From owner-freebsd-pf@FreeBSD.ORG Sun Aug 19 05:03:32 2007
Message-ID: <4d7dd86f0708182138x49da1b49le12461fbae2b6298@mail.gmail.com>
Date: Sun, 19 Aug 2007 14:38:28 +1000
From: "David N"
To: freebsd-pf@freebsd.org
Subject: Port Forwarding to different address

Hello,

FreeBSD 6.2

I've been at this for an entire day and completely stumped.

I'm trying to port forward from one port number to a different port number.

I tried the normal port forwarding (same port number), that works. But when I try different ones it doesn't work.

I know about the reflection problem, so I'm testing this via another remote machine.

ext_if="ng0"
int_if="re0"
int_net="192.168.1.0/24"

scrub in all

nat on $ext_if from $int_net to any -> ($ext_if)

rdr on $ext_if pro to tcp from any to any port 22011 -> 192.168.1.10 port 22

pass in all
pass out all

---- Snip

I've tried it with the same port, eg.
rdr on $ext_if proto tcp from any to any port 22 -> 192.168.1.10 port 22
that works.

But with the original rule I do
ssh -p 22011 example.net
ssh: connect to host example.net port 22011: Connection refused

I've tried
rdr on $ext_if pro to tcp from any to $ext_if port 22011 -> 192.168.1.10 port 22
with no luck as well

I have
net.inet.ip.forwarding: 1

I'm not quite sure what else to do.

Regards
David N

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 19 09:21:20 2007
From: "Greg Hennessy"
To: "'David N'"
References: <4d7dd86f0708182138x49da1b49le12461fbae2b6298@mail.gmail.com>
In-Reply-To: <4d7dd86f0708182138x49da1b49le12461fbae2b6298@mail.gmail.com>
Date: Sun, 19 Aug 2007 10:21:16 +0100
Message-ID: <000b01c7e242$4b76bc20$e2643460$@Hennessy@nviz.net>
Subject: RE: Port Forwarding to different address

[snip]

> scrub in all
>
> nat on $ext_if from $int_net to any -> ($ext_if)
>
> rdr on $ext_if pro to tcp from any to any port 22011 -> 192.168.1.10
> port 22
>

Add block log all here

> pass in all
> pass out all

Replace these with explicitly coded ingress and egress rules using 'keep state flags S/SA'.

In addition use tcpdump on the ingress and egress interfaces to determine if the redirect is working and to determine if the flow is transiting both interfaces.

Greg

>
> ---- Snip
>
> I've tried it with the same port, eg.
> rdr on $ext_if proto tcp from any to any port 22 -> 192.168.1.10 port
> 22
> that works.
>
> But with the original rule i do
> ssh -p 22011 example.net
> ssh: connect to host example.net port 22011: Connection refused
>
> I've tried
> rdr on $ext_if pro to tcp from any to $ext_if port 22011 ->
> 192.168.1.10 port 22
> with no luck as well
>
> I have
> net.inet.ip.forwarding: 1
>
> I'm not quite sure what else to do.
>
> Regards
> David N
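
Added example, not part of the thread and not written by either poster: one way to lay out the ruleset Greg Hennessy describes, with a logged default block and explicit stateful pass rules in place of `pass in all` / `pass out all`. The interface names, network, address and ports are the ones from David N's message; the `ssh_host` macro, the loopback rule and the outbound policy for the inside network are assumptions.

```conf
# pf.conf sketch (added example; not from the thread)
# Macros: the first three are from the original post, ssh_host is added here.
ext_if="ng0"
int_if="re0"
int_net="192.168.1.0/24"
ssh_host="192.168.1.10"

scrub in all

# Translation rules come before filter rules. Note the keyword is "proto".
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 22011 -> $ssh_host port 22

# Default deny, logged to pflog0, so anything the pass rules below miss
# shows up instead of being silently accepted or dropped.
block log all

# Assumption: local loopback traffic is left unfiltered.
pass quick on lo0 all

# Ingress on the outside interface. rdr is applied before filtering, so the
# filter rule matches the translated destination (192.168.1.10 port 22),
# not the original port 22011.
pass in log on $ext_if inet proto tcp from any to $ssh_host port 22 \
    flags S/SA keep state

# Egress on the inside interface: the forwarded packet is filtered again
# when it leaves towards the SSH host, so it needs its own rule.
pass out on $int_if inet proto tcp from any to $ssh_host port 22 \
    flags S/SA keep state

# Assumed policy for the inside network going out through NAT.
pass in  on $int_if inet proto tcp from $int_net to any flags S/SA keep state
pass in  on $int_if inet proto { udp, icmp } from $int_net to any keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } all keep state

# Checks to run on the firewall while a remote host connects to port 22011:
#   pfctl -nf /etc/pf.conf       parse only; a file that fails to parse is not loaded
#   pfctl -sn                    show the nat/rdr rules that are actually loaded
#   tcpdump -n -i ng0 tcp port 22011
#                                SYN arriving on the outside interface
#   tcpdump -n -i re0 host 192.168.1.10 and tcp port 22
#                                same flow leaving on the inside interface
#   tcpdump -n -e -ttt -i pflog0 packets matched by "block log all"
```

If the SYN is seen on ng0 but never on re0, the redirect or the ingress rule is not matching; if it is seen on both and no reply comes back, the problem is on the inside host or its return route.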

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 20 11:08:30 2007
Date: Mon, 20 Aug 2007 11:08:29 GMT
Message-Id: <200708201108.l7KB8TBs087502@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c

7 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 20 13:28:25 2007
From: Michal Varga
To: freebsd-pf@freebsd.org
Date: Mon, 20 Aug 2007 15:01:30 +0200
Message-Id: <1187614890.35857.15.camel@xenon.stonehenge.sk>
Subject: CBQ borrow still broken?

Guys, can anyone tell me what is the current status of this problem? -
http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003018.html

I've run into the same issues under FreeBSD 6.2-STABLE: Mon Aug 20 08:44:45 CEST 2007.

Later in the thread, Max Laier wrote:
"Is there a PR about the CBQ borrow issues? If not, could you file one? I won't get to it shortly."

I did search the PR database and didn't find anything relevant, so, was this issue completely forgotten, or did I miss something?

Or, at least, if this is somewhat unimportant bug and not to be fixed, does anyone know if the latest pf in -CURRENT behaves ok with cbq borrowing?

regards,
m.

--
Michal Varga
Stonehenge

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 20 14:21:05 2007
From: Michal Varga
To: freebsd-pf@freebsd.org
In-Reply-To: <1187614890.35857.15.camel@xenon.stonehenge.sk>
References: <1187614890.35857.15.camel@xenon.stonehenge.sk>
Date: Mon, 20 Aug 2007 16:20:46 +0200
Message-Id: <1187619646.35971.44.camel@xenon.stonehenge.sk>
Subject: Re: CBQ borrow still broken?

Ok, need to reply to myself: CBQ borrow does work, even though little strangely. For the record, here is what happened. Maybe someday will someone find this useful:

For the last two hours before I wrote my previous email, I was running tens after tens of bandwidth tests, trying to fine-tune the queue configuration to find out why 'borrow' refuses to take even a bit of free bandwidth, but to no avail. After I got tired of executing every possible load and queue combinations without any effect, I tried to google out some solution. I stumbled upon a number of threads discussing CBQ borrowing issues, with very similar setups and symptoms as was this one.

After I wrote my "me too" email and was about to tear down the whole thing, I clicked for the last batch of tests on a nearby client and was struck with the results, with borrow clearly visible working. This was without any changes to the pf configuration or anything else.

After that, I'm no longer able to reproduce the problem, borrow works pretty well with every *previously tried* combination I can remember and I can't force it to break again, even with hard reboots and wicked numbers.

The only explanation I have is that something went stuck previously when I was building and tuning the whole pf setup and pf flushed it long after, as there was about half an hour "cooldown" after my previous email, before I get back to shut it down (and found that everything already works perfectly). That's all I can guess as I really don't see into pf internals.

So, if you run into similar issues, try to reboot the pf machine a few times just to be sure, it won't hurt anything.

m.

On Mon, 2007-08-20 at 15:01 +0200, Michal Varga wrote:
> Guys, can anyone tell me what is the current status of this problem? -
> http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003018.html
>
> I've run into the same issues under FreeBSD 6.2-STABLE: Mon Aug 20
> 08:44:45 CEST 2007.
>
> Later in the thread, Max Laier wrote:
> "Is there a PR about the CBQ borrow issues? If not, could you file one?
> I won't get to it shortly."
>
> I did search the PR database and didn't find anything relevant, so, was
> this issue completely forgotten, or did I miss something?
>
> Or, at least, if this is somewhat unimportant bug and not to be fixed,
> does anyone know if the latest pf in -CURRENT behaves ok with cbq
> borrowing?
>
> regards,
> m.
>

--
Michal Varga
Stonehenge

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 21 11:12:41 2007
Date: Tue, 21 Aug 2007 11:12:40 GMT
Message-Id: <200708211112.l7LBCeoK085674@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/115640: [net] [pf] pfctl -k dont works

Synopsis: [net] [pf] pfctl -k dont works

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Aug 21 11:12:08 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=115640

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 22 03:53:39 2007
Message-ID: <8e10486b0708212053w3769b68dxd33b90b7b906e5e9@mail.gmail.com>
Date: Wed, 22 Aug 2007 00:53:37 -0300
From: "Alexandre Biancalana"
To: freebsd-pf@freebsd.org
Subject: ifconfig carpdev

Hi guys !

Someone have news about ifconfig carpdev option implementation on FreeBSD ?

I'm glad to test any patches!

Kind Regards,
Alexandre Biancalana

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 22 04:22:35 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 22 Aug 2007 06:22:19 +0200
References: <8e10486b0708212053w3769b68dxd33b90b7b906e5e9@mail.gmail.com>
In-Reply-To: <8e10486b0708212053w3769b68dxd33b90b7b906e5e9@mail.gmail.com>
Message-Id: <200708220622.28573.max@love2party.net>
Subject: Re: ifconfig carpdev

On Wednesday 22 August 2007, Alexandre Biancalana wrote:
> Someone have news about ifconfig carpdev option implementation on
> FreeBSD ?

I'm preoccupied with academia at the moment. I will do it after September 10th.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 22 08:15:23 2007
Date: Wed, 22 Aug 2007 01:01:44 -0700 (PDT)
From: Martha Pasikatan
To: freebsd-pf@freebsd.org
Message-ID: <603779.42061.qm@web44902.mail.sp1.yahoo.com>
Subject: PF + ALTQ: how to properly tag packets to belong to a queue

Hi,

First off, can I ask if there is a way to provide QOS at layer 2 currently using PF and ALTQ? If there is, I would be very grateful to anyone who can point me in the right direction.

Here's my problem, we are supposed to implement QOS for all subscribers (end to end). It's easy enough to implement using PF+ALTQ for the layer 3 protocols. But for those using layer 2 protocols such as L2TP, we are not able to implement QOS for them. So the packets end up going to the default queue which is not our ideal situation.

Does anyone have a solution for this?

Thanks,
matt

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 22 12:01:34 2007
Message-ID: <8e10486b0708220501m6c2c5f2bn270b498c8cc01062@mail.gmail.com>
Date: Wed, 22 Aug 2007 09:01:33 -0300
From: "Alexandre Biancalana"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200708220622.28573.max@love2party.net>
References: <8e10486b0708212053w3769b68dxd33b90b7b906e5e9@mail.gmail.com> <200708220622.28573.max@love2party.net>
Subject: Re: ifconfig carpdev

On 8/22/07, Max Laier wrote:
>
> On Wednesday 22 August 2007, Alexandre Biancalana wrote:
> > Someone have news about ifconfig carpdev option implementation on
> > FreeBSD ?
>
> I'm preoccupied with academia at the moment. I will do it after September
> 10th.

Great Max !! Thank you for the response.

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 22 15:32:23 2007
Date: Wed, 22 Aug 2007 15:32:23 GMT
Message-Id: <200708221532.l7MFWN5h087866@freefall.freebsd.org>
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: remko@FreeBSD.org
Subject: Re: kern/115725: pf nat -> ($if) works only intermittently

Synopsis: pf nat -> ($if) works only intermittently

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Wed Aug 22 15:32:08 UTC 2007
Responsible-Changed-Why:
Redirect to the PF team

http://www.freebsd.org/cgi/query-pr.cgi?pr=115725

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 22 20:11:42 2007
Message-ID: <55e8a96c0708221242h2d5e7d15q847e6fac7cf60554@mail.gmail.com>
Date: Wed, 22 Aug 2007 14:42:26 -0500
From: "Bill Marquette"
To: "freebsd-pf@freebsd.org"
Subject: pfsync errors

For the last two days I've been troubleshooting a weird issue where my
secondary firewall in a pfsync/carp cluster isn't maintaining a state
table similar in size to the primary - it's slowly increasing to the
max size. I think I've finally tracked it down to ip_output()
returning an error, but at this point I'm lost. The interfaces show
no errors, this box happily ran OpenBSD for the last three years with
no similar errors and has only started exhibiting this behavior after
converting it. I'm seeing this on multiple boxes, but am spending my
time troubleshooting just one. Any advice/assistance would be greatly
appreciated, I'm at a loss and this is affecting my production
environment.

We're running RELENG_6_2, nics are Intel PRO/1000's (copper, but the
cat-5e cable is a direct run to the 6513 switch one cabinet over -
15ft cable).

This is a netstat from the primary machine, the secondary has been
failed over to a couple times and looks similar (although
interestingly the cluster seems to handle being on the secondary box
better)

# netstat -s -p pfsync
pfsync:
        409302985 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for bad ttl
        0 packets shorter than header
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        0 packets discarded for bad action
        0 packets discarded for short packet
        0 states discarded for bad values
        0 stale states
        16980281 failed state lookup/inserts
        1541416698 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        182754275 send error

# netstat -i -Iem2
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
em2 1500 00:04:23:a6:b7:be 409328713 27 1359271127 0 0
em2 1500 192.168.100.2 l4dupfw140-sync 409327567 - 1359270884 - -

Thanks

--Bill

Date: Wed, 22 Aug 2007 22:00:11 GMT
Message-Id: <200708222200.l7MM0BIK027234@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier
Reply-To: Max Laier
Subject: Re: kern/115725: pf nat -> ($if) works only intermittently

The following reply was made to PR kern/115725; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, kjelderg@gmail.com
Cc:
Subject: Re: kern/115725: pf nat -> ($if) works only intermittently
Date: Wed, 22 Aug 2007 23:44:39 +0200

> nat pass on $ext_if from $freenx_jail_ip to any -> ($ext_if)
>
> When I then jexec a shell in the jail and try to do things on the
> network, only 1 in 3 or so connections would work. Ideally they should
> have all worked.

This usually happens when you have aliases on $ext_if. In this case
($ext_if) expands to a round-robin pool with all addresses assigned to
the interface. If you want to use the primary address on that interface
you can use the "($ext_if:0)" syntax to exclude aliases. If the address
you want to use is an alias, you have to specify it manually.

-- 
Max

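
An added example, not part of the thread or of pf itself: a shell check that flags nat rules translating to a bare "($macro)" when the interface carries more than one IPv4 address, which is the condition Max Laier's reply on kern/115725 describes. The interface name em0, the 192.0.2.x addresses and the function names are assumptions, the ifconfig output and rules are constructed samples, and the check assumes the rules name the interface through a macro.

```shell
#!/bin/sh
# Added example: find pf nat rules whose "-> ($if)" target becomes a
# round-robin pool because the interface has aliases.

# Constructed `ifconfig em0` output: one primary address and two aliases.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:5e:00:53:01
        inet6 fe80::200:5eff:fe00:5301%em0 prefixlen 64 scopeid 0x1
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
        inet 192.0.2.12 netmask 0xffffffff broadcast 192.0.2.12'

# Constructed pf.conf fragment; macro names follow the thread.
SAMPLE_RULES='ext_if="em0"
nat pass on $ext_if from $freenx_jail_ip to any -> ($ext_if)
nat on $ext_if from $int_net to any -> ($ext_if:0)'

# count_inet4 IFCONFIG_TEXT
# Prints the number of IPv4 addresses configured on the interface.
count_inet4() {
    printf '%s\n' "$1" | awk '$1 == "inet" { n++ } END { print n + 0 }'
}

# pool_rules RULES_TEXT MACRO
# Prints every nat rule that translates to "($MACRO)" with no ":0"
# modifier, i.e. the rules that draw on all addresses of the interface.
pool_rules() {
    printf '%s\n' "$1" | awk -v target="(\$$2)" '
        $1 == "nat" {
            for (i = 1; i < NF; i++)
                if ($i == "->" && $(i + 1) == target) { print; break }
        }'
}

# audit RULES_TEXT MACRO IFCONFIG_TEXT
# Returns 1 and prints the affected rules when aliases are present and at
# least one nat rule would round-robin over them; returns 0 otherwise.
audit() {
    naddr=$(count_inet4 "$3")
    hits=$(pool_rules "$1" "$2")
    if [ "$naddr" -gt 1 ] && [ -n "$hits" ]; then
        printf '%s IPv4 addresses on the interface; these rules use all of them:\n' "$naddr"
        printf '%s\n' "$hits"
        printf 'use ($%s:0) for the primary address, or name the alias explicitly\n' "$2"
        return 1
    fi
    return 0
}

# On a firewall: audit "$(cat /etc/pf.conf)" ext_if "$(ifconfig em0)"
audit "$SAMPLE_RULES" ext_if "$SAMPLE_IFCONFIG" || true
```
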
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 23 Aug 2007 00:06:16 +0200
Message-Id: <200708230006.32294.max@love2party.net>
Subject: Re: pfsync errors

On Wednesday 22 August 2007, Bill Marquette wrote:
> For the last two days I've been troubleshooting a weird issue where my
> secondary firewall in a pfsync/carp cluster isn't maintaining a state
> table similar in size to the primary - it's slowly increasing to the
> max size. I think I've finally tracked it down to ip_output()
> returning an error, but at this point I'm lost.
> The interfaces show no errors, this box happily ran OpenBSD for the
> last three years with no similar errors and has only started
> exhibiting this behavior after converting it. I'm seeing this on
> multiple boxes, but am spending my time troubleshooting just one.
> Any advice/assistance would be greatly appreciated, I'm at a loss and
> this is affecting my production environment.
>
> We're running RELENG_6_2, nics are Intel PRO/1000's (copper, but the
> cat-5e cable is a direct run to the 6513 switch one cabinet over -
> 15ft cable).
>
> This is a netstat from the primary machine, the secondary has been
> failed over to a couple times and looks similar (although
> interestingly the cluster seems to handle being on the secondary box
> better)
> # netstat -s -p pfsync
> pfsync:
>         409302985 packets received (IPv4)
>         0 packets received (IPv6)
>         0 packets discarded for bad interface
>         0 packets discarded for bad ttl
>         0 packets shorter than header
>         0 packets discarded for bad version
>         0 packets discarded for bad HMAC
>         0 packets discarded for bad action
>         0 packets discarded for short packet
>         0 states discarded for bad values
>         0 stale states
>         16980281 failed state lookup/inserts
>         1541416698 packets sent (IPv4)
>         0 packets sent (IPv6)
>         0 send failed due to mbuf memory error
>         182754275 send error

There are two reasons why we increase the send error counter. Either the
internal deferred work queue is full or ip_output fails. Could you
locate "pfsyncstats.pfsyncs_oerrors++" in your source code and replace
either occurrence with a printf(). Maybe use the attached. This way we
will know what exactly fails and if it is ip_output, why.

> # netstat -i -Iem2
> Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
> em2 1500 00:04:23:a6:b7:be 409328713 27 1359271127 0 0
> em2 1500 192.168.100.2 l4dupfw140-sync 409327567 - 1359270884 - -

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Type: text/x-diff; charset="iso-8859-1"; name="pfsync_error.diff"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="pfsync_error.diff"

Index: if_pfsync.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/if_pfsync.c,v retrieving revision 1.19.2.5 diff -u -r1.19.2.5 if_pfsync.c =2D-- if_pfsync.c 19 Jan 2007 23:01:26 -0000 1.19.2.5 +++ if_pfsync.c 22 Aug 2007 22:05:04 -0000 
@@ -1842,13 +1842,14 @@ { struct pfsync_softc *sc =3D (struct pfsync_softc *)arg; struct mbuf *m; + int error; =20 for(;;) { IF_DEQUEUE(&sc->sc_ifq, m); if (m =3D=3D NULL) break; =2D if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL)) =2D pfsyncstats.pfsyncs_oerrors++; + if ((error =3D ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL)= )) + printf("pfsync_senddef: ip_output %d\n", error); } } =20
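
Review bot: in the dequeue loop of pfsync_error.diff, the added printf("pfsync_senddef: ip_output %d\n", error) replaces the pfsyncstats.pfsyncs_oerrors++ increment instead of accompanying it, so while this diagnostic is applied ip_output failures stop being counted in the "send error" line of netstat -s -p pfsync and the log cannot be checked against the counter. Keep the increment and the printf together in a braced body under the if. The printf also fires once per failed packet inside for(;;); with a send error count as large as the one reported in this thread that can flood the console and message buffer, so print only when the error value changes, or rate-limit it.
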
From: mlaier@FreeBSD.org
Subject: Re: kern/115725: pf nat -> ($if) works only intermittently
X-List-Received-Date: Wed, 22 Aug 2007 22:11:13 -0000

Synopsis: pf nat -> ($if) works only intermittently

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Wed Aug 22 22:10:23 UTC 2007
State-Changed-Why:
Solution confirmed by submitter. Thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=115725

Message-ID: <4d7dd86f0708222110r591877f7xb6c981f0d0bacf6f@mail.gmail.com>
Date: Thu, 23 Aug 2007 14:10:42 +1000
From: "David N"
To: "Greg Hennessy"
Cc: freebsd-pf@freebsd.org
Subject: Re: Port Forwarding to different address

On 19/08/07, Greg Hennessy wrote:
> [snip]
>
> > scrub in all
> >
> > nat on $ext_if from $int_net to any -> ($ext_if)
> >
> > rdr on $ext_if pro to tcp from any to any port 22011 -> 192.168.1.10
> > port 22
> >
>
> Add
>
> block log all
> here
>
> > pass in all
> > pass out all
>
> Replace these with explicitly coded ingress and egress rules using 'keep
> state flags S/SA'.
>
> In addition use tcpdump on the ingress and egress interfaces to determine if
> the redirect is working and to determine if the flow is transiting both
> interfaces.
>
>
> Greg
>
> >
> >
> > ---- Snip
> >
> > I've tried it with the same port, eg.
> > rdr on $ext_if proto tcp from any to any port 22 -> 192.168.1.10 port
> > 22
> > that works.
> >
> > But with the original rule i do
> > ssh -p 22011 example.net
> > ssh: connect to host example.net port 22011: Connection refused
> >
> > I've tried
> > rdr on $ext_if pro to tcp from any to $ext_if port 22011 ->
> > 192.168.1.10 port 22
> > with no luck as well
> >
> > I have
> > net.inet.ip.forwarding: 1
> >
> > I'm not quite sure what else to do.
> >
> > Regards
> > David N
>
>

Thanks, did a block log all and from the remote side it still wouldn't
let me connect, but didn't get a log either =)

The remote host I was trying to connect from was blocking all outgoing
connections.

Changed hosts and all is working

Regards
David N

Message-ID: <46CDBE22.3030806@gmail.com>
Date: Thu, 23 Aug 2007 19:04:34 +0200
From: Istvan Szukacs
To: freebsd-pf@freebsd.org
Subject: Re: kern/115725: pf nat -> ($if) works only intermittently

hi guys!

the problem is that the pf fails to recognize if an ip alias
______was_____ removed from the interface thereby it remains in the
round robin pool

thx,
lix

mlaier@FreeBSD.org wrote:
> Synopsis: pf nat -> ($if) works only intermittently
>
> State-Changed-From-To: open->closed
> State-Changed-By: mlaier
> State-Changed-When: Wed Aug 22 22:10:23 UTC 2007
> State-Changed-Why:
> Solution confirmed by submitter. Thanks.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=115725

Message-ID: <55e8a96c0708232158v378d62es60b71906f99ba9b8@mail.gmail.com>
Date: Thu, 23 Aug 2007 23:58:15 -0500
From: "Bill Marquette"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync errors

On 8/22/07, Max Laier wrote:
> There are two reasons why we increase the send error counter. Either the
> internal deferred work queue is full or ip_output fails. Could you
> locate "pfsyncstats.pfsyncs_oerrors++" in your source code and replace
> either occurrence with a printf(). Maybe use the attached. This way we
> will know what exactly fails and if it is ip_output, why.

Thanks, we'll give it a shot shortly.

--Bill

Date: Fri, 24 Aug 2007 08:50:13 GMT
Message-Id: <200708240850.l7O8oDYW062636@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Daniel Hartmeier
Reply-To: Daniel Hartmeier
Subject: Re: kern/110698: nat rule of pf without "on" clause causes invalid packed chksum

The following reply was made to PR kern/110698; it has been noted by GNATS.

From: Daniel Hartmeier
To: "Vladimir V. Kalashnikov"
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/110698: nat rule of pf without "on" clause causes invalid packed chksum
Date: Fri, 24 Aug 2007 10:45:44 +0200

On Fri, Mar 23, 2007 at 10:13:48AM +0200, Vladimir V. Kalashnikov wrote:

> ###### S, cksum 0xee62 (incorrect (-> 0xfcc5), 3464239052:3464239052(0)
> ###### here the effect ^^^^^^^^^^^^^^^^^^^^^^^

Can you make sure that packets with invalid checksums really go out on
the wire, by tcpdumping from another host on the network?

When tcpdumping on the endpoint, it's possible to see misleading
'incorrect' checksums due to hardware checksumming, i.e. the checksums
get correctly set by the NIC and the packets on the wire have correct
checksums.

Daniel

Date: Fri, 24 Aug 2007 08:54:40 GMT
Message-Id: <200708240854.l7O8seZh062740@freefall.freebsd.org>
To: volker@vwsoft.com, dhartmei@FreeBSD.org, freebsd-pf@FreeBSD.org
From: dhartmei@FreeBSD.org
Subject: Re: kern/103304: [pf] pf accepts nonexistent queue in rules

Synopsis: [pf] pf accepts nonexistent queue in rules

State-Changed-From-To: open->closed
State-Changed-By: dhartmei
State-Changed-When: Fri Aug 24 08:54:05 UTC 2007
State-Changed-Why:
not a bug

http://www.freebsd.org/cgi/query-pr.cgi?pr=103304

Date: Fri, 24 Aug 2007 09:00:09 GMT
Message-Id: <200708240900.l7O909Hd062967@freefall.freebsd.org>
To: t@dim.kiev.ua, dhartmei@FreeBSD.org, freebsd-pf@FreeBSD.org
From: dhartmei@FreeBSD.org
Subject: Re: kern/110174: [pf] pf pass route-to does not assign correct IP for the packets created on the same pf-host

Synopsis: [pf] pf pass route-to does not assign correct IP for the packets created on the same pf-host

State-Changed-From-To: open->closed
State-Changed-By: dhartmei
State-Changed-When: Fri Aug 24 08:57:48 UTC 2007
State-Changed-Why:
pf can't influence what address a socket gets bound to, the route-to
happens much later in the process. you can use pf nat to translate the
source address at this point.

http://www.freebsd.org/cgi/query-pr.cgi?pr=110174