From owner-freebsd-pf@FreeBSD.ORG Mon Mar 25 11:06:48 2013
Date: Mon, 25 Mar 2013 11:06:47 GMT
Message-Id: <201303251106.r2PB6lve007244@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/176763  pf    [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o kern/173659  pf    [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

50 problems total.

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 28 14:10:02 2013
Message-ID: <51544DAF.7000203@incore.de>
Date: Thu, 28 Mar 2013 15:03:27 +0100
From: Andreas Longwitz
To: Ermal Luçi, freebsd-pf@freebsd.org
Subject: Re: [patch] Reloading pf rules breaks connections on lo0
References: <5134C218.6060701@incore.de> <5149BE75.3040308@incore.de> <5149E3A8.3020608@incore.de>

Ermal Luçi wrote:
>
> I say intended because that is how it behaves upstream.
> By introducing another unneeded option you introduce another hack on
> top of the already hackish 'set skip' one.
>
> The correct 'fix' for it to behave correctly is to fetch the interface
> list from pf(4) and verify if something needs to be cleared or not.
> You can call pfi_get_ifaces and compare it with the defined 'set skip'
> rules.
>
> That is easier than adding a new option.
>

I agree with your statements completely. The following patch for pfctl.c
solves the lo0 breaking problem for me without introducing a new option.
The patched pfctl clears the skip flag exactly for those currently skipped
interfaces that are no longer included in the new pf.conf.

--- pfctl.c.orig 2013-01-14 15:17:48.000000000 +0100 +++ pfctl.c 2013-03-27 22:01:37.000000000 +0100 @@ -67,6 +67,9 @@ int pfctl_enable(int, int); int pfctl_disable(int, int); int pfctl_clear_stats(int, int); +int pfctl_get_skip_ifaces(void); +int pfctl_check_skip_ifaces(char *); +int pfctl_clear_skip_ifaces(struct pfctl *); int pfctl_clear_interface_flags(int, int); int pfctl_clear_rules(int, int, char *); int pfctl_clear_nat(int, int, char *);
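Review bot: the three prototypes added in the @@ -67 hunk give pfctl_check_skip_ifaces() and pfctl_clear_skip_ifaces() an int return type, but both bodies in the @@ -296 hunk end in an unconditional `return (0);` and neither call site in the @@ -1437 and @@ -1861 hunks looks at the value; declare them void so a reader does not go looking for an error path that is not there. Since all three new functions are referenced only from pfctl.c, they can also be `static`, consistent with the `static void radix_perror(void);` declaration the patch adds.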
@@ -101,10 +104,13 @@ struct pf_ruleset *, int, int); int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int); const char *pfctl_lookup_option(char *, const char **); +static void radix_perror(void); struct pf_anchor_global pf_anchors; struct pf_anchor pf_main_anchor; +struct pfr_buffer skip_b; + const char *clearopt; char *rulesopt; const char *showopt; @@ -296,6 +302,53 @@ return (0); } +void +radix_perror(void) +{ + extern char *__progname; + fprintf(stderr, "%s: %s.\n", __progname, pfr_strerror(errno)); +} + +int +pfctl_get_skip_ifaces(void) +{ + bzero(&skip_b, sizeof(skip_b)); + skip_b.pfrb_type = PFRB_IFACES; + for (;;) { + pfr_buf_grow(&skip_b, skip_b.pfrb_size); + skip_b.pfrb_size = skip_b.pfrb_msize; + if (pfi_get_ifaces(NULL, skip_b.pfrb_caddr, &skip_b.pfrb_size)) { + radix_perror(); + return (1); + } + if (skip_b.pfrb_size <= skip_b.pfrb_msize) + break; + } + return (0); +} + +int +pfctl_check_skip_ifaces(char *ifname) +{ + struct pfi_kif *p; + + PFRB_FOREACH(p, &skip_b) + if ((p->pfik_flags & PFI_IFLAG_SKIP) && !strcmp(ifname, p->pfik_name)) + p->pfik_flags &= ~PFI_IFLAG_SKIP; + return (0); +} + +int +pfctl_clear_skip_ifaces(struct pfctl *pf) +{ + struct pfi_kif *p; + + PFRB_FOREACH(p, &skip_b) + if (p->pfik_flags & PFI_IFLAG_SKIP) + pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0); + return (0); +} + int pfctl_clear_interface_flags(int dev, int opts) { @@ -1437,6 +1490,8 @@ else goto _error; } + if (loadopt & PFCTL_FLAG_OPTION) + pfctl_clear_skip_ifaces(&pf); if ((pf.loadopt & PFCTL_FLAG_FILTER && (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) || @@ -1861,6 +1916,7 @@ } else { if (ioctl(pf->dev, DIOCSETIFFLAG, &pi)) err(1, "DIOCSETIFFLAG"); + pfctl_check_skip_ifaces(ifname); } } return (0); 
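Review bot: in the @@ -296 hunk, pfctl_get_skip_ifaces() ignores the return value of pfr_buf_grow(); when the grow fails, pfrb_msize is unchanged, pfrb_size is reset to that same value, pfi_get_ifaces() again reports that more room is needed, and the `for (;;)` never terminates. Check the result and fail the way the pfi_get_ifaces() branch already does:
    if (pfr_buf_grow(&skip_b, skip_b.pfrb_size)) { radix_perror(); return (1); }
Two smaller points in the same hunk: radix_perror() is declared `static` in the @@ -101 hunk but defined here without it, and skip_b is never released once pfctl_clear_skip_ifaces() has walked it; harmless for a one-shot pfctl invocation, but a pfr_buf_clear(&skip_b) after the clear keeps the buffer's lifetime obvious.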
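Review bot: the @@ -1437 hunk needs a comment stating why the clear is placed after the parse and before pfctl_load_ruleset(): by then the `set skip on` entries of the new pf.conf have already been pushed to the kernel through pfctl_set_interface_flags(), so only interfaces that were skipped before and are not named in the new file lose the flag, and an interface such as lo0 never passes through an unskipped state during the reload; that ordering is the whole fix, and anyone moving the two lines will silently reintroduce the old clear-everything-then-set window. The guard is also looser than the one that fills skip_b: here it is `loadopt & PFCTL_FLAG_OPTION`, while the @@ -2340 hunk only calls pfctl_get_skip_ifaces() when `rulesopt != NULL` and `!anchorname[0]`. For an anchor load skip_b is therefore the zero-initialised file-scope buffer and PFRB_FOREACH walks nothing, which happens to be the right outcome but is accidental; either reuse the same condition here or say in a comment that an empty buffer is relied upon.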
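Review bot: the pfctl_check_skip_ifaces(ifname) call added in the @@ -1861 hunk drops a snapshot entry only on an exact strcmp() match with the name from pf.conf, so it is worth confirming what pfi_get_ifaces() reports when `set skip on` names an interface group: if the kernel also flags the member interfaces, those members remain flagged in skip_b, are not named in the new file, and would be cleared by pfctl_clear_skip_ifaces() on the next reload, which is the lo0 symptom this patch is meant to remove, just reached by another route. A reload test with a group name in `set skip` before this is pushed would settle it. Separately, the call is made for whatever flag pfctl_set_interface_flags() was asked to set; pass `flags` through and only touch the snapshot when `flags & PFI_IFLAG_SKIP`, so the bookkeeping stays correct if another interface flag is ever set through this path.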
@@ -2340,7 +2396,7 @@ } if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) && !anchorname[0]) - if (pfctl_clear_interface_flags(dev, opts | PF_OPT_QUIET)) + if (pfctl_get_skip_ifaces()) error = 1; if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&

--
Andreas Longwitz

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 28 16:31:33 2013
Date: Thu, 28 Mar 2013 17:31:32 +0100
In-Reply-To: <51544DAF.7000203@incore.de>
References: <5134C218.6060701@incore.de> <5149BE75.3040308@incore.de> <5149E3A8.3020608@incore.de> <51544DAF.7000203@incore.de>
Subject: Re: [patch] Reloading pf rules breaks connections on lo0
From: Ermal Luçi
To: Andreas Longwitz
Cc: freebsd-pf@freebsd.org

On Thu, Mar 28, 2013 at 3:03 PM, Andreas Longwitz wrote:
> Ermal Luçi wrote:
> >
> > I say intended because that is how it behaves upstream.
> > By introducing another unneeded option you introduce another hack on
> > top of the already hackish 'set skip' one.
> >
> > The correct 'fix' for it to behave correctly is to fetch the interface
> > list from pf(4) and verify if something needs to be cleared or not.
> > You can call pfi_get_ifaces and compare it with the defined 'set skip'
> > rules.
> >
> > That is easier than adding a new option.
> >
> I agree with your statements completely. The following patch for pfctl.c
> solves the lo0 breaking problem for me without introducing a new option.
> The patched pfctl clears the skip flag exactly for those currently skipped
> interfaces that are no longer included in the new pf.conf.
>
> --- pfctl.c.orig 2013-01-14 15:17:48.000000000 +0100 > +++ pfctl.c 2013-03-27 22:01:37.000000000 +0100 > @@ -67,6 +67,9 @@ > int pfctl_enable(int, int); > int pfctl_disable(int, int); > int pfctl_clear_stats(int, int); > +int pfctl_get_skip_ifaces(void); > +int pfctl_check_skip_ifaces(char *); > +int pfctl_clear_skip_ifaces(struct pfctl *); > int pfctl_clear_interface_flags(int, int); > int pfctl_clear_rules(int, int, char *); > int pfctl_clear_nat(int, int, char *);
> @@ -101,10 +104,13 @@ > struct pf_ruleset *, int, int); > int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int); > const char *pfctl_lookup_option(char *, const char **); > +static void radix_perror(void); > > struct pf_anchor_global pf_anchors; > struct pf_anchor pf_main_anchor; > > +struct pfr_buffer skip_b; > any reason this is not static? > + > const char *clearopt; > char *rulesopt; > const char *showopt; > @@ -296,6 +302,53 @@ > return (0); > } > > +void > +radix_perror(void) > +{ > Why do you need the extra function? If any reason can you redo the patch with a pfctl_ prepended and a better naming? > + extern char *__progname; > + fprintf(stderr, "%s: %s.\n", __progname, pfr_strerror(errno)); > +} > + > +int > +pfctl_get_skip_ifaces(void) > +{ > + bzero(&skip_b, sizeof(skip_b)); > + skip_b.pfrb_type =3D PFRB_IFACES; > + for (;;) { > + pfr_buf_grow(&skip_b, skip_b.pfrb_size); > + skip_b.pfrb_size =3D skip_b.pfrb_msize; > + if (pfi_get_ifaces(NULL, skip_b.pfrb_caddr, &skip_b.pfrb_size)) { > + radix_perror(); > + return (1); > + } > + if (skip_b.pfrb_size <=3D skip_b.pfrb_msize) > + break; > + } > + return (0); > +} > + > +int > +pfctl_check_skip_ifaces(char *ifname) > +{ > + struct pfi_kif *p; > + > + PFRB_FOREACH(p, &skip_b) > + if ((p->pfik_flags & PFI_IFLAG_SKIP) && !strcmp(ifname, > p->pfik_name)) > + p->pfik_flags &=3D ~PFI_IFLAG_SKIP; > + return (0); > +} > + > +int > +pfctl_clear_skip_ifaces(struct pfctl *pf) > +{ > + struct pfi_kif *p; > + > + PFRB_FOREACH(p, &skip_b) > + if (p->pfik_flags & PFI_IFLAG_SKIP) > + pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0); > + return (0); > +} > + > int > pfctl_clear_interface_flags(int dev, int opts) > { > @@ -1437,6 +1490,8 @@ > else > goto _error; > } > + if (loadopt & PFCTL_FLAG_OPTION) > + pfctl_clear_skip_ifaces(&pf); > > if ((pf.loadopt & PFCTL_FLAG_FILTER && > (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) || 
> @@ -1861,6 +1916,7 @@ > } else { > if (ioctl(pf->dev, DIOCSETIFFLAG, &pi)) > err(1, "DIOCSETIFFLAG"); > + pfctl_check_skip_ifaces(ifname); > } > } > return (0); > @@ -2340,7 +2396,7 @@ > } > if ((rulesopt !=3D NULL) && (loadopt & PFCTL_FLAG_OPTION) && > !anchorname[0]) > - if (pfctl_clear_interface_flags(dev, opts | PF_OPT_QUIET)) > + if (pfctl_get_skip_ifaces()) > error =3D 1; > > if (rulesopt !=3D NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &= & > > > -- > Andreas Longwitz > > Looks ok. Can you make the changes so i can push it? --=20 Ermal
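Review bot: on the last hunk of Andreas' patch (@@ -2340, quoted above), the replaced pfctl_clear_interface_flags() call received `opts | PF_OPT_QUIET`, whereas pfctl_get_skip_ifaces() takes no options at all, so the kernel interface query through pfi_get_ifaces() now happens on every rules load, including a `-n` dry run (PF_OPT_NOACTION, which the very next `if` in the same hunk honours), and any failure is both printed by radix_perror() and turned into `error = 1`; PF_OPT_QUIET is lost entirely. Pass opts into pfctl_get_skip_ifaces() and skip the query (or at least the error output) under those flags, or guard the call with the same `!(opts & PF_OPT_NOACTION)` test used below it.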
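To make the ordering argument of this thread concrete, here is an added C example; it is not part of either mail and not pfctl code. It models one `pfctl -f pf.conf` reload against a constructed in-memory stand-in for the kernel's interface table and counts how often an interface that is skipped both before and after the reload has its skip flag cleared, which is the window during which pf starts filtering lo0. The pre-patch sequence (clear every skip flag, then set the new ones) and the patched sequence (snapshot the list, set the new ones, clear only stale entries) are run on the same input. `struct kif`, `struct kernel`, the function names and the sample interfaces are invented for the model; only PFI_IFLAG_SKIP and the snapshot/set/clear structure come from the patch.

```c
/* Added example: models the skip-flag handling of a pf rules reload.
 * Not pfctl code; the kernel table, interface names and helpers are constructed. */
#include <stdio.h>
#include <string.h>

#define PFI_IFLAG_SKIP 0x0100   /* the pf skip bit; only its identity matters here */
#define NAMESZ         16
#define MAX_IFACES     8

struct kif {                    /* stand-in for the name/flags fields of struct pfi_kif */
    char name[NAMESZ];
    int  flags;
};

struct kernel {                 /* constructed stand-in for the kernel interface table */
    struct kif ifs[MAX_IFACES];
    int        n;
    int        gaps;            /* skip clears on an interface the new config still skips */
};

static struct kif *
kfind(struct kernel *k, const char *name)
{
    for (int i = 0; i < k->n; i++)
        if (strcmp(k->ifs[i].name, name) == 0)
            return &k->ifs[i];
    return NULL;
}

static int
in_list(const char *name, const char *const *list, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/* Stand-in for DIOCSETIFFLAG (on=1) / DIOCCLRIFFLAG (on=0) on the skip bit.
 * newskip is passed only for accounting: clearing skip on an interface the
 * new pf.conf still wants skipped opens a gap in which that interface is filtered. */
static void
kset_skip(struct kernel *k, const char *name, const char *const *newskip, int nnew, int on)
{
    struct kif *p = kfind(k, name);
    if (p == NULL)
        return;
    if (on) {
        p->flags |= PFI_IFLAG_SKIP;
    } else {
        if ((p->flags & PFI_IFLAG_SKIP) && in_list(name, newskip, nnew))
            k->gaps++;
        p->flags &= ~PFI_IFLAG_SKIP;
    }
}

/* Pre-patch flow: clear skip on every interface, then set the new ones. Returns gaps. */
int
reload_clear_then_set(struct kernel *k, const char *const *newskip, int nnew)
{
    k->gaps = 0;
    for (int i = 0; i < k->n; i++)
        kset_skip(k, k->ifs[i].name, newskip, nnew, 0);
    for (int i = 0; i < nnew; i++)
        kset_skip(k, newskip[i], newskip, nnew, 1);
    return k->gaps;
}

/* Patched flow: snapshot the table (pfctl_get_skip_ifaces), set each new skip
 * interface and drop it from the snapshot (pfctl_check_skip_ifaces), then clear
 * whatever is still flagged in the snapshot (pfctl_clear_skip_ifaces). Returns gaps. */
int
reload_set_then_clear(struct kernel *k, const char *const *newskip, int nnew)
{
    struct kif snap[MAX_IFACES];
    memcpy(snap, k->ifs, sizeof(snap));
    k->gaps = 0;
    for (int i = 0; i < nnew; i++) {
        kset_skip(k, newskip[i], newskip, nnew, 1);
        for (int j = 0; j < k->n; j++)
            if ((snap[j].flags & PFI_IFLAG_SKIP) && strcmp(snap[j].name, newskip[i]) == 0)
                snap[j].flags &= ~PFI_IFLAG_SKIP;
    }
    for (int j = 0; j < k->n; j++)
        if (snap[j].flags & PFI_IFLAG_SKIP)
            kset_skip(k, snap[j].name, newskip, nnew, 0);
    return k->gaps;
}

/* Constructed starting state: the old pf.conf had "set skip on { lo0 em1 }". */
static void
sample_kernel(struct kernel *k)
{
    static const struct kif init[] = {
        { "lo0", PFI_IFLAG_SKIP }, { "em0", 0 }, { "em1", PFI_IFLAG_SKIP }, { "em2", 0 },
    };
    memset(k, 0, sizeof(*k));
    memcpy(k->ifs, init, sizeof(init));
    k->n = 4;
}

int
skipped(struct kernel *k, const char *name)
{
    struct kif *p = kfind(k, name);
    return p != NULL && (p->flags & PFI_IFLAG_SKIP) != 0;
}

/* Run the constructed scenario (new pf.conf: "set skip on { lo0 em2 }") once. */
static int
run_scenario(int patched, struct kernel *k)
{
    static const char *const newskip[] = { "lo0", "em2" };
    sample_kernel(k);
    return patched ? reload_set_then_clear(k, newskip, 2)
                   : reload_clear_then_set(k, newskip, 2);
}

int
scenario_gaps(int patched)
{
    struct kernel k;
    return run_scenario(patched, &k);
}

/* 1 when the final kernel state matches the new config, 0 otherwise. */
int
scenario_final_ok(int patched)
{
    struct kernel k;
    run_scenario(patched, &k);
    return skipped(&k, "lo0") && skipped(&k, "em2") && !skipped(&k, "em0") && !skipped(&k, "em1");
}

int
main(void)
{
    printf("clear-then-set: gaps=%d final_ok=%d\n", scenario_gaps(0), scenario_final_ok(0));
    printf("set-then-clear: gaps=%d final_ok=%d\n", scenario_gaps(1), scenario_final_ok(1));
    return 0;
}
```

Both flows end in the same state (lo0 and em2 skipped, em1 no longer skipped), but only the pre-patch flow clears lo0 on the way there; that single transient clear is what the subject line of the thread describes. The model matches snapshot entries by exact name, as the patch does, so it says nothing about how the kernel reports interface-group members.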