From owner-freebsd-pf@FreeBSD.ORG Sun Nov 25 10:28:21 2007
Message-ID: <474948BE.1000704@opengea.org>
Date: Sun, 25 Nov 2007 11:04:46 +0100
From: Jordi Espasa Clofent
To: freebsd-pf@freebsd.org
Subject: Transparent FW: PF+briging mode
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hi all,

I'm planning to build a transparent FW using PF+bridging mode; the network architecture will be:

[Internet] <-> ( xl0 ) ( xl2 ) <-> ( switches ) <-> ( clients with /23 public IPs )

I've read a lot on this list and in other places about some problems with bridging mode and PF, but I don't understand exactly where the problem is. Maybe it's an old problem that is solved at the present moment, because these posts were from 2004/2005 and related to 5.x:

http://lists.freebsd.org/mailman/htdig/freebsd-pf/2005-August/001369.html
http://lists.freebsd.org/mailman/htdig/freebsd-pf/2005-January/000745.html
http://lists.freebsd.org/pipermail/freebsd-pf/2005-November/001697.html

My questions are:

Is it possible to build the architecture mentioned above with _ALL_ pf features available?

Can the FW (pf) inspect and act on the packets which pass through the bridge with clients as final destination?

Are there differences related to this problem between the 6.x and 7.x branches?

--
Thanks
Jordi Espasa Clofent

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 26 11:07:04 2007
Date: Mon, 26 Nov 2007 11:07:03 GMT
Message-Id: <200711261107.lAQB73J7025514@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/110698  pf     [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf     [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf     [pf] kernel panic with pf and ng

5 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf     [pf] pf reply-to doesn't work
o kern/106400  pf     [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf     tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf     [RFE] pfctl -k does not work in securelevel 3

7 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 27 00:17:54 2007
Message-ID: <474B5BD0.6040004@kasimir.com>
Date: Tue, 27 Nov 2007 00:50:40 +0100
From: Florian Smeets
To: freebsd-pf@freebsd.org
Subject: 7-STABLE panic: mtx_lock() of spin mutex %s @ %s:%d

Hi

I was able to reproduce a hang on a 7-STABLE (csuped just after Scott's critical section MFC) firewall which runs mpd4 from ports and uses pf for packet filtering. Sometimes when I restart mpd4 the box just hangs. I have an up-script which calls /sbin/pfctl -f /etc/pf.conf.

After adding witness and invariants, instead of the hang I get this LOR:

Nov 26 18:06:39 fw-a kernel: lock order reversal:
Nov 26 18:06:39 fw-a kernel: 1st 0xc0762a8c pf task mtx (pf task mtx) @ /usr/src/sys/contrib/pf/net/pf_ioctl.c:1304
Nov 26 18:06:39 fw-a kernel: 2nd 0xc07c470c ifnet (ifnet) @ /usr/src/sys/net/if.c:1494
Nov 26 18:06:39 fw-a kernel: KDB: stack backtrace:
Nov 26 18:06:39 fw-a kernel: db_trace_self_wrapper(c0707544,ccdb7a3c,c054c0ae,c07098ff,c07c470c,...) at db_trace_self_wrapper+0x26
Nov 26 18:06:39 fw-a kernel: kdb_backtrace(c07098ff,c07c470c,c0710de4,c0710de4,c0710c3d,...) at kdb_backtrace+0x29
Nov 26 18:06:39 fw-a kernel: witness_checkorder(c07c470c,9,c0710c3d,5d6,0,...) at witness_checkorder+0x6de
Nov 26 18:06:39 fw-a kernel: _mtx_lock_flags(c07c470c,0,c0710c3d,5d6,c205e520,...) at _mtx_lock_flags+0xbc
Nov 26 18:06:39 fw-a kernel: ifunit(c205e520,0,c06f5a82,518,ccdb7ab8,...) at ifunit+0x2f
Nov 26 18:06:39 fw-a kernel: pfioctl(c1d82600,c0104414,c205e520,3,c224da50,...) at pfioctl+0x2341
Nov 26 18:06:39 fw-a kernel: devfs_ioctl_f(c1e55ca8,c0104414,c205e520,c1c97c00,c224da50,...) at devfs_ioctl_f+0xc9
Nov 26 18:06:39 fw-a kernel: kern_ioctl(c224da50,3,c0104414,c205e520,1000000,...) at kern_ioctl+0x243
Nov 26 18:06:39 fw-a kernel: ioctl(c224da50,ccdb7cfc,c,c072bdfe,c0739810,...) at ioctl+0x134
Nov 26 18:06:39 fw-a kernel: syscall(ccdb7d38) at syscall+0x2b3
Nov 26 18:06:39 fw-a kernel: Xint0x80_syscall() at Xint0x80_syscall+0x20
Nov 26 18:06:39 fw-a kernel: --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x281a6d43, esp = 0xbfbfde4c, ebp = 0xbfbfde78 ---

and shortly after that this page fault:

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xdeadc0de
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc059e4a8
stack pointer = 0x28:0xccd41890
frame pointer = 0x28:0xccd41890
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1474 (pfctl)
Physical memory: 245 MB
Dumping 60 MB: 45 29 13

#0 doadump () at pcpu.h:195
195 pcpu.h: No such file or directory.
 in pcpu.h
(kgdb) list *0xc059e4a8
0xc059e4a8 is in strlen (/usr/src/sys/libkern/strlen.c:41).
36 strlen(str)
37 const char *str;
38 {
39 register const char *s;
40
41 for (s = str; *s; ++s);
42 return(s - str);
43 }
44
(kgdb) bt
#0 doadump () at pcpu.h:195
#1 0xc046dc59 in db_fncall (dummy1=-858515768, dummy2=0, dummy3=12, dummy4=0xccd41634 "") at /usr/src/sys/ddb/db_command.c:486
#2 0xc046e1c5 in db_command_loop () at /usr/src/sys/ddb/db_command.c:401
#3 0xc046f935 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:222
#4 0xc053bbe4 in kdb_trap (type=12, code=0, tf=0xccd41850) at /usr/src/sys/kern/subr_kdb.c:502
#5 0xc06d02df in trap_fatal (frame=0xccd41850, eva=3735929054) at /usr/src/sys/i386/i386/trap.c:863
#6 0xc06d0513 in trap_pfault (frame=0xccd41850, usermode=0, eva=3735929054) at /usr/src/sys/i386/i386/trap.c:785
#7 0xc06d0eb5 in trap (frame=0xccd41850) at /usr/src/sys/i386/i386/trap.c:463
#8 0xc06b970b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#9 0xc059e4a8 in strlen (str=0xdeadc0de <Address 0xdeadc0de out of bounds>) at /usr/src/sys/libkern/strlen.c:41
#10 0xc053e4e5 in kvprintf (fmt=0xc0703a1c " @ %s:%d", func=0xc053d9a0 , arg=0xccd419d0, radix=10, ap=0xccd41a0c " Mo??\001") at /usr/src/sys/kern/subr_prf.c:750
#11 0xc053ed2b in vsnprintf (str=0xc0779380 "mtx_lock() of spin mutex ", size=256, format=0xc0703a01 "mtx_lock() of spin mutex %s @ %s:%d", ap=0xccd41a08 "???? Mo??\001") at /usr/src/sys/kern/subr_prf.c:483
#12 0xc05152f3 in panic (fmt=0xc0703a01 "mtx_lock() of spin mutex %s @ %s:%d") at /usr/src/sys/kern/kern_shutdown.c:530
#13 0xc0509eba in _mtx_lock_flags (m=0xc1d3ad0c, opts=0, file=0xc06f4d20 "/usr/src/sys/contrib/altq/altq/altq_priq.c", line=416) at /usr/src/sys/kern/kern_mutex.c:180
#14 0xc0437b83 in priq_class_destroy (cl=0xc22138c0) at /usr/src/sys/contrib/altq/altq/altq_priq.c:416
#15 0xc0437c7d in priq_remove_altq (a=0xc2048a80) at /usr/src/sys/contrib/altq/altq/altq_priq.c:252
#16 0xc0438635 in altq_remove (a=0xc2048a80) at /usr/src/sys/contrib/altq/altq/altq_subr.c:650
#17 0xc04508ee in pf_commit_altq (ticket=5) at /usr/src/sys/contrib/pf/net/pf_ioctl.c:867
#18 0xc0456341 in pfioctl (dev=0xc1d82600, cmd=3222029394, addr=0xc22d32e0 "\a", flags=3, td=0xc2014a50) at /usr/src/sys/contrib/pf/net/pf_ioctl.c:3170
#19 0xc04bcfe9 in devfs_ioctl_f (fp=0xc20270d8, com=3222029394, data=0xc22d32e0, cred=0xc200bd00, td=0xc2014a50) at /usr/src/sys/fs/devfs/devfs_vnops.c:494
#20 0xc054d563 in kern_ioctl (td=0xc2014a50, fd=3, com=3222029394, data=0xc22d32e0 "\a") at file.h:266
#21 0xc054d6c4 in ioctl (td=0xc2014a50, uap=0xccd41cfc) at /usr/src/sys/kern/sys_generic.c:570
#22 0xc06d07f3 in syscall (frame=0xccd41d38) at /usr/src/sys/i386/i386/trap.c:1008
#23 0xc06b9770 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
#24 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 13
#13 0xc0509eba in _mtx_lock_flags (m=0xc1d3ad0c, opts=0, file=0xc06f4d20 "/usr/src/sys/contrib/altq/altq/altq_priq.c", line=416) at /usr/src/sys/kern/kern_mutex.c:180
180 KASSERT(LOCK_CLASS(&m->lock_object) == &lock_class_mtx_sleep,
(kgdb) list
175 {
176
177 MPASS(curthread != NULL);
178 KASSERT(m->mtx_lock != MTX_DESTROYED,
179 ("mtx_lock() of destroyed mutex @ %s:%d", file, line));
180 KASSERT(LOCK_CLASS(&m->lock_object) == &lock_class_mtx_sleep,
181 ("mtx_lock() of spin mutex %s @ %s:%d", m->lock_object.lo_name,
182 file, line));
183 WITNESS_CHECKORDER(&m->lock_object, opts | LOP_NEWORDER | LOP_EXCLUSIVE,
184 file, line);
(kgdb)

As the panic/page fault seems to be connected to the altq/priq rules I have added the definition of the altq part

altq on $ext_if priq bandwidth 960Kb qlimit 250 queue { std_out, smtp_out, ssh_out, tcp_ack_out }

queue smtp_out priq(default) qlimit 250
queue std_out priority 2 qlimit 250
queue ssh_out priority 5 qlimit 250
queue tcp_ack_out priority 6 qlimit 250

And of course there are some pass rules which add packets to the queues.

Is there anything else needed from the core dump?

Cheers
Florian

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 27 00:30:09 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 27 Nov 2007 01:29:54 +0100
References: <474B5BD0.6040004@kasimir.com>
In-Reply-To: <474B5BD0.6040004@kasimir.com>
Message-Id: <200711270130.01165.max@love2party.net>
Subject: Re: 7-STABLE panic: mtx_lock() of spin mutex %s @ %s:%d

On Tuesday 27 November 2007, Florian Smeets wrote:
> Hi
>
> I was able to reproduce a hang on a 7-STABLE (csuped just after Scott's
> critical section MFC) firewall which runs mpd4 from ports and uses pf
> for packet filtering. Sometimes when I restart mpd4 the box just hangs.
> I have an up-script which calls /sbin/pfctl -f /etc/pf.conf.

It's an ALTQ problem, really. I don't know if there is a down-script that runs before the interface is destroyed, but if there is - adding pfctl -Fq there should work around your problem. I did have some patches to have ALTQ working with dynamic interfaces, but I must have dropped them. I'll see what I can dig up in the next few days.

In short:
altq on foo0 ...
ifconfig foo0 destroy
-> BOOM!

mpd has the unfortunate habit of destroying its interface on session restart - there might be ways to change that, though.

> After adding witness and invariants, instead of the hang I get this LOR:
>
> Nov 26 18:06:39 fw-a kernel: lock order reversal:
> Nov 26 18:06:39 fw-a kernel: 1st 0xc0762a8c pf task mtx (pf task mtx) @ /usr/src/sys/contrib/pf/net/pf_ioctl.c:1304
> Nov 26 18:06:39 fw-a kernel: 2nd 0xc07c470c ifnet (ifnet) @ /usr/src/sys/net/if.c:1494
> Nov 26 18:06:39 fw-a kernel: KDB: stack backtrace:
> Nov 26 18:06:39 fw-a kernel: db_trace_self_wrapper(c0707544,ccdb7a3c,c054c0ae,c07098ff,c07c470c,...) at db_trace_self_wrapper+0x26
> Nov 26 18:06:39 fw-a kernel: kdb_backtrace(c07098ff,c07c470c,c0710de4,c0710de4,c0710c3d,...) at kdb_backtrace+0x29
> Nov 26 18:06:39 fw-a kernel: witness_checkorder(c07c470c,9,c0710c3d,5d6,0,...) at witness_checkorder+0x6de
> Nov 26 18:06:39 fw-a kernel: _mtx_lock_flags(c07c470c,0,c0710c3d,5d6,c205e520,...) at _mtx_lock_flags+0xbc
> Nov 26 18:06:39 fw-a kernel: ifunit(c205e520,0,c06f5a82,518,ccdb7ab8,...) at ifunit+0x2f
> Nov 26 18:06:39 fw-a kernel: pfioctl(c1d82600,c0104414,c205e520,3,c224da50,...) at pfioctl+0x2341
> Nov 26 18:06:39 fw-a kernel: devfs_ioctl_f(c1e55ca8,c0104414,c205e520,c1c97c00,c224da50,...) at devfs_ioctl_f+0xc9
> Nov 26 18:06:39 fw-a kernel: kern_ioctl(c224da50,3,c0104414,c205e520,1000000,...) at kern_ioctl+0x243
> Nov 26 18:06:39 fw-a kernel: ioctl(c224da50,ccdb7cfc,c,c072bdfe,c0739810,...) at ioctl+0x134
> Nov 26 18:06:39 fw-a kernel: syscall(ccdb7d38) at syscall+0x2b3
> Nov 26 18:06:39 fw-a kernel: Xint0x80_syscall() at Xint0x80_syscall+0x20
> Nov 26 18:06:39 fw-a kernel: --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x281a6d43, esp = 0xbfbfde4c, ebp = 0xbfbfde78 ---
>
>
> and shortly after that this page fault:
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address = 0xdeadc0de
> fault code = supervisor read, page not present
> instruction pointer = 0x20:0xc059e4a8
> stack pointer = 0x28:0xccd41890
> frame pointer = 0x28:0xccd41890
> code segment = base 0x0, limit 0xfffff, type 0x1b
>  = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 1474 (pfctl)
> Physical memory: 245 MB
> Dumping 60 MB: 45 29 13
>
> #0 doadump () at pcpu.h:195
> 195 pcpu.h: No such file or directory.
>  in pcpu.h
> (kgdb) list *0xc059e4a8
> 0xc059e4a8 is in strlen (/usr/src/sys/libkern/strlen.c:41).
> 36 strlen(str)
> 37 const char *str;
> 38 {
> 39 register const char *s;
> 40
> 41 for (s = str; *s; ++s);
> 42 return(s - str);
> 43 }
> 44
> (kgdb) bt
> #0 doadump () at pcpu.h:195
> #1 0xc046dc59 in db_fncall (dummy1=-858515768, dummy2=0, dummy3=12, dummy4=0xccd41634 "") at /usr/src/sys/ddb/db_command.c:486
> #2 0xc046e1c5 in db_command_loop () at /usr/src/sys/ddb/db_command.c:401
> #3 0xc046f935 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:222
> #4 0xc053bbe4 in kdb_trap (type=12, code=0, tf=0xccd41850) at /usr/src/sys/kern/subr_kdb.c:502
> #5 0xc06d02df in trap_fatal (frame=0xccd41850, eva=3735929054) at /usr/src/sys/i386/i386/trap.c:863
> #6 0xc06d0513 in trap_pfault (frame=0xccd41850, usermode=0, eva=3735929054) at /usr/src/sys/i386/i386/trap.c:785
> #7 0xc06d0eb5 in trap (frame=0xccd41850) at /usr/src/sys/i386/i386/trap.c:463
> #8 0xc06b970b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #9 0xc059e4a8 in strlen (str=0xdeadc0de <Address 0xdeadc0de out of bounds>) at /usr/src/sys/libkern/strlen.c:41
> #10 0xc053e4e5 in kvprintf (fmt=0xc0703a1c " @ %s:%d", func=0xc053d9a0 , arg=0xccd419d0, radix=10, ap=0xccd41a0c " Mo??\001") at /usr/src/sys/kern/subr_prf.c:750
> #11 0xc053ed2b in vsnprintf (str=0xc0779380 "mtx_lock() of spin mutex ", size=256, format=0xc0703a01 "mtx_lock() of spin mutex %s @ %s:%d", ap=0xccd41a08 "???? Mo??\001") at /usr/src/sys/kern/subr_prf.c:483
> #12 0xc05152f3 in panic (fmt=0xc0703a01 "mtx_lock() of spin mutex %s @ %s:%d") at /usr/src/sys/kern/kern_shutdown.c:530
> #13 0xc0509eba in _mtx_lock_flags (m=0xc1d3ad0c, opts=0, file=0xc06f4d20 "/usr/src/sys/contrib/altq/altq/altq_priq.c", line=416) at /usr/src/sys/kern/kern_mutex.c:180
> #14 0xc0437b83 in priq_class_destroy (cl=0xc22138c0) at /usr/src/sys/contrib/altq/altq/altq_priq.c:416
> #15 0xc0437c7d in priq_remove_altq (a=0xc2048a80) at /usr/src/sys/contrib/altq/altq/altq_priq.c:252
> #16 0xc0438635 in altq_remove (a=0xc2048a80) at /usr/src/sys/contrib/altq/altq/altq_subr.c:650
> #17 0xc04508ee in pf_commit_altq (ticket=5) at /usr/src/sys/contrib/pf/net/pf_ioctl.c:867
> #18 0xc0456341 in pfioctl (dev=0xc1d82600, cmd=3222029394, addr=0xc22d32e0 "\a", flags=3, td=0xc2014a50) at /usr/src/sys/contrib/pf/net/pf_ioctl.c:3170
> #19 0xc04bcfe9 in devfs_ioctl_f (fp=0xc20270d8, com=3222029394, data=0xc22d32e0, cred=0xc200bd00, td=0xc2014a50) at /usr/src/sys/fs/devfs/devfs_vnops.c:494
> #20 0xc054d563 in kern_ioctl (td=0xc2014a50, fd=3, com=3222029394, data=0xc22d32e0 "\a") at file.h:266
> #21 0xc054d6c4 in ioctl (td=0xc2014a50, uap=0xccd41cfc) at /usr/src/sys/kern/sys_generic.c:570
> #22 0xc06d07f3 in syscall (frame=0xccd41d38) at /usr/src/sys/i386/i386/trap.c:1008
> #23 0xc06b9770 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
> #24 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) frame 13
> #13 0xc0509eba in _mtx_lock_flags (m=0xc1d3ad0c, opts=0, file=0xc06f4d20 "/usr/src/sys/contrib/altq/altq/altq_priq.c", line=416) at /usr/src/sys/kern/kern_mutex.c:180
> 180 KASSERT(LOCK_CLASS(&m->lock_object) == &lock_class_mtx_sleep,
> (kgdb) list
> 175 {
> 176
> 177 MPASS(curthread != NULL);
> 178 KASSERT(m->mtx_lock != MTX_DESTROYED,
> 179 ("mtx_lock() of destroyed mutex @ %s:%d", file, line));
> 180 KASSERT(LOCK_CLASS(&m->lock_object) == &lock_class_mtx_sleep,
> 181 ("mtx_lock() of spin mutex %s @ %s:%d", m->lock_object.lo_name,
> 182 file, line));
> 183 WITNESS_CHECKORDER(&m->lock_object, opts | LOP_NEWORDER | LOP_EXCLUSIVE,
> 184 file, line);
> (kgdb)
>
>
> As the panic/page fault seems to be connected to the altq/priq rules I
> have added the definition of the altq part
>
> altq on $ext_if priq bandwidth 960Kb qlimit 250 queue { std_out, smtp_out, ssh_out, tcp_ack_out }
>
> queue smtp_out priq(default) qlimit 250
> queue std_out priority 2 qlimit 250
> queue ssh_out priority 5 qlimit 250
> queue tcp_ack_out priority 6 qlimit 250
>
> And of course there are some pass rules which add packets to the
> queues.
>
> Is there anything else needed from the core dump?

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 27 09:30:11 2007
Message-ID: <474BE383.6050905@kasimir.com>
Date: Tue, 27 Nov 2007 10:29:39 +0100
From: Florian Smeets
To: Max Laier
References: <474B5BD0.6040004@kasimir.com> <200711270130.01165.max@love2party.net>
In-Reply-To: <200711270130.01165.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: 7-STABLE panic: mtx_lock() of spin mutex %s @ %s:%d

Max Laier wrote:
> On Tuesday 27 November 2007, Florian Smeets wrote:
>> Hi
>>
>> I was able to reproduce a hang on a 7-STABLE (csuped just after Scott's
>> critical section MFC) firewall which runs mpd4 from ports and uses pf
>> for packet filtering. Sometimes when I restart mpd4 the box just hangs.
>> I have an up-script which calls /sbin/pfctl -f /etc/pf.conf.
>
> It's an ALTQ problem, really. I don't know if there is a down-script that
> runs before the interface is destroyed, but if there is - adding
> pfctl -Fq there should work around your problem. I did have some patches
> to have ALTQ working with dynamic interfaces, but I must have dropped
> them. I'll see what I can dig up in the next few days.
>

That would be great. I have a second non productive box where I can reproduce the problem. I'll be glad to test any patches.

Cheers
Florian

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 27 15:55:55 2007
Date: Tue, 27 Nov 2007 18:41:14 +0300
From: Roman Bogorodskiy
To: freebsd-pf@freebsd.org
Message-ID: <20071127154114.GA12469@underworld.novel.ru>
X-PGP: http://people.freebsd.org/~novel/novel.key.asc
Subject: weird nested anchors behaviour

Hi,

I have a weird problem with pf nested anchors.

(18:31) novel@novel:~ %> sudo pfctl -s Anchors
 0001
 clients
(18:31) novel@novel:~ %> sudo pfctl -a "clients/test" -f rule
(18:32) novel@novel:~ %> sudo pfctl -s Anchors
 0001
 clients
 test
(18:32) novel@novel:~ %> sudo pfctl -s Anchors -a clients
 clients/0001
 clients/foobar
 clients/test
(18:32) novel@novel:~ %> cat rule
pass in quick on tun0 from 172.22.7.7 to label "st:4:test2@foo:2:1:foo:in"
pass out quick on tun0 from to 172.22.7.7 label "st:4:test2@foo:2:1:foo:out"
(18:32) novel@novel:~ %>

Why does it create a global anchor 'test' when it should create just a nested anchor 'clients/test'?

I noticed this happens only if I use tables in rules for the nested anchor. However, it doesn't matter if these tables are local or global, defined or not; it doesn't make any difference.

Moreover, I cannot flush anchors created that way (usually "pfctl -a anchor -F all" removes anchors from the list, but it doesn't happen for the anchors created that way).

Is it expected behaviour, or maybe I'm missing something?

I've tested it on two boxes, both are 6.2-STABLE, one is i386 and the other is amd64.

Roman Bogorodskiy

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 27 20:44:03 2007
From: Max Laier
Organization: FreeBSD
To: Florian Smeets
Date: Tue, 27 Nov 2007 21:44:46 +0100
References: <474B5BD0.6040004@kasimir.com> <200711270130.01165.max@love2party.net> <474BE383.6050905@kasimir.com>
In-Reply-To: <474BE383.6050905@kasimir.com>
Message-Id: <200711272144.52511.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: ALTQ for dynamic interfaces [Re: 7-STABLE panic: mtx_lock() of spin mutex %s @ %s:%d]

On Tuesday 27 November 2007, Florian Smeets wrote:
> Max Laier wrote:
> > On Tuesday 27 November 2007, Florian Smeets wrote:
> >> Hi
> >>
> >> I was able to reproduce a hang on a 7-STABLE (csuped just after
> >> Scott's critical section MFC) firewall which runs mpd4 from ports and
> >> uses pf for packet filtering. Sometimes when I restart mpd4 the box
> >> just hangs. I have an up-script which calls /sbin/pfctl -f
> >> /etc/pf.conf.
> >
> > It's an ALTQ problem, really. I don't know if there is a down-script
> > that runs before the interface is destroyed, but if there is - adding
> > pfctl -Fq there should work around your problem. I did have some
> > patches to have ALTQ working with dynamic interfaces, but I must have
> > dropped them. I'll see what I can dig up in the next few days.
>
> That would be great. I have a second non productive box where I can
> reproduce the problem. I'll be glad to test any patches.

Okay ... try this. Not final yet, but should be functional. With this you should be able to:
1) Safely remove an interface with active queues
2) Re-add the interface and *magically* get the queues back
3) Write queue rules for non-existing interfaces
 - Note that we will assume an MTU of 1500 and you have to specify a fixed bandwidth as we don't know the interface's native speed
 - Obviously these queues will be activated as soon as a matching interface is created.

BUGS: Doesn't print queues on removed interfaces at all. Should be changed to something like "queue foo on bar0 (N/A) ...", but it seems I was too strict with the local_flags. The error handling might need some work in order to avoid panic if something goes wrong while we de-activate queues.

I'd like to hear back from you in order to see if I at least got the basic workings right enough so you can survive the mpd interface destroy. Could you - in addition to your current setup w/ if-up script - also test the magic part? i.e. load the ruleset before loading mpd.
This should now be possible as long as you don't put "set loginterface" or
fixed interface-to-address src/dst in it \o/

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Type: text/x-diff; charset="iso-8859-1"; name="pf.dyn_altq.diff"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="pf.dyn_altq.diff"

diff --git a/contrib/pf/pfctl/pfctl_altq.c b/contrib/pf/pfctl/pfctl_altq.c index 9104f5a..d2a21c8 100644 =2D-- a/contrib/pf/pfctl/pfctl_altq.c +++ b/contrib/pf/pfctl/pfctl_altq.c @@ -154,6 +154,10 @@ print_altq(const struct pf_altq *a, unsigned level, st= ruct node_queue_bw *bw, } =20 printf("altq on %s ", a->ifname); +#ifdef __FreeBSD__ + if (a->local_flags) + printf("N/A "); +#endif =20 switch (a->scheduler) { case ALTQT_CBQ: @@ -1145,7 +1149,11 @@ getifmtu(char *ifname) sizeof(ifr.ifr_name)) errx(1, "getifmtu: strlcpy"); if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) =3D=3D -1) +#ifdef __FreeBSD__ + ifr.ifr_mtu =3D 1500; +#else err(1, "SIOCGIFMTU"); +#endif if (shutdown(s, SHUT_RDWR) =3D=3D -1) err(1, "shutdown"); if (close(s)) diff --git a/contrib/pf/pfctl/pfctl_qstats.c b/contrib/pf/pfctl/pfctl_qstat= s.c index 3eb2987..15695cb 100644 =2D-- a/contrib/pf/pfctl/pfctl_qstats.c +++ b/contrib/pf/pfctl/pfctl_qstats.c @@ -157,7 +157,11 @@ pfctl_update_qstats(int dev, struct pf_altq_node **roo= t) warn("DIOCGETALTQ"); return (-1); } +#ifdef __FreeBSD__ + if (pa.altq.qid > 0 && !pa.altq.local_flags) { +#else if (pa.altq.qid > 0) { +#endif pq.nr =3D nr; pq.ticket =3D pa.ticket; pq.buf =3D &qstats.data; diff --git a/sys/contrib/pf/net/pf_if.c b/sys/contrib/pf/net/pf_if.c index 74e9dcb..8b09cc3 100644 =2D-- a/sys/contrib/pf/net/pf_if.c +++ b/sys/contrib/pf/net/pf_if.c
@@ -893,6 +893,9 @@ pfi_attach_ifnet_event(void *arg __unused, struct ifnet= *ifp) { PF_LOCK(); pfi_attach_ifnet(ifp); +#ifdef ALTQ + pf_altq_ifnet_event(ifp, 0); +#endif PF_UNLOCK(); } =20 @@ -901,6 +904,9 @@ pfi_detach_ifnet_event(void *arg __unused, struct ifnet= *ifp) { PF_LOCK(); pfi_detach_ifnet(ifp); +#ifdef ALTQ + pf_altq_ifnet_event(ifp, 1); +#endif PF_UNLOCK(); } =20 diff --git a/sys/contrib/pf/net/pf_ioctl.c b/sys/contrib/pf/net/pf_ioctl.c index 136e710..0681abf 100644 =2D-- a/sys/contrib/pf/net/pf_ioctl.c +++ b/sys/contrib/pf/net/pf_ioctl.c @@ -787,7 +787,11 @@ pf_begin_altq(u_int32_t *ticket) /* Purge the old altq list */ while ((altq =3D TAILQ_FIRST(pf_altqs_inactive)) !=3D NULL) { TAILQ_REMOVE(pf_altqs_inactive, altq, entries); +#ifdef __FreeBSD__ + if (altq->qname[0] =3D=3D 0 && altq->local_flags =3D=3D 0) { +#else if (altq->qname[0] =3D=3D 0) { +#endif /* detach and destroy the discipline */ error =3D altq_remove(altq); } else @@ -812,7 +816,11 @@ pf_rollback_altq(u_int32_t ticket) /* Purge the old altq list */ while ((altq =3D TAILQ_FIRST(pf_altqs_inactive)) !=3D NULL) { TAILQ_REMOVE(pf_altqs_inactive, altq, entries); +#ifdef __FreeBSD__ + if (altq->qname[0] =3D=3D 0 && altq->local_flags =3D=3D 0) { +#else if (altq->qname[0] =3D=3D 0) { +#endif /* detach and destroy the discipline */ error =3D altq_remove(altq); } else @@ -842,7 +850,11 @@ pf_commit_altq(u_int32_t ticket) =20 /* Attach new disciplines */ TAILQ_FOREACH(altq, pf_altqs_active, entries) { +#ifdef __FreeBSD__ + if (altq->qname[0] =3D=3D 0 && altq->local_flags =3D=3D 0) { +#else if (altq->qname[0] =3D=3D 0) { +#endif /* attach the discipline */ error =3D altq_pfattach(altq); if (error =3D=3D 0 && pf_altq_running) 
@@ -857,7 +869,11 @@ pf_commit_altq(u_int32_t ticket) /* Purge the old altq list */ while ((altq =3D TAILQ_FIRST(pf_altqs_inactive)) !=3D NULL) { TAILQ_REMOVE(pf_altqs_inactive, altq, entries); +#ifdef __FreeBSD__ + if (altq->qname[0] =3D=3D 0 && altq->local_flags =3D=3D 0) { +#else if (altq->qname[0] =3D=3D 0) { +#endif /* detach and destroy the discipline */ if (pf_altq_running) error =3D pf_disable_altq(altq); 
@@ -943,6 +959,91 @@ pf_disable_altq(struct pf_altq *altq) =20 return (error); } + +#ifdef __FreeBSD__ +void +pf_altq_ifnet_event(struct ifnet *ifp, int remove) +{ + struct ifnet *ifp1; + struct pf_altq *a1, *a2, *a3; + u_int32_t ticket; + int error =3D 0; + + DPFPRINTF(PF_DEBUG_MISC, ("altq: ifnet event %p %d\n", ifp, remove)); + /* Interrupt userland queue modifications */ + if (altqs_inactive_open) { + DPFPRINTF(PF_DEBUG_MISC, + ("altq: detach event preempted userland\n")); + pf_rollback_altq(ticket_altqs_inactive); + } + + /* Start new altq ruleset */ + if (pf_begin_altq(&ticket)) { + DPFPRINTF(PF_DEBUG_MISC, ("altq: pf_begin_altq failed\n")); + PF_UNLOCK(); + return; + } + /* Copy the current active set */ + TAILQ_FOREACH(a1, pf_altqs_active, entries) { + a2 =3D pool_get(&pf_altq_pl, PR_NOWAIT); + if (a2 =3D=3D NULL) { + error =3D ENOMEM; + break; + } + bcopy(a1, a2, sizeof(struct pf_altq)); + + DPFPRINTF(PF_DEBUG_MISC, ("altq: copy %s.%s\n", a2->ifname, + a2->qname)); + if (a2->qname[0] !=3D 0) { + if ((a2->qid =3D pf_qname2qid(a2->qname)) =3D=3D 0) { + error =3D EBUSY; + pool_put(&pf_altq_pl, a2); + break; + } + a2->altq_disc =3D NULL; + TAILQ_FOREACH(a3, pf_altqs_inactive, entries) { + if (strncmp(a3->ifname, a2->ifname, + IFNAMSIZ) =3D=3D 0 && a3->qname[0] =3D=3D 0) { + a2->altq_disc =3D a3->altq_disc; + break; + } + } + } + /* Deactivate the interface in question */ + a2->local_flags =3D 0; + if ((ifp1 =3D ifunit(a2->ifname)) =3D=3D NULL || + (remove && ifp1 =3D=3D ifp)) { + a2->local_flags |=3D PFALTQ_FLAG_IF_REMOVED; + DPFPRINTF(PF_DEBUG_MISC, + ("altq: no interface for %s.%s\n", a2->ifname, + a2->qname)); + } else { + PF_UNLOCK(); + error =3D altq_add(a2); + PF_LOCK(); + + if (ticket !=3D ticket_altqs_inactive) + error =3D EBUSY; + + if (error) { + pool_put(&pf_altq_pl, a2); + break; + } + } + DPFPRINTF(PF_DEBUG_MISC, ("altq: adding %s.%s\n", a2->ifname, + a2->qname)); + + TAILQ_INSERT_TAIL(pf_altqs_inactive, a2, entries); + } + + if (error !=3D 0) { + 
DPFPRINTF(PF_DEBUG_MISC, ("altq: copy failed %d\n", error)); + pf_rollback_altq(ticket); + } else { + pf_commit_altq(ticket); + } +} +#endif #endif /* ALTQ */ =20 int @@ -2273,7 +2374,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int fla= gs, struct proc *p) =20 /* enable all altq interfaces on active list */ TAILQ_FOREACH(altq, pf_altqs_active, entries) { +#ifdef __FreeBSD__ + if (altq->qname[0] =3D=3D 0 && + altq->local_flags =3D=3D 0) { +#else if (altq->qname[0] =3D=3D 0) { +#endif error =3D pf_enable_altq(altq); if (error !=3D 0) break; @@ -2290,7 +2396,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int fla= gs, struct proc *p) =20 /* disable all altq interfaces on active list */ TAILQ_FOREACH(altq, pf_altqs_active, entries) { +#ifdef __FreeBSD__ + if (altq->qname[0] =3D=3D 0 && + altq->local_flags =3D=3D 0) { +#else if (altq->qname[0] =3D=3D 0) { +#endif error =3D pf_disable_altq(altq); if (error !=3D 0) break; @@ -2316,6 +2427,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flag= s, struct proc *p) break; } bcopy(&pa->altq, altq, sizeof(struct pf_altq)); +#ifdef __FreeBSD__ + altq->local_flags =3D 0; +#endif =20 /* * if this is for a queue, find the discipline and @@ -2327,6 +2441,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flag= s, struct proc *p) pool_put(&pf_altq_pl, altq); break; } + altq->altq_disc =3D NULL; TAILQ_FOREACH(a, pf_altqs_inactive, entries) { if (strncmp(a->ifname, altq->ifname, IFNAMSIZ) =3D=3D 0 && a->qname[0] =3D=3D 0) { @@ -2337,11 +2452,17 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int fl= ags, struct proc *p) } =20 #ifdef __FreeBSD__ =2D PF_UNLOCK(); + struct ifnet *ifp; + + if ((ifp =3D ifunit(altq->ifname)) =3D=3D NULL) { + altq->local_flags |=3D PFALTQ_FLAG_IF_REMOVED; + } else { + PF_UNLOCK(); #endif =09 error =3D altq_add(altq); #ifdef __FreeBSD__ =2D PF_LOCK(); + PF_LOCK(); + } #endif if (error) { pool_put(&pf_altq_pl, altq); 
@@ -2414,6 +2535,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int fla= gs, struct proc *p) break; } #ifdef __FreeBSD__ + if (altq->local_flags !=3D 0) { + error =3D ENXIO; + break; + } PF_UNLOCK(); #endif error =3D altq_getqstats(altq, pq->buf, &nbytes); diff --git a/sys/contrib/pf/net/pfvar.h b/sys/contrib/pf/net/pfvar.h index fbc87e3..8673594 100644 =2D-- a/sys/contrib/pf/net/pfvar.h +++ b/sys/contrib/pf/net/pfvar.h @@ -1247,6 +1247,11 @@ struct pf_altq { u_int32_t parent_qid; /* parent queue id */ u_int32_t bandwidth; /* queue bandwidth */ u_int8_t priority; /* priority */ +#ifdef __FreeBSD__ + u_int8_t local_flags; /* dynamic interface */ +#define PFALTQ_FLAG_IF_REMOVED 0x01 +#define PFALTQ_FLAG_BW_UNKNOWN 0x02 +#endif u_int16_t qlimit; /* queue size limit */ u_int16_t flags; /* misc flags */ union { 
@@ -1574,6 +1579,9 @@ extern void pf_tbladdr_remove(struct pf_addr_wrap = *); extern void pf_tbladdr_copyout(struct pf_addr_wrap *); extern void pf_calc_skip_steps(struct pf_rulequeue *); #ifdef __FreeBSD__ +#ifdef ALTQ +extern void pf_altq_ifnet_event(struct ifnet *, int); +#endif extern uma_zone_t pf_src_tree_pl, pf_rule_pl; extern uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; extern uma_zone_t pfr_ktable_pl, pfr_kentry_pl, pfr_kentry_pl2;

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 27 23:02:36 2007
Message-ID: <474CA1EB.3020601@kasimir.com>
Date: Wed, 28 Nov 2007 00:02:03 +0100
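Review bot: In getifmtu() (contrib/pf/pfctl/pfctl_altq.c, hunk @@ -1145,7 +1149,11 @@) the FreeBSD branch turns every SIOCGIFMTU failure into an MTU of 1500, not only the missing-interface case that the feature needs. Check errno for the interface-not-present case (ENXIO) and keep the err(1, "SIOCGIFMTU") path for any other failure, so that an unrelated ioctl error is not silently replaced by a guessed value. A warning when the default is used would also tell the operator that the queues were sized against an assumed MTU.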
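Review bot: pf_altq_ifnet_event() (sys/contrib/pf/net/pf_ioctl.c, hunk @@ -943,6 +959,91 @@) releases the pf lock on its pf_begin_altq() failure path with "PF_UNLOCK(); return;", but both callers added in pf_if.c take PF_LOCK() before the call and run PF_UNLOCK() after it, so that path unlocks twice. Return without unlocking there. In the same function the bcopy() leaves a2->altq_disc pointing at the old entry's discipline for interface-level entries (empty qname); it is reset to NULL only for named queues. On the PFALTQ_FLAG_IF_REMOVED branch altq_add() is skipped, so that pointer stays in the new list and is what the a3 lookup hands to the queues of that interface, while the purge loop in pf_commit_altq() detaches and destroys the old entry. Clearing a2->altq_disc right after the bcopy() avoids carrying it over.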
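Review bot: In the DIOCADDALTQ hunk of pfioctl() (sys/contrib/pf/net/pf_ioctl.c, @@ -2337,11 +2452,17 @@) the declaration "struct ifnet *ifp;" sits after executable statements in the middle of the case body, and the if/else braces open in one #ifdef __FreeBSD__ block and close in the next, with the shared "error = altq_add(altq);" line between them. Declare ifp at the top of the block and keep the whole ifunit() branch inside a single #ifdef, so the locked and unlocked regions can be read without mentally merging the two preprocessor variants.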
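Review bot: In the struct pf_altq hunk of sys/contrib/pf/net/pfvar.h (@@ -1247,6 +1247,11 @@), PFALTQ_FLAG_BW_UNKNOWN is defined but nothing in this patch sets or tests it, while every consumer (print_altq(), pfctl_update_qstats(), the pf_ioctl.c loops and DIOCGETQSTATS) compares local_flags against zero instead of testing PFALTQ_FLAG_IF_REMOVED. Once the second bit is used, an entry with unknown bandwidth on a present interface would be skipped as if its interface were gone. Test the specific bit, or drop the unused define until it has a user. The field comment "dynamic interface" could also state that the kernel owns the field, since the DIOCADDALTQ hunk zeroes it after the bcopy() from userland.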
From: Florian Smeets
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: ALTQ for dynamic interfaces [Re: 7-STABLE panic: mtx_lock() of spin mutex %s @ %s:%d]

Max Laier wrote:
>
> Okay ... try this. Not final yet, but should be functional. With this
> you should be able to:
>
> 1) Safely remove an interface with active queues
> 2) Re-add the interface and *magically* get the queues back
> 3) Write queue rules for non-existing interfaces
>    - Note that we will assume an MTU of 1500 and you have to specify a
>      fixed bandwidth as we don't know the interface's native speed
>    - Obviously these queues will be activated as soon as a matching
>      interface is created.
>
> BUGS: Doesn't print queues on removed interfaces at all. Should be
> changed to something like "queue foo on bar0 (N/A) ...", but it seems I
> was too strict with the local_flags. The error handling might need some
> work in order to avoid panic if something goes wrong while we de-activate
> queues.
>
> I'd like to hear back from you in order to see if I at least got the basic
> workings right enough so you can survive the mpd interface destroy.

Ok, it survives 20 consecutive restarts now without problems. I didn't
test more as I'm not 100% sure what my provider will do otherwise...

N.B. This is 8-CURRENT but it had the same problem as the 7-STABLE box.

> Could you - in addition to your current setup w/ if-up script - also test
> the magic part? i.e. load the ruleset before loading mpd. This should
> now be possible as long as you don't put "set loginterface" or fixed
> interface-to-address src/dst in it \o/
>

Yes, the *magic* seems to work (without up-script):

root@fw-pri:~ > pfctl -sq
queue std_out on ng0 qlimit 250 priq( default )
queue tcp_ack_out on ng0 priority 6 qlimit 250
root@fw-pri:~ > /usr/local/etc/rc.d/mpd4 stop
Stopping mpd4.
Waiting for PIDS: 1824.
root@fw-pri:~ > pfctl -sq
root@fw-pri:~ > /usr/local/etc/rc.d/mpd4 start
Starting mpd4.
root@fw-pri:~ > pfctl -sq
queue std_out on ng0 qlimit 250 priq( default )
queue tcp_ack_out on ng0 priority 6 qlimit 250

Max, thanks a lot! Keep up the great work you are doing on pf4freebsd.

Cheers
Florian

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 29 10:19:26 2007
Message-ID: <64de5c8b0711290152n7a4728e3paacc7a6ff0b3a844@mail.gmail.com>
Date: Thu, 29 Nov 2007 15:22:39 +0530
From: "Rajkumar S"
To: freebsd-pf@freebsd.org
Subject: Sharing total bandwidth equally between ips

Hi,

I have a requirement where I want to share the available internet
bandwidth _equally_ between all active ips in the LAN. For example if I
have 2 mbps and only 4 ips are active, they all should get 512, but if 4
more ips become active, every one should get 256kbps. This should work
even if one of them is using a download manager and has multiple
connections to server.

Can such a requirement be met with pf? I would be happy with an
approximation of this requirement. The underlying philosophy of this
requirement is that "smart" people using download accelerators should
not overwhelm moms and pops.

Thanks,

raj

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 08:48:41 2007
Date: Fri, 30 Nov 2007 15:48:39 +0700
From: sukaca
To: freebsd-pf@freebsd.org
Subject: loadbalance weird with freebsd client

I'm using FreeBSD 6.1 for balancing. After the balancing server there is
a server acting as transparent proxy and gateway. This is the diagram:

balance ---proxy/gw(using linux)----client

The problem is when I use this configuration:

balance---proxy---pfsense----client

This is the result of traceroute:

192.168.20.1 (192.168.20.1) 10.396 ms 7.525 ms 8.708 ms
2 192.168.1.222 (192.168.1.222) 4.327 ms 8.627 ms 4.925 ms
3 192.168.3.1 (192.168.3.1) 9.981 ms 192.168.5.1 (192.168.5.1) 10.025 ms 192.168.3.1 (192.168.3.1) 10.594 ms

There are 3.1, 4.1, 5.1 and 6.1 as DSL modem IPs. That is one reason why
the proxy/gw is using linux, because when I am using FreeBSD it has the
same result of traceroute.

Trace by linux:

192.168.20.1 (192.168.20.1) 10.396 ms 7.525 ms 8.708 ms
2 192.168.1.222 (192.168.1.222) 4.327 ms 8.627 ms 4.925 ms
3 192.168.3.1 (192.168.3.1) 9.981 ms
4 203.77.212.20 (internet)

Thank you in advance.

Regards,
vicky

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 21:05:54 2007
Date: Fri, 30 Nov 2007 21:05:54 GMT
Message-Id: <200711302105.lAUL5sQt074459@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/118355: [pf] [patch] pfctl help message options order false -t must before -T

Old Synopsis: pfctl help message options order false -t must before -T
New Synopsis: [pf] [patch] pfctl help message options order false -t must before -T

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Nov 30 21:05:03 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=118355