From owner-freebsd-pf@FreeBSD.ORG Mon Oct 18 11:07:03 2010
Date: Mon, 18 Oct 2010 11:07:02 GMT
Message-Id: <201010181107.o9IB72r0029400@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

45 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 12 22:21:47 2010
Date: Tue, 12 Oct 2010 14:55:05 -0700 (PDT)
Message-ID: <79341.43349.qm@web30807.mail.mud.yahoo.com>
From: Dánielisz László
To: freebsd-pf@freebsd.org
Subject: FIN_WAIT_2:FIN_WAIT_2 , FIN_WAIT_2:ESTABLISHED

Hi,

I'm behind a FreeBSD pf machine. I'd like to connect to a web page, but it
loads a bit and then it stops. I checked out the pf -s stat and it says
FIN_WAIT_2:ESTABLISHED and FIN_WAIT_2:FIN_WAIT_2 for the connection.
Do you have any idea what's happening?

Thank you!
Laszlo

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 18 18:40:44 2010
Date: Mon, 18 Oct 2010 19:10:44 +0100
From: Ermal Luçi
To: freebsd-pf@freebsd.org, freebsd-net
Subject: [PATCH] pf(4) patch from OpenBSD 4.5

Hello,

the link http://people.freebsd.org/~eri/pf45_1.diff has the patch for
pf(4) as of OpenBSD 4.5 version.
The patch is against HEAD.
After OpenBSD 4.5 the syntax has changed and this is the reason for
such an 'old' version patch.

After importing this one the work will go on the newest version and
decisions on it will then be done.

Be aware that this patch has even support for VIMAGE/VNET.
It will enable you to run pf(4) with[in] jails+vnets or just vnets
themselves with separate rulesets and policies.
pfsync(4) can be loaded as a module also with this patch.

Feedback is very welcome.

Regards,
--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 19 03:47:55 2010
Date: Mon, 18 Oct 2010 22:16:36 -0500
From: Brandon Gooch
To: Ermal Luçi
Cc: freebsd-net, freebsd-pf@freebsd.org
Subject: Re: [PATCH] pf(4) patch from OpenBSD 4.5

On Mon, Oct 18, 2010 at 1:10 PM, Ermal Luçi wrote:
> Hello,
>
> the link http://people.freebsd.org/~eri/pf45_1.diff has the patch for
> pf(4) as of OpenBSD 4.5 version.
> The patch is against HEAD.
> After OpenBSD 4.5 the syntax has changed and this is the reason for
> such an 'old' version patch.
>
> After importing this one the work will go on the newest version and
> decisions on it will then be done.
>
> Be aware that this patch has even support for VIMAGE/VNET.
> It will enable you to run pf(4) with[in] jails+vnets or just vnets
> themselves with separate rulesets
> and policies.
> pfsync(4) can be loaded as a module also with this patch.
>
> Feedback is very welcome.

Should this compile against HEAD? I think we're missing a header:

brandon@x300:~$ cd /usr/src
brandon@x300:/usr/src$ patch < ~/pf45_1.diff
brandon@x300:/usr/src$ cd /usr/src/sys/modules/pf
brandon@x300:modules/pf$ sudo make
Warning: Object directory not changed from original /usr/src/sys/modules/pf
@ -> /usr/src/sys
machine -> /usr/src/sys/amd64/include
echo "#define DEV_PF 1" > opt_pf.h
echo "#define DEV_PFLOG 1" >> opt_pf.h
echo "#define DEV_PFSYNC 1" >> opt_pf.h
echo "#define DEV_PFLOW 1" >> opt_pf.h
echo "#define INET 1" > opt_inet.h
echo "#define INET6 1" > opt_inet6.h
echo "#define DEV_BPF 1" > opt_bpf.h
:> opt_global.h
clang -O2 -pipe -fno-strict-aliasing -D_KERNEL -DKLD_MODULE -nostdinc -I/usr/src/sys/modules/pf/../../contrib/pf -I. -I@ -I@/contrib/altq -fno-common -fno-omit-frame-pointer -mcmodel=kernel -mno-red-zone -mfpmath=387 -mno-sse -mno-sse2 -mno-sse3 -mno-mmx -mno-3dnow -msoft-float -fno-asynchronous-unwind-tables -ffreestanding -fstack-protector -std=iso9899:1999 -fstack-protector -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -c /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c
clang: warning: argument unused during compilation: '-mfpmath=387'
/usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:149:10: fatal error: 'net/if_pflow.h' file not found
#include <net/if_pflow.h>
         ^
1 error generated.
*** Error code 1

Thanks for working on this!

-Brandon

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 19 04:28:18 2010
Date: Mon, 18 Oct 2010 21:15:36 -0700
Message-ID: <4CBD1B68.2040502@laiers.net>
From: Max Laier
To: Brandon Gooch
Cc: freebsd-net, freebsd-pf@freebsd.org
Subject: Re: [PATCH] pf(4) patch from OpenBSD 4.5

On 18.10.2010 20:16, Brandon Gooch wrote:
> On Mon, Oct 18, 2010 at 1:10 PM, Ermal Luçi wrote:
>> Hello,
>>
>> the link http://people.freebsd.org/~eri/pf45_1.diff has the patch for
>> pf(4) as of OpenBSD 4.5 version.
>> The patch is against HEAD.
>> After OpenBSD 4.5 the syntax has changed and this is the reason for
>> such an 'old' version patch.
>>
>> After importing this one the work will go on the newest version and
>> decisions on it will then be done.
>>
>> Be aware that this patch has even support for VIMAGE/VNET.
>> It will enable you to run pf(4) with[in] jails+vnets or just vnets
>> themselves with separate rulesets
>> and policies.
>> pfsync(4) can be loaded as a module also with this patch.
>>
>> Feedback is very welcome.
>
> Should this compile against HEAD? I think we're missing a header:
>
> brandon@x300:~$ cd /usr/src
> brandon@x300:/usr/src$ patch < ~/pf45_1.diff

$ patch -p0 < ~/pf45_1.diff

> brandon@x300:/usr/src$ cd /usr/src/sys/modules/pf
> brandon@x300:modules/pf$ sudo make

Regards,
 Max

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 19 13:39:03 2010
Date: Tue, 19 Oct 2010 08:39:01 -0500
In-Reply-To: <4CBD1B68.2040502@laiers.net>
From: Brandon Gooch
To: Max Laier
Cc: freebsd-net, freebsd-pf@freebsd.org
Subject: Re: [PATCH] pf(4) patch from OpenBSD 4.5

On Mon, Oct 18, 2010 at 11:15 PM, Max Laier wrote:
> On 18.10.2010 20:16, Brandon Gooch wrote:
>>
>> Should this compile against HEAD? I think we're missing a header:
>>
>> brandon@x300:~$ cd /usr/src
>> brandon@x300:/usr/src$ patch < ~/pf45_1.diff
>
> $ patch -p0 < ~/pf45_1.diff
>
>> brandon@x300:/usr/src$ cd /usr/src/sys/modules/pf
>> brandon@x300:modules/pf$ sudo make
>
> Regards,
>  Max

Thanks Max!

-Brandon

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 19 14:27:19 2010
Date: Tue, 19 Oct 2010 10:05:02 -0400
From: Kevin Wilcox
To: freebsd-pf@freebsd.org
Subject: pf + NAT + log

Hi everyone.

I sent this out to freebsd-questions@ yesterday but haven't had any nibbles.

I'm testing NAT on FreeBSD 8.1. My setup is very simple:

My workstation -> { internal network switch } -> FreeBSD 8.1 routing firewall with squid 3 -> { switch going to Internet }

My pf configuration is a bare minimum for passing everything and logging at
every stage I can think of. I'll start filtering after I get this sorted out.

pf.conf:
=======================
ext_if=bge0
int_if=bge1

rdr pass log(all) on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
nat pass log(all) on $ext_if from $int_if:network to any -> ($ext_if)

pass log(all) on $int_if
pass log(all) on $ext_if
=======================

If my internal workstation is 10.201.201.1, the external interface on my
FreeBSD machine is 10.100.100.1 and I ssh to a server at 10.1.1.1, the
connection works. On the server I get a connection on port 22 from the
FreeBSD router on source port 30000. This is confirmed by netstat and
tcpdump on the server.

On the workstation, tcpdump and netstat confirm a connection from the
workstation to the server; destination port is 22, source port is 10000.

On the FreeBSD router, 'pfctl -s s' confirms:

all tcp 10.201.201.1:10000 -> 10.100.100.1:30000 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED

Here is where my problem sits. If I do a tcpdump of the pflog, I get an
entry from my workstation to the server showing communication from port
10000 to port 22. I get an entry from the FreeBSD router to the server,
from port 30000 to port 22. What I don't get, and what I desperately need,
is a way to show that the connection from the FreeBSD router to the server
is on behalf of my workstation.

Have I missed something in the NAT configuration that logs the actual
translations? Can you configure pf to log similar to the output of pfctl
where it shows something like:
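The attribution Kevin is after (which internal host a post-translation entry on $ext_if belongs to) can be recovered offline by joining the log against the state table. The following is an added example, not code from the thread or from pf itself; it assumes the three-address 'pfctl -s state' line format exactly as quoted in the post, and the LogRecord tuples, interface names and second state line are constructed stand-ins for real pflog output.

```python
# Added example (not from the thread): attribute NAT-translated connections to
# the internal host by joining log records against the three-address
# 'pfctl -s state' format quoted in the post. pflog itself is binary pcap;
# LogRecord is a constructed stand-in for what tcpdump prints from pflog0.
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)

class NatState(NamedTuple):
    proto: str
    orig_src: Endpoint   # internal host, as logged on $int_if
    nat_src: Endpoint    # ($ext_if) address/port, as logged on $ext_if
    dst: Endpoint
    status: str          # e.g. ESTABLISHED:ESTABLISHED

class LogRecord(NamedTuple):
    ifname: str
    proto: str
    src: Endpoint
    dst: Endpoint

# Outbound nat state as pfctl printed it in the post: orig -> translated -> dst.
# Two-endpoint (untranslated) and inbound '<-' lines are deliberately skipped.
STATE_RE = re.compile(r"^\S+\s+(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)"
                      r"\s+->\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_state(line: str) -> Optional[NatState]:
    """Return the NatState for one 'pfctl -s state' line, or None."""
    m = STATE_RE.match(line.strip())
    if m is None:
        return None
    proto, a, ap, b, bp, c, cp, status = m.groups()
    return NatState(proto, (a, int(ap)), (b, int(bp)), (c, int(cp)), status)

def build_index(state_lines: List[str]) -> Dict[tuple, NatState]:
    """Key each nat state by (proto, translated src, dst), the view $ext_if logs see."""
    states = (parse_state(line) for line in state_lines)
    return {(s.proto, s.nat_src, s.dst): s for s in states if s is not None}

def attribute(rec: LogRecord, index: Dict[tuple, NatState]) -> Optional[Endpoint]:
    """Internal endpoint behind a logged connection, or None if no state matches."""
    st = index.get((rec.proto, rec.src, rec.dst))   # post-translation record
    if st is not None:
        return st.orig_src
    for st in index.values():                        # pre-translation record
        if (st.proto, st.orig_src, st.dst) == (rec.proto, rec.src, rec.dst):
            return rec.src
    return None

def annotate(records: List[LogRecord], state_lines: List[str]) -> List[str]:
    """Render each log record with the internal host it acts on behalf of."""
    index = build_index(state_lines)
    out = []
    for r in records:
        who = attribute(r, index)
        out.append("%s %s %s:%d -> %s:%d on behalf of %s" % (
            r.ifname, r.proto, *r.src, *r.dst, "%s:%d" % who if who else "unknown"))
    return out

# Constructed sample: the state line from the post plus one unrelated state.
SAMPLE_STATES = [
    "all tcp 10.201.201.1:10000 -> 10.100.100.1:30000 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED",
    "all udp 10.201.201.7:5353 -> 10.100.100.1:61000 -> 10.1.1.53:53       MULTIPLE:SINGLE",
]
# Constructed log records: pre-translation on bge1, post-translation on bge0,
# and one external connection with no matching state.
SAMPLE_LOG = [
    LogRecord("bge1", "tcp", ("10.201.201.1", 10000), ("10.1.1.1", 22)),
    LogRecord("bge0", "tcp", ("10.100.100.1", 30000), ("10.1.1.1", 22)),
    LogRecord("bge0", "tcp", ("10.100.100.1", 40000), ("10.1.1.9", 443)),
]
```

Because the join key is the translated tuple, an external-side record with no matching state (a stale log, or a state already expired) is reported as unknown rather than guessed, which is the case to watch for when doing this after the fact.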