From owner-freebsd-pf@FreeBSD.ORG Mon Aug 28 11:09:56 2006
Date: Mon, 28 Aug 2006 11:08:13 GMT
Message-Id: <200608281108.k7SB8Dik071594@freefall.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
f kern/86072   pf         [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o sparc/93530  pf         Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/94992   pf         [pf] [patch] pfctl complains about ALTQ missing

3 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 28 15:07:46 2006
Message-ID: <44F306B4.3090103@2012.vi>
Date: Mon, 28 Aug 2006 11:07:32 -0400
From: beno
To: freebsd-pf@freebsd.org
Subject: Exceeded Allotted Memory

Hi;
In trying to enable/run my pf ruleset with a rather large table I get an
error that states that table is too large to load into memory. What
memory? What do I need to free up?
TIA,
beno

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 28 19:22:05 2006
Message-ID:
<55e8a96c0608281222p7928076evb279ceccc7b135cf@mail.gmail.com>
Date: Mon, 28 Aug 2006 14:22:00 -0500
From: "Bill Marquette"
To: beno
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44F306B4.3090103@2012.vi>
Subject: Re: Exceeded Allotted Memory

On 8/28/06, beno wrote:
> Hi;
> In trying to enable/run my pf ruleset with a rather large table
> I get an error that states that table is too large to load into memory.

What's your definition of "rather large"?

> What memory? What do I need to free up?

System memory and who knows until we know system specs and what "rather
large" is defined as. As has been pointed out in some of your previous
threads, you need to provide more information for people to help you.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 29 13:48:41 2006
Message-ID: <44F445A3.4040900@2012.vi>
Date: Tue, 29 Aug 2006 09:48:19 -0400
From: beno
To: Bill Marquette, freebsd-pf@freebsd.org
In-Reply-To: <55e8a96c0608281222p7928076evb279ceccc7b135cf@mail.gmail.com>
Subject: Re: Exceeded Allotted Memory

Bill Marquette wrote:
> On 8/28/06, beno wrote:
>> Hi;
>> In trying to enable/run my pf ruleset with a rather large table
>> I get an error that states that table is too large to load into memory.
>
> What's your definition of "rather large"?

1093632 bytes

>
>> What memory? What do I need to free up?
>
> System memory and who knows until we know system specs and what
> "rather large" is defined as. As has been pointed out in some of your
> previous threads, you need to provide more information for people to
> help you.

I wish I could say you're the only people to have pointed that out. I
suppose some people are better equipped for computer programming than
others, just like some are better equipped for basketball than others,
and this is my Achilles' heel. Not by way of excuse, just by way of
waking up to the same problem repeatedly. At any rate, what info do you
need?
server167# df
Filesystem          1K-blocks     Used   Avail Capacity  Mounted on
/dev/mirror/gm0s1a   75481758 64151300 5291918    92%    /
devfs                       1        1       0   100%    /dev
devfs                       1        1       0   100%    /var/named/dev
server167# du -s /etc/
5536    /etc/

OS: FreeBSD 6.1
TIA,
beno

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 29 15:46:25 2006
From: Michal Mertl
To: beno
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44F445A3.4040900@2012.vi>
Date: Tue, 29 Aug 2006 17:46:13 +0200
Message-Id: <1156866373.30520.24.camel@genius.i.cz>
Subject: Re: Exceeded Allotted Memory

beno wrote:
> Bill Marquette wrote:
> > On 8/28/06, beno wrote:
> >> Hi;
> >> In trying to enable/run my pf ruleset with a rather large table
> >> I get an error that states that table is too large to load into memory.

Please always post the exact command you run and the output you get. I
can't find anything similar to the error you describe anywhere.

> > What's your definition of "rather large"?
> 1093632 bytes

If it were the size of a file with IP addresses it is going to be a
pretty big list (in the range of tens of thousands of entries), but I
have just tested (512MB memory, FreeBSD CURRENT) that I can fill that
large a table with both a series of 'pfctl -t aaa -T add $ip' and the
pf.conf line 'table file "/file/name"' without problem, and I can also
create thousands of tables.
Michal

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 29 16:48:40 2006
Date: Tue, 29 Aug 2006 18:48:39 +0200
From: Frank Steinborn
To: Max Laier
Cc: gnn@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <200608251849.30631.max@love2party.net>
Message-Id: <20060829164839.46B72B828@shodan.nognu.de>
Subject: Re: I'm getting sick - Problems filtering IPv6.

Max Laier wrote:
> On Thursday 24 August 2006 20:01, Frank Steinborn wrote:
> > Max Laier wrote:
> > > [please do not cut the audit trail from your replies - it really helps
> > > to have all information in one email]
> > >
> > > Short recap for everybody: Using pf stateful rules for inet6 fails
> > > for connections originating from the firewall itself to a service
> > > running on the same box. Culprit seems to be interface selection in
> > > inet6 (switching between the interface that has the address
> > > configured and lo0). See below.
> >
> > Something new on that? I searched for a PR, and couldn't find one
> > so I just wanted to ask.
> >
> > I could file a PR if necessary.
>
> Please do and let me know the PR#. I almost forgot, but will look at it
> over the weekend as I find time. Thanks for the reminder.

Sorry for the delay, I was a bit busy the last days.
PR#: 102647

Frank

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 29 22:40:53 2006
Date: Tue, 29 Aug 2006 22:40:52 GMT
From: Mark Linimon
Message-Id: <200608292240.k7TMeqp5020329@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Synopsis: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Aug 29 22:40:14 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=102647

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 30 00:51:52 2006
Message-ID: <44F4E12A.2010304@threerings.net>
Date: Tue, 29 Aug 2006 17:51:54 -0700
From: Nick Barkas
To: freebsd-pf@freebsd.org
Subject: setting carp device state with ifconfig(8)

Hi-

I submitted a PR about a month ago with a patch to make ifconfig(8) able
to manually set a carp(4) device's state (to either MASTER or BACKUP). I
haven't received any feedback on the PR or patch, and just noticed that
the PR was sent off initially to freebsd-bugs@. Perhaps some of you on
this list might be more interested in this patch. Here's the PR:

http://www.freebsd.org/cgi/query-pr.cgi?pr=100956

Nick

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 30 01:13:42 2006
Date: Wed, 30 Aug 2006 10:13:32 +0900
Message-ID:
From: SUZUKI Shinsuke
To: steinex@nognu.de, freebsd-pf@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
In-Reply-To: <200608291637.k7TGbNxd002409@www.freebsd.org>
Organization: Networking Technology Development Dept., ALAXALA Networks Corporation
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Hi,

>>>>> On Tue, 29 Aug 2006 16:37:23 GMT
>>>>> steinex@nognu.de(Frank Steinborn) said:

> Thanks to Max Laier for examining this, I'll just paste him:
>
> Using pf stateful rules for inet6 fails for connections originating from
> the firewall itself to a service running on the same box. Culprit seems
> to be interface selection in inet6 (switching between the interface that
> has the address configured and lo0).
>
> tcpdump on pflog0 shows that the initial SYN is coming from bge0 (See
> below for ruleset used). The reply then comes via lo0 and matches the
> state (if state-policy is floating).
> The third packet (again via bge0) then no longer matches the state -
> however:
>
> >How-To-Repeat:
> Use this ruleset:
>
> pass quick on lo0 all
> pass quick on bge0 inet all
> block drop log all
> pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state
>
> Then try to open an inet6-connection to a service running on the
> firewall itself from the firewall itself.

Could you please try the attached patch for the kernel?

Using this patch, PF regards the initial SYN (and the third packet) as
coming from lo0, instead of bge0. (There was a similar bug-report
regarding PF for looped-back IPv6 packets, and this patch fixed the
problem)

If it seems okay from PF's point of view, I'll commit it to -current.

Thanks,
----
SUZUKI, Shinsuke @ KAME Project

Index: ip6_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.88
diff -u -u -r1.88 ip6_input.c
--- ip6_input.c	4 Aug 2006 21:27:39 -0000	1.88
+++ ip6_input.c	30 Aug 2006 00:49:48 -0000
@@ -407,7 +407,18 @@ if (!PFIL_HOOKED(&inet6_pfil_hook)) goto passin; - if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL)) + /* + * When the packet loops back from the host itself, m_pkthdr.rcvif points + * to the lo0 in case of IPv4. Whereas in case of IPv6, it points to the + * interface with the destination IPv6 address, to support IPv6 scoped + * address. + * To keep the legacy assumption in filter configuration (looped-back + * packet comes from lo0), explicitly passes lo0 as the incoming interface + * of a looped-back packet. + */ + if (pfil_run_hooks(&inet6_pfil_hook, &m, + m->m_flags & M_LOOP ? &loif[0] : m->m_pkthdr.rcvif, + PFIL_IN, NULL)) return; if (m == NULL) /* consumed by filter */ return;

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 30 01:20:32 2006
Date: Wed, 30 Aug 2006 01:20:32 GMT
Message-Id: <200608300120.k7U1KWjU033760@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
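Review bot: the new comment promises to keep the legacy assumption that a looped-back packet "comes from lo0", but the hunk only substitutes the interface argument of the `pfil_run_hooks()` call; `m->m_pkthdr.rcvif` itself is left pointing at the address-owning interface, so any later consumer of `rcvif` still sees the physical interface, unlike the IPv4 case the comment describes. Either narrow the comment to say that only the filter's view of the incoming interface changes, or assign `m->m_pkthdr.rcvif` as well so the two families behave the same. Minor style point on the same lines: the nested argument `m->m_flags & M_LOOP ? &loif[0] : m->m_pkthdr.rcvif` is easier to read as a parenthesized condition stored in a named local (`ifp = (m->m_flags & M_LOOP) ? loif : m->m_pkthdr.rcvif;`), and `&loif[0]` is the same pointer as `loif`.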
From: SUZUKI Shinsuke
Reply-To: SUZUKI Shinsuke
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

The following reply was made to PR kern/102647; it has been noted by GNATS.
From: SUZUKI Shinsuke
To: steinex@nognu.de, freebsd-pf@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Date: Wed, 30 Aug 2006 10:13:32 +0900
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 30 08:19:56 2006
From: AstraSerg
Organization: Proc.ru
To: freebsd-pf@freebsd.org
Date: Wed, 30 Aug 2006 12:18:24 +0400
Message-Id: <200608301218.24674.astraserg@proc.ru>
Reply-To: astraserg@proc.ru
Subject: Migrating from ipfw to pf

Good day

How can I configure pf in the case of 2 external interfaces?
There is no binding to interface at all in ipfw. I just

divert 42345 ip from 192.168.0.0/16 to any
fwd 194.185.178.126 ip from 194.185.178.125 to any
divert 42345 ip from any to 194.185.178.125

In pf I have to set the external interface, like this

nat on sk0 inet from 192.168.0.0/16 to any -> 194.185.178.125

But traffic by default goes to another interface - em1

--
Wed Aug 30 11:40:23 MSD 2006

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 30 11:39:50 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: SUZUKI Shinsuke, freebsd-gnats-submit@freebsd.org
Date: Wed, 30 Aug 2006 13:39:34 +0200
References: <200608291637.k7TGbNxd002409@www.freebsd.org>
Message-Id: <200608301339.42374.max@love2party.net>
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

SUZUKI-san,

since you are looking at this already could I interest you in a related
problem?
On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote:
> Hi,
>
> >>>>> On Tue, 29 Aug 2006 16:37:23 GMT
> >>>>> steinex@nognu.de(Frank Steinborn) said:
> >
> > Thanks to Max Laier for examining this, I'll just paste him:
> >
> > Using pf stateful rules for inet6 fails for connections originating
> > from the firewall itself to a service running on the same box.
> > Culprit seems to be interface selection in inet6 (switching between
> > the interface that has the address configured and lo0).
> >
> > tcpdump on pflog0 shows that the initial SYN is coming from bge0 (See
> > below for ruleset used). The reply then comes via lo0 and matches the
> > state (if state-policy is floating). The third packet (again via
> > bge0) then no longer matches the state - however:
> >
> > >How-To-Repeat:
> >
> > Use this ruleset:
> >
> > pass quick on lo0 all
> > pass quick on bge0 inet all
> > block drop log all
> > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port =
> > ssh flags S/SA keep state
> >
> > Then try to open an inet6-connection to a service running on the
> > firewall itself from the firewall itself.
>
> Could you please try the attached patch for the kernel?
>
> Using this patch, PF regards the initial SYN (and the third packet) as
> coming from lo0, instead of bge0. (There was a similar bug-report
> regarding PF for looped-back IPv6 packets, and this patch fixed the
> problem)
>
> If it seems okay from PF's point of view, I'll commit it to
> -current.

Your patch looks good for the problem reported, there is - however -
another problem that may be related. The bottom line is that packets to
or from local addresses never show up on bpf as they are not processed by
lo0's input/output routines. Do you have any idea how to address this?
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1732840.TuzD54aPQf Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQBE9Xj+XyyEoT62BG0RAimwAJ4s0elYgCMVPOUEtzk8jjS/hSQmLACfakuq ueTEDz/pV8klfRGbVhNiS1U= =C21O -----END PGP SIGNATURE----- --nextPart1732840.TuzD54aPQf-- From owner-freebsd-pf@FreeBSD.ORG Wed Aug 30 11:40:41 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C804B16A657 for ; Wed, 30 Aug 2006 11:40:41 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5938043D79 for ; Wed, 30 Aug 2006 11:40:31 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k7UBeQAi084914 for ; Wed, 30 Aug 2006 11:40:26 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k7UBeQAT084913; Wed, 30 Aug 2006 11:40:26 GMT (envelope-from gnats) Date: Wed, 30 Aug 2006 11:40:26 GMT Message-Id: <200608301140.k7UBeQAT084913@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org 
From: Max Laier
Reply-To: Max Laier
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

The following reply was made to PR kern/102647; it has been noted by GNATS.
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: SUZUKI Shinsuke, steinex@nognu.de, freebsd-gnats-submit@freebsd.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Date: Wed, 30 Aug 2006 13:39:34 +0200

[Body identical to Max Laier's message of Wed, 30 Aug 2006 13:39:34 +0200 above; not repeated.]

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 31 06:47:20 2006
Date: Thu, 31 Aug 2006 15:47:13 +0900
From: SUZUKI Shinsuke
To: max@love2party.net
Cc: suz@freebsd.org, freebsd-gnats-submit@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <200608301339.42374.max@love2party.net>
References: <200608291637.k7TGbNxd002409@www.freebsd.org> <200608301339.42374.max@love2party.net>
Organization: Networking Technology Development Dept., ALAXALA Networks Corporation
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Hi, Max.

>>>>> On Wed, 30 Aug 2006 13:39:34 +0200
>>>>> max@love2party.net (Max Laier) said:
> another problem that may be related. The bottom line is that packets
> to or from local addresses never show up on bpf as they are not
> processed by lo0's input/output routines. Do you have any idea how
> to address this?

It is a spec (bug?) of if_simloop() (net/if_loop.c), not related to this problem.

- The BPF of the physical interface, instead of lo0, detects the packet.

    % ping6 fe80::20c:29ff:fe54:6378%lnc2
    16 bytes from fe80::20c:29ff:fe54:6378%lnc2, icmp_seq=0 hlim=64 time=2.857 ms

    % tcpdump -X -ni lnc2
    3a:40:fe:80:00:00 > 60:00:00:00:00:10 Null Information, send seq 1, rcv seq 6, Flags [Command], length 42
        0x0000:  0000 020c 29ff fe54 6378 fe80 0000 0000  ....)..Tcx......
        0x0010:  0000 020c 29ff fe54 6378 8000 3c25 0bfe  ....)..Tcx..<%..
        0x0020:  0000 44f6 81de 0004 5806                 ..D.....X.
    3a:40:fe:80:00:00 > 60:00:00:00:00:10 Null Information, send seq 1, rcv seq 6, Flags [Command], length 42
        0x0000:  0000 020c 29ff fe54 6378 fe80 0000 0000  ....)..Tcx......
        0x0010:  0000 020c 29ff fe54 6378 8100 3b25 0bfe  ....)..Tcx..;%..
        0x0020:  0000 44f6 81de 0004 5806                 ..D.....X.

- if_simloop() just passes the received mbuf to the BPF of the physical
  interface in the case of IPv6. (Please see the following code.)

    if (ifp->if_bpf) {
        if (ifp->if_bpf->bif_dlt == DLT_NULL) {
            u_int32_t af1 = af;	/* XXX beware sizeof(af) != 4 */
            bpf_mtap2(ifp->if_bpf, &af1, sizeof(af1), m);
            /* <= this one is called in the case of IPv4, since ifp = lo0 */
        } else
            bpf_mtap(ifp->if_bpf, m);
            /* <= this one is normally called in the case of IPv6, since
             *    ifp = physical I/F and the physical I/F's DLT is normally
             *    DLT_EN10MB */
    }

- However, due to the lack of correct layer-2 header information, the BPF
  cannot display the packet correctly. (A dummy padding can partly solve
  the problem, but it would be problematic in terms of BPF filtering based
  on layer-2 information...)
Thanks,
----
SUZUKI, Shinsuke @ KAME Project

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 31 06:50:22 2006
Date: Thu, 31 Aug 2006 06:50:21 GMT
Message-Id: <200608310650.k7V6oLrB003384@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: SUZUKI Shinsuke
Reply-To: SUZUKI Shinsuke
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

The following reply was made to PR kern/102647; it has been noted by GNATS.
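An added example (not part of the thread) that makes SUZUKI-san's point concrete: it rebuilds the 56-byte ICMPv6 echo request from his `tcpdump -X -ni lnc2` dump and decodes it the way tcpdump did on the physical interface (DLT_EN10MB, assuming a 14-byte Ethernet header that is not there, which yields the bogus "3a:40:fe:80:00:00 > 60:00:00:00:00:10" MACs) and the way it should be decoded (raw IPv6, or with the 4-byte DLT_NULL address-family header that lo0's bpf_mtap2() call supplies). The FreeBSD AF_INET6 value 28 and the reassembly of the first 14 bytes are assumptions documented in the comments.

```python
"""Why a looped-back IPv6 packet shows up garbled on the physical interface's bpf."""
import socket
import struct

ETHER_HDR_LEN = 14
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
AF_INET6_FREEBSD = 28  # assumption: FreeBSD's AF_INET6; DLT_NULL prepends it in host order

# Constructed from the thread's dump: tcpdump printed 42 bytes after what it took
# to be a 14-byte Ethernet header, so the whole packet is those 14 bytes (really
# the start of the IPv6 header) followed by the 42 dumped bytes.
LOOPED_BACK_ECHO_REQUEST = bytes.fromhex(
    "60000000"                                  # version 6, traffic class 0, flow label 0
    "0010" "3a" "40"                            # payload length 16, next header ICMPv6, hlim 64
    "fe80 0000 0000 0000 020c 29ff fe54 6378"   # src fe80::20c:29ff:fe54:6378
    "fe80 0000 0000 0000 020c 29ff fe54 6378"   # dst: the same address (ping6 to self)
    "8000 3c25 0bfe 0000"                       # ICMPv6 echo request, checksum, id 0x0bfe, seq 0
    "44f6 81de 0004 5806"                       # echo payload (ping6 timestamp)
)


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_as_ethernet(frame: bytes) -> dict:
    """What tcpdump does on a DLT_EN10MB interface (the bpf_mtap() branch of if_simloop())."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETHER_HDR_LEN])
    return {
        "src_mac": mac(src),      # really next-header, hlim and the first src-address bytes
        "dst_mac": mac(dst),      # really version/flow label and payload length
        "ethertype": ethertype,   # 0x0000, so tcpdump treats the frame as 802.3 LLC
        "is_ipv6": ethertype == ETHERTYPE_IPV6,
    }


def decode_ipv6(pkt: bytes) -> dict:
    """Decode a raw IPv6 packet and, when it carries ICMPv6, the echo header."""
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6 or len(pkt) != 40 + plen:
        raise ValueError("not a well-formed IPv6 packet")
    out = {
        "src": socket.inet_ntop(socket.AF_INET6, pkt[8:24]),
        "dst": socket.inet_ntop(socket.AF_INET6, pkt[24:40]),
        "next_header": nh, "hlim": hlim, "payload_len": plen,
    }
    if nh == IPPROTO_ICMPV6:
        typ, code, _cksum, ident, seq = struct.unpack("!BBHHH", pkt[40:48])
        out.update(icmp_type=typ, icmp_code=code, icmp_id=ident, icmp_seq=seq)
    return out


def wrap_dlt_null(pkt: bytes, af: int = AF_INET6_FREEBSD) -> bytes:
    """Frame a packet the way lo0's DLT_NULL bpf does: 4-byte host-order AF, then the packet."""
    return struct.pack("=I", af) + pkt


def decode_dlt_null(capture: bytes) -> dict:
    """Decode a DLT_NULL capture record back into the IPv6 packet it carries."""
    af = struct.unpack("=I", capture[:4])[0]
    if af != AF_INET6_FREEBSD:
        raise ValueError(f"unexpected address family {af}")
    return decode_ipv6(capture[4:])


if __name__ == "__main__":
    pkt = LOOPED_BACK_ECHO_REQUEST
    print("as Ethernet (what tcpdump on lnc2 saw):", decode_as_ethernet(pkt))
    print("as raw IPv6:", decode_ipv6(pkt))
    print("via DLT_NULL framing:", decode_dlt_null(wrap_dlt_null(pkt)))
```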
From: SUZUKI Shinsuke
To: max@love2party.net
Cc: freebsd-pf@freebsd.org, suz@freebsd.org, steinex@nognu.de, freebsd-gnats-submit@freebsd.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Date: Thu, 31 Aug 2006 15:47:13 +0900

[Body identical to SUZUKI Shinsuke's message of Thu, 31 Aug 2006 15:47:13 +0900 above; not repeated.]

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 31 08:31:20 2006
Date: Thu, 31 Aug 2006 15:31:19 +0700
From: Hajime
To: freebsd-pf@freebsd.org
Subject: pf+altq (all traffic are in queue default)

Hello,

I want to implement pf+altq for traffic shaping with FreeBSD 5.4-RELEASE. I have done the kernel compilation on my FreeBSD box for pf and altq. Then, my scenario is like this:

My network:

    external-network ---------------- rl0-FreeBSD-xl0 ---------------- internal-network
    192.168.0.0/24                                                      10.2.0.0/16

I want each of http, ssh and ftp traffic going from external-network to internal-network to get 25% of the total available bandwidth on xl0.

This is my pf.conf:

    #Root Queue
    altq on xl0 cbq bandwidth 10Mb queue { www, ftp, ssh, std }

    #Child Queue
    queue www bandwidth 25% priority 2 cbq(borrow)
    queue ftp bandwidth 25% priority 2 cbq(borrow)
    queue ssh bandwidth 25% { ssh_login, ssh_bulk }
    queue ssh_login bandwidth 25% priority 4 cbq(ecn)
    queue ssh_bulk bandwidth 75% cbq(ecn)
    queue std bandwidth 25% priority 3 cbq(default borrow)

    #Macros
    ext_net = "192.168.0.0/24"
    int_net = "10.2.0.0/16"

    #Filter rule
    pass out on xl0 proto tcp from $ext_net to $int_net port 80 queue www
    pass out on xl0 proto tcp from $ext_net to $int_net port { 21, 20 } queue ftp
    pass out on xl0 proto tcp from any to any port 22 queue(ssh_bulk, ssh_login)

Then I tested this configuration by generating http, ftp, ssh, etc. traffic (the traffic is going from external-network to internal-network). I looked at the pf status with the command "pfctl -vs all": all the traffic is in the default queue, not in the individual queues (for ftp, http, ssh etc.).

Is there any mistake in my pf.conf? Please help me.

Thx

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 31 18:31:58 2006
From: Владимир Капустин (Vladimir Kapustin)
To: freebsd-pf@freebsd.org
Date: Thu, 31 Aug 2006 22:31:56 +0400
Subject: PF & VLAN parent interface?

I have a FreeBSD router with 6 Ethernet ports & many VLANs. For optimization purposes I want to separate the rules by interface, but separation by VLAN interface makes the config very huge and complex; that's why I want to separate the rules by parent interface. The question is: would the rules related to the parent interfaces affect the cloned ones?
From owner-freebsd-pf@FreeBSD.ORG Thu Aug 31 19:05:52 2006
To: pf@freebsd.org
From: Johan Ström
Date: Thu, 31 Aug 2006 21:05:10 +0200
Subject: carp + IPv6 not working at all

Hi

I'm trying to get carp working with IPv6. For regular IPv4 it works like a charm, but I cannot get it working with inet6. For the moment I've only tested inet6 with a single box:

    fxp0: flags=8943 mtu 1500
            options=8
            inet6 fe80::202:55ff:feb1:ff5a%fxp0 prefixlen 64 scopeid 0x1
            inet 172.28.1.250 netmask 0xffffff00 broadcast 172.28.1.255
            inet6 2001:16d8:ff20:1:202:55ff:feb1:ff5a prefixlen 64 autoconf
            inet6 2001:16d8:ff20:1::98 prefixlen 64
            ether 00:02:55:b1:ff:5a
            media: Ethernet autoselect (100baseTX )
            status: active
    carp1: flags=49 mtu 1500
            inet6 2001:16d8:ff20:1::99 prefixlen 64
            carp: MASTER vhid 2 advbase 1 advskew 100

Pinging 2001:16d8:ff20:1::98 (fxp0 addr) from the other box works fine.
However, when I try to ping 2001:16d8:ff20:1::99 (carp1), it does not really work:

    carpbox# tcpdump -i fxp0 -nveev ip6
    tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
    19:36:58.150282 00:a0:cc:77:35:ff > 33:33:ff:00:00:99, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header: ICMPv6 (58), length: 32) 2001:16d8:ff20:1::1 > ff02::1:ff00:99: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:16d8:ff20:1::99
              source link-address option (1), length 8 (1): 00:a0:cc:77:35:ff
                0x0000:  00a0 cc77 35ff
    19:36:58.150393 00:00:5e:00:01:02 > 00:a0:cc:77:35:ff, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header: ICMPv6 (58), length: 32) 2001:16d8:ff20:1::98 > 2001:16d8:ff20:1::1: [icmp6 sum ok] ICMP6, neighbor advertisment, length 32, tgt is 2001:16d8:ff20:1::99, Flags [solicited, override]
              destination link-address option (2), length 8 (1): 00:00:5e:00:01:02
                0x0000:  0000 5e00 0102
    19:36:58.150642 00:a0:cc:77:35:ff > 00:00:5e:00:01:02, ethertype IPv6 (0x86dd), length 70: (hlim 64, next-header: ICMPv6 (58), length: 16) 2001:16d8:ff20:1::1 > 2001:16d8:ff20:1::99: [icmp6 sum ok] ICMP6, echo request, length 16, seq 0
    19:36:59.150566 00:a0:cc:77:35:ff > 00:00:5e:00:01:02, ethertype IPv6 (0x86dd), length 70: (hlim 64, next-header: ICMPv6 (58), length: 16) 2001:16d8:ff20:1::1 > 2001:16d8:ff20:1::99: [icmp6 sum ok] ICMP6, echo request, length 16, seq 1
    19:37:00.150360 00:a0:cc:77:35:ff > 00:00:5e:00:01:02, ethertype IPv6 (0x86dd), length 70: (hlim 64, next-header: ICMPv6 (58), length: 16) 2001:16d8:ff20:1::1 > 2001:16d8:ff20:1::99: [icmp6 sum ok] ICMP6, echo request, length 16, seq 2
    ^C

The other box sends a neighbor solicitation "who has", and the carp box successfully responds with a "tgt is" with the correct MAC/IP etc. (btw, what is the carp MAC based on?). After the other box has received the adv, it starts to send icmp6 packets. But for some reason the carpbox does not seem to react to these at all? PF is disabled and I don't use ipfw.

    FreeBSD carpbox.stromnet.org 6.1-RELEASE-p5 FreeBSD 6.1-RELEASE-p5 #2: Wed Aug 30 10:22:54 CEST 2006 johan@carpbox.stromnet.org:/usr/obj/usr/src/sys/DEVBOX i386

(GENERIC + carp + pfsync kernel)

Have I missed something? The same setup works fine with IPv4. Maybe this is related to kern/98622, but I don't see these symptoms described there... Also, I see no ip6 multicast traffic from the box (advertisements), but ip4 is fully visible.

Thanks for any help, carp (at least for ipv4 :P) rocks! :)

Johan Ström
johan@stromnet.org

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 1 19:23:02 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: SUZUKI Shinsuke, freebsd-gnats-submit@freebsd.org
Date: Fri, 1 Sep 2006 21:22:45 +0200
Message-Id: <200609012122.53206.max@love2party.net>
References: <200608291637.k7TGbNxd002409@www.freebsd.org>
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote:
> Hi,
>
> >>>>> On Tue, 29 Aug 2006 16:37:23 GMT
> >>>>> steinex@nognu.de (Frank Steinborn) said:
> > Thanks to Max Laier for examining this, I'll just paste him:
> >
> > Using pf stateful rules for inet6 fails for connections originating
> > from the firewall itself to a service running on the same box.
> > Culprit seems to be interface selection in inet6 (switching between
> > the interface that has the address configured and lo0).
> >
> > tcpdump on pflog0 shows that the initial SYN is coming from bge0 (see
> > below for the ruleset used). The reply then comes via lo0 and matches the
> > state (if state-policy is floating). The third packet (again via
> > bge0) then no longer matches the state - however:
> >
> > >How-To-Repeat:
> >
> > Use this ruleset:
> >
> >   pass quick on lo0 all
> >   pass quick on bge0 inet all
> >   block drop log all
> >   pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state
> >
> > Then try to open an inet6 connection to a service running on the
> > firewall itself from the firewall itself.
>
> Could you please try the attached patch for the kernel?
>
> Using this patch, PF regards the initial SYN (and the third packet) as
> coming from lo0, instead of bge0. (There was a similar bug report
> regarding PF for looped-back IPv6 packets, and this patch fixed the
> problem.)
>
> If it seems okay from PF's point of view, I'll commit it to
> -current.

Thinking about this for a bit, we might want to use the patch below instead, i.e. do the fixup locally in the pfil wrapper. This way other filters don't break if they have adapted to the new world order. Thoughts? Please test and report back, either way.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.25
diff -u -r1.25 pf_ioctl.c
--- pf_ioctl.c	21 Jul 2006 09:48:13 -0000	1.25
+++ pf_ioctl.c	1 Sep 2006 19:19:49 -0000
@@ -3442,7 +3442,8 @@
 	 */
 	int chk;
 
-	chk = pf_test6(PF_IN, ifp, m, NULL, inp);
+	chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
+	    NULL, inp);
 	if (chk && *m) {
 		m_freem(*m);
 		*m = NULL;
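Review bot: the M_LOOP substitution is made only in this one inbound call, `chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m, NULL, inp);`, so a looped-back inet6 packet is presented to pf as arriving on lo0 on input only; the report above says the problem shows on both the initial SYN and the third packet, so please confirm that the PF_OUT counterpart of this wrapper does not need the same treatment for the state to be matched consistently in both directions, and note that `&loif[0]` hardwires the first loopback interface, so a ruleset written against another lo(4) clone would not match. Either way, the ternary deserves a one-line comment above it naming PR kern/102647 and stating that looped-back inet6 packets otherwise reach pf with the physical interface as ifp; without it the next reader of the wrapper will take the special case for a stray hack.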
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 1 19:30:24 2006
Date: Fri, 1 Sep 2006 19:30:23 GMT
Message-Id: <200609011930.k81JUNOA046542@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier
Reply-To: Max Laier
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

The following reply was made to PR kern/102647; it has been noted by GNATS.
From: Max Laier To: freebsd-pf@freebsd.org Cc: SUZUKI Shinsuke , steinex@nognu.de, freebsd-gnats-submit@freebsd.org Subject: Re: kern/102647: Using pf stateful rules for inet6 fails =?iso-8859-6?q?for=09connections_originating_from_the_firewall_itself_to_a?= =?iso-8859-6?q?_service=09running_on_thesame?= box Date: Fri, 1 Sep 2006 21:22:45 +0200 --nextPart8266172.WiydWlPtKC Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote: > Hi, > > >>>>> On Tue, 29 Aug 2006 16:37:23 GMT > >>>>> steinex@nognu.de(Frank Steinborn) said: > > > > Thanks to Max Laier for examining this, I'll just paste him: > > > > Using pf stateful rules for inet6 fails for connections originating > > from the firewall itself to a service running on the same box.=20 > > Culprit seems to be interface selection in inet6 (switching between > > the interface that has the address configured and lo0). > > > > tcpdump on pflog0 shows that the initial SYN is coming from bge0 (See=20 > > below for ruleset used). The reply then comes via lo0 and matches the= =20 > > state (if state-policy is floating). The third packet (again via=20 > > bge0) then does no longer match the state - however: =20 > > >How-To-Repeat: > > > > Use this ruleset: > > > > pass quick on lo0 all > > pass quick on bge0 inet all > > block drop log all > > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port =3D > > ssh flags S/SA keep state > > > > Then try to open an inet6-connection to a service running on the > > firewall itself from the firewall itself. > > Could you please try the attached patch for kernel? > > Using this patch, PF regards the initial SYN (and the third packet) is > coming from lo0, instead of bge0. 
(There was a similar bug-report > regarding PF for looped-back IPv6 packet, and this patch fixed the > problem) > > If it seems okay from the PF's point of view, I'll commit it to > -current. Thinking about this for a bit we might want to use the patch below=20 instead. i.e. do the fixup locally in the pfil wrapper instead. This=20 way other filters don't break if they have adapted to the new world=20 order. Thoughts? Please test and report back, either way. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News Index: pf_ioctl.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v retrieving revision 1.25 diff -u -r1.25 pf_ioctl.c =2D-- pf_ioctl.c 21 Jul 2006 09:48:13 -0000 1.25 +++ pf_ioctl.c 1 Sep 2006 19:19:49 -0000 
@@ -3442,7 +3442,8 @@
 	 */
 	int chk;
 
-	chk = pf_test6(PF_IN, ifp, m, NULL, inp);
+	chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
+	    NULL, inp);
 	if (chk && *m) {
 		m_freem(*m);
 		*m = NULL;

[PGP signature omitted]

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 2 07:36:00 2006
Date: Sat, 2 Sep 2006 14:35:58 +0700
From: Hajime
To: freebsd-pf@freebsd.org
Subject: pf+altq (all traffic are in queue default)

Hello,

I want to implement pf+altq for traffic shaping with FreeBSD 5.4-RELEASE. I have done a kernel compilation on my FreeBSD box for pf and altq. My scenario is like this:

My network:

external-network-----------------------rl0-FreeBSD-xl0-----------------------internal-network
192.168.0.0/24                                                                  10.2.0.0/16

I want each of the http, ssh and ftp traffic going from external-network to internal-network to get 25% of the total available bandwidth on xl0. This is my pf.conf:

#Root Queue
altq on xl0 cbq bandwidth 10Mb queue { www, ftp, ssh, std }

#Child Queue
queue www bandwidth 25% priority 2 cbq(borrow)
queue ftp bandwidth 25% priority 2 cbq(borrow)
queue ssh bandwidth 25% { ssh_login, ssh_bulk }
queue ssh_login bandwidth 25% priority 4 cbq(ecn)
queue ssh_bulk bandwidth 75% cbq(ecn)
queue std bandwidth 25% priority 3 cbq(default borrow)

#Macros
ext_net = "192.168.0.0/24"
int_net = "10.2.0.0/16"

#Filter rule
pass out on xl0 proto tcp from $ext_net to $int_net port 80 queue www
pass out on xl0 proto tcp from $ext_net to $int_net port { 21, 20 } queue ftp
pass out on xl0 proto tcp from any to any port 22 queue(ssh_bulk, ssh_login)

Then I test this configuration by generating http, ftp, ssh, etc. traffic (the traffic is going from external-network to internal-network). I looked at the pf status with the command "pfctl -vs all": all the traffic is in queue default, not in the individual queues (for ftp, http, ssh etc).
Is there any mistake in my pf.conf? Please help me. Thx.

Regards,
M. Toha S
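A queue-consistency check for a pf.conf of the shape posted above, as an added example that is not part of the thread and not pf's own parser: it reads the altq/queue declarations and the queue assignments of the filter rules, and reports undefined queues, a missing or duplicate default queue, over-committed child bandwidth, and leaf queues that no rule ever assigns (whose intended traffic therefore lands in the default queue). It understands only the subset of pf.conf syntax used in the post.

```python
import re

# Queue definitions and filter rules as quoted in the post above
PF_CONF = """
altq on xl0 cbq bandwidth 10Mb queue { www, ftp, ssh, std }
queue www bandwidth 25% priority 2 cbq(borrow)
queue ftp bandwidth 25% priority 2 cbq(borrow)
queue ssh bandwidth 25% { ssh_login, ssh_bulk }
queue ssh_login bandwidth 25% priority 4 cbq(ecn)
queue ssh_bulk bandwidth 75% cbq(ecn)
queue std bandwidth 25% priority 3 cbq(default borrow)
pass out on xl0 proto tcp from $ext_net to $int_net port 80 queue www
pass out on xl0 proto tcp from $ext_net to $int_net port { 21, 20 } queue ftp
pass out on xl0 proto tcp from any to any port 22 queue(ssh_bulk, ssh_login)
"""

def parse(conf):
    """Return (queues, refs): name -> (percent or None, children, is_default); the
    altq line is queue '_root'; refs are the queue names filter rules assign."""
    queues, refs = {}, []
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith(('altq on ', 'queue ')):
            name = '_root' if line.startswith('altq') else line.split()[1]
            bw = re.search(r'\bbandwidth\s+(\d+)%', line)   # percent shares only
            kids = re.search(r'\{([^}]*)\}', line)
            queues[name] = (int(bw.group(1)) if bw else None,
                            [k.strip() for k in kids.group(1).split(',')] if kids else [],
                            re.search(r'\([^)]*\bdefault\b', line) is not None)
        elif line.startswith(('pass', 'block')):
            # trailing 'queue name' or 'queue(name, name)' on a filter rule
            m = re.search(r'\bqueue\s*(?:\(([^)]*)\)|(\w+))\s*$', line)
            if m:
                refs += [n.strip() for n in (m.group(1) or m.group(2)).split(',')]
    return queues, refs

def check(conf):
    """List the problems found; an empty list means the queue setup is consistent."""
    queues, refs = parse(conf)
    problems = []
    defaults = [n for n, (_, _, d) in queues.items() if d]
    if len(defaults) != 1:
        problems.append('expected exactly one default queue, found %r' % defaults)
    for parent, (_, kids, _) in queues.items():
        problems += ['%s lists undefined child %s' % (parent, c) for c in kids if c not in queues]
        share = sum(queues[c][0] or 0 for c in kids if c in queues)  # relative to parent
        if share > 100:
            problems.append('children of %s request %d%% of its bandwidth' % (parent, share))
    problems += ['filter rule assigns undefined queue %s' % n for n in refs if n not in queues]
    # a leaf queue that no rule assigns never sees traffic; that traffic lands in the default queue
    problems += ['queue %s is never assigned by a filter rule' % n
                 for n, (_, kids, d) in queues.items()
                 if n != '_root' and not kids and not d and n not in refs]
    return problems
```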