From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 11:06:58 2009
Date: Mon, 13 Apr 2009 11:06:57 GMT
Message-Id: <200904131106.n3DB6vID085031@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 19:08:23 2009
Date: Mon, 13 Apr 2009 14:58:14 -0400
Message-Id: <200904131857.n3DIvV7C025975@lava.sentex.ca>
To: freebsd-pf@freebsd.org
From: Mike Tancsa
Subject: OpenBSD/FreeBSD pf issue ?

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/013_pf.patch
http://helith.net/txt/openbsd_4.3-current_pf_null_pointer_dereference_kernel_panic.txt

Not sure if this impacts FreeBSD or not ?

        ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 20:02:15 2009
Date: Mon, 13 Apr 2009 23:40:55 +0400
Message-ID: <49E39547.201@citrin.ru>
From: Anton Yuzhaninov
To: freebsd-pf@freebsd.org
Subject: max-src-conn issue

Hi All.

It seems that max-src-conn is broken under FreeBSD and is not useful for
limiting incoming connections.

1. I have added 2 rules:

$ pfctl -s rule
pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh

2. Open 3 ssh connections:

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED

$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED

3. When I tried to open one more connection, packets matched by the first
rule were passed, but no state was created.

$ pfctl -z

On remote host:
ssh 81.19.90.176

$ pfctl -v -s rule
pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
  [ Evaluations: 752       Packets: 2         Bytes: 120         States: 3     ]
  [ Inserted: uid 0 pid 98818 ]
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
  [ Evaluations: 2         Packets: 2         Bytes: 128         States: 0     ]
  [ Inserted: uid 0 pid 98818 ]
$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
$ netstat -np tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED

No new state is created, but packets matching the first rule are passed,
while they should be dropped.

Because of this a new half-open connection is created (in SYN_RCVD state).

This makes max-src-conn not very useful under FreeBSD - bad guys can eat as
many sockets as they want on the attacked host, even when the number of
connections is limited by pf.

$ uname -psv
FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr  8 05:31:05 MSD 2009     citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC  amd64

I have tested the same rules on OpenBSD 4.4 - they work as expected - when
the limit is reached, packets matched by the first rule are dropped, and no
new state is created.
-- 
 Anton Yuzhaninov
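The discrepancy Anton shows above (a kernel socket in SYN_RCVD for 81.19.90.156:48149 while pfctl lists only the three established states) can be checked mechanically. The script below is an added example and is not part of the post, of pf or of FreeBSD: it correlates `pfctl -s state` with `netstat -np tcp` for one local port and reports kernel sockets that pf holds no state for, then flags sources that already sit at the max-src-conn ceiling and still own such a socket. The embedded sample output is copied from the post; the function names, the max-src-conn value of 3 and the assumption that inbound pf states print as `local:port <- remote:port` and netstat addresses as `a.b.c.d.port` are mine.

```python
import re
from collections import Counter

# Sample input: pfctl -s state and netstat -np tcp output as posted in the
# thread, embedded so the script runs offline (constructed from the post).
PFCTL_STATE_OUT = """\
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
"""

NETSTAT_OUT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
"""

# Inbound pf TCP state: "<if> tcp <local>:<lport> <- <remote>:<rport> <state>"
# (assumed format, matching the pfctl output above).
PF_IN_RE = re.compile(
    r"^\S+\s+tcp\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+<-\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)")
# netstat -np tcp row; addresses are "a.b.c.d.port", so split on the last dot.
NS_RE = re.compile(
    r"^tcp4\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)")


def _split_netstat_addr(addr):
    ip, port = addr.rsplit(".", 1)
    return ip, int(port)


def parse_pf_states(text, local_port):
    """Set of (remote_ip, remote_port) for inbound pf states to local_port."""
    states = set()
    for line in text.splitlines():
        m = PF_IN_RE.match(line)
        if m and int(m.group("lport")) == local_port:
            states.add((m.group("rip"), int(m.group("rport"))))
    return states


def parse_netstat_sockets(text, local_port):
    """List of (foreign_ip, foreign_port, tcp_state) for sockets on local_port."""
    socks = []
    for line in text.splitlines():
        m = NS_RE.match(line)
        if not m:
            continue
        _, lport = _split_netstat_addr(m.group("local"))
        if lport != local_port:
            continue
        fip, fport = _split_netstat_addr(m.group("foreign"))
        socks.append((fip, fport, m.group("state")))
    return socks


def states_per_source(pf_states):
    """pf states per remote IP: the quantity max-src-conn is meant to bound."""
    return Counter(ip for ip, _ in pf_states)


def sockets_without_pf_state(pf_text, ns_text, local_port):
    """Kernel TCP sockets that reached the stack although pf holds no state.

    Any hit means a SYN passed a stateful rule without a state being created,
    which is what the SYN_RCVD socket in the post demonstrates.
    """
    pf_states = parse_pf_states(pf_text, local_port)
    return [s for s in parse_netstat_sockets(ns_text, local_port)
            if (s[0], s[1]) not in pf_states]


def max_src_conn_violations(pf_text, ns_text, local_port, max_src_conn):
    """Sources at the max-src-conn ceiling that still own a stateless socket."""
    per_src = states_per_source(parse_pf_states(pf_text, local_port))
    leaks = sockets_without_pf_state(pf_text, ns_text, local_port)
    return sorted({ip for ip, _, _ in leaks if per_src.get(ip, 0) >= max_src_conn})


if __name__ == "__main__":
    for sock in sockets_without_pf_state(PFCTL_STATE_OUT, NETSTAT_OUT, 22):
        print("socket without pf state:", sock)
    print("limit bypassed by:",
          max_src_conn_violations(PFCTL_STATE_OUT, NETSTAT_OUT, 22, 3))
```

On a live host the two strings would be replaced by the output of `pfctl -s state` and `netstat -np tcp` taken back to back; on OpenBSD 4.4, where Anton reports the limit working, the first function should return an empty list.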
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 20:19:29 2009
Date: Mon, 13 Apr 2009 17:19:27 -0300
Message-ID: <49E39E4F.8020102@riseup.net>
From: Aline Freitas
To: freebsd-pf@freebsd.org
In-Reply-To: <200904131857.n3DIvV7C025975@lava.sentex.ca>
Subject: Re: OpenBSD/FreeBSD pf issue ?

Mike Tancsa wrote:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/013_pf.patch
> http://helith.net/txt/openbsd_4.3-current_pf_null_pointer_dereference_kernel_panic.txt
>
> Not sure if this impacts FreeBSD or not ?
>
>         ---Mike

FreeBSD is not affected:

Affected OS : OpenBSD 4.{3,4,5}, OpenBSD-current
http://helith.net/txt/openbsd_4.3-current_pf_null_pointer_dereference_kernel_panic.txt

Warning: When browsing the PF FAQ, please keep in mind that different
versions of FreeBSD contain different versions of PF:

    * FreeBSD 5.X -- PF is at OpenBSD 3.5
    * FreeBSD 6.X -- PF is at OpenBSD 3.7
    * FreeBSD 7.X -- PF is at OpenBSD 4.1

http://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html

[]'s
Aline

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 20:27:25 2009
Date: Mon, 13 Apr 2009 22:27:23 +0200
Message-ID: <692660060904131327n6b7c0659u2888c24a3d538fac@mail.gmail.com>
From: Sebastian Tymków
To: freebsd-pf@freebsd.org
Subject: Authpf -remove only anchor

Hi,

I wonder if there is any patch which allows me to delete only anchor rules
for authpf. Authpf usually closes all connections including ssh. I did some
modifications which allow me to use authpf as a normal program (executing
from a shell) but this closes all my connections at the end.

Best regards,

Sebastian Tymkow

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 20:29:07 2009
Date: Mon, 13 Apr 2009 17:04:05 -0300
Message-ID: <49E39AB5.8010208@riseup.net>
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 20:47:06 2009
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 13 Apr 2009 21:47:03 +0100
In-Reply-To: <200904131857.n3DIvV7C025975@lava.sentex.ca>
Message-Id: <200904132247.04332.max@love2party.net>
Subject: Re: OpenBSD/FreeBSD pf issue ?

On Monday 13 April 2009 20:58:14 Mike Tancsa wrote:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/013_pf.patch
> http://helith.net/txt/openbsd_4.3-current_pf_null_pointer_dereference_kernel_panic.txt
>
> Not sure if this impacts FreeBSD or not ?

It looks like FreeBSD is not vulnerable to this - it seems the problem was
introduced with OpenBSD pf.c rev. 1.539 (which first appeared in OpenBSD
4.2). Our last full import was OpenBSD 4.1, which doesn't include the
vulnerability.

Please note that this is a preliminary assessment - I will follow up with a
proper version as soon as more people have looked at the situation. Feel
free to pitch in if you see remaining problems in the FreeBSD version of
pf.c - maybe off-list.

In addition it might make sense to drop this kind of packet as part of the
"scrub" process, but that is not an immediate concern at this point.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 21:48:33 2009
Date: Mon, 13 Apr 2009 23:21:51 +0200
From: "Olli Hauer"
To: "Sebastian Tymków", freebsd-pf@freebsd.org
In-Reply-To: <692660060904131327n6b7c0659u2888c24a3d538fac@mail.gmail.com>
Message-ID: <20090413212151.241590@gmx.net>
Subject: Re: Authpf -remove only anchor

> Hi,
>
> I wonder if there is any patch which allows me to delete only anchor rules
> for authpf.
> Authpf usually closes all connections including ssh. I did some
> modifications which allow me to use authpf as a normal program (executing
> from a shell) but this closes all my connections at the end.
>
> Best regards,
>
> Sebastian Tymkow

No, but you can look into the function authpf_kill_states in the file
src/contrib/pf/authpf/authpf.c

My question is: for what exactly do you use authpf?

I use a modified authpf shell inside a chrooted cvs server to terminate
only the ssh session and allow a tunnel to the pserver port. This way I can
provide secure access to the cvs service to non-existent system users.
Access to pserver is provided via sshd_config.

It is even a good benefit to lower the number of connections from the
scrappy Tortoise and Eclipse, which try to fork many sessions for just an
update/commit.

Best Regards,
olli
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 13 22:08:46 2009
Date: Mon, 13 Apr 2009 22:42:08 +0100
In-Reply-To: <49E39547.201@citrin.ru>
Message-ID: <7731938b0904131442q4a6ff305x2cd78e584abf4477@mail.gmail.com>
From: Peter Maxwell To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: max-src-conn issue X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Apr 2009 22:08:47 -0000 Hi Yuzhaninov, Interestingly enough, I checked the pf.conf man page for max-src-conn: "For stateful TCP connections, limits on established connections (connec- tions which have completed the TCP 3-way handshake) can also be enforc= ed per source IP. max-src-conn Limits the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make. max-src-conn-rate / Limit the rate of new connections over a time interval. The con= - nection rate is an approximation calculated as a moving average.= " which does indicate that only completed handshakes are counted towards max-src-conn; it doesn't however say anything about the initial SYN packet - essentially it seems undefined. You might be able to get a better answer by looking at the source, or asking someone who knows more than me ;-) Have you tried the rules without the 'quick' keyword, I know it's probably down to personal taste but I've always found using 'quick' unless its absolutely essential (and that's not often at all) can cause unexpected difficulties. I don't think this is necessarily a problem either, as I think FreeBSD comes out of the box with protection against SYN floods - again perhaps someone more knowledgeable can expand on this. Best wishes, Peter 2009/4/13 Anton Yuzhaninov : > Hi All. > > It seems to be, that max-src-conn is broken under FreeBSD, and not useful= to > limit incoming connections. > > 1. 
I have added 2 rules: > > $ pfctl -s rule > pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port =3D ssh f= lags > S/SA keep state (source-track rule, max-src-conn 3) > block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port =3D= ssh > > 2. Open 3 ssh connections: > > $ pfctl -s state > all tcp 81.19.90.176:22 <- 81.19.90.156:47767 =A0 =A0 =A0 ESTABLISHED:EST= ABLISHED > all tcp 81.19.90.176:22 <- 81.19.90.156:47768 =A0 =A0 =A0 ESTABLISHED:EST= ABLISHED > all tcp 81.19.90.176:22 <- 81.19.90.156:47769 =A0 =A0 =A0 ESTABLISHED:EST= ABLISHED > > $ netstat -n -p tcp > Active Internet connections > Proto Recv-Q Send-Q =A0Local Address =A0 =A0 =A0 =A0 =A0Foreign Address = =A0 =A0 =A0 (state) > tcp4 =A0 =A0 =A0 0 =A0 =A0 =A00 81.19.90.176.22 =A0 =A0 =A0 =A081.19.90.1= 56.47769 > ESTABLISHED > tcp4 =A0 =A0 =A0 0 =A0 =A0 =A00 81.19.90.176.22 =A0 =A0 =A0 =A081.19.90.1= 56.47768 > ESTABLISHED > tcp4 =A0 =A0 =A0 0 =A0 =A0 =A00 81.19.90.176.22 =A0 =A0 =A0 =A081.19.90.1= 56.47767 > ESTABLISHED > > 3. When I tried to open one more connections packets matched by first rul= e > was passed, bat state was not created. 
> > $ pfctl -z > > On remote host: > ssh 81.19.90.176 > > $ pfctl -v -s rule > pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port =3D ssh f= lags > S/SA keep state (source-track rule, max-src-conn 3) > =A0[ Evaluations: 752 =A0 =A0 =A0 Packets: 2 =A0 =A0 =A0 =A0 Bytes: 120 = =A0 =A0 =A0 =A0 States: 3 > =A0 ] > =A0[ Inserted: uid 0 pid 98818 ] > block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port =3D= ssh > =A0[ Evaluations: 2 =A0 =A0 =A0 =A0 Packets: 2 =A0 =A0 =A0 =A0 Bytes: 128= =A0 =A0 =A0 =A0 States: 0 > =A0 ] > =A0[ Inserted: uid 0 pid 98818 ] > $ pfctl -s state > all tcp 81.19.90.176:22 <- 81.19.90.156:47767 =A0 =A0 =A0 ESTABLISHED:EST= ABLISHED > all tcp 81.19.90.176:22 <- 81.19.90.156:47768 =A0 =A0 =A0 ESTABLISHED:EST= ABLISHED > all tcp 81.19.90.176:22 <- 81.19.90.156:47769 =A0 =A0 =A0 ESTABLISHED:EST= ABLISHED > $ netstat -np tcp > Active Internet connections > Proto Recv-Q Send-Q =A0Local Address =A0 =A0 =A0 =A0 =A0Foreign Address = =A0 =A0 =A0 (state) > tcp4 =A0 =A0 =A0 0 =A0 =A0 =A00 81.19.90.176.22 =A0 =A0 =A0 =A081.19.90.1= 56.48149 =A0 =A0 SYN_RCVD > tcp4 =A0 =A0 =A0 0 =A0 =A0 =A00 81.19.90.176.22 =A0 =A0 =A0 =A081.19.90.1= 56.47769 > ESTABLISHED > tcp4 =A0 =A0 =A0 0 =A0 =A0 =A00 81.19.90.176.22 =A0 =A0 =A0 =A081.19.90.1= 56.47768 > ESTABLISHED > tcp4 =A0 =A0 =A0 0 =A0 =A0 =A00 81.19.90.176.22 =A0 =A0 =A0 =A081.19.90.1= 56.47767 > ESTABLISHED > > New state not created, but packets matched first rule is passed, while > should be dropped. > > Because of this new half-open connection is created (in SYN_RCVD state). > > This makes max-src-conn not very useful under FreeBSD - bad guys can eat = as > many sockets as they want on attacked host, even when number of connectio= ns > is limited by pf. 
>
> $ uname -psv
> FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr  8 05:31:05 MSD 2009
> citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC  amd64
>
> I have tested the same rules on OpenBSD 4.4 - they work as expected - when the
> limit is reached, packets matched by the first rule are dropped, and no new state is
> created.
>
> --
>  Anton Yuzhaninov
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Date: Tue, 14 Apr 2009 01:13:52 +0300
From: Oleg S
To: freebsd-pf@freebsd.org
In-Reply-To: <200904110020.n3B0K301081510@freefall.freebsd.org>
Subject: Re: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect to VPN server

I tried to reproduce the bug with the current patch, but it is not reproduced.
As I see, the bug is fixed. Thanks.

2009/4/11 Max Laier :
> The following reply was made to PR kern/130977; it has been noted by GNATS.
>
> From: Max Laier
> To: bug-followup@freebsd.org, darkibot@gmail.com
> Subject: Re: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect to VPN server
> Date: Sat, 11 Apr 2009 01:11:54 +0100
>
>  Here is the MFC patch - if possible, please try and report back.
>
>  --
>   Max
>
>  Content-Type: text/x-patch; name="mfc.ifg.patch"
>
>  Index: sys/net/if.c
>  ===================================================================
>  --- sys/net/if.c        (revision 190905)
>  +++ sys/net/if.c        (working copy)
>  @@ -128,6 +128,7 @@
>   static void   do_link_state_change(void *, int);
>   static int    if_getgroup(struct ifgroupreq *, struct ifnet *);
>   static int    if_getgroupmembers(struct ifgroupreq *);
>  +static void   if_delgroups(struct ifnet *);
>   #ifdef INET6
>   /*
>    * XXX: declare here to avoid to include many inet6 related files..
>  @@ -828,6 +829,7 @@
>          rt_ifannouncemsg(ifp, IFAN_DEPARTURE);
>          EVENTHANDLER_INVOKE(ifnet_departure_event, ifp);
>          devctl_notify("IFNET", ifp->if_xname, "DETACH", NULL);
>  +       if_delgroups(ifp);
>
>          IF_AFDATA_LOCK(ifp);
>          for (dp = domains; dp; dp = dp->dom_next) {
>  @@ -963,6 +965,53 @@
>   }
>
>   /*
>  + * Remove an interface from all groups
>  + */
>  +static void
>  +if_delgroups(struct ifnet *ifp)
>  +{
>  +       struct ifg_list         *ifgl;
>  +       struct ifg_member       *ifgm;
>  +       char groupname[IFNAMSIZ];
>  +
>  +       IFNET_WLOCK();
>  +       while (!TAILQ_EMPTY(&ifp->if_groups)) {
>  +               ifgl = TAILQ_FIRST(&ifp->if_groups);
>  +
>  +               strlcpy(groupname, ifgl->ifgl_group->ifg_group, IFNAMSIZ);
>  +
>  +               IF_ADDR_LOCK(ifp);
>  +               TAILQ_REMOVE(&ifp->if_groups, ifgl, ifgl_next);
>  +               IF_ADDR_UNLOCK(ifp);
>  +
>  +               TAILQ_FOREACH(ifgm, &ifgl->ifgl_group->ifg_members, ifgm_next)
>  +                       if (ifgm->ifgm_ifp == ifp)
>  +                               break;
>  +
>  +               if (ifgm != NULL) {
>  +                       TAILQ_REMOVE(&ifgl->ifgl_group->ifg_members, ifgm,
>  +                           ifgm_next);
>  +                       free(ifgm, M_TEMP);
>  +               }
>  +
>  +               if (--ifgl->ifgl_group->ifg_refcnt == 0) {
>  +                       TAILQ_REMOVE(&ifg_head, ifgl->ifgl_group, ifg_next);
>  +                       EVENTHANDLER_INVOKE(group_detach_event,
>  +                           ifgl->ifgl_group);
>  +                       free(ifgl->ifgl_group, M_TEMP);
>  +               }
>  +               IFNET_WUNLOCK();
>  +
>  +               free(ifgl, M_TEMP);
>  +
>  +               EVENTHANDLER_INVOKE(group_change_event, groupname);
>  +
>  +               IFNET_WLOCK();
>  +       }
>  +       IFNET_WUNLOCK();
>  +}
>  +
>  +/*
>    * Stores all groups from an interface in memory pointed
>    * to by data
>    */
>

Date: Mon, 13 Apr 2009 22:50:02 GMT
Message-Id: <200904132250.n3DMo2fk037553@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: kern/130977: commit references a PR

The following reply was made to PR kern/130977; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/130977: commit references a PR
Date: Mon, 13 Apr 2009 22:47:11 +0000 (UTC)

Author: mlaier
Date: Mon Apr 13 22:17:03 2009
New Revision: 191025

URL: http://svn.freebsd.org/changeset/base/191025

Log:
  MFH r190903 & r190895:
    Remove interfaces from interface groups on detach.

  Reported by:  various
  Submitted by: Mikolaj Golub (r190895)
  PR:           kern/130977, kern/131310
  Approved by:  re (gnn)

Modified:
  stable/7/sys/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)
  stable/7/sys/dev/ath/ath_hal/   (props changed)
  stable/7/sys/dev/cxgb/   (props changed)
  stable/7/sys/net/if.c

Modified: stable/7/sys/net/if.c
==============================================================================
--- stable/7/sys/net/if.c       Mon Apr 13 21:04:53 2009        (r191024)
+++ stable/7/sys/net/if.c       Mon Apr 13 22:17:03 2009        (r191025)
@@ -128,6 +128,7 @@ static void if_start_deferred(void *cont
 static void    do_link_state_change(void *, int);
 static int     if_getgroup(struct ifgroupreq *, struct ifnet *);
 static int     if_getgroupmembers(struct ifgroupreq *);
+static void    if_delgroups(struct ifnet *);
 #ifdef INET6
 /*
  * XXX: declare here to avoid to include many inet6 related files..
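Review bot: nothing at the new prototype says under what conditions if_delgroups() may be called, and it is not a drop-in sibling of if_delgroup() above it: the body (third hunk) releases and re-acquires IFNET_WLOCK inside its loop, so a caller that already holds that lock, or that still expects the interface to be reachable by name afterwards, would be broken. A one-line comment next to the declaration, e.g. `/* Detach-time helper: drops/re-takes IFNET_WLOCK; call from if_detach() only */`, would document that contract where future readers will look for it.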
@@ -828,6 +829,7 @@ if_detach(struct ifnet *ifp)
        rt_ifannouncemsg(ifp, IFAN_DEPARTURE);
        EVENTHANDLER_INVOKE(ifnet_departure_event, ifp);
        devctl_notify("IFNET", ifp->if_xname, "DETACH", NULL);
+       if_delgroups(ifp);
 
        IF_AFDATA_LOCK(ifp);
        for (dp = domains; dp; dp = dp->dom_next) {
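Review bot: the ordering in this hunk deserves a comment. if_delgroups(ifp) runs after EVENTHANDLER_INVOKE(ifnet_departure_event, ifp) and the devctl "DETACH" notification, so every group_detach_event / group_change_event listener (pf's interface tracking, which is what kern/130977 is about, registers for these) is told about the group membership change only after it has already processed the interface's departure. That is the safe order for a listener that tears down per-interface state on departure and then ignores the group change, but a listener that looks the interface up by name on group_change_event will not find it; stating that the call is deliberately placed after the departure event, rather than before it, would stop someone from "fixing" the order later.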
@@ -963,6 +965,53 @@ if_delgroup(struct ifnet *ifp, const cha
 }
 
 /*
+ * Remove an interface from all groups
+ */
+static void
+if_delgroups(struct ifnet *ifp)
+{
+       struct ifg_list         *ifgl;
+       struct ifg_member       *ifgm;
+       char groupname[IFNAMSIZ];
+
+       IFNET_WLOCK();
+       while (!TAILQ_EMPTY(&ifp->if_groups)) {
+               ifgl = TAILQ_FIRST(&ifp->if_groups);
+
+               strlcpy(groupname, ifgl->ifgl_group->ifg_group, IFNAMSIZ);
+
+               IF_ADDR_LOCK(ifp);
+               TAILQ_REMOVE(&ifp->if_groups, ifgl, ifgl_next);
+               IF_ADDR_UNLOCK(ifp);
+
+               TAILQ_FOREACH(ifgm, &ifgl->ifgl_group->ifg_members, ifgm_next)
+                       if (ifgm->ifgm_ifp == ifp)
+                               break;
+
+               if (ifgm != NULL) {
+                       TAILQ_REMOVE(&ifgl->ifgl_group->ifg_members, ifgm,
+                           ifgm_next);
+                       free(ifgm, M_TEMP);
+               }
+
+               if (--ifgl->ifgl_group->ifg_refcnt == 0) {
+                       TAILQ_REMOVE(&ifg_head, ifgl->ifgl_group, ifg_next);
+                       EVENTHANDLER_INVOKE(group_detach_event,
+                           ifgl->ifgl_group);
+                       free(ifgl->ifgl_group, M_TEMP);
+               }
+               IFNET_WUNLOCK();
+
+               free(ifgl, M_TEMP);
+
+               EVENTHANDLER_INVOKE(group_change_event, groupname);
+
+               IFNET_WLOCK();
+       }
+       IFNET_WUNLOCK();
+}
+
+/*
  * Stores all groups from an interface in memory pointed
  * to by data
  */
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

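Review bot: the two event handlers in the new if_delgroups() body run under different rules and that should be written down above the function. group_detach_event is invoked while IFNET_WLOCK is still held and ifgl->ifgl_group is freed immediately afterwards, so a detach listener must neither take the IFNET lock nor keep the ifg_group pointer; group_change_event, by contrast, is invoked only after IFNET_WUNLOCK() and receives the copied groupname precisely because the group may be gone by then. Dropping the lock inside the loop is safe for ifgl (already unlinked from if_groups before the unlock) and the loop re-reads TAILQ_FIRST after re-locking, which is correct, but a comment saying so would save the next reader from re-deriving it. Separately, the `if (ifgm != NULL)` guard after the TAILQ_FOREACH silently tolerates a group that still lists this interface in if_groups while its ifg_members has no entry for it; since that means the two lists have diverged, a KASSERT there would surface the corruption instead of hiding it.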
Date: Mon, 13 Apr 2009 23:34:46 GMT
Message-Id: <200904132334.n3DNYkGU004921@freefall.freebsd.org>
To: darkibot@gmail.com, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
From: mlaier@FreeBSD.org
Subject: Re: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect to VPN server

Synopsis: [netgraph][pf] kernel panic trap 12 on user connect to VPN server

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Mon Apr 13 23:33:36 UTC 2009
State-Changed-Why:
Fix committed to head and stable/7. Thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=130977

From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 14 Apr 2009 17:41:56 +0200
In-Reply-To: <49E39547.201@citrin.ru>
Message-Id: <200904141741.56835.max@love2party.net>
Subject: Re: max-src-conn issue

Hello Anton,

On Monday 13 April 2009 21:40:55 Anton Yuzhaninov wrote:
> It seems that max-src-conn is broken under FreeBSD, and not useful
> to limit incoming connections.
>...
> New state not created, but packets matching the first rule are passed, while
> they should be dropped.
>
> Because of this, a new half-open connection is created (in SYN_RCVD state).
>
> This makes max-src-conn not very useful under FreeBSD - bad guys can eat as
> many sockets as they want on the attacked host, even when the number of connections
> is limited by pf.
>
> $ uname -psv
>
> FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009
> citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC amd64
>
> I have tested the same rules on OpenBSD 4.4 - they work as expected - when the
> limit is reached, packets matched by the first rule are dropped, and no new state is
> created.

This is indeed a problem in FreeBSD. A workaround solution is to use
"synproxy state" instead of a simple "keep state" - this way the connection
won't make it through to the final destination and is blocked at the
firewall.
The fix is a bit intrusive, but I might get to it - could you submit a PR
with your analysis, please? Possibly add if the "synproxy state" workaround
fixes things for you.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Date: Tue, 14 Apr 2009 21:35:10 GMT
Message-Id: <200904142135.n3ELZAtD025040@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/133732: [pf] max-src-conn issue

Synopsis: [pf] max-src-conn issue

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Apr 14 21:35:00 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=133732

Message-ID: <49E72BCC.9000405@accid.net>
Date: Thu, 16 Apr 2009 13:59:56 +0100
From: Andrew Von Cid
To: freebsd-pf@freebsd.org
Subject: pfctl: Cannot allocate memory.

Hi,

I'm running pf with spamd on 7.0-RELEASE and I'm getting:

pfctl: Cannot allocate memory.

when I run spamd-setup -b

It only happens when the spamd table reaches approx 84530 entries. When I
flush the table manually, spamd-setup will work fine for a while (it loaded
75480 entries just now).

As far as I understand by default pf can hold up to 200000 entries in a
table (please correct me if I'm wrong). I'm nowhere near this.

I read somewhere that spamd-setup will load new entries before flushing the
old ones so for some time both old and new entries will be held in the
table, until the old ones are removed. But even then the table shouldn't hit
the size limit.

The machine has 4G of RAM, there is usually around 80M free and 56% of swap
in use. Is it the lack of free memory that's causing this? If so why
wouldn't it use the remaining swap?

Many thanks,
Andrew.

Message-ID: <49E73D36.4020104@citrin.ru>
Date: Thu, 16 Apr 2009 18:14:14 +0400
From: Anton Yuzhaninov
To: freebsd-pf@freebsd.org
In-Reply-To: <49E72BCC.9000405@accid.net>
Subject: Re: pfctl: Cannot allocate memory.

Andrew Von Cid wrote:
> I'm running pf with spamd on 7.0-RELEASE and I'm getting:
>
> pfctl: Cannot allocate memory.
>
> when I run spamd-setup -b
>
> It only happens when the spamd table reaches approx 84530 entries. When
> I flush the table manually, spamd-setup will work fine for a while (it
> loaded 75480 entries just now).
>
> As far as I understand by default pf can hold up to 200000 entries in a
> table (please correct me if I'm wrong).

Better to set this limit explicitly in pf.conf, e. g.
set limit table-entries 200000

--
Anton Yuzhaninov

Message-ID: <49E75B09.2000404@accid.net>
Date: Thu, 16 Apr 2009 17:21:29 +0100
From: Andrew Von Cid
To: Anton Yuzhaninov
Cc: freebsd-pf@freebsd.org
In-Reply-To: <49E73D36.4020104@citrin.ru>
Subject: Re: pfctl: Cannot allocate memory.

> Better to set this limit explicitly in pf.conf, e. g.
>
> set limit table-entries 200000

Thanks Anton, I'll give it a try.

Cheers,
Andrew.
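Closing the archive with an added example that belongs to Anton Yuzhaninov's max-src-conn report earlier in this digest; it is not code from Anton, Max Laier or any other poster. It turns the manual check Anton did by hand (compare `pfctl -vs rule`, `pfctl -s state` and `netstat -np tcp`) into a script: for each source that has reached a rule's max-src-conn limit, it counts pf states against kernel TCP sockets, and reports the source when the kernel holds more sockets than pf has states, which is exactly the SYN_RCVD half-open connection he observed getting through without a state. The sample output embedded below is constructed from the figures in his mail; the local port 22, the regular expressions, and the choice to take the smallest max-src-conn among the rules handed in are the example's own assumptions.

```python
"""Check whether a pf max-src-conn limit is actually being enforced.

Added example for this thread, not code from any poster. Feed it the text
of `pfctl -vs rule`, `pfctl -s state` and `netstat -np tcp`. A source that
sits at the rule's max-src-conn yet owns more kernel sockets than pf
states has connections that got in without a state (the SYN_RCVD leak).
"""
import re
from collections import Counter

# Constructed sample output, copied from the figures posted in the thread.
PFCTL_RULES = """\
pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
  [ Evaluations: 752       Packets: 2         Bytes: 120         States: 3     ]
  [ Inserted: uid 0 pid 98818 ]
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
  [ Evaluations: 2         Packets: 2         Bytes: 128         States: 0     ]
  [ Inserted: uid 0 pid 98818 ]
"""
PFCTL_STATES = """\
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
"""
NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
"""

# Regular expressions are this example's assumptions about the output formats.
IP = r"(\d+\.\d+\.\d+\.\d+)"
STATE_RE = re.compile(r"^\S+\s+tcp\s+" + IP + r":(\d+)\s+(<-|->)\s+" + IP + r":(\d+)")
NETSTAT_RE = re.compile(r"^tcp4\s+\d+\s+\d+\s+" + IP + r"\.(\d+)\s+" + IP + r"\.(\d+)\s+(\S+)")
LIMIT_RE = re.compile(r"max-src-conn (\d+)")
STATES_RE = re.compile(r"States:\s*(\d+)")


def rule_limits(rules_text):
    """Pair every rule carrying max-src-conn with the States counter that
    `pfctl -vs rule` prints on the line after the rule."""
    lines = rules_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = LIMIT_RE.search(line)
        if not m:
            continue
        states = 0
        for nxt in lines[i + 1:i + 3]:
            s = STATES_RE.search(nxt)
            if s:
                states = int(s.group(1))
                break
        found.append({"rule": line.strip(), "max_src_conn": int(m.group(1)),
                      "states": states})
    return found


def states_per_source(states_text, local_port):
    """Count pf states per remote source for connections to local_port.
    With '<-' the initiator is on the right of the arrow, with '->' on the left."""
    counts = Counter()
    for line in states_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        lhost, lport, arrow, rhost, rport = m.groups()
        src, dport = (rhost, int(lport)) if arrow == "<-" else (lhost, int(rport))
        if dport == local_port:
            counts[src] += 1
    return counts


def sockets_per_source(netstat_text, local_port):
    """Count kernel TCP sockets per foreign address on local_port and remember
    the foreign ports that are still half-open (SYN_RCVD)."""
    sockets, half_open = Counter(), {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or int(m.group(2)) != local_port:
            continue
        fhost, fport, state = m.group(3), int(m.group(4)), m.group(5)
        sockets[fhost] += 1
        if state == "SYN_RCVD":
            half_open.setdefault(fhost, []).append(fport)
    return sockets, half_open


def unenforced_limits(rules_text, states_text, netstat_text, local_port):
    """One finding per source that sits at a max-src-conn limit but owns more
    kernel sockets than pf states. Assumes the rules handed in are the ones
    guarding local_port; the smallest limit among them is used."""
    limits = rule_limits(rules_text)
    if not limits:
        return []
    limit = min(r["max_src_conn"] for r in limits)
    pf_states = states_per_source(states_text, local_port)
    sockets, half_open = sockets_per_source(netstat_text, local_port)
    findings = []
    for src, nsock in sorted(sockets.items()):
        nstates = pf_states.get(src, 0)
        if nstates >= limit and nsock > nstates:
            findings.append({"source": src, "limit": limit, "pf_states": nstates,
                             "sockets": nsock,
                             "half_open_ports": sorted(half_open.get(src, []))})
    return findings


if __name__ == "__main__":
    for f in unenforced_limits(PFCTL_RULES, PFCTL_STATES, NETSTAT, 22):
        print("%(source)s: limit %(limit)d, pf states %(pf_states)d, kernel "
              "sockets %(sockets)d, half-open ports %(half_open_ports)s" % f)
```

On the sample data the script reports 81.19.90.156 with 3 pf states, 4 kernel sockets and port 48149 half-open; on the first snapshot in Anton's mail (three ESTABLISHED sockets, no SYN_RCVD) it reports nothing. On a live host, replace the three constants with the captured command output. Max Laier's "synproxy state" workaround is the rule-side answer the thread gives: with pf completing the handshake at the firewall, an over-limit connection is blocked there rather than reaching the host as a half-open socket, so the check above should come back empty.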