPE0050040655c8-CM00111ae02aac.cpe.net.cable.rogers.com [69.194.102.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCACC43D58; Wed, 8 Dec 2004 03:15:06 +0000 (GMT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 60AA3512D1; Tue, 7 Dec 2004 19:21:26 -0800 (PST) Date: Tue, 7 Dec 2004 19:21:26 -0800 
From: Kris Kennaway To: Max Laier Message-ID: <20041208032126.GA26703@xor.obsecurity.org> References: <20041208023428.M17241@vampextream.com> <20041208025713.GA11341@xor.obsecurity.org> <200412080409.02608.max@love2party.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="u3/rZRmxL6MmkK24" Content-Disposition: inline In-Reply-To: <200412080409.02608.max@love2party.net> User-Agent: Mutt/1.4.2.1i cc: Kris Kennaway cc: freebsd-stable@freebsd.org cc: freebsd-pf@freebsd.org Subject: Re: custom kern build X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2004 03:15:07 -0000 --u3/rZRmxL6MmkK24 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Wed, Dec 08, 2004 at 04:08:54AM +0100, Max Laier wrote:
> On Wednesday 08 December 2004 03:57, Kris Kennaway wrote:
> > On Tue, Dec 07, 2004 at 06:47:07PM -0800, whitevamp wrote:
> > > not sure if this is the right place to post this ..
> > > i am currently trying to build a custom kern ( this is an upgrade from 4.9
> > > to 5.3 ) and every time i go to build the kern i get an error saying
> > > something is an unknown option and now im getting this one and i got
> > > this out of src/UPDATING option PFIL_HOOKS ( note that the kern make has
> > > complained about 10 options so far that i have placed in the kern file )
> > >
> > > so what would be causing this error ? a bad cvs up ? or ? i did a cvs up
> > > to RELENG_5_3
> >
> > Bad kernel config; if you compare to GENERIC or NOTES (or read
> > UPDATING) you'll see that the PFIL_HOOKS option was removed. It's
> > best to stick to GENERIC unless you know what you're doing.
>
> This gets me wondering, might the attached diff be helpful? Is there any rule
> to (not) remove outdated/expired entries?
>
> I know we tell people to really *READ* UPDATING and I really, really suggest
> that to everybody. But we can still make it easier - right?

Looks good to me.

Kris

--u3/rZRmxL6MmkK24 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBtnM1Wry0BWjoQKURAiEcAKCmkZ8DGz6cNZ5y4sVsR1lh7qRtOwCdEqhf gFbvAEL0UIhllM+6ps9aMy8= =Y73O -----END PGP SIGNATURE----- --u3/rZRmxL6MmkK24--

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 8 03:40:18 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6F50816A4CE; Wed, 8 Dec 2004 03:40:18 +0000 (GMT) Received: from vampextream.com (vampextream.com [65.102.125.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4833B43D41; Wed, 8 Dec 2004 03:40:18 +0000 (GMT) (envelope-from whitevamp@vampextream.com) Received: from localhost (localhost.vampextream [127.0.0.1]) by vampextream.com (Postfix) with ESMTP id D58CE54A8; Tue, 7 Dec 2004 19:40:37 -0800 (PST) Received: from vampextream.com ([127.0.0.1]) by localhost (vampextream.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 78732-01; Tue, 7 Dec 2004 19:40:10 -0800 (PST) Received: from vampextream.com (localhost.vampextream [127.0.0.1]) by vampextream.com (Postfix) with ESMTP id 0E9EB54A5; Tue, 7 Dec 2004 19:40:07 -0800 (PST)
From: "whitevamp" To: Kris Kennaway Date: Tue, 7 Dec 2004 19:40:07 -0800 Message-Id: <20041208033839.M86076@vampextream.com> In-Reply-To: <20041208025713.GA11341@xor.obsecurity.org> References: <20041208023428.M17241@vampextream.com> <20041208025713.GA11341@xor.obsecurity.org> X-Mailer: Open WebMail 2.41 20040926 X-OriginatingIP: 65.102.125.195 (whitevamp@vampextream.com) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 cc: freebsd-stable@freebsd.org cc: freebsd-pf@freebsd.org Subject: Re: custom kern build X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2004 03:40:18 -0000

On Tue, 7 Dec 2004 18:57:13 -0800, Kris Kennaway wrote
> On Tue, Dec 07, 2004 at 06:47:07PM -0800, whitevamp wrote:
> > not sure if this is the right place to post this ..
> > i am currently trying to build a custom kern ( this is an upgrade from 4.9 to
> > 5.3 ) and every time i go to build the kern i get an error saying something is
> > an unknown option and now im getting this one and i got this out of
> > src/UPDATING option PFIL_HOOKS ( note that the kern make has complained about
> > 10 options so far that i have placed in the kern file )
> >
> > so what would be causing this error ? a bad cvs up ? or ? i did a cvs up to
> > RELENG_5_3
>
> Bad kernel config; if you compare to GENERIC or NOTES (or read
> UPDATING) you'll see that the PFIL_HOOKS option was removed. It's
> best to stick to GENERIC unless you know what you're doing.
>
> Kris

Thanks Kris and everyone else who responded to my question on this issue.

If you play the WindowsXP CD backwards, you get a Satanic message. That's nothing. If you play it forwards, it installs WindowsXP!
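The config(8) failure in this thread surfaces one unknown option per run; the check a practitioner wants before buildkernel is the full list of options a carried-over kernel config uses that the new tree no longer knows. The script below is an added example written for this page, not code from the thread or from the FreeBSD tree. It assumes the tree's option list has the sys/conf/options layout (option name first on each non-comment line); the options file and the kernel config it reads are constructed stand-ins built inline, with PFIL_HOOKS and RANDOM_IP_ID as the two names this thread says were removed or replaced.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD tree: list the
# "options" in a kernel config that the source tree does not know about,
# so config(8) does not have to reject them one at a time.
# Real trees keep the option list in sys/conf/options and
# sys/<arch>/conf/options.<arch>; the files built below are stand-ins.
export LC_ALL=C

# Print the option names used by a kernel config file, one per line.
# Accepts "options FOO", "options FOO=1" and "option FOO"; drops comments.
config_options() {
    sed -e 's/#.*$//' "$1" |
    awk '$1 == "options" || $1 == "option" { split($2, a, "="); print a[1] }'
}

# Print the option names a tree knows. Options files are
# "NAME [opt_header.h]" per line, so the first word is the name.
known_options() {
    cat "$@" | sed -e 's/#.*$//' | awk 'NF { print $1 }'
}

# Print, space separated, every option in KERNCONF absent from the
# options files. Empty output means config(8) will accept the options
# (device lines are a separate check, done by config(8) against files.*).
# Usage: unknown_options KERNCONF OPTIONSFILE...
unknown_options() {
    conf=$1; shift
    config_options "$conf" | sort -u > "$TMPD/used"
    known_options "$@" | sort -u > "$TMPD/known"
    comm -23 "$TMPD/used" "$TMPD/known" | tr '\n' ' ' | sed 's/ $//'
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed stand-in for sys/conf/options after PFIL_HOOKS was dropped.
cat > "$TMPD/options" <<'EOF'
# name            header
INET              opt_inet.h
INET6             opt_inet6.h
IPFIREWALL        opt_ipfw.h
IPFILTER          opt_ipfilter.h
DEVICE_POLLING
EOF

# Constructed kernel config carried over from a 4.x box.
cat > "$TMPD/VAMPEXTREAM" <<'EOF'
ident     VAMPEXTREAM
options   INET
options   INET6           # IPv6
options   IPFIREWALL
options   PFIL_HOOKS      # gone in 5.x: config(8) says unknown option
options   RANDOM_IP_ID    # replaced by a sysctl
device    pf
EOF

# Stand-alone run: prints "PFIL_HOOKS RANDOM_IP_ID".
unknown_options "$TMPD/VAMPEXTREAM" "$TMPD/options"
echo
```

Against a real 5.x tree the call is `unknown_options /usr/src/sys/i386/conf/VAMPEXTREAM /usr/src/sys/conf/options /usr/src/sys/i386/conf/options.i386`; every name it prints is one config(8) will reject, and NOTES or UPDATING says what replaced it. It only covers `options` lines; a stale `device` line is still caught by config(8) itself.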
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 8 20:57:45 2004
Message-ID: <41B76AC7.9080907@secureworks.net>
Date: Wed, 08 Dec 2004 15:57:43 -0500
From: Matthew George
To: freebsd-pf@freebsd.org
Subject: CARP implementation questions

First, I have a question regarding load balancing. From reading the description on how to configure arpbalance with CARP, I get the impression that it's an all or nothing proposition. Is that really the case?

I have a project where I will need to enable CARP on a pair of multi-interface firewall/routers. Some of the connected networks make sense for arpbalance. If I turn it on, am I required to have a pair of carp interfaces configured for each physical interface? Can I use dual vhid's for some networks and single vhid's for others?

Second, I'd like to know if anyone has set up CARP alongside a routing daemon of some sort (zebra, quagga, etc). I'm particularly interested in how the daemons handle things like OSPF/RIP updates. I should obviously be trying to set the gateway to the CARP address, but I'm not sure that's the easiest thing to do. Has anyone looked into this yet?
--
Matthew George
SecureWorks Technical Operations
404.327.6339

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 00:41:22 2004
Date: Thu, 9 Dec 2004 11:41:21 +1100
From: Jayel Villamin
To: freebsd-pf@freebsd.org
Subject: PF and custom kernel

Fresh install of FBSD 5.3 with cvsup to latest "RELENG_5_3" stable code.

I have commented the "IPF" options in custom kernel file. I have inserted the ff:

device pf
device pflog
device pfsync

I then run cd /usr/src && make buildkernel KERNEL="customer_kernel_file_here" and it's producing an error which seems to be related to ipf. I got the impression it's related to ipf 'cause the file where the error occurred starts like "ip_".

Any ideas?

Thank you for the replies.

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 01:00:55 2004
From: Max Laier
To: freebsd-pf@freebsd.org, Jayel Villamin
Date: Thu, 9 Dec 2004 02:01:33 +0100
Message-Id: <200412090201.41292.max@love2party.net>
Subject: Re: PF and custom kernel

On Thursday 09 December 2004 01:41, Jayel Villamin wrote:
> Fresh install of FBSD 5.3 with cvsup to latest "RELENG_5_3" stable code.
>
> I have commented the "IPF" options in custom kernel file. I have
> inserted the ff:
>
> device pf
> device pflog
> device pfsync
>
> I then run cd /usr/src && make buildkernel
> KERNEL="customer_kernel_file_here" and it's producing a error which
> seems to be related to ipf. I got the impression it's related to ipf
> 'cause the file where the error occured starts like "ip_".
>
> Any ideas?

Yeah, you post the *complete* error message, we help. The report above
is utterly useless - sorry.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 01:04:18 2004
Date: Wed, 8 Dec 2004 19:04:39 -0600
From: Jay
To: Jayel Villamin
Message-ID: <20041209010439.GB58318@mail.meangrape.com>
cc: freebsd-pf@freebsd.org
Subject: Re: PF and custom kernel

On Thu, Dec 09, 2004 at 11:41:21AM +1100, Jayel Villamin wrote:
> I then run cd /usr/src && make buildkernel
> KERNEL="customer_kernel_file_here" and it's producing a error which
> seems to be related to ipf. I got the impression it's related to ipf
> 'cause the file where the error occured starts like "ip_".

An accurate and complete copy of the error message would be a good start.

You should probably try "make buildkernel KERNCONF=" instead of "make buildkernel KERNEL=" (see /usr/src/UPDATING).

Try "make buildkernel KERNCONF='whatever' | tee /tmp/buildkernel.log". That will show you all of the output on the screen while saving it to a log file. If the build blows up, you can go to /tmp/buildkernel.log and extract the text of the error.

Hope this helps.

Jay.
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 03:12:54 2004
Date: Thu, 9 Dec 2004 14:12:52 +1100
From: Jayel Villamin
To: Max Laier
In-Reply-To: <200412090201.41292.max@love2party.net>
cc: freebsd-pf@freebsd.org
Subject: Re: PF and custom kernel

I guess what I'm trying to find out are the other options/devices needed so that I can compile pf into the kernel. I don't really care much for the error cause it's probably due to a missing option/device.

Thanks

ps. it'll be a bit hard posting the "complete" error since I am using the console (X is not installed at all) to compile this. I am "not sure" if I can copy and paste from the console.

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 04:27:40 2004
Date: Wed, 8 Dec 2004 22:28:01 -0600
From: Jay
To: Jayel Villamin
Message-ID: <20041209042801.GC58318@mail.meangrape.com>
cc: freebsd-pf@freebsd.org
Subject: Re: PF and custom kernel

Hi, Jayel,

On Thu, Dec 09, 2004 at 02:12:52PM +1100, Jayel Villamin wrote:
> I guess what I'm trying to find out are the other options/devices
> needed so that I can compile in pf into the kernel. I'm don't really
> care much for the error cause it's probably due to a missing
> option/device.

Actually, the error could be caused by any number of things. Since we don't know what the complete error message is, there's no way to say what is causing it. Your assumption that it's "probably due to a missing option/device" may or may not be true.

> ps. it'll be a bit hard posting the "complete" error since I am using
> the console (X is not installed at all) to compile this. I am "not
> sure" if I can copy and paste from the console.

Finally, it's quite possible to write down the error message on paper and type it back in. If you want help, you have to provide the complete error message. If you're not going to do that, no one can help you.

Jay.
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 08:51:50 2004
Date: Thu, 9 Dec 2004 09:51:48 +0100
From: Daniel Hartmeier
To: Jayel Villamin
Message-ID: <20041209085148.GG16307@insomnia.benzedrine.cx>
References: <200412090201.41292.max@love2party.net>
cc: freebsd-pf@freebsd.org
Subject: Re: PF and custom kernel

On Thu, Dec 09, 2004 at 02:12:52PM +1100, Jayel Villamin wrote:
> ps. it'll be a bit hard posting the "complete" error since I am using
> the console (X is not installed at all) to compile this. I am "not
> sure" if I can copy and paste from the console.

script(1)

Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 10:11:17 2004
From: "Jayel Villamin"
To: freebsd-pf@freebsd.org
Date: Thu, 09 Dec 2004 19:11:17 +0900
Message-Id: <20041209101117.65EC023CE8@ws5-3.us4.outblaze.com>
Subject: PF and custom kernel

here's a gist of the error message
------------

if_pfsync.c: In function 'pfsync_sendout':
if_pfsync.c:1532: unused variable 'ifp'

-------------

Thanks

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 10:41:13 2004
Message-ID: <79722fad04120902403ce70902@mail.gmail.com>
Date: Thu, 9 Dec 2004 12:40:27 +0200
From: Vlad GALU
To: Jayel Villamin
In-Reply-To: <79722fad041209023754aa3086@mail.gmail.com>
References: <20041209101117.65EC023CE8@ws5-3.us4.outblaze.com> <79722fad041209023754aa3086@mail.gmail.com>
cc: freebsd-pf@freebsd.org
Subject: Re: PF and custom kernel

On Thu, 9 Dec 2004 12:37:19 +0200, Vlad GALU wrote:
> On Thu, 09 Dec 2004 19:11:17 +0900, Jayel Villamin wrote:
> > here's a gist of the error message
> > ------------
> >
> > if_pfsync.c: In function 'pfsync_sendout':
> > if_pfsync.c:1532: unused variable 'ifp'
>
> gcc is told to consider each warning as an error. In my version
> of if_pfsync.c I notice that the pointer is now initialized: "struct
> ifnet *ifp = &sc->sc_if;". You can do this yourself or upgrade to the
> last version of the file.

Or simply add support for bpf to your kernel :)

> > -------------
> >
> > Thanks

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 13:03:13 2004
Message-ID: <41B84D21.3090502@glasistre.hr>
Date: Thu, 09 Dec 2004 14:03:29 +0100
From: Dean Benazic
To: freebsd-pf@freebsd.org
Subject: carp if setup - newbie

Hi

I have rebuilt the kernels of my servers a few times. In the latest version I use the patch version 2004/12/08 on FreeBSD-5.3-stable.

the problem:

srv1#ifconfig em1
em1: flags=8943 mtu 1500
        inet 111.111.111.20 netmask 0xffffff00 broadcast 111.111.111.255
        status: active

srv2#ifconfig em1
em1: flags=8943 mtu 1500
        inet 111.111.111.21 netmask 0xffffff00 broadcast 111.111.111.255
        status: active

ping works.

on both servers I do:
#ifconfig carp5 create
#ifconfig carp5 vhid 125 111.111.111.25 netmask 255.255.255.255 vhid 1 pass xxx

# sysctl -a | grep carp
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 1

when I do:
srv2# ifconfig carp5 advskew 254

It does not go into BACKUP mode, why??

--------------------
ifconfig

on OpenBSD I use 4 carp interfaces:
#ifconfig carp4 inet 111.111.111.25 255.255.255.0 111.111.111.25 vhid 1 pass xxx

and the carp interface is in the subnet of the physical IF.

when I try to do it on FreeBSD without the netmask keyword I get this:

#carp5: flags=41 mtu 1500
        inet 111.111.111.25 netmask 0xff000000
        carp: MASTER vhid 125 advbase 1 advskew 0

netmask 0xff000000.
when I try to use the netmask keyword:
#ifconfig carp5 vhid 125 111.111.111.25 netmask 255.255.255.0
ifconfig: ioctl (SIOCAIFADDR): File exists

--------------------
rc.conf

which is the right way to define carp interfaces in rc.conf??
I use:
cloned_interfaces="carp0 carp1 carp2"
ifconfig_carp2="inet 111.11.1.1 vhid 1 advskew 100 pass xxx"

thanks,

---
Dean Benazic
www.glasistre.hr

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 9 15:23:42 2004
Message-ID: <41B86DFD.30601@secureworks.net>
Date: Thu, 09 Dec 2004 10:23:41 -0500
From: Matthew George
To: Daniel Hartmeier
In-Reply-To: <20041209085148.GG16307@insomnia.benzedrine.cx>
cc: Jayel Villamin, freebsd-pf@freebsd.org
Subject: Re: PF and custom kernel

Daniel Hartmeier wrote:
> On Thu, Dec 09, 2004 at 02:12:52PM +1100, Jayel Villamin wrote:
>> ps. it'll be a bit hard posting the "complete" error since I am using
>> the console (X is not installed at all) to compile this. I am "not
>> sure" if I can copy and paste from the console.
>
> script(1)
>
> Daniel

or serial console ... or take a picture and post it somewhere ...
--
Matthew George
SecureWorks Technical Operations

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 10 00:34:38 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 10 Dec 2004 01:35:16 +0100
Message-Id: <200412100135.22900.max@love2party.net>
Subject: New ifconfig -> new CARP patch

Hi,

no changes other than it builds with the new - really nice - ifconfig:

http://people.freebsd.org/~mlaier/CARP/20041210-carp.diff

Enjoy.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 10 00:41:36 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 10 Dec 2004 01:42:18 +0100
In-Reply-To: <41B84D21.3090502@glasistre.hr>
Message-Id: <200412100142.19892.max@love2party.net>
cc: Dean Benazic
Subject: Re: carp if setup - newbie

On Thursday 09 December 2004 14:03, Dean Benazic wrote:
> when I do:
> srv2# ifconfig carp5 advskew 254
>
> I does not go in BACKUP mode, why??

Have to look at that, on my list now - thanks.

> --------------------
> ifconfig
>
> on OpenBSD i use 4 carp interfaces:
> #ifconfig carp4 inet 111.111.111.25 255.255.255.0 111.111.111.25 vhid 1
> pass xxx

You list the IP twice, is this intentional?

> and the carp interface is in the subnet of the phisical IF.
>
> when I try to do it on FreeBSD without the netmask keyword i get this:
>
> #carp5: flags=41 mtu 1500
>         inet 111.111.111.25 netmask 0xff000000
>         carp: MASTER vhid 125 advbase 1 advskew 0
>
> netmask 0xff000000.
>
> when try to use the netmask keyword:
> #ifconfig carp5 vhid 125 111.111.111.25 netmask 255.255.255.0
> ifconfig: ioctl (SIOCAIFADDR): File exists

Did you have the interface configured already at that point? Can you just try to do a simple:

#ifconfig carp5 netmask 255.255.255.0

afterwards?
Why don't you use an explicit netmask in FreeBSD as well - supposing that the above error is from a "second attempt" - please tell me if that's not the case.

Works correctly for me (with the latest patch and ifconfigNG, though - can't go back easily).

> --------------------
> rc.conf
>
> which is the right way to define carp interfaces in rc.conf??
> i use:
> cloned_interfaces="carp0 carp1 carp2"
> ifconfig_carp2="inet 111.11.1.1 vhid 1 advskew 100 pass xxx"

Looks correct to me.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 10 01:37:40 2004
[128.184.148.125] by ws5-3.us4.outblaze.com with http for jarthel@operamail.com; Fri, 10 Dec 2004 10:37:38 +0900 From: "Jayel Villamin " To: "Vlad GALU" Date: Fri, 10 Dec 2004 10:37:38 +0900 X-Originating-Ip: 128.184.148.125 X-Originating-Server: ws5-3.us4.outblaze.com Message-Id: <20041210013739.08AA523CE8@ws5-3.us4.outblaze.com> cc: freebsd-pf@freebsd.org Subject: Re: PF and custom kernel X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2004 01:37:40 -0000 struct ifnet *ifp =3D &sc->sc_if; -->> I also have this in my if_pfsync.c s= o I do not that is the problem. I would try bpf. maybe that'll work. But according to the pf page in the handbook (http://www.freebsd.org/doc/en= _US.ISO8859-1/books/handbook/firewalls-pf.html), BPF is not required for pf. ----- Original Message ----- 
From: "Vlad GALU"
To: "Jayel Villamin"
Subject: Re: PF and custom kernel
Date: Thu, 9 Dec 2004 12:40:27 +0200

>
> On Thu, 9 Dec 2004 12:37:19 +0200, Vlad GALU wrote:
> > On Thu, 09 Dec 2004 19:11:17 +0900, Jayel Villamin
> > wrote:
> > > here's a gist of the error message
> > > ------------
> > >
> > > if_pfsync.c: In function 'pfsync_sendout':
> > > if_pfsync.c:1532: unused variable 'ifp'
> >
> > gcc is told to consider each warning as an error. In my version
> > of if_pfsync.c I notice that the pointer is now initialized: "struct
> > ifnet *ifp = &sc->sc_if;". You can do this yourself or upgrade to the
> > last version of the file.
>
> Or simply add support for bpf to your kernel :)
>
>
> > >
> > > -------------
> > >
> > > Thanks
> > > --
> > > _____________________________________________________________
> > > Web-based SMS services available at http://www.operamail.com.
> > > From your mailbox to local or overseas cell phones.
> > >
> > > Powered by Outblaze
> > > _______________________________________________
> > > freebsd-pf@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> >
> > --
> > If it's there, and you can see it, it's real.
> > If it's not there, and you can see it, it's virtual.
> > If it's there, and you can't see it, it's transparent.
> > If it's not there, and you can't see it, you erased it.
>
> --
> If it's there, and you can see it, it's real.
> If it's not there, and you can see it, it's virtual.
> If it's there, and you can't see it, it's transparent.
> If it's not there, and you can't see it, you erased it.

--
_____________________________________________________________
Web-based SMS services available at http://www.operamail.com.
From your mailbox to local or overseas cell phones.

Powered by Outblaze

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 10 01:50:44 2004
From: Max Laier
To: freebsd-pf@freebsd.org
cc: Jayel Villamin
Date: Fri, 10 Dec 2004 02:51:20 +0100
User-Agent: KMail/1.7.1
References: <20041210013739.08AA523CE8@ws5-3.us4.outblaze.com>
In-Reply-To: <20041210013739.08AA523CE8@ws5-3.us4.outblaze.com>
Message-Id: <200412100251.28159.max@love2party.net>
Subject: Re: PF and custom kernel

On Friday 10 December 2004 02:37, Jayel Villamin wrote:
> struct ifnet *ifp = &sc->sc_if; -->> I also have this in my if_pfsync.c so
> I do not think that is the problem. I would try bpf. maybe that'll work.

Diff attached.

> But according to the pf page in the handbook
> (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html),
> BPF is not required for pf.

Quote from that link: "device pflog enables the optional pflog(4) pseudo
network device which can be used to log traffic to a bpf(4) descriptor"

pflog is utterly useless without bpf.

> ----- Original Message -----
> From: "Vlad GALU"
> To: "Jayel Villamin"
> Subject: Re: PF and custom kernel
> Date: Thu, 9 Dec 2004 12:40:27 +0200
>
> > On Thu, 9 Dec 2004 12:37:19 +0200, Vlad GALU wrote:
> > > On Thu, 09 Dec 2004 19:11:17 +0900, Jayel Villamin
> > > wrote:
> > > > here's a gist of the error message
> > > > ------------
> > > >
> > > > if_pfsync.c: In function 'pfsync_sendout':
> > > > if_pfsync.c:1532: unused variable 'ifp'
> > >
> > > gcc is told to consider each warning as an error. In my version
> > > of if_pfsync.c I notice that the pointer is now initialized: "struct
> > > ifnet *ifp = &sc->sc_if;". You can do this yourself or upgrade to the
> > > last version of the file.
> >
> > Or simply add support for bpf to your kernel :)
> >
> > > > -------------
> > > >
> > > > Thanks
> > > > --
> > > > _____________________________________________________________
> > > > Web-based SMS services available at http://www.operamail.com.
> > > > From your mailbox to local or overseas cell phones.
> > > >
> > > > Powered by Outblaze
> > > > _______________________________________________
> > > > freebsd-pf@freebsd.org mailing list
> > > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> > >
> > > --
> > > If it's there, and you can see it, it's real.
> > > If it's not there, and you can see it, it's virtual.
> > > If it's there, and you can't see it, it's transparent.
> > > If it's not there, and you can't see it, you erased it.
> >
> > --
> > If it's there, and you can see it, it's real.
> > If it's not there, and you can see it, it's virtual.
> > If it's there, and you can't see it, it's transparent.
> > If it's not there, and you can't see it, you erased it.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="pfsync_no_bpf.diff"

Index: if_pfsync.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.c,v
retrieving revision 1.11.2.1
diff -u -r1.11.2.1 if_pfsync.c
--- if_pfsync.c	20 Sep 2004 15:25:57 -0000	1.11.2.1
+++ if_pfsync.c	10 Dec 2004 01:45:44 -0000
@@ -1529,7 +1529,9 @@
 pfsync_sendout(sc)
 	struct pfsync_softc *sc;
 {
+#if NBPFILTER > 0
 	struct ifnet *ifp = &sc->sc_if;
+#endif
 	struct mbuf *m;
 
 #ifdef __FreeBSD__

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 10 15:07:16 2004
Message-ID: <41B9BB9A.7000300@bsdfreaks.nl>
Date: Fri, 10 Dec 2004 16:07:06 +0100
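Review bot: the "#if NBPFILTER > 0" guard around "struct ifnet *ifp = &sc->sc_if;" only removes the "unused variable 'ifp'" error reported against if_pfsync.c:1532 if every remaining use of ifp in pfsync_sendout() is wrapped in the same NBPFILTER check; otherwise a kernel built without bpf trades the warning for an undeclared-identifier error, so that should be confirmed before the diff goes in. A one-line comment on the guard saying the variable exists only for the bpf tap would keep a later cleanup from dropping it as dead code. When no bpf header defines NBPFILTER the #if evaluates it as 0, which is the intended fall-through for a kernel without bpf.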
From: Rob Lensen
To: freebsd-pf@freebsd.org
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
Subject: Strange bridge problem with pf

Hello,

I have a strange problem with pf on a bridged setup. I did read the previous
thread about the pf problem with a bridge, since the sysctl value of ipf
bridge should be enabled.

In the attached file the pf.conf is given. (fxp0 is the outside nic)

The firewall is working for all machines behind the firewall except sf1;
nothing seems to go to this machine if the firewall is enabled.

If I look at the output of pfctl -sr I can see the rules for this machine
are loaded:

@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state

This should open the ports for ssh and http to machine X.6 (sf1), however
no connection can be made.

Nmap shows:
22/tcp open ssh
80/tcp open http

#telnet X.6 22 gives a time out

All other hosts are working fine.
Does anyone have any clue on this problem?

Best,
Rob Lensen

Content-Disposition: inline; filename="pf.conf.new"

outside="fxp0"
ext_if="fxp0"
inside="fxp1"
local="rl0"
ext_ip=""
local_net ="X.0/24"

# Tables: similar to macros, but more flexible for many addresses.
table {127.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8 }

set loginterface $outside
set block-policy return

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

web_A_2 = "X.2"
web_A_3 = "X.3"
web_A_4 = "X.4"
web_A_7 = "X.7"
web_A_8 = "X.8"
web_A_9 = "X.9"
web_A_20 = "X.20"
sf1 = "X.6"
sf2 = "X.30"
mysql2 = "X.14"
extranet = "X.13"
firewall = "X.254"
sec_dns = "X"

http_servers = "{" $web_A_2 $web_A_4 $sf1 $web_A_8 $web_A_9 $extranet "}"
ssh_servers = "{" $web_A_2 $sf1 $sf2 $extranet $mysql2 $firewall "}"
ftp_servers = "{" $web_A_2 $sf1 "}"
mail_servers = "{" $extranet "}"
samba_servers = "{" $extranet "}"
dns_servers = "{" $web_A_3 "}"

ssh_ports = "{ 22 }"
http_ports = "{ 80 , 443 }"
ftp_ports = "{ 20, 21 }"
ftp_ports_pasv = "{ 65000:65500 }"
snmp_ports = "{ 161 }"
mysql_ports = "{ 3306 }"
dns_ports = "{ 53 }"
email_ports = "{ 25, 110, 143, 993, 995 }"
samba_udp_ports = "{ 137, 138, 587 }"
samba_tcp_ports = "{ 139, 445, 587 }"

# filtering done on public side of bridge, so allow everything
# on the protected side of things
pass in quick on $inside all
pass out quick on $inside all

# block everything by default on bridge
block in log on $outside all
pass out on $outside all
#block out log on $outside all

pass in quick on $local all
pass out quick on $local all

############
# IN RULES
############

#allow ssh to defined servers
pass in quick on $outside proto tcp from any to $ssh_servers \
	port $ssh_ports flags S/SA keep state

#allow http for the defined servers
pass in quick on $outside proto tcp from any to $http_servers \
	port $http_ports flags S/SA keep state

#allow ftp for defined servers
pass in quick on $outside proto tcp from any to $ftp_servers \
	port $ftp_ports #flags S/SA keep state
pass in quick on $outside proto tcp from any to $ftp_servers \
	port $ftp_ports_pasv #keep state

#allow email for defined server
pass in quick on $outside proto tcp from any to $mail_servers \
	port $email_ports #flags S/SA keep state

#allow samba for defined server
pass in quick on $outside proto tcp from any to $samba_servers \
	port $samba_tcp_ports #flags S/SA keep state
pass in quick on $outside proto udp from any to $samba_servers \
	port $samba_udp_ports #keep state

#allow dns for defined server
pass in quick on $outside proto { tcp, udp } from any to $dns_servers \
	port domain keep state

#snmp on firewall
#pass in quick on $outside proto {tcp, udp } from any to $local_ip \
#	port $snmp_ports
#pass in quick on $local proto {tcp,udp } from any to $firewall_bridge \
#	port $snmp_ports

# Allow ICMP (ping) IN
# pass out/in certain ICMP queries and keep state (ping)
pass in on $outside inet proto icmp all icmp-type {0,3 ,8, 11}

############
# OUT RULES
############

# Allow ICMP (ping) OUT
pass out on $outside inet proto icmp all icmp-type {0,3 ,8, 11}

# Pass (Allow) all UDP/TCP OUT and keep state
pass out on $outside proto udp all #keep state
pass out on $outside proto tcp all

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 11 14:22:51 2004
Message-Id: <6.2.0.7.1.20041211171714.02128e78@pop.phreaker.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.7 (Beta)
Date: Sat, 11 Dec 2004 17:22:38 +0300
To: freebsd-pf@freebsd.org
From: Castl Troy
Subject: ipfw vs ipfilter

Hello people,

Can anybody help me with understanding the difference between
ipfilter (ipf) and ipfirewall (ipfw)? Any link to docs or info will
greatly help me.

I have used FreeBSD for almost 5 years, but I used only ipfw for packet
routing and never used ipfilter for this. I wonder whether it is an
"internal" packet routing mechanism or maybe it is just for compatibility
with OpenBSD?

Sorry if this question is so stupid, but I really don't know what ipfilter
is; man ipf did not help me with understanding the difference.

Thanks.

Sorry if I mistook the list to which I need to send this.
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 11 17:27:00 2004
From: McLone the Great
To: freebsd-pf@freebsd.org
Reply-To: McLone the Great
Date: Sat, 11 Dec 2004 19:26:59 +0200
Message-ID: <451cb3010412110926238827de@mail.gmail.com>
In-Reply-To: <451cb3010412110737382bf5d9@mail.gmail.com>
References: <6.2.0.7.1.20041211171714.02128e78@pop.phreaker.net> <451cb3010412110737382bf5d9@mail.gmail.com>
Subject: Re: ipfw vs ipfilter

On Sat, 11 Dec 2004 17:22:38 +0300, Castl Troy wrote:
> Can anybody help me with understanding the difference between
> ipfilter(ipf) and ipfirewall (ipfw).

the main differences are [imho]
- ipf is a last-match filter, ipfw is first-match
- ipf runs on many unices, ipfw is a FreeBSD project

by last match i mean the packet goes thru _all_ rules, and does not exit
the processing chain after the first successful rule match like in
ipchains/iptables

> Any link to docs or info will greatly help me.

obfuscation.org/ipf/

> I use FreeBSD for almost 5 years, but i used only ipfw for packet
> routing and never use ipfilter for this.

routing is done by the kernel, not the filter, btw.

> I wonder is it "internal" packet routing mechanism or maybe it is
> just for compatibility with OpenBSD?

as of 3.0 OpenBSD switched from ipf to PF (which i use on FreeBSD).
Read openbsd.org/faq/pf/ - it's powerful!

--
wbr,
          |\      _,,,---,,_          dog bless ya!
   ` Zzz /,`.-'`'    -.  ;-;;,_       McLone at GMail dot com
         |,4-  ) )-,_. ,\ (  `'-'     net- and *BSD admin
        '---''(_/--'  `-'\_)          ...sorry for translit

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 11 17:27:54 2004
From: McLone the Great
To: freebsd-pf@freebsd.org
Reply-To: McLone the Great
Date: Sat, 11 Dec 2004 19:27:50 +0200
Message-ID: <451cb30104121109271da347ac@mail.gmail.com>
In-Reply-To: <451cb3010412110924293082b7@mail.gmail.com>
References: <6.2.0.7.1.20041211171714.02128e78@pop.phreaker.net> <451cb3010412110737382bf5d9@mail.gmail.com> <6.2.0.7.1.20041211191640.02134a60@pop.phreaker.net> <451cb3010412110924293082b7@mail.gmail.com>
Subject: Re: ipfw vs ipfilter

On Sat, 11 Dec 2004 19:22:28 +0300, Castl Troy wrote:
> Is it normal behavior to have a rule like "pass ip from any to any" in
> ipfw, and do the main firewalling in ipfilter?

u can just disable ipfw or kldunload the module - NAT in ipnat is
implemented better, imo; natd is a bitch to debug...

> why && when you/me/other need to choose ipfilter instead of ipfirewall?

you should dig some OpenBSD mail archives, from the time when they switched
from ipf to pf. That'll clear things up about stability, reliability and
speed.

> You say you use PF, i will read info on it.

pf is self-sufficient; I migrated from linux ipfw > linux ipchains > fbsd
ipfw (not too long) > ipf > pf (on all BSDs). And, ALTQ/spamd/authpf [in
PF] is a must.

--
wbr,
          |\      _,,,---,,_          dog bless ya!
   ` Zzz /,`.-'`'    -.  ;-;;,_       McLone at GMail dot com
         |,4-  ) )-,_. ,\ (  `'-'     net- and *BSD admin
        '---''(_/--'  `-'\_)          ...sorry for translit

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 11 19:18:55 2004
From: McLone the Great
To: freebsd-pf@freebsd.org
Reply-To: McLone the Great
Date: Sat, 11 Dec 2004 21:18:54 +0200
Message-ID: <451cb3010412111118403fe713@mail.gmail.com>
In-Reply-To: <6.2.0.7.1.20041211215904.0219fca0@pop.phreaker.net>
References: <6.2.0.7.1.20041211171714.02128e78@pop.phreaker.net> <451cb3010412110737382bf5d9@mail.gmail.com> <6.2.0.7.1.20041211191640.02134a60@pop.phreaker.net> <451cb3010412110924293082b7@mail.gmail.com> <6.2.0.7.1.20041211215904.0219fca0@pop.phreaker.net>
Subject: Fwd: ipfw vs ipfilter

---------- Forwarded message ----------
From: Castl Troy
Date: Sat, 11 Dec 2004 21:59:44 +0300
Subject: Re: ipfw vs ipfilter
To: McLone the Great

Now I have decided to move to PF, after 5 years of working with IPFW :)
I liked it!

--
wbr,
          |\      _,,,---,,_          dog bless ya!
   ` Zzz /,`.-'`'    -.  ;-;;,_       McLone at GMail dot com
         |,4-  ) )-,_. ,\ (  `'-'     net- and *BSD admin
        '---''(_/--'  `-'\_)          ...sorry for translit

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 11 19:26:37 2004
Date: Sat, 11 Dec 2004 20:26:29 +0100
From: Mathieu Arnold
To: freebsd-pf@freebsd.org
Message-ID: <5599FA52E9B4863293C1B5C0@[192.168.1.5]>
X-Mailer: Mulberry/4.0.0a3 (Win32)
Subject: Carp and port trunking

Hi,

I've been wondering, would it be possible to use Carp on two routers in
load balancing mode, connected to 2 trunked ports on a switch?

--
Mathieu Arnold

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 11 19:47:23 2004
From: Max Laier
To: freebsd-pf@freebsd.org
cc: Mathieu Arnold
Date: Sat, 11 Dec 2004 20:47:50 +0100
User-Agent: KMail/1.7.1
References: <5599FA52E9B4863293C1B5C0@[192.168.1.5]>
In-Reply-To: <5599FA52E9B4863293C1B5C0@[192.168.1.5]>
Message-Id: <200412112047.57337.max@love2party.net>
Subject: Re: Carp and port trunking

On Saturday 11 December 2004 20:26, Mathieu Arnold wrote:
> Hi,
>
> I've been wondering, would it be possible to use Carp on two routers in
> load balancing mode, connected to 2 trunked ports a switch ?

Not entirely sure what you mean. Could you try to draw an ascii "art" of what
you have in mind?
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 11 20:02:54 2004
Date: Sat, 11 Dec 2004 21:02:45 +0100
From: Mathieu Arnold
To: Max Laier, freebsd-pf@freebsd.org
cc: Mathieu Arnold
Message-ID:
In-Reply-To: <200412112047.57337.max@love2party.net>
References: <5599FA52E9B4863293C1B5C0@[192.168.1.5]> <200412112047.57337.max@love2party.net>
X-Mailer: Mulberry/4.0.0a3 (Win32)
Subject: Re: Carp and port trunking

+-On 11/12/2004 20:47 +0100, Max Laier said:
| On Saturday 11 December 2004 20:26, Mathieu Arnold wrote:
|> Hi,
|>
|> I've been wondering, would it be possible to use Carp on two routers in
|> load balancing mode, connected to 2 trunked ports a switch ?
|
| Not entirely sure what you mean. Could you try to draw an ascii "art" of
| what you have in mind?

Oh, hum, will that get you in what I have in mind

                    outside
                    |    |
         +----+            +----+
         | R1 |--pfsync----| R2 |
         +----+            +----+
            \  Carp here   /
             \            /
              \          /
               \        /
                \      /  trunk on those 2 ports
           +-------------------+
           |      switch       |
           +-------------------+
            | | | | | | | | | |
               customers here

In that case, both routers always work, the switch is sending packets to
one or the other as the ports leading to them are trunked.

Is that clear enough?
-- 
Mathieu Arnold

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 11 21:56:15 2004
From: Max Laier
To: Mathieu Arnold
Cc: freebsd-pf@freebsd.org
Date: Sat, 11 Dec 2004 22:56:52 +0100
Subject: Re: Carp and port trunking

On Saturday 11 December 2004 21:02, Mathieu Arnold wrote:
> +-On 11/12/2004 20:47 +0100, Max Laier said:
> | On Saturday 11 December 2004 20:26, Mathieu Arnold wrote:
> |> I've been wondering, would it be possible to use Carp on two routers in
> |> load balancing mode, connected to 2 trunked ports on a switch?
> |
> | Not entirely sure what you mean. Could you try to draw an ascii "art" of
> | what you have in mind?
>
> Oh, hum, will that get you in what I have in mind
[...]
> In that case, both routers always work, the switch is sending packets to
> one or the other as the ports leading to them are trunked.
>
> Is that clear enough?

Yes. But I am afraid that this will not work. The CARP load balancing works
based on client MAC address.
On receive we calculate a hash and determine if we or the other server is
responsible and answer accordingly. With trunking it might happen that a
request is sent to the wrong server, which will not reply as it thinks the
other one is responsible.

Depending on the routing situation "above" your picture it might be possible
to do it with pfsync alone - i.e. no CARP required, just let the trunking do
the load balance. Failover is not easily possible with trunking anyhow.

-- 
Max Laier
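The failure Max describes, as an added model that is not code from the thread or from FreeBSD: CARP picks the node responsible for a client from a hash of the client's MAC, while the switch's trunk picks a member port by its own rule, and a request that the trunk hands to the other node is silently ignored. Both hash functions, the client MACs and the virtual MAC are constructed stand-ins, not CARP's or any switch's real algorithm.

```python
"""Model of the CARP arp-balancing / switch trunking conflict.

Added example, not code from the thread or from FreeBSD. Both hashes are
constructed stand-ins (assumptions), not CARP's arp-balancing hash or any
switch's trunk hash; the lesson is that they are chosen independently.
"""
from itertools import cycle

NODES = ("R1", "R2")

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def carp_owner(client_mac):
    """Node that answers a client: CARP hashes the client MAC and only the
    selected node replies (stand-in hash, not CARP's)."""
    h = 0
    for b in mac_bytes(client_mac):
        h = (h * 33 + b) & 0xFF
    return NODES[h % len(NODES)]

def round_robin_trunk():
    """Constructed trunk policy: the switch alternates member ports per frame."""
    ports = cycle(NODES)
    return lambda client_mac: next(ports)

def src_xor_dst_trunk(virtual_mac):
    """Constructed trunk policy: hash of src and dst MAC low bytes, the shape
    of a common real-world load-distribution mode."""
    dst = mac_bytes(virtual_mac)[-1]
    return lambda client_mac: NODES[(mac_bytes(client_mac)[-1] ^ dst) % len(NODES)]

def simulate(clients, trunk):
    """One request per client: returns (answered, silently dropped)."""
    answered = dropped = 0
    for mac in clients:
        if trunk(mac) == carp_owner(mac):
            answered += 1
        else:
            dropped += 1  # receiving node thinks its peer is responsible
    return answered, dropped

# Constructed client MACs; the stand-in hash assigns them R2, R1, R2, R1, ...
CLIENTS = ["00:11:22:33:44:%02x" % i for i in range(1, 7)]

if __name__ == "__main__":
    # No trunk: the switch learned the owner's MAC, so every request is answered.
    print("switch delivers to the owner:", simulate(CLIENTS, carp_owner))
    print("round-robin trunk:", simulate(CLIENTS, round_robin_trunk()))
    print("src^dst trunk, vhid 1:", simulate(CLIENTS, src_xor_dst_trunk("00:00:5e:00:01:01")))
```

With a virtual MAC whose low byte is even, the same src^dst policy happens to agree with the stand-in CARP hash for every client; whether requests are answered depends on that accidental agreement, which no configuration on either side controls.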