From owner-freebsd-pf@FreeBSD.ORG Mon Jun 30 11:07:01 2008
Return-Path:
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B86A81065677 for ; Mon, 30 Jun 2008 11:07:01 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id A5CBD8FC1F for ; Mon, 30 Jun 2008 11:07:01 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m5UB71ht095833 for ; Mon, 30 Jun 2008 11:07:01 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m5UB71EO095829 for freebsd-pf@FreeBSD.org; Mon, 30 Jun 2008 11:07:01 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 30 Jun 2008 11:07:01 GMT
Message-Id: <200806301107.m5UB71EO095829@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 30 Jun 2008 11:07:01 -0000

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to

9 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 1 06:42:50 2008
From: "Ansar Mohammed" <ansarm@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 1 Jul 2008 02:42:41 -0400
Message-ID: <001e01c8db45$aa6f0cd0$ff4d2670$@com>
Subject: authpf win32 client

Hello All,

I am writing a small win32 tray icon client for authpf. If anyone is
interested in assisting me with some testing, can you please msg me offlist.

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 3 01:08:33 2008
From: Stef <stef-list@memberwebs.com>
Reply-To: stef@memberwebs.com
To: Kian Mohageri
Cc: freebsd-stable, freebsd-net@freebsd.org, Matthew Seaman, freebsd-pf@freebsd.org, Alex Trull
Date: Thu, 3 Jul 2008 00:39:57 +0000 (UTC)
Message-Id: <20080703003955.859BCF180C0@mx.npubs.com>
References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk>
Subject: Re: connect(): Operation not permitted

Kian Mohageri wrote:
> On Sun, May 18, 2008 at 3:33 AM, Johan Ström wrote:
>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>>
>>> Johan Ström wrote:
>>>
>>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
>>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags
>>>> S/SA keep state". Where did that "keep state" come from?
>>> 'flags S/SA keep state' is the default now for tcp filter rules -- that
>>> was new in 7.0 reflecting the upstream changes made between the 4.0 and
>>> 4.1 releases of OpenBSD. If you want a stateless rule, append 'no state'.
>>>
>>> http://www.openbsd.org/faq/pf/filter.html#state
>> Thanks! I was actually looking around in the pf.conf manpage but failed to
>> find it yesterday, but looking closer today I now saw it.
>> Applied the no state (and quick) to the rule, and now no state is created.
>> And the problem I had in the first place seems to have been resolved too
>> now, even though it didn't look like a state problem.. (started to deny new
>> connections much earlier than the states were full, although maybe I wasn't
>> looking for updates fast enough or something).
>>
> I'd be willing to bet it's because you're reusing the source port on a
> new connection before the old state expires.
>
> You'll know if you check the state-mismatch counter.
>
> Anyway, glad you found a resolution.

I've been experiencing this "Operation not permitted" too. I've been trying
to track down the problem for many months, but due to the complexity of my
firewalls (scores of jails each with scores of rules), I wasn't brave enough
to ask for help :)

As a workaround we started creating rules without state, whenever we would
run into the problem.

Thanks for the pointer about state-mismatch. The state-mismatch counter is
in fact high in my case (see below). How would I go about getting the pf
state timeout and the reuse of ports for outbound connections to match? Or
is this an intractable problem, that just needs to be worked around?

Cheers,

Stef Walter

Status: Enabled for 13 days 23:55:25             Debug: Urgent

Hostid: 0x38ae6776

State Table                          Total             Rate
  current entries                       65
  searches                       819507771          677.7/s
  inserts                          1136670            0.9/s
  removals                         1136605            0.9/s
Counters
  match                          787482855          651.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                       748            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 3 16:20:06 2008
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: stef@memberwebs.com
Cc: freebsd-stable, freebsd-net@freebsd.org, Matthew Seaman, freebsd-pf@freebsd.org, Alex Trull
Date: Thu, 3 Jul 2008 08:55:21 -0700
In-Reply-To: <20080703003955.859BCF180C0@mx.npubs.com>
References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk> <20080703003955.859BCF180C0@mx.npubs.com>
Subject: Re: connect(): Operation not permitted

On Wed, Jul 2, 2008 at 5:39 PM, Stef <stef-list@memberwebs.com> wrote:
> Kian Mohageri wrote:
>> On Sun, May 18, 2008 at 3:33 AM, Johan Ström <johan@stromnet.se> wrote:
>>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>>>
>>>> Johan Ström wrote:
>>>>
>>>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
>>>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags
>>>>> S/SA keep state". Where did that "keep state" come from?
>>>> 'flags S/SA keep state' is the default now for tcp filter rules -- that
>>>> was new in 7.0 reflecting the upstream changes made between the 4.0 and
>>>> 4.1 releases of OpenBSD. If you want a stateless rule, append 'no state'.
>>>>
>>>> http://www.openbsd.org/faq/pf/filter.html#state
>>> Thanks! I was actually looking around in the pf.conf manpage but failed to
>>> find it yesterday, but looking closer today I now saw it.
>>> Applied the no state (and quick) to the rule, and now no state is created.
>>> And the problem I had in the first place seems to have been resolved too
>>> now, even though it didn't look like a state problem.. (started to deny new
>>> connections much earlier than the states were full, although maybe I wasn't
>>> looking for updates fast enough or something).
>>>
>>
>> I'd be willing to bet it's because you're reusing the source port on a
>> new connection before the old state expires.
>>
>> You'll know if you check the state-mismatch counter.
>>
>> Anyway, glad you found a resolution.
>
> I've been experiencing this "Operation not permitted" too. I've been
> trying to track down the problem for many months, but due to the
> complexity of my firewalls (scores of jails each with scores of rules),
> I wasn't brave enough to ask for help :)
>
> As a workaround we started creating rules without state, whenever we
> would run into the problem.
>
> Thanks for the pointer about state-mismatch. The state-mismatch counter
> is in fact high in my case (see below). How would I go about
> getting the pf state timeout and the reuse of ports for outbound
> connections to match? Or is this an intractable problem, that just needs
> to be worked around?
>

Make sure your state-mismatch counter is increasing at the same times
you experience the problem (and isn't just high from some unrelated
issue).

A similar/related problem was addressed in OpenBSD 4.3
(http://www.openbsd.org/plus43.html).

  * In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a
    new SYN arrives.

I'm not sure if it's been imported yet. If not, you could try tuning
your timeout values (see pf.conf(5)).

The specific issue I experienced was solved by shortening
tcp.closed, IIRC. It's been a while though.

-Kian

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 4 11:32:14 2008
From: Jeremy Chadwick <jdc@parodius.com>
To: Kian Mohageri
Cc: freebsd-stable, stef@memberwebs.com, freebsd-net@freebsd.org, Matthew Seaman, freebsd-pf@freebsd.org, Alex Trull
Date: Fri, 4 Jul 2008 04:32:13 -0700
Message-ID: <20080704113213.GA13586@eos.sc1.parodius.com>
References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk> <20080703003955.859BCF180C0@mx.npubs.com>
Subject: Re: connect(): Operation not permitted

On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote:
> On Wed, Jul 2, 2008 at 5:39 PM, Stef wrote:
> > Kian Mohageri wrote:
> >> On Sun, May 18, 2008 at 3:33 AM, Johan Ström wrote:
> >>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
> >>>
> >>>> Johan Ström wrote:
> >>>>
> >>>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
> >>>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags
> >>>>> S/SA keep state". Where did that "keep state" come from?
> >>>> 'flags S/SA keep state' is the default now for tcp filter rules -- that
> >>>> was new in 7.0 reflecting the upstream changes made between the 4.0 and
> >>>> 4.1 releases of OpenBSD. If you want a stateless rule, append 'no state'.
> >>>>
> >>>> http://www.openbsd.org/faq/pf/filter.html#state
> >>> Thanks! I was actually looking around in the pf.conf manpage but failed to
> >>> find it yesterday, but looking closer today I now saw it.
> >>> Applied the no state (and quick) to the rule, and now no state is created.
> >>> And the problem I had in the first place seems to have been resolved too
> >>> now, even though it didn't look like a state problem.. (started to deny new
> >>> connections much earlier than the states were full, although maybe I wasn't
> >>> looking for updates fast enough or something).
> >>>
> >>
> >> I'd be willing to bet it's because you're reusing the source port on a
> >> new connection before the old state expires.
> >>
> >> You'll know if you check the state-mismatch counter.
> >>
> >> Anyway, glad you found a resolution.
> >
> > I've been experiencing this "Operation not permitted" too. I've been
> > trying to track down the problem for many months, but due to the
> > complexity of my firewalls (scores of jails each with scores of rules),
> > I wasn't brave enough to ask for help :)
> >
> > As a workaround we started creating rules without state, whenever we
> > would run into the problem.
> >
> > Thanks for the pointer about state-mismatch. The state-mismatch counter
> > is in fact high in my case (see below). How would I go about
> > getting the pf state timeout and the reuse of ports for outbound
> > connections to match? Or is this an intractable problem, that just needs
> > to be worked around?
>
> Make sure your state-mismatch counter is increasing at the same times
> you experience the problem (and isn't just high from some unrelated
> issue).
>
> A similar/related problem was addressed in OpenBSD 4.3
> (http://www.openbsd.org/plus43.html).
>
>   * In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a
>     new SYN arrives.
>
> I'm not sure if it's been imported yet. If not, you could try tuning
> your timeout values (see pf.conf(5)).
>
> The specific issue I experienced was solved by shortening
> tcp.closed, IIRC. It's been a while though.

When administrators see state-mismatch increasing, they get concerned.
The common scapegoat is tcp.closed, which people don't even bother to
describe (pf has an internal value of 10 seconds applied to that value,
e.g. tcp.closed=5 means 15 seconds).

You can set tcp.closed as low as you want, but chances are random
Internet users will have equipment with IP stacks that re-use outbound
sockets which haven't fully closed down within the aforementioned
interval. pf cannot fix this.

For example, on our production/hosting systems, we see state-mismatch
increase fairly often. I just pfctl -F info'd our main webserver, and
within about 15 minutes, state-mismatch was up to 22. We use tcp.closed
of 5 (which means 15 seconds).

Workarounds such as "no state" suffice, but if you use rdr rules, you
MUST track state, which means there's no way of winning in that case.
For the sake of example, OpenBSD spamd requires the use of rdr rules.

Administrators then ask 3 questions:

1) How do I determine whether or not state-mismatch increasing is a sign
   of bad things, or due to people's broken IP stacks,

2) What happens to packets which cause state-mismatch to increment, e.g.
   are they blocked, passed, or what?

3) Why isn't state-mismatch described in detail in the documentation?

Finally, the fix in OpenBSD 4.3 should really be backported to FreeBSD
ASAP.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 4 12:10:50 2008
From: Jeremy Chadwick <jdc@parodius.com>
To: Kian Mohageri
Cc: freebsd-stable, stef@memberwebs.com, freebsd-net@freebsd.org, Matthew Seaman, freebsd-pf@freebsd.org, Alex Trull
Date: Fri, 4 Jul 2008 05:10:50 -0700
Message-ID: <20080704121050.GA14604@eos.sc1.parodius.com>
In-Reply-To: <20080704113213.GA13586@eos.sc1.parodius.com>
Subject: Re: connect(): Operation not permitted

On Fri, Jul 04, 2008 at 04:32:13AM -0700, Jeremy Chadwick wrote:
> On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote:
> > A similar/related problem was addressed in OpenBSD 4.3
> > (http://www.openbsd.org/plus43.html).
> >
> >   * In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a
> >     new SYN arrives.

The OpenBSD diff:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r2=1.559&r1=1.558&f=H

I've submitted a FreeBSD PR to get the above backported into RELENG_7 and
RELENG_6:

http://www.freebsd.org/cgi/query-pr.cgi?pr=125261

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 4 13:11:03 2008
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Fri, 4 Jul 2008 13:10:58 GMT
Message-Id: <200807041310.m64DAwuE071290@freefall.freebsd.org>
Subject: Re: kern/125261: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state

Old Synopsis: Backport OpenBSD 4.3 patch for pf re-using state
New Synopsis: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Jul 4 13:10:36 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=125261

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 4 15:18:52 2008
From: mlaier@FreeBSD.org
To: mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org, mlaier@FreeBSD.org
Date: Fri, 4 Jul 2008 15:18:52 GMT
Message-Id: <200807041518.m64FIqpl082341@freefall.freebsd.org>
Subject: Re: kern/125261: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state

Synopsis: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state

Responsible-Changed-From-To: freebsd-pf->mlaier
Responsible-Changed-By: mlaier
Responsible-Changed-When: Fri Jul 4 15:17:48 UTC 2008
Responsible-Changed-Why:
I'll take a look at this. While here I'll also try to get the missing
diffs for SACK vs. modulate state imported.

http://www.freebsd.org/cgi/query-pr.cgi?pr=125261

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 4 21:30:57 2008
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Jeremy Chadwick"
Cc: freebsd-stable, stef@memberwebs.com, freebsd-net@freebsd.org, Matthew Seaman, freebsd-pf@freebsd.org, Alex Trull
Date: Fri, 4 Jul 2008 14:30:48 -0700
In-Reply-To: <20080704113213.GA13586@eos.sc1.parodius.com>
References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se> <482FD877.6050707@infracaninophile.co.uk> <20080703003955.859BCF180C0@mx.npubs.com> <20080704113213.GA13586@eos.sc1.parodius.com>
Subject: Re: connect(): Operation not permitted

On Fri, Jul 4, 2008 at 4:32 AM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
> On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote:
>> On Wed, Jul 2, 2008 at 5:39 PM, Stef <stef-list@memberwebs.com> wrote:
>> > Kian Mohageri wrote:
>> >> On Sun, May 18, 2008 at 3:33 AM, Johan Ström <johan@stromnet.se> wrote:
>> >>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>> >>>
>> >>>> Johan Ström wrote:
>> >>>>
>> >>>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
>> >>>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags
>> >>>>> S/SA keep state". Where did that "keep state" come from?
>> >>>> 'flags S/SA keep state' is the default now for tcp filter rules -- that
>> >>>> was new in 7.0 reflecting the upstream changes made between the 4.0 and
>> >>>> 4.1 releases of OpenBSD. If you want a stateless rule, append 'no state'.
>> >>>>
>> >>>> http://www.openbsd.org/faq/pf/filter.html#state
>> >>> Thanks! I was actually looking around in the pf.conf manpage but failed to
>> >>> find it yesterday, but looking closer today I now saw it.
>> >>> Applied the no state (and quick) to the rule, and now no state is created.
>> >>> And the problem I had in the first place seems to have been resolved too
>> >>> now, even though it didn't look like a state problem.. (started to deny new
>> >>> connections much earlier than the states were full, although maybe I wasn't
>> >>> looking for updates fast enough or something).
>> >>>
>> >>
>> >> I'd be willing to bet it's because you're reusing the source port on a
>> >> new connection before the old state expires.
>> >>
>> >> You'll know if you check the state-mismatch counter.
>> >>
>> >> Anyway, glad you found a resolution.
>> >
>> > I've been experiencing this "Operation not permitted" too. I've been
>> > trying to track down the problem for many months, but due to the
>> > complexity of my firewalls (scores of jails each with scores of rules),
>> > I wasn't brave enough to ask for help :)
>> >
>> > As a workaround we started creating rules without state, whenever we
>> > would run into the problem.
>> >
>> > Thanks for the pointer about state-mismatch. The state-mismatch counter
>> > is in fact high in my case (see below). How would I go about
>> > getting the pf state timeout and the reuse of ports for outbound
>> > connections to match? Or is this an intractable problem, that just needs
>> > to be worked around?
>>
>> Make sure your state-mismatch counter is increasing at the same times
>> you experience the problem (and isn't just high from some unrelated
>> issue).
>>
>> A similar/related problem was addressed in OpenBSD 4.3
>> (http://www.openbsd.org/plus43.html).
>>
>>   * In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a
>>     new SYN arrives.
>>
>> I'm not sure if it's been imported yet. If not, you could try tuning
>> your timeout values (see pf.conf(5)).
>>
>> The specific issue I experienced was solved by shortening
>> tcp.closed, IIRC. It's been a while though.
>
> When administrators see state-mismatch increasing, they get concerned.
> The common scapegoat is tcp.closed, which people don't even bother to
> describe (pf has an internal value of 10 seconds applied to that value,
> e.g. tcp.closed=5 means 15 seconds).
>
> You can set tcp.closed as low as you want, but chances are random
> Internet users will have equipment with IP stacks that re-use outbound
> sockets which haven't fully closed down within the aforementioned
> interval. pf cannot fix this.
>
> For example, on our production/h
b3N0aW5nIHN5c3RlbXMsIHdlIHNlZSBzdGF0ZS1taXNtYXRjaAo+IGluY3JlYXNlIGZhaXJseSBv ZnRlbi4gIEkganVzdCBwZmN0bCAtRiBpbmZvJ2Qgb3VyIG1haW4gd2Vic2VydmVyLCBhbmQKPiB3 aXRoaW4gYWJvdXQgMTUgbWludXRlcywgc3RhdGUtbWlzbWF0Y2ggd2FzIHVwIHRvIDIyLiAgV2Ug dXNlIHRjcC5jbG9zZWQKPiBvZiA1ICh3aGljaCBtZWFucyAxNSBzZWNvbmRzKS4KPgo+IFdvcmth cm91bmRzIHN1Y2ggYXMgIm5vIHN0YXRlIiBzdWZmaWNlLCBidXQgaWYgeW91IHVzZSByZHIgcnVs ZXMsIHlvdQo+IE1VU1QgdHJhY2sgc3RhdGUsIHdoaWNoIG1lYW5zIHRoZXJlJ3Mgbm8gd2F5IG9m IHdpbm5pbmcgaW4gdGhhdCBjYXNlLgo+IEZvciBzYWtlIG9mIGV4YW1wbGUsIE9wZW5CU0Qgc3Bh bWQgcmVxdWlyZXMgdGhlIHVzZSBvZiByZHIgcnVsZXMuCj4KPiBBZG1pbmlzdHJhdG9ycyB0aGVu IGFzayAzIHF1ZXN0aW9uczoKPgoKRm9yIHRoZSBzYWtlIG9mIGEgaGVscGZ1bCBhcmNoaXZlLi4u Cgo+IDEpIEhvdyBkbyBJIGRldGVybWluZSB3aGV0aGVyIG9yIG5vdCBzdGF0ZS1taXNtYXRjaCBp bmNyZWFzaW5nIGlzIGEKPiAgIHNpZ24gb2YgYmFkIHRoaW5ncywgb3IgZHVlIHRvIHBlb3BsZXMn IGJyb2tlbiBJUCBzdGFja3MsCgpZb3UgY2FuJ3QuICBPbmx5IHdheSB5b3Uga25vdyBpcyBwcm9i YWJseSB3aGVuIHBlb3BsZSBjb21wbGFpbiwgb3IgeW91Cm5vdGljZSBzY3JpcHRzL3BhZ2UgbG9h ZHMgZmFpbGluZy4KCj4gMikgV2hhdCBoYXBwZW5zIHRvIHBhY2tldHMgd2hpY2ggY2F1c2Ugc3Rh dGUtbWlzbWF0Y2ggdG8gaW5jcmVtZW50LAo+ICAgZS5nLiBhcmUgdGhleSBibG9ja2VkLCBwYXNz ZWQsIG9yIHdoYXQ/CgpEcm9wcGVkLiAgSW4gdGhlIGNhc2Ugb2YgYSBzdGF0ZS1taXNtYXRjaCBk dXJpbmcgVENQIGhhbmRzaGFrZSwgYW4gUlNUCmlzIHNlbnQuICBUaGF0J3Mgd2h5IHRoZSBmYWls dXJlIGhhcHBlbnMgaW1tZWRpYXRlbHkuCgo+IDMpIFdoeSBpc24ndCBzdGF0ZS1taXNtYXRjaCBk ZXNjcmliZWQgaW4gZGV0YWlsIGluIHRoZSBkb2N1bWVudGF0aW9uPwo+CgpHb29kIHF1ZXN0aW9u LiAgSSBndWVzcyBiZWNhdXNlIGl0IHdvdWxkIGJlIGRpZmZpY3VsdCB0byBkb2N1bWVudCBhbGwK b2YgdGhlIHJlYXNvbnMgYSBzdGF0ZSB3b3VsZG4ndCBtYXRjaC4gIEl0IHdvdWxkIGJlIGVhc2ll ciB0byBzaW1wbHkKZG9jdW1lbnQgd2hhdCBhIHN0YXRlIF9pc18sIGJ1dCB0aGF0J3MgYWxyZWFk eSBpbiB0aGUgYXJjaGl2ZXMuCgotS2lhbgo=
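An added example, not from the thread: a small sh script that does what Kian recommends, comparing the state-mismatch counter before and after a reproduction of the failure instead of reacting to a high absolute value, and applying Jeremy's note that pf adds 10 seconds to tcp.closed. It assumes the "Counters" layout of `pfctl -si` output; the two snapshots are constructed, not captured from any host.

```shell
#!/bin/sh
# Added example (not the thread's own code). Assumes `pfctl -si` prints
# a Counters block with lines like "  state-mismatch   <total>   <rate>/s".

# Extract the cumulative state-mismatch total from a pfctl -si dump on
# stdin; prints 0 if the counter line is absent.
mismatch_total() {
    awk '$1 == "state-mismatch" { found = 1; print $2 }
         END { if (!found) print 0 }'
}

# Given two snapshots (taken before and after reproducing the failed
# connect()), print how many packets pf dropped for state mismatch in
# between. A delta that tracks the failures is the signal; a large but
# static total is not.
mismatch_delta() {
    before=$(printf '%s\n' "$1" | mismatch_total)
    after=$(printf '%s\n' "$2" | mismatch_total)
    echo $((after - before))
}

# Jeremy's point: pf applies an internal 10 seconds on top of tcp.closed,
# so the interval a closed state actually lingers is value + 10.
effective_tcp_closed() {
    echo $(( $1 + 10 ))
}

# Constructed sample snapshots (not real output from any host).
SNAP_BEFORE='Counters
  match                            1034            0.1/s
  bad-offset                          0            0.0/s
  state-mismatch                     22            0.0/s'
SNAP_AFTER='Counters
  match                            1200            0.1/s
  bad-offset                          0            0.0/s
  state-mismatch                     27            0.0/s'

echo "state-mismatch delta: $(mismatch_delta "$SNAP_BEFORE" "$SNAP_AFTER")"
echo "tcp.closed=5 lingers for $(effective_tcp_closed 5)s"
```

On a live host the snapshots would come from `pfctl -si` run just before and just after the failing request, which is the same comparison the functions make on the constructed text here.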