From owner-freebsd-pf@FreeBSD.ORG Mon Feb 24 11:06:54 2014
Date: Mon, 24 Feb 2014 11:06:54 GMT
Message-Id: <201402241106.s1OB6s8R027636@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/182401  pf         [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf         [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

54 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 3 11:06:50 2014
Date: Mon, 3 Mar 2014 11:06:49 GMT
Message-Id: <201403031106.s23B6njP008604@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

[Same 54 entries as in the report of Mon, 24 Feb 2014.]

54 problems total.

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 21:03:03 2014
Date: Fri, 07 Mar 2014 16:03:01 -0500
Message-ID: <531A3405.6090903@pix.net>
From: Kurt Lidl
To: freebsd-pf@freebsd.org
Subject: http://www.freebsd.org/cgi/query-pr.cgi?pr=187224

Any chance that someone could review this bug and fix it? It makes the
daily pf logging much less needlessly verbose.

Thanks.

-Kurt

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 9 11:38:45 2014
Date: Sun, 09 Mar 2014 11:38:40 +0000
Message-ID: <531C52C0.9010007@foobar.org>
From: Nick Hilliard
To: freebsd-pf@freebsd.org
Subject: pfctl: DIOCSETLIMIT

I have a vanilla freebsd 10.0-RELEASE system running pf with a trivial
configuration (see below). When I attempt to load the configuration, it
returns:

> # /sbin/pfctl -f /etc/pf.conf
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCSETLIMIT

As a result, no rules are loaded. I patched pfctl to show which
index/limit it was failing on:

> # ./pfctl-custom -f /etc/pf.conf
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCSETLIMIT: index 4, limit 200000

index 4 refers to PF_LIMIT_TABLE_ENTRIES. I tested this out with a lower
limit using "set limit table-entries 50" in pf.conf but it failed with
the same error:

> # ./pfctl-custom -f /etc/pf.conf
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCSETLIMIT: index 4, limit 50

The UMA zone limits look like this:

> # vmstat -z | egrep -i '(entries|limit)'
> ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
> pf table entries:       160,      0,       2,     123,       2,   0,   0
> pf frag entries:         32,   5000,       0,       0,       0,   0,   0

Does anyone have any ideas why this might be failing?
Nick

box config:

> # grep "real memory" /var/run/dmesg.boot
> real memory  = 8589934592 (8192 MB)
> # uname -a
> FreeBSD pancake.netability.ie 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

/etc/pf.conf:

> ext_if="vlan112"
> icmp_types_ipv4 = "echoreq"
> set block-policy drop
> set skip on lo0
> set skip on vlan200
> set skip on vlan250
> table persist
> scrub in inet all
> block in quick on $ext_if from to any
> block in log on $ext_if inet all
> pass out on $ext_if inet all keep state
> pass in on $ext_if inet proto icmp all icmp-type $icmp_types_ipv4 keep state
> pass in on $ext_if inet proto udp from any to any port { 33433 >< 33626 }
> pass in on $ext_if proto tcp from any to { $ext_if } port ssh flags S/SA keep state
> pass in on $ext_if proto tcp from any to any port domain flags S/SA keep state
> pass in on $ext_if proto udp from any to any port domain
> pass in on $ext_if proto udp from any to any port ntp

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 10 11:06:50 2014
Date: Mon, 10 Mar 2014 11:06:50 GMT
Message-Id: <201403101106.s2AB6oB2043302@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

[Same 54 entries as in the report of Mon, 24 Feb 2014.]

54 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 11:06:50 2014
Date: Mon, 17 Mar 2014 11:06:50 GMT
Message-Id: <201403171106.s2HB6omc011348@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

[Same 54 entries as in the report of Mon, 24 Feb 2014.]

54 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 18 17:44:03 2014
Date: Tue, 18 Mar 2014 23:43:53 +0600
Message-ID: <532885D9.6080109@norma.perm.ru>
From: "Eugene M. Zheganin"
To: freebsd-pf@freebsd.org
Subject: ecn/red

Hi.

Is ECN implemented in FreeBSD? What do I need to turn it on? Does it work
in conjunction with fp/RED? I see sysctl oid, but I have a strong
impression that it should be used with pf. On the other hand, I have a
working set of HFSC queues - do I need to turn on this sysctl oid?

Thanks.
Eugene.
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 24 11:06:50 2014
Date: Mon, 24 Mar 2014 11:06:49 GMT
Message-Id: <201403241106.s2OB6nCT013943@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

[Same 54 entries as in the report of Mon, 24 Feb 2014.]

54 problems total.

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 28 13:55:17 2014
To: freebsd-pf@freebsd.org
From: Nicholas Riley Subject: Re: pf + NAT + ICMP issues? Date: Fri, 28 Mar 2014 08:53:49 -0500 Organization: University of Illinois College of Medicine at Urbana-Champaign Lines: 12 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: c-98-212-192-10.hsd1.il.comcast.net User-Agent: MT-NewsWatcher/3.5.3b3 (Intel Mac OS X) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Mar 2014 13:55:17 -0000 In article , Daniel Engberg wrote: > Tried that and no go, actually allowing all types of ICMP doesn't seem > to help either so I guess it might be something within pf? Does anyone > have this working on HEAD? Have you had any luck with this since? I just tried pf on HEAD and am running into NAT breakage, including the "first ping lost" issue you documented. natd/ipfw works fine on the same machine. 
-- 
Nicholas Riley

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 29 06:50:23 2014
Message-ID: <53366B85.3020002@soliddataservices.com>
Date: Fri, 28 Mar 2014 23:43:17 -0700
From: Matt Lager
To: freebsd-pf@freebsd.org
Subject: Controlling traffic between jails on the same host

The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 3
jails on it. The host and each jail are assigned a public IP address. The
host runs PF that controls inbound and outbound traffic for itself and its
jails. All works really nicely. Here's a basic diagram:

PF does a really good job controlling traffic to and from remote systems.
I have recently come across the need to limit traffic from jails on the
host to other jails on the same host. I.E. HostA-JailA needs to not be
able to communicate with HostA-JailB. What I am seeing, however, is that
because all these jails share a single interface, the traffic must not be
going through PF as it is just seen as local traffic.

I briefly tried to bring up a jail on another interface (lo1 for example)
and use NAT to provide it with its connectivity, but even then the local
traffic was still not filterable.

There's got to be a way, but my brain hasn't thought of it yet. Any
advice would be amazing, thanks so much ahead of time!

--Matt

-- 
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 29 09:31:26 2014
Message-ID: <533692E0.6000104@gmail.com>
Date: Sat, 29 Mar 2014 10:31:12 +0100
From: Mikal Sande
To: freebsd-pf@freebsd.org
Subject: Re: Controlling traffic between jails on the same host
In-Reply-To: <53366B85.3020002@soliddataservices.com>

On 03/29/2014 07:43 AM, Matt Lager wrote:
> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with
> 3 jails on it. The host and each jail are assigned a public IP
> address. The host runs PF that controls inbound and outbound traffic
> for itself and its jails. All works really nicely. Here's a basic
> diagram:
>
> PF does a really good job controlling traffic to and from remote
> systems. I have recently come across the need to limit traffic from
> jails on the host to other jails on the same host. I.E. HostA-JailA
> needs to not be able to communicate with HostA-JailB. What I am
> seeing, however, is that because all these jails share a single
> interface, the traffic must not be going through PF as it is just seen
> as local traffic.
>
> I briefly tried to bring up a jail on another interface (lo1 for
> example) and use NAT to provide it with its connectivity, but even
> then the local traffic was still not filterable.
>
> There's got to be a way, but my brain hasn't thought of it yet. Any
> advice would be amazing, thanks so much ahead of time!
>
> --Matt
>

Do you have rules that allow all traffic on loopback, or do you have
'set skip on lo0' or something in your pf.conf? I had the latter set
last time I tried to limit traffic between jails; it took me a little
time to realize it.

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 29 11:22:53 2014
Date: Sat, 29 Mar 2014 13:22:38 +0200
From: wishmaster
Subject: Re: Controlling traffic between jails on the same host
To: Matt Lager
Cc: freebsd-pf@freebsd.org
Message-Id: <1396090896.265476232.r0xv69g2@frv34.fwdcdn.com>
In-Reply-To: <53366B85.3020002@soliddataservices.com>

--- Original message ---
From: "Matt Lager"
Date: 29 March 2014, 08:50:27

> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 3
> jails on it. The host and each jail are assigned a public IP address.
> The host runs PF that controls inbound and outbound traffic for itself
> and its jails. All works really nicely. Here's a basic diagram:
>
> PF does a really good job controlling traffic to and from remote systems.
> I have recently come across the need to limit traffic from jails on the
> host to other jails on the same host. I.E. HostA-JailA needs to not be
> able to communicate with HostA-JailB. What I am seeing, however, is that
> because all these jails share a single interface, the traffic must not
> be going through PF as it is just seen as local traffic.
>
> I briefly tried to bring up a jail on another interface (lo1 for
> example) and use NAT to provide it with its connectivity, but even then
> the local traffic was still not filterable.
>
> There's got to be a way, but my brain hasn't thought of it yet. Any
> advice would be amazing, thanks so much ahead of time!
>

I had the same problem and have switched to vnet. With vnet you will be
able to have an internal network and communicate with the base host, other
jails and the world via an epair switch. In jails you can completely
disable pf and do traffic filtering on each epair*a interface. But I don't
know how stable pf is with the virtualized network stack (question to
glebius@ ?). I use ipfw.

There is one more important factor: traffic shaping and prioritization.
If your base host works as a router for a LAN and has some services in
vnet jails, you can easily divide and prioritize the Internet link among
jailed services and LAN users.

-- 
Cheers,
Vitaliy

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 29 18:05:35 2014
Message-ID: <53370BE0.20806@soliddataservices.com>
Date: Sat, 29 Mar 2014 11:07:28 -0700
From: Matt Lager
To: freebsd-pf@freebsd.org
Subject: Re: Controlling traffic between jails on the same host
In-Reply-To: <533692E0.6000104@gmail.com>

That was it, lo0 was the answer and I had set skip on lo0. For some
reason, that's in every freaking pf.conf example out there so I never
gave it a second thought. Thanks :)

On 3/29/2014 2:31 AM, Mikal Sande wrote:
> On 03/29/2014 07:43 AM, Matt Lager wrote:
>> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with
>> 3 jails on it. The host and each jail are assigned a public IP
>> address. The host runs PF that controls inbound and outbound traffic
>> for itself and its jails. All works really nicely. Here's a basic
>> diagram:
>>
>> PF does a really good job controlling traffic to and from remote
>> systems. I have recently come across the need to limit traffic from
>> jails on the host to other jails on the same host. I.E. HostA-JailA
>> needs to not be able to communicate with HostA-JailB. What I am
>> seeing, however, is that because all these jails share a single
>> interface, the traffic must not be going through PF as it is just
>> seen as local traffic.
>>
>> I briefly tried to bring up a jail on another interface (lo1 for
>> example) and use NAT to provide it with its connectivity, but even
>> then the local traffic was still not filterable.
>>
>> There's got to be a way, but my brain hasn't thought of it yet. Any
>> advice would be amazing, thanks so much ahead of time!
>>
>> --Matt
>>
> Do you have rules that allow all traffic on loopback, or do you have
> 'set skip on lo0' or something in your pf.conf? I had the latter set
> last time I tried to limit traffic between jails; it took me a little
> time to realize it.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

-- 
Solid Data Services
Matt Lager / President
*Office:* 480-351-5122
*Mobile:* 501-269-8606
www.SolidDataServices.com

This e-mail message may contain confidential or legally privileged
information and is intended only for the use of the intended recipient(s).
Any unauthorized disclosure, dissemination, distribution, copying or the
taking of any action in reliance on the information herein is prohibited.
E-mails are not secure and cannot be guaranteed to be error free as they
can be intercepted, amended, or contain viruses. Anyone who communicates
with us by e-mail is deemed to have accepted these risks. Solid Data
Services is not responsible for errors or omissions in this message and
denies any responsibility for any damage arising from the use of e-mail.
Any opinion and other statement contained in this message and any
attachment are solely those of the author and do not necessarily represent
those of the company.
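What the finding in this exchange looks like in a ruleset, as an added example and not a pf.conf posted on the list: the interface name, the host address and the three jail addresses are placeholders (TEST-NET-2), and the external rules at the end are only there to show where the lo0 rules sit relative to the rest.

```pf
# Added example, not a pf.conf from the list. Interface and addresses are
# placeholders (TEST-NET-2); substitute the host's and jails' real IPs.
ext_if  = "em0"
host_ip = "198.51.100.10"
jail_a  = "198.51.100.11"
jail_b  = "198.51.100.12"
jail_c  = "198.51.100.13"
table <jails> const { $jail_a, $jail_b, $jail_c }

# The weak setting from the thread. Traffic between two addresses that both
# live on this host never leaves the kernel: it is delivered over lo0, so
# skipping lo0 means pf never evaluates jail-to-jail packets at all.
#set skip on lo0

# Corrected: lo0 is filtered like any other interface. Ordinary loopback
# traffic keeps working (pass rules keep state by default).
pass quick on lo0 inet  from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 inet6 from ::1 to ::1

# The host may still reach its jails and the jails the host (DNS, syslog,
# monitoring on the host address).
pass quick on lo0 from $host_ip to <jails>
pass quick on lo0 from <jails> to $host_ip

# A jail may still talk to its own address. Without these lines the block
# below would also break services inside one jail that connect to each
# other over the jail IP, because that traffic is <jails> to <jails> too.
pass quick on lo0 from $jail_a to $jail_a
pass quick on lo0 from $jail_b to $jail_b
pass quick on lo0 from $jail_c to $jail_c

# The actual requirement: jails on this host must not talk to each other.
# "log" makes the attempts visible with tcpdump on pflog0.
block drop log quick on lo0 from <jails> to <jails>

# Anything else on lo0 (for example the host talking to its own public
# address) falls through to pf's default pass, as before.

# External side, illustrative only; the original setup's rules go here.
block drop log on $ext_if all
pass out quick on $ext_if from { $host_ip, <jails> } to any
pass in  quick on $ext_if proto tcp from any to <jails> port { 80, 443 }
pass in  quick on $ext_if proto tcp from any to $host_ip port 22
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `pfctl -sr` afterwards that the lo0 rules are present; if `set skip on lo0` is still in effect anywhere in the file, they will never match.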
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 29 19:17:18 2014
Message-ID: <53371CAE.2090804@soliddataservices.com>
Date: Sat, 29 Mar 2014 12:19:10 -0700
From: Matt Lager
To: freebsd-pf@freebsd.org
Subject: Re: Controlling traffic between jails on the same host
In-Reply-To: <53370BE0.20806@soliddataservices.com>

Any particular reason pfctl -f /etc/pf.conf takes about a minute to reload
when I remove "set skip on { lo0 }"? It eventually reloads, but I can't
figure out what it's trying to do; I haven't even put any rules in yet.

On 3/29/2014 11:07 AM, Matt Lager wrote:
> That was it, lo0 was the answer and I had set skip on lo0. For some
> reason, that's in every freaking pf.conf example out there so I never
> gave it a second thought. Thanks :)
>
> On 3/29/2014 2:31 AM, Mikal Sande wrote:
>> On 03/29/2014 07:43 AM, Matt Lager wrote:
>>> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host
>>> with 3 jails on it. The host and each jail are assigned a public IP
>>> address. The host runs PF that controls inbound and outbound traffic
>>> for itself and its jails. All works really nicely. Here's a basic
>>> diagram:
>>>
>>> PF does a really good job controlling traffic to and from remote
>>> systems. I have recently come across the need to limit traffic from
>>> jails on the host to other jails on the same host. I.E. HostA-JailA
>>> needs to not be able to communicate with HostA-JailB. What I am
>>> seeing, however, is that because all these jails share a single
>>> interface, the traffic must not be going through PF as it is just
>>> seen as local traffic.
>>>
>>> I briefly tried to bring up a jail on another interface (lo1 for
>>> example) and use NAT to provide it with its connectivity, but even
>>> then the local traffic was still not filterable.
>>>
>>> There's got to be a way, but my brain hasn't thought of it yet. Any
>>> advice would be amazing, thanks so much ahead of time!
>>>
>>> --Matt
>>>
>> Do you have rules that allow all traffic on loopback, or do you have
>> 'set skip on lo0' or something in your pf.conf? I had the latter set
>> last time I tried to limit traffic between jails; it took me a little
>> time to realize it.
>>
>

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 30 08:27:21 2014
Message-ID: <5337D55A.6030607@FreeBSD.org>
Date: Sun, 30 Mar 2014 10:27:06 +0200
From: Martin Matuska
To: Nikos Vassiliadis, Mikolaj Golub
Cc: freebsd-pf@FreeBSD.org
Subject: CFR projects/pf: vnet awareness for pf_overloadqueue

Hi,

with the pf_mtag_z patch applied, the second patch that fixes panics I
experience is the overload queue patch.

I have looked into solving this via context (adding a "struct vnet" member
to pf_overload_entry). This leaves problems unsolved: first, we now have
vnet information per entry instead of per queue. There are two places in
pf_overload_task() where we are not processing an entry but need vnet
information:

1. V_pf_idhash[i] in pf_overload_task():

        for (int i = 0; i <= pf_hashmask; i++) {
                struct pf_idhash *ih = &V_pf_idhash[i];
                struct pf_state_key *sk;
                struct pf_state *s;

                PF_HASHROW_LOCK(ih);
                LIST_FOREACH(s, &ih->states, entry) {

2. the end of pf_overload_task(), but that is only the debug tunable
   V_pf_status.debug:

        if (V_pf_status.debug >= PF_DEBUG_MISC)
                printf("%s: %u states killed", __func__, killed);

On the other hand, if we want to keep per-vnet overload queues, then it
makes sense to store the vnet information at queue level. If we pack vnet
information into each entry and the overload queue has global locks anyway,
why not keep a single global queue with entries from different vnets?
At the current state the code causes panics if pf_overload_task() is fired because vnet context is missing. It needs to be fixed in any of the ways. A patch for adding per-queue vnet information is attached. Thank you. mm --------------070708030109060004010007 Content-Type: text/x-patch; name="pf_overloadqueue.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="pf_overloadqueue.patch" Index: projects/pf/head/sys/netpfil/pf/pf.c =================================================================== --- projects/pf/head/sys/netpfil/pf/pf.c (revision 263908) +++ projects/pf/head/sys/netpfil/pf/pf.c (working copy) @@ -173,7 +173,11 @@ struct pf_overload_entry { struct pf_rule *rule; }; -SLIST_HEAD(pf_overload_head, pf_overload_entry); +struct pf_overload_head { + SLIST_HEAD(, pf_overload_entry) head; + struct vnet *vnet; +}; + static VNET_DEFINE(struct pf_overload_head, pf_overloadqueue); #define V_pf_overloadqueue VNET(pf_overloadqueue) static VNET_DEFINE(struct task, pf_overloadtask); @@ -512,7 +516,7 @@ pf_src_connlimit(struct pf_state **state) pfoe->rule = (*state)->rule.ptr; pfoe->dir = (*state)->direction; PF_OVERLOADQ_LOCK(); - SLIST_INSERT_HEAD(&V_pf_overloadqueue, pfoe, next); + SLIST_INSERT_HEAD(&V_pf_overloadqueue.head, pfoe, next); PF_OVERLOADQ_UNLOCK(); taskqueue_enqueue(taskqueue_swi, &V_pf_overloadtask); @@ -529,11 +533,13 @@ pf_overload_task(void *c, int pending) PF_OVERLOADQ_LOCK(); queue = *(struct pf_overload_head *)c; - SLIST_INIT((struct pf_overload_head *)c); + SLIST_INIT(&((struct pf_overload_head *)c)->head); PF_OVERLOADQ_UNLOCK(); + CURVNET_SET(queue.vnet); + bzero(&p, sizeof(p)); - SLIST_FOREACH(pfoe, &queue, next) { + SLIST_FOREACH(pfoe, &queue.head, next) { V_pf_status.lcounters[LCNT_OVERLOAD_TABLE]++; if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("%s: blocking address ", __func__); 
@@ -565,16 +571,19 @@ pf_overload_task(void *c, int pending) /* * Remove those entries, that don't need flushing. */ - SLIST_FOREACH_SAFE(pfoe, &queue, next, pfoe1) + SLIST_FOREACH_SAFE(pfoe, &queue.head, next, pfoe1) if (pfoe->rule->flush == 0) { - SLIST_REMOVE(&queue, pfoe, pf_overload_entry, next); + SLIST_REMOVE(&queue.head, pfoe, pf_overload_entry, + next); free(pfoe, M_PFTEMP); } else V_pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++; /* If nothing to flush, return. */ - if (SLIST_EMPTY(&queue)) + if (SLIST_EMPTY(&queue.head)) { + CURVNET_RESTORE(); return; + } for (int i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; @@ -584,7 +593,7 @@ pf_overload_task(void *c, int pending) PF_HASHROW_LOCK(ih); LIST_FOREACH(s, &ih->states, entry) { sk = s->key[PF_SK_WIRE]; - SLIST_FOREACH(pfoe, &queue, next) + SLIST_FOREACH(pfoe, &queue.head, next) if (sk->af == pfoe->af && ((pfoe->rule->flush & PF_FLUSH_GLOBAL) || pfoe->rule == s->rule.ptr) && @@ -599,10 +608,12 @@ pf_overload_task(void *c, int pending) } PF_HASHROW_UNLOCK(ih); } - SLIST_FOREACH_SAFE(pfoe, &queue, next, pfoe1) + SLIST_FOREACH_SAFE(pfoe, &queue.head, next, pfoe1) free(pfoe, M_PFTEMP); if (V_pf_status.debug >= PF_DEBUG_MISC) printf("%s: %u states killed", __func__, killed); + + CURVNET_RESTORE(); } /* @@ -803,8 +814,9 @@ pf_vnet_initialize() /* Send & overload+flush queues. */ STAILQ_INIT(&V_pf_sendqueue); - SLIST_INIT(&V_pf_overloadqueue); + SLIST_INIT(&V_pf_overloadqueue.head); TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, &V_pf_overloadqueue); + V_pf_overloadqueue.vnet = curvnet; /* Unlinked, but may be referenced rules. */ TAILQ_INIT(&V_pf_unlinked_rules); 
@@ -1680,7 +1692,7 @@ pf_purge_unlinked_rules() * an already unlinked rule. */ PF_OVERLOADQ_LOCK(); - if (!SLIST_EMPTY(&V_pf_overloadqueue)) { + if (!SLIST_EMPTY(&V_pf_overloadqueue.head)) { PF_OVERLOADQ_UNLOCK(); return; } --------------070708030109060004010007-- From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 11:06:49 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 52024A75 for ; Mon, 31 Mar 2014 11:06:49 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3F284BA5 for ; Mon, 31 Mar 2014 11:06:49 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s2VB6nIk058783 for ; Mon, 31 Mar 2014 11:06:49 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s2VB6mkN058780 for freebsd-pf@FreeBSD.org; Mon, 31 Mar 2014 11:06:48 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 31 Mar 2014 11:06:48 GMT Message-Id: <201403311106.s2VB6mkN058780@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f 
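Review bot: the new struct in the @@ -173,7 +173,11 @@ hunk carries no comment saying why a `struct vnet *vnet` now travels with the list head. The reason is the one given in the cover mail (pf_overload_task() is run from taskqueue_swi without a vnet context and has to recover it from its argument) and it is not obvious from the code, so a one-line comment above the member, for example `/* vnet this queue belongs to; pf_overload_task() has no vnet context */`, would save the next reader a trip to the list archive.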
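Review bot: in the @@ -565,16 +571,19 @@ hunk the early return now correctly pairs `CURVNET_RESTORE()` with the `CURVNET_SET(queue.vnet)` added earlier in pf_overload_task(), but the function now has two exits that each have to remember the restore. A single exit (`goto out;` from the empty-queue check, with `out: CURVNET_RESTORE();` just before the closing brace) would keep a later change from adding a return path that skips the restore, which is the class of mistake this patch exists to remove.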
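Review bot: the @@ -803,8 +814,9 @@ hunk stores `curvnet` in `V_pf_overloadqueue.vnet`, but nothing in the patch shows the matching teardown. pf_overload_task() is enqueued on taskqueue_swi and dereferences queue.vnet whenever it eventually runs, so the vnet teardown path needs `taskqueue_drain(taskqueue_swi, &V_pf_overloadtask)` (and must free any entries still on the queue) before the vnet is destroyed; otherwise a task that fires late does CURVNET_SET() on a freed vnet. Assigning the vnet member before `TASK_INIT()` rather than after it also reads more naturally, since the queue should be complete before a task that reads it exists; as written it is harmless only because nothing can enqueue the task yet.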
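Review bot: in the @@ -599,10 +608,12 @@ hunk the two added lines sit directly under the pre-existing `printf("%s: %u states killed", __func__, killed);`, which has no trailing "\n" and so runs into the next console line; since the hunk touches this spot anyway, add the newline while here.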
From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Mar 2014 11:06:49 -0000

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/182401  pf    [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf    [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf    [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf    [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf    [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/87074   pf    [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf    [pf] pf does not use default timeouts when reloading c
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

54 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 31 19:41:18 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CE360C3D; Mon, 31 Mar 2014 19:41:18 +0000 (UTC) Received: from mail-we0-x22a.google.com (mail-we0-x22a.google.com [IPv6:2a00:1450:400c:c03::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1CE26BF3; Mon, 31 Mar 2014 19:41:17 +0000 (UTC) Received: by mail-we0-f170.google.com with SMTP id w61so5327741wes.1 for ; Mon, 31 Mar 2014 12:41:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=hN/mgwrowX7TSd9FpV6/YMAxmhGIFKxaw33zJOs2vQo=; b=Db1LXoabRI0cbeKipnN80UrJbWOjkn3l9QZuB7jM9efL/qOqA62ZpyLHWfjXbPyGcr RvPCPjP/UFEUHeizpALLAegnRWXhqvfUQdy37HR/VJOASmbNocEDunEI4nKfr8J0FNe6 YJRsjP9E8f1PVtQsfZTwdzvR5PGxh1/tFtDG2AJNUBcP/CWx/8nY3w6XPb6ldNOTsoyP dra3ifGHN5DH1IHZBRNqxY9JvNkMIGa/6qIQrwZcSg1i+EOR7ud0jm3DmcJEcmLAd/J3
KJhpX/S42WIOBXmGsmb0fDLDX8meCri7w/u0T0gaNK6f3VK7gxEgw9kB1uGjNV5DD0nk fWGA== X-Received: by 10.180.101.40 with SMTP id fd8mr14617366wib.1.1396294876464; Mon, 31 Mar 2014 12:41:16 -0700 (PDT) Received: from localhost ([178.150.115.244]) by mx.google.com with ESMTPSA id w1sm35202825eel.16.2014.03.31.12.41.15 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 31 Mar 2014 12:41:15 -0700 (PDT) Sender: Mikolaj Golub Date: Mon, 31 Mar 2014 22:41:13 +0300 
From: Mikolaj Golub To: Martin Matuska Subject: Re: CFR projects/pf: vnet awareness for pf_overloadqueue Message-ID: <20140331194109.GA17582@gmail.com> References: <5337D55A.6030607@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5337D55A.6030607@FreeBSD.org> User-Agent: Mutt/1.5.22 (2013-10-16) Cc: freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Mar 2014 19:41:19 -0000

On Sun, Mar 30, 2014 at 10:27:06AM +0200, Martin Matuska wrote:
> Hi,
>
> with the pf_mtag_z patch applied, the second patch that fixes panics I
> experience is the overload queue patch.
>
> I have looked into solving this via context (adding a "struct vnet"
> member to pf_overload_entry). This leaves unsolved problems - first, we
> now have vnet information per entry instead of per queue.
>
> There are two places in pf_overload_task() where we are not processing
> an entry but need vnet information:
>
> 1. V_pf_idhash[i] in pf_overload_task():
>
>     for (int i = 0; i <= pf_hashmask; i++) {
>         struct pf_idhash *ih = &V_pf_idhash[i];
>         struct pf_state_key *sk;
>         struct pf_state *s;
>
>         PF_HASHROW_LOCK(ih);
>         LIST_FOREACH(s, &ih->states, entry) {
>
> 2. end of pf_overload_task() but that is only the debug tunable
> V_pf_status_debug:
>
>     if (V_pf_status.debug >= PF_DEBUG_MISC)
>         printf("%s: %u states killed", __func__, killed);
>
> On the other hand, if we want to keep per-vnet overloadqueues then it
> makes sense to store vnet information on queue level.
> If we pack vnet information into each entry and the overloadqueue has
> global locks anyway, why not keep a single global queue with entries
> from different vnets?
> > At the current state the code causes panics if pf_overload_task() is > fired because vnet context is missing. It needs to be fixed in any of > the ways. A patch for adding per-queue vnet information is attached. Martin, I think you missed my point in the message to src@. You don't need to embed vnet into pf_overloadqueue. What you need is a way to access it in a right vnet context, i.e. by passing vnet as an argument to pf_overload_task: pf_vnet_initialize(): - TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, &V_pf_overloadqueue); + TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, curvnet); pf_overload_task(void *c, int pending): { + struct vnet *vnet; struct pf_overload_head queue; struct pfr_addr p; struct pf_overload_entry *pfoe, *pfoe1; uint32_t killed = 0; + vnet = (vnet *)c; + CURVNET_SET(vnet); PF_OVERLOADQ_LOCK(); - queue = *(struct pf_overload_head *)c; - SLIST_INIT((struct pf_overload_head *)c); + queue = V_pf_overloadqueue; + SLIST_INIT(V_pf_overloadqueue); PF_OVERLOADQ_UNLOCK(); -- Mikolaj Golub From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 07:36:02 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8A3BFD6C for ; Wed, 2 Apr 2014 07:36:02 +0000 (UTC) Received: from mail-lb0-f174.google.com (mail-lb0-f174.google.com [209.85.217.174]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0F8A5690 for ; Wed, 2 Apr 2014 07:36:01 +0000 (UTC) Received: by mail-lb0-f174.google.com with SMTP id u14so7824143lbd.33 for ; Wed, 02 Apr 2014 00:35:54 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from 
:in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=vxwURSWygoP2NpefqDSb9bSBSUNEW4waD7GxOVSF6C8=; b=Y1Frio282CaPsRVddbn+Bh3F/AY0cmy57lb29lVuchJlNIzWiO+izlyFbLSkZPv+7J 428uoPpuByuwoYDC1CXewv/ENKEwe5Bei6gfR8597JPDwkgK1QP2acOddpfgLcYhxD8x ila0k0oAQqklOzSFcgOoYSKvS3037rmVF1/O4ILTsDxNtiIwCjDPH/fl+sgU1dyw4Kz8 O+KaNvF11oX+ES9m8k7YWrSZ/6Xi2rBB/Xt7ecWaSSRl/HM3n67m3y9fnOrmgB/MGe+6 Au4CIUN3fC2uyo562M6q4ujkYVUYBXEgJWChNznMCkRjl+PN8WWPgPCR05VyUzKGFZFN dTLQ== X-Gm-Message-State: ALoCoQl2JXk6CUQ8TrfquIsWX7pJLIMAz9k9fFWiGOw38XyEXx7n3jmHpxecnjHvSwUgTmKkmxdU X-Received: by 10.152.29.8 with SMTP id f8mr26252190lah.11.1396424154430; Wed, 02 Apr 2014 00:35:54 -0700 (PDT) Received: from grey.office.se.prisjakt.nu ([212.16.170.194]) by mx.google.com with ESMTPSA id r5sm810261lbb.7.2014.04.02.00.35.53 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 02 Apr 2014 00:35:53 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) Subject: Re: FreeBSD 10-STABLE and CARP states 
From: mxb In-Reply-To: <4A818132-757F-4BAD-8137-CDB1F6F0681C@alumni.chalmers.se> Date: Wed, 2 Apr 2014 09:35:54 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: References: <4A818132-757F-4BAD-8137-CDB1F6F0681C@alumni.chalmers.se> To: freebsd-net@freebsd.org X-Mailer: Apple Mail (2.1874) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 07:36:02 -0000

Moving this to freebsd-pf.

On 31 mar 2014, at 22:21, mxb wrote:

>
> Manually setting net.inet.carp.demotion brought BOTH VHIDs in desired state.
> pfsync bulk update seems to not put everything back as it should.
>
> lagg0: flags=8943 metric 0 mtu 9000
>         options=8407bb
>         ether 00:25:90:e3:71:f2
>         inet 172.16.0.234 netmask 0xfffff800 broadcast 172.16.7.255
>         inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5
>         inet 172.16.0.231 netmask 0xfffff800 broadcast 172.16.7.255 vhid 201
>         inet 172.16.0.233 netmask 0xfffff800 broadcast 172.16.7.255 vhid 202
>         nd6 options=29
>         media: Ethernet autoselect
>         status: active
>         carp: MASTER vhid 201 advbase 1 advskew 1
>         carp: BACKUP vhid 202 advbase 5 advskew 100
>         laggproto lacp lagghash l2,l3,l4
>         laggport: ix1 flags=1c
>         laggport: ix0 flags=1c
>
>
> On 31 mar 2014, at 20:42, mxb wrote:
>
>>
>> Hi list,
>>
>> hopefully this is the right place to have my question regarding CARP on 10-STABLE.
>>
>> I have two nodes with following setup(node1):
>>
>> lagg0: flags=8943 metric 0 mtu 9000
>>         options=8407bb
>>         ether 00:25:90:e3:71:f2
>>         inet 172.16.0.234 netmask 0xfffff800 broadcast 172.16.7.255
>>         inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5
>>         inet 172.16.0.231 netmask 0xfffff800 broadcast 172.16.7.255 vhid 201
>>         inet 172.16.0.233 netmask 0xfffff800 broadcast 172.16.7.255 vhid 202
>>         nd6 options=29
>>         media: Ethernet autoselect
>>         status: active
>>         carp: BACKUP vhid 201 advbase 1 advskew 1
>>         carp: BACKUP vhid 202 advbase 5 advskew 100
>>         laggproto lacp lagghash l2,l3,l4
>>         laggport: ix1 flags=1c
>>         laggport: ix0 flags=1c
>>
>> net.inet.carp.preempt=1 on both nodes, as well as pfsync as this:
>>
>> pfsync0: flags=41 metric 0 mtu 1500
>>         pfsync: syncdev: vlan22 syncpeer: 10.22.22.2 maxupd: 128 defer: off
>>
>> The problem is (if it is not clear from the ifconfig-output for the lagg0) the state of VHID 201.
>> Node2 with advskew of 100 is currently MASTER, but it SHOULD NOT as of setup.
>>
>> Am I hitting a bug or doing something wrong?
>>
>> I also have noted that after the pfsync bulk update the demotion counter never sets to 0, but stays on 480,
>> thus preventing node1 from becoming MASTER 201(?). Or is this a normal behavior?
>>=20 >> Regards, >> mxb >>=20 >>=20 >=20 From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 13:18:28 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 63A40574 for ; Wed, 2 Apr 2014 13:18:28 +0000 (UTC) Received: from mail-lb0-f171.google.com (mail-lb0-f171.google.com [209.85.217.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DCC48EAB for ; Wed, 2 Apr 2014 13:18:27 +0000 (UTC) Received: by mail-lb0-f171.google.com with SMTP id w7so148279lbi.30 for ; Wed, 02 Apr 2014 06:18:18 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=IlnkqK0rw0UbYlajJ8GBFCzXDY9B+z6xxp/15OxdNJA=; b=E79WZw77KpSjm7TE5Czbev5kBMM59YuJjOLr2EXpqkibKl0temn82fAC/PXagqq13T hfKN4YMHDoe6OpCQVSqfVP10A/ZlL3s9zFC6uOwByvqHRyxRcFmJB3oHvzRyN0syO+gi FcYDYU+0yrYZfD9Gy7eely3sIvPb2sxNIjlrUhJ3+r2r6b2/O/NcK/D7wT3tFO+Tmbdm SyZIN34YJtqzBkQjnHuHOWBWkOURT06laHeQmhln+oTMCGUQJTd+jeBRybWX0GLPkczh 1hxTNp1clUsQFx2SxB7n3mZ9zwidRQePG5nYn7jbqBwpVIpZi0Ga6CgdfsNk0ZVqrJqW YPQA== X-Gm-Message-State: ALoCoQmbIMnsBiun8JYwMjMD6Pmo5vbvpJ67snC7uL9dMQUIWLEpyN1G1rRMz4Hlf4FN3XnffTlA X-Received: by 10.112.198.164 with SMTP id jd4mr18355lbc.92.1396444394380; Wed, 02 Apr 2014 06:13:14 -0700 (PDT) Received: from grey.office.se.prisjakt.nu ([212.16.170.194]) by mx.google.com with ESMTPSA id f9sm1919046laa.8.2014.04.02.06.13.12 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 02 Apr 2014 06:13:13 -0700 (PDT) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.2 
\(1874\)) Subject: Re: FreeBSD 10-STABLE and CARP states 
From: mxb In-Reply-To: Date: Wed, 2 Apr 2014 15:13:21 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: <1E20234E-4F81-4BA1-BA57-FADD80F782F4@alumni.chalmers.se> References: <4A818132-757F-4BAD-8137-CDB1F6F0681C@alumni.chalmers.se> To: freebsd-net@freebsd.org X-Mailer: Apple Mail (2.1874) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 13:18:28 -0000

OK, thanks everyone who replied. E.g. NONE.

The problem seems to be related to LACP trunking.
Disabling LACP and configuring trunk in 'loadbalance' mode puts all in desired state (even after reboot).

lagg0: flags=8943 metric 0 mtu 9000
        options=8407bb
        ether 00:25:90:e3:71:f2
        inet 172.16.0.234 netmask 0xfffff800 broadcast 172.16.7.255
        inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5
        inet 172.16.0.231 netmask 0xfffff800 broadcast 172.16.7.255 vhid 201
        inet 172.16.0.233 netmask 0xfffff800 broadcast 172.16.7.255 vhid 202
        nd6 options=29
        media: Ethernet autoselect
        status: active
        carp: MASTER vhid 201 advbase 1 advskew 1
        carp: BACKUP vhid 202 advbase 5 advskew 100
        laggproto loadbalance lagghash l2,l3,l4
        laggport: ix1 flags=4
        laggport: ix0 flags=4
vlan2: flags=8943 metric 0 mtu 9000
        options=303
        ether 00:25:90:e3:71:f2
        inet 10.11.11.201 netmask 0xffffff00 broadcast 10.11.11.255
        inet6 fe80::225:90ff:fee3:71f2%vlan2 prefixlen 64 scopeid 0x6
        inet 10.11.12.203 netmask 0xffffff00 broadcast 10.11.12.255 vhid 12
        nd6 options=29
        media: Ethernet autoselect
        status: active
        vlan: 2 parent interface: lagg0
        carp: BACKUP vhid 12 advbase 1 advskew 100

//mxb

On 2 apr 2014, at 09:35, mxb wrote:

>
> Moving this to freebsd-pf.
>=20 > On 31 mar 2014, at 22:21, mxb wrote: >=20 >>=20 >> Manually setting net.inet.carp.demotion brought BOTH VHIDs in desired = state. >> pfsync bulk update seems to not put everything back as it should. >>=20 >> lagg0: flags=3D8943 = metric 0 mtu 9000 >> = options=3D8407bb >> ether 00:25:90:e3:71:f2 >> inet 172.16.0.234 netmask 0xfffff800 broadcast 172.16.7.255 >> inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5 >> inet 172.16.0.231 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 201 >> inet 172.16.0.233 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 202 >> nd6 options=3D29 >> media: Ethernet autoselect >> status: active >> carp: MASTER vhid 201 advbase 1 advskew 1 >> carp: BACKUP vhid 202 advbase 5 advskew 100 >> laggproto lacp lagghash l2,l3,l4 >> laggport: ix1 flags=3D1c >> laggport: ix0 flags=3D1c >>=20 >>=20 >> On 31 mar 2014, at 20:42, mxb wrote: >>=20 >>>=20 >>> Hi list, >>>=20 >>> hopefully this is the right place to have my question regarding CARP = on 10-STABLE. >>>=20 >>> I have two nodes with following setup(node1): >>>=20 >>> lagg0: flags=3D8943 = metric 0 mtu 9000 >>> = options=3D8407bb >>> ether 00:25:90:e3:71:f2 >>> inet 172.16.0.234 netmask 0xfffff800 broadcast 172.16.7.255 >>> inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5 >>> inet 172.16.0.231 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 201 >>> inet 172.16.0.233 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 202 >>> nd6 options=3D29 >>> media: Ethernet autoselect >>> status: active >>> carp: BACKUP vhid 201 advbase 1 advskew 1 >>> carp: BACKUP vhid 202 advbase 5 advskew 100 >>> laggproto lacp lagghash l2,l3,l4 >>> laggport: ix1 flags=3D1c >>> laggport: ix0 flags=3D1c >>>=20 >>> net.inet.carp.preempt=3D1 on both nodes. 
as well as PSYNC as this: >>>=20 >>> pfsync0: flags=3D41 metric 0 mtu 1500 >>> pfsync: syncdev: vlan22 syncpeer: 10.22.22.2 maxupd: 128 defer: = off >>>=20 >>> The problem is (if it is not clear from the ifconfig-output for the = lagg0) the state of VHID 201. >>> Node2 with advskew of 100 is currently MASTER, but it SHOULD NOT as = of setup. >>>=20 >>> Am I hitting a bug or doing something wrong? >>>=20 >>> I also have noted that after the pfsync bulk update the demotion = counter never setts to 0, but stays on 480, >>> thus preventing node1 become a MASTER 201(?). Or is this a normal = behavior? >>>=20 >>> Regards, >>> mxb >>>=20 >>>=20 >>=20 >=20 From owner-freebsd-pf@FreeBSD.ORG Fri Apr 4 08:17:37 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A6848D3E for ; Fri, 4 Apr 2014 08:17:37 +0000 (UTC) Received: from mailstore06.sysedata.no (b.mail.tornado.no [195.159.29.130]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6BCA3C7C for ; Fri, 4 Apr 2014 08:17:37 +0000 (UTC) Received: from [195.159.29.130] (helo=www.eposttjener.no) by mailstore06.sysedata.no with esmtpa (Exim 4.71) (envelope-from ) id 1WVzJf-0004ML-1r for freebsd-pf@freebsd.org; Fri, 04 Apr 2014 10:17:35 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Date: Fri, 04 Apr 2014 10:17:34 +0200 
From: Daniel Engberg To: freebsd-pf@freebsd.org Subject: pf + NAT + ICMP =?UTF-8?Q?issues=3F?= Message-ID: <29dcd4992e32b76281eb084a88d248ea@pyret.net> X-Sender: daniel.engberg.lists@pyret.net User-Agent: Roundcube Webmail/0.9.4 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2014 08:17:37 -0000 Hi, Sorry for the late reply, unfortunately I'm still experiencing the same issues but NAT seems to work at least for me as far as I can tell. I did upgrade to r263658 11.0-CURRENT but I'm still seeing the same issues. If there's no traction I'll file a pr regarding this as at least two are seeing the same issues. Best regards, Daniel From owner-freebsd-pf@FreeBSD.ORG Fri Apr 4 09:51:33 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E13641B7 for ; Fri, 4 Apr 2014 09:51:33 +0000 (UTC) Received: from mail-la0-f42.google.com (mail-la0-f42.google.com [209.85.215.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 592497BB for ; Fri, 4 Apr 2014 09:51:32 +0000 (UTC) Received: by mail-la0-f42.google.com with SMTP id ec20so2283804lab.15 for ; Fri, 04 Apr 2014 02:51:24 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=VOicdCnivV4ZwFLYV8uThhyaISgOqO4eBp6Q7wMMp3o=; b=ksABhObGGDUYuBweviPdNmv3Ww1YvR2jXRzYJZKNIPWOLWY9ggSRW5lHbQF6UkulGH 
bDVB9PAF3KbMHSBGHr558ygn+MLZNZrtVzLFTjNOMuHIKZhg2ecT8ns2en3gDvXjI11n +BeI5Gn1kCIwWs5TGYl3vpKUZHX1ULOFVDVNc85+FE/o/R24etiobYTUz6tH28g2Lt5k Njskdg9HxNEkG+vjvu01FjAbRGOlIyYCFP4q4AyHT/Fd1M0zCqhx47g7qoynE9QVpQAB OiAeZihemt+Ti1t3FtJhTk6VUXzRXqcFGoItAtAfe+l4xeBEbaPso8jHM+Z0v+Xwwlp/ PZtw== X-Gm-Message-State: ALoCoQlRe6xbJMhskSZvWukwhBN1MDOywdWWRHLBawuA7FDtapUSTQ8YzireGeMf4+YRC4SgRQkB X-Received: by 10.152.18.229 with SMTP id z5mr7962493lad.27.1396605084090; Fri, 04 Apr 2014 02:51:24 -0700 (PDT) Received: from grey.office.se.prisjakt.nu ([212.16.170.194]) by mx.google.com with ESMTPSA id j2sm7410456lag.12.2014.04.04.02.51.22 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 04 Apr 2014 02:51:23 -0700 (PDT) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) Subject: Re: LACP lagg and CARP - ENETDOWN (was: FreeBSD 10-STABLE and CARP states) 
From: mxb In-Reply-To: <1E20234E-4F81-4BA1-BA57-FADD80F782F4@alumni.chalmers.se> Date: Fri, 4 Apr 2014 11:51:28 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: References: <4A818132-757F-4BAD-8137-CDB1F6F0681C@alumni.chalmers.se> <1E20234E-4F81-4BA1-BA57-FADD80F782F4@alumni.chalmers.se> To: freebsd-net@freebsd.org X-Mailer: Apple Mail (2.1874) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2014 09:51:33 -0000

According to my own research around this problem, ip_output() at line 839 of ip_carp.c returns ENETDOWN when lagg is configured in LACP mode.

On 2 apr 2014, at 15:13, mxb wrote:

>
> OK, thanks everyone who replied. E.g. NONE.
>
> The problem seems to be related to LACP trunking.
> Disabling LACP and configuring trunk in 'loadbalance' mode puts all in desired state (even after reboot).
>=20 > lagg0: flags=3D8943 = metric 0 mtu 9000 > = options=3D8407bb > ether 00:25:90:e3:71:f2 > inet 172.16.0.234 netmask 0xfffff800 broadcast 172.16.7.255 > inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5 > inet 172.16.0.231 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 201 > inet 172.16.0.233 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 202 > nd6 options=3D29 > media: Ethernet autoselect > status: active > carp: MASTER vhid 201 advbase 1 advskew 1 > carp: BACKUP vhid 202 advbase 5 advskew 100 > laggproto loadbalance lagghash l2,l3,l4 > laggport: ix1 flags=3D4 > laggport: ix0 flags=3D4 > vlan2: flags=3D8943 = metric 0 mtu 9000 > options=3D303 > ether 00:25:90:e3:71:f2 > inet 10.11.11.201 netmask 0xffffff00 broadcast 10.11.11.255 > inet6 fe80::225:90ff:fee3:71f2%vlan2 prefixlen 64 scopeid 0x6 > inet 10.11.12.203 netmask 0xffffff00 broadcast 10.11.12.255 vhid = 12 > nd6 options=3D29 > media: Ethernet autoselect > status: active > vlan: 2 parent interface: lagg0 > carp: BACKUP vhid 12 advbase 1 advskew 100 >=20 > //mxb >=20 > On 2 apr 2014, at 09:35, mxb wrote: >=20 >>=20 >> Moving this to freebsd-pf. >>=20 >> On 31 mar 2014, at 22:21, mxb wrote: >>=20 >>>=20 >>> Manually setting net.inet.carp.demotion brought BOTH VHIDs in = desired state. >>> pfsync bulk update seems to not put everything back as it should. 
>>>=20 >>> lagg0: flags=3D8943 = metric 0 mtu 9000 >>> = options=3D8407bb >>> ether 00:25:90:e3:71:f2 >>> inet 172.16.0.234 netmask 0xfffff800 broadcast 172.16.7.255 >>> inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5 >>> inet 172.16.0.231 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 201 >>> inet 172.16.0.233 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 202 >>> nd6 options=3D29 >>> media: Ethernet autoselect >>> status: active >>> carp: MASTER vhid 201 advbase 1 advskew 1 >>> carp: BACKUP vhid 202 advbase 5 advskew 100 >>> laggproto lacp lagghash l2,l3,l4 >>> laggport: ix1 flags=3D1c >>> laggport: ix0 flags=3D1c >>>=20 >>>=20 >>> On 31 mar 2014, at 20:42, mxb wrote: >>>=20 >>>>=20 >>>> Hi list, >>>>=20 >>>> hopefully this is the right place to have my question regarding = CARP on 10-STABLE. >>>>=20 >>>> I have two nodes with following setup(node1): >>>>=20 >>>> lagg0: flags=3D8943 = metric 0 mtu 9000 >>>> = options=3D8407bb >>>> ether 00:25:90:e3:71:f2 >>>> inet 172.16.0.234 netmask 0xfffff800 broadcast 172.16.7.255 >>>> inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5 >>>> inet 172.16.0.231 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 201 >>>> inet 172.16.0.233 netmask 0xfffff800 broadcast 172.16.7.255 vhid = 202 >>>> nd6 options=3D29 >>>> media: Ethernet autoselect >>>> status: active >>>> carp: BACKUP vhid 201 advbase 1 advskew 1 >>>> carp: BACKUP vhid 202 advbase 5 advskew 100 >>>> laggproto lacp lagghash l2,l3,l4 >>>> laggport: ix1 flags=3D1c >>>> laggport: ix0 flags=3D1c >>>>=20 >>>> net.inet.carp.preempt=3D1 on both nodes. as well as PSYNC as this: >>>>=20 >>>> pfsync0: flags=3D41 metric 0 mtu 1500 >>>> pfsync: syncdev: vlan22 syncpeer: 10.22.22.2 maxupd: 128 defer: = off >>>>=20 >>>> The problem is (if it is not clear from the ifconfig-output for the = lagg0) the state of VHID 201. >>>> Node2 with advskew of 100 is currently MASTER, but it SHOULD NOT as = of setup. 
>>>>=20 >>>> Am I hitting a bug or doing something wrong? >>>>=20 >>>> I also have noted that after the pfsync bulk update the demotion = counter never setts to 0, but stays on 480, >>>> thus preventing node1 become a MASTER 201(?). Or is this a normal = behavior? >>>>=20 >>>> Regards, >>>> mxb >>>>=20 >>>>=20 >>>=20 >>=20 >=20 From owner-freebsd-pf@FreeBSD.ORG Sat Apr 5 22:21:31 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5DB10250; Sat, 5 Apr 2014 22:21:31 +0000 (UTC) Received: from mail.vx.sk (mail.vx.sk [IPv6:2a01:4f8:150:6101::4]) by mx1.freebsd.org (Postfix) with ESMTP id 1B159381; Sat, 5 Apr 2014 22:21:31 +0000 (UTC) Received: from mail.vx.sk (localhost [127.0.0.1]) by mail.vx.sk (Postfix) with ESMTP id BC10BB58F; Sun, 6 Apr 2014 00:21:29 +0200 (CEST) X-Virus-Scanned: amavisd-new at mail.vx.sk Received: from mail.vx.sk by mail.vx.sk (amavisd-new, unix socket) with LMTP id GiaYUcmaN6Mt; Sun, 6 Apr 2014 00:21:29 +0200 (CEST) Received: from [192.168.2.103] (dslb-092-078-029-103.pools.arcor-ip.net [92.78.29.103]) by mail.vx.sk (Postfix) with ESMTPSA id A2CBCB585; Sun, 6 Apr 2014 00:21:28 +0200 (CEST) Message-ID: <534081E7.3040403@FreeBSD.org> Date: Sun, 06 Apr 2014 00:21:27 +0200 
From: Martin Matuska User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Mikolaj Golub Subject: Re: CFR projects/pf: vnet awareness for pf_overloadqueue References: <5337D55A.6030607@FreeBSD.org> <20140331194109.GA17582@gmail.com> In-Reply-To: <20140331194109.GA17582@gmail.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/mixed; boundary="------------070903080608050809070009" Cc: freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2014 22:21:31 -0000

A reworked pf_overloadqueue patch is attached (Mikolaj thanks for the input). This time to keep a united look I used identical syntax as in some other functions.

Thank you for reviewing & comments.

Content-Type: text/x-patch; name="pf_overloadqueue_2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="pf_overloadqueue_2.patch"

Index: projects/pf/head/sys/netpfil/pf/pf.c
===================================================================
--- projects/pf/head/sys/netpfil/pf/pf.c (revision 263908)
+++ projects/pf/head/sys/netpfil/pf/pf.c (working copy)
@@ -288,7 +288,7 @@ static int pf_addr_wrap_neq(struct pf_addr_wrap static struct pf_state *pf_find_state(struct pfi_kif *, struct pf_state_key_cmp *, u_int); static int pf_src_connlimit(struct pf_state **); -static void pf_overload_task(void *c, int pending); +static void pf_overload_task(void *v, int pending); static int pf_insert_src_node(struct pf_src_node **, struct pf_rule *, struct pf_addr *, sa_family_t); static u_int pf_purge_expired_states(u_int, int); @@ -520,7 +520,7 @@ pf_src_connlimit(struct pf_state **state) } static void -pf_overload_task(void *c, int pending) +pf_overload_task(void *v, int pending) { struct pf_overload_head queue; struct pfr_addr p; @@ -527,9 +527,11 @@ static void struct pf_overload_entry *pfoe, *pfoe1; uint32_t killed = 0; + CURVNET_SET((struct vnet *)v); + PF_OVERLOADQ_LOCK(); - queue = *(struct pf_overload_head *)c; - SLIST_INIT((struct pf_overload_head *)c); + queue = V_pf_overloadqueue; + SLIST_INIT(&V_pf_overloadqueue); PF_OVERLOADQ_UNLOCK(); bzero(&p, sizeof(p)); @@ -573,8 +575,10 @@ static void V_pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++; /* If nothing to flush, return. */ - if (SLIST_EMPTY(&queue)) + if (SLIST_EMPTY(&queue)) { + CURVNET_RESTORE(); return; + } for (int i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; @@ -603,6 +607,8 @@ static void free(pfoe, M_PFTEMP); if (V_pf_status.debug >= PF_DEBUG_MISC) printf("%s: %u states killed", __func__, killed); + + CURVNET_RESTORE(); } /* 
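Review bot: the pointer stored by `TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, curvnet);` in the following hunk is dereferenced by `CURVNET_SET((struct vnet *)v);` for as long as the task can fire, and the matching teardown is not part of this diff; please confirm that `V_pf_overloadtask` is drained (taskqueue_drain(9)) before the vnet's pf state is destroyed, otherwise a task still queued at vnet teardown would set a context that no longer exists. Inside pf_overload_task the ordering is right: `CURVNET_SET` comes before `PF_OVERLOADQ_LOCK()`, so `V_pf_overloadqueue` is resolved in the correct vnet within the locked region, and both exits, the `SLIST_EMPTY(&queue)` early return and the end of the function, now pair it with `CURVNET_RESTORE();`. This version also corrects the two slips in the 31 Mar sketch, `(vnet *)c` without `struct` and `SLIST_INIT(V_pf_overloadqueue)` without the address-of, and the `c` to `v` rename is applied consistently to the prototype and the definition.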
@@ -804,7 +810,7 @@ pf_vnet_initialize() /* Send & overload+flush queues. */ STAILQ_INIT(&V_pf_sendqueue); SLIST_INIT(&V_pf_overloadqueue); - TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, &V_pf_overloadqueue); + TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, curvnet); /* Unlinked, but may be referenced rules. */ TAILQ_INIT(&V_pf_unlinked_rules); --------------070903080608050809070009--

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 6 17:17:33 2014
Sender: Mikolaj Golub
Date: Sun, 6 Apr 2014 20:17:28 +0300
From: Mikolaj Golub
To: Martin Matuska
Cc: freebsd-pf@FreeBSD.org
Subject: Re: CFR projects/pf: vnet awareness for pf_overloadqueue
Message-ID: <20140406171726.GA3828@gmail.com>
References: <5337D55A.6030607@FreeBSD.org> <20140331194109.GA17582@gmail.com> <534081E7.3040403@FreeBSD.org>
In-Reply-To: <534081E7.3040403@FreeBSD.org>

On Sun, Apr 06, 2014 at 12:21:27AM +0200, Martin Matuska wrote:
> A reworked pf_overloadqueue patch is attached

Looks good to me. Thanks.

-- 
Mikolaj Golub

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 7 11:06:49 2014
Date: Mon, 7 Apr 2014 11:06:48 GMT
Message-Id: <201404071106.s37B6mqc071155@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/182401  pf    [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf    [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf    [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf    [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf    [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/87074   pf    [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf    [pf] pf does not use default timeouts when reloading c
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

54 problems total.

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 10 04:07:28 2014
Date: Thu, 10 Apr 2014 12:07:25 +0800
Subject: Firewall for IPv6 for ISP PPP connection
From: Khairil Yusof
To: freebsd-pf@freebsd.org

I have a home server that also acts as a router/firewall for the home network.

re0 is the main network interface connected to the rest of the network.
tun0 is the ipv4/ipv6 ppp tunnel connected to the ISP via ppp.
fxp0 is a spare unused interface.

With ipv4, the rules were straightforward.

tun0, the ppp interface, had an external ip and is easily identifiable as the external if.

The rules would nat non-local IPs going out via tun0, block incoming tcp via tun0 and set state for all outgoing tcp via tun0.

With ipv6 however, there is no external IPv6 address except link local on the tun0. All the IPv6 assigned addresses including the one on re0 are now also "external" too.

So I can't block re0 in, as that would block all my internal ipv6 network too.

In this ipv6 case, what would be the simplest rule possible, where I would block all incoming ipv6 traffic (except key ones like route discovery) not from local network, set state for all outgoing and pass in all with state?

Most of the examples I see on the Internet show a dedicated external network interface for their IPv6 connection, which isn't too different from my ipv4 setup with ext ip on tun0.

I'm guessing that something like?

block in all inet6 from !$ipv6addr_/64
pass out all inet6 from !$ipv6addr_/64 keep state

Any pointers would be helpful, I can figure out how to write the rules myself later, but would like to be pointed to the right approach.

Regards

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 10 17:23:00 2014
Message-ID: <5346D36C.6050700@cyberleo.net>
Date: Thu, 10 Apr 2014 12:22:52 -0500
From: CyberLeo Kitsana
To: Khairil Yusof, freebsd-pf@freebsd.org
Subject: Re: Firewall for IPv6 for ISP PPP connection

On 04/09/2014 11:07 PM, Khairil Yusof wrote:
> I have a home server that also acts as a router/firewall home network.
>
> re0 is the main network interface connected to the rest of the network
> tun0 is the ipv4/ipv6 ppp tunnel connected to ISP via ppp.
> fxp0 is spare unused interface.
>
> With ipv4, the rules were straight forward.
>
> tun0 the ppp interface had an external ip and is easily identifiable as the
> external if.
>
> The rules would nat non-local IP's going out via tun0, block incoming tcp
> via tun0 and set state for all outgoing tcp via tun0.
>
> With ipv6 however, there is no external IPv6 address except link local on
> the tun0. All the IPv6 assigned addresses including the one on re0 are now
> also "external" too.
>
> So I can't block re0 in, as that would block all my internal ipv6 network
> too.
>
> In this ipv6 case, what would be the simplest rule possible, where I would
> block all incoming ipv6 traffic (except key ones like route discovery) not
> from local network, set state for all outgoing and pass in all with state?
>
> Most of the examples I see on the Internet show a dedicated external
> network interface for their IPv6 connection, which isn't too different from
> my ipv4 setup with ext ip on tun0.
>
> I'm guessing, that something like?
>
> block in all inet6 from !$ipv6addr_/64
> pass out all inet6 from !$ipv6addr_/64 keep state
>
> Any pointers would be helpful, I can figure out how to right the rules
> myself later, but would like to be pointed to the right approach.

Should be able to be handled in pretty much the same way; especially if you have native v6 routing from your ISP: just filter on tun0 instead of gif0.

I have a /48 from TunnelBroker, and have assigned the routing subnet to the gif0 interface and distributed the /48 amongst my various internal networks.

The simplified rules I have set up on my gif interface are as follows:

----8<----
# Block v6 inbound by default, unless otherwise stated
block return quick on gif0 from !$my_nets_v6 to !$my_nets_v6
block return in on gif0 from any to !(gif0)
pass in on gif0 from any to (gif0)
pass out on gif0 from any to any keep state tag Q_DFLT
----8<----

And then individual rules loaded into anchors control arbitrary inbound access to specific hosts:

----8<----
pass in on gif0 proto tcp from any to $sshgateway_v6 port 22 keep state tag Q_SSH
...
pass in on gif0 proto tcp from any to $loadbalancer_v6 port { 80, 443 } keep state tag Q_BULK
----8<----

Hope this helps!

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Furry Peace! - http://www.fur.com/peace/
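The ruleset the question above asks for, written out as an added example (not a configuration from this thread or from either poster): it carries the default-deny plus pass-out-with-state pattern of the gif0 rules over to tun0, which has no global address of its own, and adds the ICMPv6 neighbor and router discovery passes the question mentions. Interface names are the ones in the question; the 2001:db8 prefix, $ssh_host_v6 and the DHCPv6 rule are assumptions.

```pf
# Added example, not a configuration from this thread: an IPv6 ruleset for
# the topology in the question. Interface names come from the question;
# the prefix is a constructed documentation prefix (RFC 3849), so replace
# it with the /64 your ISP delegates to you.
ext_if = "tun0"                       # PPP link to the ISP, link-local address only
int_if = "re0"                        # LAN, carries the delegated /64
lan_v6 = "2001:db8:1234:1::/64"       # constructed placeholder for that /64

# ICMPv6 that IPv6 cannot work without: router and neighbor discovery (the
# "route discovery" the question asks about), plus the error messages that
# path MTU discovery relies on and echo for diagnostics.
icmp6_nd = "{ routersol, routeradv, neighbrsol, neighbradv }"
icmp6_ok = "{ unreach, toobig, timex, paramprob, echoreq, echorep }"

set skip on lo0
set block-policy drop

# Nothing should ever use the spare interface.
block quick on fxp0

# Default deny in both directions; everything below is an exception.
# This replaces the IPv4-era "block incoming tcp via tun0": with no global
# address on tun0 there is nothing to match on, so deny by default instead.
block log all

# Packets with a LAN source that arrive from the ISP are spoofed. Written
# out explicitly rather than with antispoof, because antispoof expands to
# the interface's own addresses and tun0 only has a link-local one.
block in log quick on $ext_if inet6 from $lan_v6 to any

# Neighbor and router discovery must pass on every interface; they run
# between link-local addresses and multicast groups, so no source filter.
# "no state" keeps these short exchanges out of the state table.
pass quick inet6 proto ipv6-icmp all icmp6-type $icmp6_nd no state
pass quick inet6 proto ipv6-icmp all icmp6-type $icmp6_ok keep state

# LAN side: hosts on re0 may talk to the router and through it. The
# link-local range covers traffic to the router itself (DHCPv6, RS to
# the router's fe80:: address) from hosts that have no global address yet.
pass in on $int_if inet6 from { $lan_v6, fe80::/10 } to any keep state
pass out on $int_if inet6 from any to any keep state

# ISP side: anything originated by the router or the LAN may leave, and
# only the replies matching those states come back in. No "pass in" on
# tun0 exists by default, which is what the question asks for.
pass out on $ext_if inet6 from $lan_v6 to any keep state

# If the /64 arrives by DHCPv6 prefix delegation over the PPP link, the
# client on this router also needs the DHCPv6 exchange (assumption: the
# question does not say how the prefix is obtained).
# pass quick on $ext_if inet6 proto udp from fe80::/10 port { 546, 547 } \
#     to { fe80::/10, ff02::1:2 } port { 546, 547 } keep state

# Per-service exceptions, in the same spirit as the gif0 anchor rules in
# the reply; $ssh_host_v6 is a placeholder for one address inside $lan_v6.
# pass in on $ext_if inet6 proto tcp from any to $ssh_host_v6 port 22 keep state
```

Load it with pfctl -nf first: the -n dry run parses the file without touching the running ruleset, so a typo in a macro or icmp6-type name shows up before the default-deny rule does.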
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-List-Received-Date: Mon, 14 Apr 2014 11:06:50 -0000

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

54 problems total (the same 54 reports as in the 7 April listing above).

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 16 00:42:21 2014
Date: Wed, 16 Apr 2014 00:42:21 GMT
Message-Id: <201404160042.s3G0gLL8092440@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: bin/182819: pfctl(8) interprets "# .... \" as multi-line comment

Old Synopsis: pfctl interprets "# .... \" as multi-line comment
New Synopsis: pfctl(8) interprets "# .... \" as multi-line comment

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 00:40:48 UTC 2014
Responsible-Changed-Why:
assign.

http://www.freebsd.org/cgi/query-pr.cgi?pr=182819

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 16 00:57:53 2014
Date: Wed, 16 Apr 2014 00:57:53 GMT
Message-Id: <201404160057.s3G0vrHB096497@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/183198: [pf] pf tables not loaded if only used inside anchor

Old Synopsis: pf tables not loaded if only used inside anchor
New Synopsis: [pf] pf tables not loaded if only used inside anchor

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 00:57:19 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=183198

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 16 01:28:34 2014
Date: Wed, 16 Apr 2014 01:28:33 GMT
Message-Id: <201404160128.s3G1SXK4008834@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/188063: [pf] [hang] deadlock between syncache(4) and pf(4)

Old Synopsis: deadlock between syncache(4) and pf(4)
New Synopsis: [pf] [hang] deadlock between syncache(4) and pf(4)

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 01:27:59 UTC 2014
Responsible-Changed-Why:
reclassify.

http://www.freebsd.org/cgi/query-pr.cgi?pr=188063

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 16 01:31:43 2014
Date: Wed, 16 Apr 2014 01:31:42 GMT
Message-Id: <201404160131.s3G1VgK3011713@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/188188: [pf] [panic] pfsync0 mtu 9000 results in 10-STABLE reboot

Old Synopsis: pfsync0 mtu 9000 results in 10-STABLE reboot
New Synopsis: [pf] [panic] pfsync0 mtu 9000 results in 10-STABLE reboot

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 01:31:17 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=188188

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 16 01:32:53 2014
Date: Wed, 16 Apr 2014 01:32:52 GMT
Message-Id: <201404160132.s3G1WqhA011805@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/188253: [pf] ICMP / NAT issues using pf on -CURRENT

Old Synopsis: ICMP / NAT issues using pf on -CURRENT
New Synopsis: [pf] ICMP / NAT issues using pf on -CURRENT

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 01:32:29 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=188253

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 16 01:39:46 2014
Date: Wed, 16 Apr 2014 01:39:46 GMT
Message-Id: <201404160139.s3G1dkc0012747@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/188511: [pf] [patch] divert-reply implementation for pf

Old Synopsis: divert-reply implementation for pf
New Synopsis: [pf] [patch] divert-reply implementation for pf

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 01:38:05 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=188511

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 16 01:52:31 2014
Date: Wed, 16 Apr 2014 01:52:31 GMT
Message-Id: <201404160152.s3G1qVRx019241@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-amd64@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/188035: [pf] Can not set limit for table

Old Synopsis: PF - Can not set limit for table
New Synopsis: [pf] Can not set limit for table

Responsible-Changed-From-To: freebsd-amd64->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 01:52:10 UTC 2014
Responsible-Changed-Why:
reclassify.

http://www.freebsd.org/cgi/query-pr.cgi?pr=188035

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 16 07:29:02 2014
Date: Wed, 16 Apr 2014 07:29:01 GMT
Message-Id: <201404160729.s3G7T14H045854@freefall.freebsd.org>
To: glebius@FreeBSD.org, freebsd-pf@FreeBSD.org, glebius@FreeBSD.org
From: glebius@FreeBSD.org Subject: Re: kern/188253: [pf] ICMP / NAT issues using pf on -CURRENT X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Apr 2014 07:29:02 -0000 Synopsis: [pf] ICMP / NAT issues using pf on -CURRENT Responsible-Changed-From-To: freebsd-pf->glebius Responsible-Changed-By: glebius Responsible-Changed-When: Wed Apr 16 07:19:11 UTC 2014 Responsible-Changed-Why: I must take care of this. http://www.freebsd.org/cgi/query-pr.cgi?pr=188253 From owner-freebsd-pf@FreeBSD.ORG Mon Apr 21 11:06:51 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 965C6A3 for ; Mon, 21 Apr 2014 11:06:51 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 793E81969 for ; Mon, 21 Apr 2014 11:06:51 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s3LB6pSP085802 for ; Mon, 21 Apr 2014 11:06:51 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s3LB6p7S085800 for freebsd-pf@FreeBSD.org; Mon, 21 Apr 2014 11:06:51 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 21 Apr 2014 11:06:51 GMT Message-Id: <201404211106.s3LB6p7S085800@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f 
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/188511  pf         [pf] [patch] divert-reply implementation for pf
o kern/188188  pf         [pf] [panic] pfsync0 mtu 9000 results in 10-STABLE reb
o kern/188063  pf         [pf] [hang] deadlock between syncache(4) and pf(4)
o kern/188035  pf         [pf] Can not set limit for table
o kern/183198  pf         [pf] pf tables not loaded if only used inside anchor
o bin/182819   pf         pfctl(8) interprets "# .... \" as multi-line comment
o kern/182401  pf         [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf         [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

60 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 22 05:31:41 2014
From: h bagade
Date: Tue, 22 Apr 2014 10:01:19 +0430
Subject:
To: freebsd-pf@freebsd.org

Hi all,

I have trouble running altq on igb cards in FreeBSD 9.2-RELEASE. I used a patch to fix this in FreeBSD 8.2 and it works. Then I migrated to FreeBSD 9.2 and expected this bug to be fixed there, but it isn't. Should I apply a patch to fix this issue on FreeBSD 9.2, or did I miss something?

Thanks in advance

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 27 22:10:01 2014
Date: Sun, 27 Apr 2014 22:10:01 GMT
Message-Id: <201404272210.s3RMA1jm083451@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Dan Langille
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Reply-To: Dan Langille

The following reply was made to PR kern/163208; it has been noted by GNATS.

From: Dan Langille
To: bug-followup@FreeBSD.org, mlager@sdunix.com
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sun, 27 Apr 2014 18:09:11 -0400

FYI, this problem persists with FreeBSD 9.2-RELEASE-p4

-- 
Dan Langille - http://langille.org

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 11:06:52 2014
Date: Mon, 28 Apr 2014 11:06:51 GMT
Message-Id: <201404281106.s3SB6pPf086222@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/188511  pf         [pf] [patch] divert-reply implementation for pf
o kern/188188  pf         [pf] [panic] pfsync0 mtu 9000 results in 10-STABLE reb
o kern/188063  pf         [pf] [hang] deadlock between syncache(4) and pf(4)
o kern/188035  pf         [pf] Can not set limit for table
o kern/183198  pf         [pf] pf tables not loaded if only used inside anchor
o bin/182819   pf         pfctl(8) interprets "# .... \" as multi-line comment
o kern/182401  pf         [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf         [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

60 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 14:18:44 2014
Date: Mon, 28 Apr 2014 14:18:43 GMT
Message-Id: <201404281418.s3SEIhAX056922@freefall.freebsd.org>
To: Jaumont@mediagrif.com, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/188035: [pf] Can not set limit for table

Synopsis: [pf] Can not set limit for table

State-Changed-From-To: open->closed
State-Changed-By: glebius
State-Changed-When: Mon Apr 28 14:17:59 UTC 2014
State-Changed-Why:
The number of tables is not limited now.

http://www.freebsd.org/cgi/query-pr.cgi?pr=188035

From owner-freebsd-pf@FreeBSD.ORG Sun May 4 04:31:07 2014
Date: Sun, 4 May 2014 04:31:07 GMT
Message-Id: <201405040431.s444V7dZ076847@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/189060: [pf] pf + altq doesn't work on octe (Edgerouter Lite) [regression]

Old Synopsis: pf + altq doesn't work on octe (Edgerouter Lite)
New Synopsis: [pf] pf + altq doesn't work on octe (Edgerouter Lite) [regression]

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun May 4 04:30:33 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=189060

From owner-freebsd-pf@FreeBSD.ORG Sun May 4 04:51:01 2014
Date: Sun, 4 May 2014 04:51:00 GMT
Message-Id: <201405040451.s444p0CO083651@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-net@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf firewall

Synopsis: [ng] [pf] ng_l2tp incoming packet bypass pf firewall

Responsible-Changed-From-To: freebsd-net->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun May 4 04:50:27 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=169620

From owner-freebsd-pf@FreeBSD.ORG Sun May 4 04:51:19 2014
Date: Sun, 4 May 2014 04:51:19 GMT
Message-Id: <201405040451.s444pJFi083686@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/187566: [pf] incoming ng_l2tp/ipsec packet bypass PF firewall

Old Synopsis: incomming ng_l2tp/ipsec packet bypass PF firewall
New Synopsis: [pf] incoming ng_l2tp/ipsec packet bypass PF firewall

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun May 4 04:49:54 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=187566

From owner-freebsd-pf@FreeBSD.ORG Sun May 4 05:04:24 2014
Date: Sun, 4 May 2014 05:04:24 GMT
Message-Id: <201405040504.s4454OmX087518@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-arm@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org Subject: Re: bin/185617: pfctl(8): 10.0-RC1, armv6: "pfctl -s state" crashes on BeagleBone Black due to unaligned access X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 May 2014 05:04:24 -0000 Old Synopsis: 10.0-RC1, armv6: "pfctl -s state" crashes on BeagleBone Black due to unaligned access New Synopsis: pfctl(8): 10.0-RC1, armv6: "pfctl -s state" crashes on BeagleBone Black due to unaligned access Responsible-Changed-From-To: freebsd-arm->freebsd-pf Responsible-Changed-By: linimon Responsible-Changed-When: Sun May 4 05:03:54 UTC 2014 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=185617 From owner-freebsd-pf@FreeBSD.ORG Sun May 4 14:35:52 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CAD372CE for ; Sun, 4 May 2014 14:35:52 +0000 (UTC) Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 87ECC19FB for ; Sun, 4 May 2014 14:35:52 +0000 (UTC) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1WgxW0-00033N-Ug for freebsd-pf@freebsd.org; Sun, 04 May 2014 16:35:40 +0200 Received: from static-78-8-147-77.ssp.dialog.net.pl ([78.8.147.77]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 04 May 2014 16:35:40 +0200 Received: from mwisnicki+freebsd by static-78-8-147-77.ssp.dialog.net.pl with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 04 May 2014 16:35:40 +0200 
From: Marcin Wisnicki
To: freebsd-pf@freebsd.org
Subject: make package no longer installing
Date: Sun, 4 May 2014 14:35:30 +0000 (UTC)

portupgrade -p invokes make with DEPENDS_TARGET=package[1] but this no longer installs dependencies.

Which target or option should be used instead?

[1] https://github.com/freebsd/portupgrade/issues/58

From owner-freebsd-pf@FreeBSD.ORG Sun May 4 15:10:24 2014
From: Marcin Wisnicki
To: freebsd-pf@freebsd.org
Subject: Re: make package no longer installing
Date: Sun, 4 May 2014 15:10:04 +0000 (UTC)

On Sun, 04 May 2014 14:35:30 +0000, Marcin Wisnicki wrote:

> portupgrade -p invokes make with DEPENDS_TARGET=package[1] but this no
> longer installs dependencies. Which target or option should be used
> instead?
>

Sorry, wrong list.

From owner-freebsd-pf@FreeBSD.ORG Mon May 5 11:06:48 2014
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Date: Mon, 5 May 2014 11:06:48 GMT
Message-Id: <201405051106.s45B6mHQ083202@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/189060  pf    [pf] pf + altq doesn't work on octe (Edgerouter Lite)
o kern/188511  pf    [pf] [patch] divert-reply implementation for pf
o kern/188188  pf    [pf] [panic] pfsync0 mtu 9000 results in 10-STABLE reb
o kern/188063  pf    [pf] [hang] deadlock between syncache(4) and pf(4)
f kern/187566  pf    [pf] incoming ng_l2tp/ipsec packet bypass PF firewall
o bin/185617   pf    pfctl(8): 10.0-RC1, armv6: "pfctl -s state" crashes on
o kern/183198  pf    [pf] pf tables not loaded if only used inside anchor
o bin/182819   pf    pfctl(8) interprets "# .... \" as multi-line comment
o kern/182401  pf    [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf    [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf    [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf    [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf    [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/169620  pf    [ng] [pf] ng_l2tp incoming packet bypass pf firewall
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/87074   pf    [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf    [pf] pf does not use default timeouts when reloading c
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

63 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon May 5 21:20:01 2014
From: Daniel Engberg
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/189060: [pf] pf + altq doesn't work on octe (Edgerouter Lite) [regression]
Date: Mon, 5 May 2014 21:20:00 GMT
Message-Id: <201405052120.s45LK0ii093614@freefall.freebsd.org>

The following reply was made to PR kern/189060; it has been noted by GNATS.

From: Daniel Engberg
To: bug-followup@FreeBSD.org
Subject: Re: kern/189060: [pf] pf + altq doesn't work on octe (Edgerouter Lite) [regression]
Date: Mon, 05 May 2014 23:18:26 +0200

The issue is that octe uses the new framework (if_transmit()) for network handling while altq only supports the old one (if_start()). As for now, there are no plans on adding support for the old framework making it support both as the em driver. There's a plan by glebius@ of adding altq support or equivalent functionality to FreeBSD 11 but there are no solid promises as for now.

From owner-freebsd-pf@FreeBSD.ORG Wed May 7 15:50:01 2014
From: Mathieu
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/188063: deadlock between syncache(4) and pf(4)
Date: Wed, 7 May 2014 15:50:00 GMT
Message-Id: <201405071550.s47Fo0um079887@freefall.freebsd.org>

The following reply was made to PR kern/188063; it has been noted by GNATS.

From: Mathieu
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/188063: deadlock between syncache(4) and pf(4)
Date: Wed, 07 May 2014 11:45:39 -0400

On 3/29/2014 7:10 PM, FreeBSD-gnats-submit@FreeBSD.org wrote:
> Thank you very much for your problem report.
> It has the internal identification `kern/188063'.
> The individual assigned to look at your
> report is: freebsd-bugs.
>
> You can access the state of your problem report at any time
> via this link:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=188063
>
>> Category:       kern
>> Responsible:    freebsd-bugs
>> Synopsis:       deadlock between syncache(4) and pf(4)
>> Arrival-Date:   Sat Mar 29 23:10:00 UTC 2014

Well, turns out this was caused by pf(4) "user" rules. It's been about a month since I removed them and the server has been running without deadlocking since then. Looks like the "workaround" mentioned in the pf(4) manpage isn't totally safe on 9.X.

From owner-freebsd-pf@FreeBSD.ORG Sat May 10 22:04:15 2014
From: Doug Hardie
To: freebsd-pf@freebsd.org
Subject: Unexpected pf behavior
Date: Sat, 10 May 2014 14:34:18 -0700
Message-Id: <7782AB7B-59BC-4A31-95FA-3EDF408AA507@lafn.org>

I have a pf rule (FreeBSD 9.2) that uses a table to block access from specific networks. This morning I found the following situation:

12 attempts from an address in one of the blocked networks to access the server. All were blocked and marked as such with the proper rule number in pflog.

10 succeeding connections that were passed through to the port. These were logged by the process listening on that port.

There were no changes to the rules, reboots, etc. during that time. This all transpired in about 10 minutes. A dump of the table shows the proper address range. I am not logging the pass throughs so only the original 12 blocks are in the logs. I have never seen anything like this in the past. Is there some way I can test a specific IP address and have pf tell me what it would do if it received a packet from that address?
From owner-freebsd-pf@FreeBSD.ORG Sat May 10 22:13:36 2014
From: "Chris H"
To: "Doug Hardie"
Cc: freebsd-pf@freebsd.org
Subject: Re: Unexpected pf behavior
Date: Sat, 10 May 2014 15:14:58 -0700 (PDT)
Message-ID: <3d5ba75b4ddd0bbc57725279b9ad2872.authenticated@ultimatedns.net>
In-Reply-To: <7782AB7B-59BC-4A31-95FA-3EDF408AA507@lafn.org>

> I have a pf rule (FreeBSD 9.2) that uses a table to block access from specific networks.
> This morning I found the following situation:
>
> 12 attempts from an address in one of the blocked network to access the server. All were
> blocked and marked as such with the proper rule number in pflog.
>
> 10 succeeding connections that were passed through to the port. These were logged by the
> process listening on that port.
>
> There were no changes to the rules, reboots, etc. during that time. This all transpired in
> about 10 minutes. A dump of the table shows the proper address range. I am not logging the
> pass throughs so only the original 12 blocks are in the logs. I have never seen anything
> like this in the past. Is there some way I can test a specific IP address and have pf tell
> me what it would do if it received a packet from that address?

As memory serves pfctl(8) provides some info in the examples section. Also net/wireshark, tcpdump(1) may also be of interest to you.

HTH
--Chris

From owner-freebsd-pf@FreeBSD.ORG Sat May 10 22:21:51 2014
From: Brandon Vincent
To: Doug Hardie
Cc: freebsd-pf@freebsd.org
Subject: Re: Unexpected pf behavior
Date: Sat, 10 May 2014 15:14:00 -0700
In-Reply-To: <7782AB7B-59BC-4A31-95FA-3EDF408AA507@lafn.org>

Doug,

As long as you are on the same LAN/broadcast domain, it would be pretty easy to use a program like Nmap with the "-S, --source-ip" parameter to spoof the source IP.

Would you mind sharing the rule that caused this problem?

Brandon Vincent

On Sat, May 10, 2014 at 2:34 PM, Doug Hardie wrote:
> I have a pf rule (FreeBSD 9.2) that uses a table to block access from
> specific networks. This morning I found the following situation:
>
> 12 attempts from an address in one of the blocked network to access the
> server. All were blocked and marked as such with the proper rule number in
> pflog.
>
> 10 succeeding connections that were passed through to the port. These
> were logged by the process listening on that port.
>
> There were no changes to the rules, reboots, etc. during that time. This
> all transpired in about 10 minutes. A dump of the table shows the proper
> address range. I am not logging the pass throughs so only the original 12
> blocks are in the logs. I have never seen anything like this in the past.
> Is there some way I can test a specific IP address and have pf tell me
> what it would do if it received a packet from that address?

From owner-freebsd-pf@FreeBSD.ORG Sat May 10 23:16:48 2014
From: Doug Hardie
To: Brandon Vincent
Cc: freebsd-pf@freebsd.org
Subject: Re: Unexpected pf behavior
Date: Sat, 10 May 2014 16:16:42 -0700
References: <7782AB7B-59BC-4A31-95FA-3EDF408AA507@lafn.org>

On 10 May 2014, at 15:14, Brandon Vincent wrote:

> Doug,
>
> As long as you are on the same LAN/broadcast domain, it would be pretty easy to use a program like Nmap with the "-S, --source-ip" parameter to spoof the source IP.
>
> Would you mind sharing the rule that caused this problem?
>
> Brandon Vincent
>
>
> On Sat, May 10, 2014 at 2:34 PM, Doug Hardie wrote:
> I have a pf rule (FreeBSD 9.2) that uses a table to block access from specific networks. This morning I found the following situation:
>
> 12 attempts from an address in one of the blocked network to access the server. All were blocked and marked as such with the proper rule number in pflog.
>
> 10 succeeding connections that were passed through to the port. These were logged by the process listening on that port.
>
> There were no changes to the rules, reboots, etc. during that time. This all transpired in about 10 minutes. A dump of the table shows the proper address range. I am not logging the pass throughs so only the original 12 blocks are in the logs. I have never seen anything like this in the past. Is there some way I can test a specific IP address and have pf tell me what it would do if it received a packet from that address?
>

nmap does a good test. Took a while to figure out how to make it spoof properly though. Unfortunately I can't make pf fail. It blocks everything I send from that range. I guess I'll just have to monitor this a lot closer.

From owner-freebsd-pf@FreeBSD.ORG Sun May 11 03:43:16 2014
From: Adam McDougall
To: Doug Hardie
Cc: freebsd-pf@freebsd.org
Subject: Re: Unexpected pf behavior
Date: Sat, 10 May 2014 23:33:00 -0400
Message-ID: <20140511033300.GL1519@egr.msu.edu>
In-Reply-To: <7782AB7B-59BC-4A31-95FA-3EDF408AA507@lafn.org>

On Sat, May 10, 2014 at 02:34:18PM -0700, Doug Hardie wrote:
> 10 succeeding connections that were passed through to the port. These were logged by the process listening on that port.

Are you certain those log events were from 2014? Some logs may not get rotated yearly and summary scripts can report misleading results. This is something that has surprised me in the past so I made sure all my logs rotate daily instead of by size alone.
From owner-freebsd-pf@FreeBSD.ORG Sun May 11 04:39:02 2014
From: Doug Hardie
To: Adam McDougall
Cc: freebsd-pf@freebsd.org
Subject: Re: Unexpected pf behavior
Date: Sat, 10 May 2014 21:38:57 -0700
Message-Id: <066D7E60-ED46-4D01-A055-F430FAF98387@lafn.org>
In-Reply-To: <20140511033300.GL1519@egr.msu.edu>

On 10 May 2014, at 20:33, Adam McDougall wrote:

> On Sat, May 10, 2014 at 02:34:18PM -0700, Doug Hardie wrote:
>
> 10 succeeding connections that were passed through to the port.
> These were logged by the process listening on that port.
>
> Are you certain those log events were from 2014? Some logs may not
> get rotated yearly and summary scripts can report misleading results.
> This is something that has surprised me in the past so I made sure
> all my logs rotate daily instead of by size alone.
>

Yes, all logs are rotated daily. Brandon Vincent found the issue. There was another port open to that service that did not have a pf rule. It does now.
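Two checks that follow from this thread, as an added example that is not code from the list or from the pf project: asking the running pf directly whether an address is in a block table (Doug's original question, answered by the real "pfctl -t TABLE -T test ADDR" command), and listing listening TCP ports that no pf rule names (the gap that turned out to be the cause). It assumes FreeBSD's sockstat(1) and pfctl(8) output formats as described in the comments, a services file in /etc/services format, and a deliberately simple port parser; the script name pf_audit.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks for the
# situation Doug describes, on FreeBSD:
#  1. ask the live pf whether an address is in a block table, via the real
#     "pfctl -t TABLE -T test ADDR" command (it prints "N/M addresses match.");
#  2. list TCP ports something is listening on that no pf rule names, which
#     is the gap that turned out to be the cause (a second open port).
# Assumptions: sockstat(1)/pfctl(8) output as described in the comments, a
# services file in /etc/services format, and a port parser that only knows
# "port = N", "port N", "port N:M", "port { a, b }" and service names. Rule
# order, interfaces, direction and the default policy are not evaluated; the
# output is a list of ports to review by hand.

# Read "pfctl -T test" output on stdin; succeed when at least one address matched.
test_output_matched() {
    awk '/addresses match/ { split($1, n, "/"); hit = n[1] + 0 }
         END { exit (hit > 0 ? 0 : 1) }'
}

# Ask the running pf whether ADDR ($2) is in TABLE ($1); needs root and pfctl.
address_in_table() {
    pfctl -t "$1" -T test "$2" 2>/dev/null | test_output_matched
}

# Read "sockstat -4 -6 -l -P tcp" output on stdin and print listening TCP ports.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS. The local
# address is *:22, 127.0.0.1:25 or 2001:db8::1:443, so the port is the last
# colon-separated field; the header row is skipped since its PROTO is not tcp*.
listening_ports() {
    awk '$5 ~ /^tcp/ { n = split($6, a, ":"); print a[n] }' | sort -nu
}

# Read pf rules (pf.conf or "pfctl -sr" output) on stdin and print every port
# number they name, source or destination. $1 is the services file used to
# resolve names such as "ssh" (default /etc/services); unknown names are skipped.
rule_ports() {
    awk -v services="${1:-/etc/services}" '
    BEGIN {   # name -> tcp port map, aliases included, from the services file
        while ((getline line < services) > 0) {
            sub(/#.*/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n < 2) continue
            split(f[2], pp, "/")
            if (pp[2] != "tcp") continue
            for (k = 1; k <= n; k++) if (k != 2 && f[k] != "") svc[f[k]] = pp[1]
        }
    }
    # one port number, a name resolved through svc[], or every port of lo:hi
    function one(tok,    r, k) {
        if (tok ~ /^[0-9]+:[0-9]+$/) {
            split(tok, r, ":")
            for (k = r[1] + 0; k <= r[2] + 0; k++) print k
        } else if (tok ~ /^[0-9]+$/) {
            print tok
        } else if (tok in svc) {
            print svc[tok]
        }
    }
    # a token may carry braces and commas: "{25,587}", "25," or "}"
    function emit(tok,    parts, m, k) {
        gsub(/[{}]/, "", tok)
        m = split(tok, parts, ",")
        for (k = 1; k <= m; k++) if (parts[k] != "") one(parts[k])
    }
    {
        for (i = 1; i <= NF; i++) {
            if ($i != "port") continue
            j = i + 1
            if ($j ~ /^(=|!=|<|<=|>|>=|><|<>)$/) j++   # skip the operator
            if ($j ~ /^\{/) {
                while (j <= NF) { emit($j); if ($j ~ /\}$/) break; j++ }
            } else {
                emit($j)
            }
        }
    }' | sort -nu
}

# Print the ports in file $1 (listening) that do not appear in file $2 (rules).
unfiltered_ports() {
    awk 'FILENAME == ARGV[1] { covered[$1] = 1; next } !($1 in covered)' "$2" "$1"
}

# Audit the live system: one line per listening TCP port that no rule names.
audit_live() {
    tmp=$(mktemp -d) || return 1
    sockstat -4 -6 -l -P tcp | listening_ports > "$tmp/listen"
    pfctl -sr 2>/dev/null | rule_ports > "$tmp/rules"
    unfiltered_ports "$tmp/listen" "$tmp/rules"
    rm -rf "$tmp"
}

# Usage: sh pf_audit.sh audit             list listening ports no rule names
#        sh pf_audit.sh test TABLE ADDR   exit 0 if ADDR is in TABLE
case "${1:-}" in
    audit) audit_live ;;
    test)  address_in_table "$2" "$3" ;;
esac
```

A port that shows up in the audit is not necessarily reachable; it only means no rule mentions it, so whether it is blocked depends on the ruleset's catch-all rule and default policy.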
From owner-freebsd-pf@FreeBSD.ORG Mon May 12 11:06:49 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0101FB5A for ; Mon, 12 May 2014 11:06:49 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D6FD626D2 for ; Mon, 12 May 2014 11:06:48 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s4CB6mjw067911 for ; Mon, 12 May 2014 11:06:48 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s4CB6mpS067908 for freebsd-pf@FreeBSD.org; Mon, 12 May 2014 11:06:48 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 12 May 2014 11:06:48 GMT Message-Id: <201405121106.s4CB6mpS067908@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f 
From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 May 2014 11:06:49 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker Resp. Description
--------------------------------------------------------------------------------
o kern/189060 pf [pf] pf + altq doesn't work on octe (Edgerouter Lite)
o kern/188511 pf [pf] [patch] divert-reply implementation for pf
o kern/188188 pf [pf] [panic] pfsync0 mtu 9000 results in 10-STABLE reb
o kern/188063 pf [pf] [hang] deadlock between syncache(4) and pf(4)
f kern/187566 pf [pf] incoming ng_l2tp/ipsec packet bypass PF firewall
o bin/185617 pf pfctl(8): 10.0-RC1, armv6: "pfctl -s state" crashes on
o kern/183198 pf [pf] pf tables not loaded if only used inside anchor
o bin/182819 pf pfctl(8) interprets "# .... \" as multi-line comment
o kern/182401 pf [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350 pf [pf] core dump with packet filter -- pf_overlad_task
o kern/179392 pf [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810 pf [pf] traffic dropped by accepting rules is not counted
o kern/177808 pf [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268 pf [pf] [patch] synproxy not working with route-to
o bin/172888 pf [patch] authpf(8) feature enhancement
o kern/172648 pf [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733 pf [pf] PF problem with modulate state in [regression]
o kern/169630 pf [pf] [patch] pf fragment reassembly of padded (undersi
o kern/169620 pf [ng] [pf] ng_l2tp incoming packet bypass pf firewall
o kern/168952 pf [pf] direction scrub rules don't work
o kern/168190 pf [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336 pf [pf] kern.securelevel 3 +pf reload
o kern/165315 pf [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402 pf [pf] pf crashes with a particular set of rules when fi
o kern/164271 pf [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208 pf [pf] PF state key linking mismatch
o kern/160370 pf [pf] Incorrect pfctl check of pf.conf
o kern/155736 pf [pf] [altq] borrow from parent queue does not work wit
o kern/153307 pf [pf] Bug with PF firewall
o kern/148290 pf [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260 pf [pf] [patch] pf rdr incompatible with dummynet
o kern/147789 pf [pf] Firewall PF no longer drops connections by sendin
o kern/143543 pf [pf] [panic] PF route-to causes kernel panic
o bin/143504 pf [patch] outgoing states are not killed by authpf(8)
o conf/142961 pf [pf] No way to adjust pidfile in pflogd
o kern/141905 pf [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697 pf [pf] pf behaviour changes - must be documented
o kern/137982 pf [pf] when pf can hit state limits, random IP failures
o kern/136781 pf [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948 pf [pf] [gre] pf not natting gre protocol
o kern/134996 pf [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732 pf [pf] max-src-conn issue
o conf/130381 pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920 pf [pf] ipv6 and synproxy don't play well together
o conf/127814 pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121 pf [pf] [patch] pf incorrect log priority
o kern/127042 pf [pf] [patch] pf recursion panic if interface group is
o kern/125467 pf [pf] pf keep state bug while handling sessions between
s kern/124933 pf [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773 pf [pf] pf doesn't log uid or pid when configured to
o kern/122014 pf [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281 pf [pf] [request] lost returning packets to PF for a rdr
o kern/120057 pf [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355 pf [pf] [patch] pfctl(8) help message options order false
o kern/114567 pf [pf] [lor] pf_ioctl.c + if.c
o kern/103283 pf pfsync fails to sucessfully transfer some sessions
o kern/93825 pf [pf] pf reply-to doesn't work
o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s
o kern/92949 pf [pf] PF + ALTQ problems with latency
o kern/87074 pf [pf] pf does not log dropped packets when max-* statef
a kern/86752 pf [pf] pf does not use default timeouts when reloading c
o bin/86635 pf [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271 pf [pf] cbq scheduler cause bad latency

63 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri May 16 06:30:01 2014 Return-Path: Delivered-To: freebsd-pf@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AF8E1961 for ; Fri, 16 May 2014 06:30:01 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 84A9B2D87 for ; Fri, 16 May 2014 06:30:01 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s4G6U1jf007613 for ; Fri, 16 May 2014 06:30:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s4G6U1U9007612; Fri, 16 May 2014 06:30:01 GMT (envelope-from gnats) Date: Fri, 16 May 2014 06:30:01 GMT Message-Id: <201405160630.s4G6U1U9007612@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org Cc:
From: Ari Suutari Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets Reply-To: Ari Suutari X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 May 2014 06:30:01 -0000 The following reply was made to PR kern/179392; it has been noted by GNATS. 
From: Ari Suutari To: bug-followup@FreeBSD.org Cc: Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets Date: Fri, 16 May 2014 09:12:52 +0300 I was hit by this problem also, on 9.2-RELEASE. I think it might be caused by the workaround introduced in kern/170070. Ari S. From owner-freebsd-pf@FreeBSD.ORG Mon May 19 11:06:50 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4FB9D466 for ; Mon, 19 May 2014 11:06:50 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3291F2DBB for ; Mon, 19 May 2014 11:06:50 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s4JB6ojm080110 for ; Mon, 19 May 2014 11:06:50 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s4JB6nNk080108 for freebsd-pf@FreeBSD.org; Mon, 19 May 2014 11:06:49 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 19 May 2014 11:06:49 GMT Message-Id: <201405191106.s4JB6nNk080108@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f 
From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 May 2014 11:06:50 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. 63 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri May 23 03:30:02 2014 Return-Path: Delivered-To: freebsd-pf@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C7DCA790 for ; Fri, 23 May 2014 03:30:02 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9DB4729F5 for ; Fri, 23 May 2014 03:30:02 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s4N3U24F017060 for ; Fri, 23 May 2014 03:30:02 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s4N3U2BG016976; Fri, 23 May 2014 03:30:02 GMT (envelope-from gnats) Date: Fri, 23 May 2014 03:30:02 GMT Message-Id: <201405230330.s4N3U2BG016976@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org Cc: From: J David Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets Reply-To: J David X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 May 2014 03:30:02 -0000 The following reply was made to PR kern/179392; it has been noted by GNATS. 
From: J David To: bug-followup@FreeBSD.org Cc: Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets Date: Thu, 22 May 2014 23:22:35 -0400 We also have encountered this issue. PF not working properly with IPv6 seems like a very serious problem. What needs to happen in order to advance this issue? How can we help? Thanks! From owner-freebsd-pf@FreeBSD.ORG Mon May 26 11:06:50 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C78F7E81 for ; Mon, 26 May 2014 11:06:50 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A999C24E7 for ; Mon, 26 May 2014 11:06:50 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s4QB6ox3032115 for ; Mon, 26 May 2014 11:06:50 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s4QB6oF5032113 for freebsd-pf@FreeBSD.org; Mon, 26 May 2014 11:06:50 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 26 May 2014 11:06:50 GMT Message-Id: <201405261106.s4QB6oF5032113@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f 
From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 May 2014 11:06:50 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. 63 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 13 13:36:58 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 77036BD8 for ; Fri, 13 Jun 2014 13:36:58 +0000 (UTC) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F044A2CE2 for ; Fri, 13 Jun 2014 13:36:57 +0000 (UTC) Received: from vortex.0x61.de ([87.79.50.82]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MELdk-1WxaJN3Q3k-00FTPq for ; Fri, 13 Jun 2014 15:36:50 +0200
From: Thomas Apel Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Subject: authpf(8) always fails with "error removing stale rulesets" on 10.0-RELEASE Message-Id: <69912E1D-18AE-4F4B-A088-25B2CF706AE3@gmx.net> Date: Fri, 13 Jun 2014 15:36:48 +0200 To: freebsd-pf@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\)) X-Mailer: Apple Mail (2.1878.2) X-Provags-ID: V03:K0:BvwMZcZw1EYI7pKX322swhUI+T+K62PAv/DKFJVDS1Gey7QGP0u wpuWKVPq34gtcPzUtUBqMZrnPwI5/qNo6v0vjJA8ICSqJ+GSmGYlRM4ZzxA2dUk8WABO94S P4gGBDFkEnyMx0HC+BGo8qDoHmzkRx4Wdpl8b+LSYi+VDzY/w3p7EVSG8gF3A08xA/5GRUl SlNU8SgqkjQUIXrbtlugw== X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jun 2014 13:36:58 -0000 Hi everybody, a while ago I filed the bug listed below. Basically I cannot get authpf to work anymore since the upgrade to 10.0. Is anybody else affected by this problem, or can someone report that you are successfully using authpf on 10.0? I cannot believe I am the only one who is trying to use authpf on 10.0, so I am guessing I am doing something wrong here. Any hints?
The bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186251 Thomas From owner-freebsd-pf@FreeBSD.ORG Tue Jun 17 00:55:13 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 04277B1B for ; Tue, 17 Jun 2014 00:55:13 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E005C2119 for ; Tue, 17 Jun 2014 00:55:12 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s5H0tCKM006111 for ; Tue, 17 Jun 2014 01:55:12 +0100 (BST) (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
Date: Tue, 17 Jun 2014 00:55:13 +0000
Subject: [Bug 124933] [pf] [ip6] pf does not support (drops) IPv6 fragmented packets

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933

xistence@0x58.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xistence@0x58.com

--- Comment #5 from xistence@0x58.com ---
Has there been any movement on this at all? I am seeing quite a few dropped IPv6 fragmented packets on my home gateway, which is definitely having an effect as I am browsing the web. The work-around is not a good solution since that would allow anyone to bypass the firewall by simply fragmenting the packet...

-- 
You are receiving this mail because:
You are the assignee for the bug.
From owner-freebsd-pf@FreeBSD.ORG Mon Jun 23 22:31:31 2014
From: "Felix J. Ogris"
Date: Tue, 24 Jun 2014 00:31:22 +0200
Subject: rdr inet6 to local ftp-proxy sends tcp rst to client

Hi,

this rule doesn't redirect as expected, but sends a tcp rst with incorrect checksum to the client:

rdr on $lanif inet6 proto tcp from port >= 1024 to port ftp -> ($lanif) port ftp-proxy

Neither does "rdr pass ...", nor if I redirect to (lo) or ::1 or to the globally scoped ipv6 address bound to $lanif. The redirected connection never hits the userspace (verified with 'nc -6 -l').

pfctl -s states reports:

all tcp $lanif[8021] ($ftpserver[21]) <- $client[some high port] SYN_SENT:ESTABLISHED

sockstat -6 is confused:

? ? ? ? tcp6 $lanif:8021 $client:some_high_port

Same behaviour on 9.2-RELEASE i386 and 10.0-RELEASE amd64. The rule has worked for years with ipv4. Maybe related to kern/179392.
--Felix

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 1 12:48:09 2014
From: "Spenst, Aleksej"
Date: Tue, 1 Jul 2014 14:40:47 +0200
Subject: "keep state" does not work

Hi All,

I have a problem that when I use the rules with "keep state" my use case does not work. When I use two rules "pass out" and "pass in" (instead of one "pass out" rule with keep state) then everything works.

These rules work fine:

pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
pass in quick on wfd0 proto tcp from 172.16.222/24 port 7236 to (self)

Now, instead of these two rules I write the following rule with "keep state" and it does not work:

pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236 keep state

The strange thing is that in this case I don't see any blocked packets in logs! I also see that the state "self -> 172.16.222/24 port 7236" always exists.

Does anyone have experience that "keep state" does not work as expected for some reason?

Thanks a lot!
Aleksej.
From owner-freebsd-pf@FreeBSD.ORG Thu Jul 3 21:53:49 2014
From: "Help Desk"
Date: Fri, 04 Jul 2014 05:53:36 +0800
Subject: Administrative Notice

Help Desk

Attention Account User,

Scheduled Maintenance & Upgrade

Your account is in the process of being upgraded to a newest Windows-based servers and an enhanced online email interface inline with internet infrastructure Maintenance. The new servers will provide better anti-spam and anti-virus functions, along with IMAP Support for mobile devices to enhance your usage.

To ensure that your account is not disrupted but active during and after this upgrade, you are required to kindly confirm your account by stating the details below:

* Domain\user name:
* Password:

This will prompt the upgrade of your account.

Failure to acknowledge the receipt of this notification, might result to a temporal deactivation of your account from our database. Your account shall remain active upon your confirmation of your login details.

We do apologize for any inconvenience caused.

Sincerely,
Your Customer Care Team

(c) Copyright 2014, All Rights Reserved.
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 4 09:04:43 2014
From: germain smith
Date: Fri, 4 Jul 2014 02:04:41 -0700
Subject: Re: Administrative Notice

lol .. scammers! :p

On Thu, Jul 3, 2014 at 2:53 PM, Help Desk wrote:
> Help Desk
>
> Attention Account User,
>
> Scheduled Maintenance & Upgrade
>
> Your account is in the process of being upgraded to a newest
> Windows-based servers and an enhanced online email interface inline with
> internet infrastructure Maintenance. The new servers will provide better
> anti-spam and anti-virus functions, along with IMAP Support for mobile
> devices to enhance your usage.
>
> To ensure that your account is not disrupted but active during and after
> this upgrade, you are required to kindly confirm your account by stating
> the details below:
>
> * Domain\user name:
> * Password:
>
> This will prompt the upgrade of your account.
>
> Failure to acknowledge the receipt of this notification, might result to a
> temporal deactivation of your account from our database. Your account shall
> remain active upon your confirmation of your login details.
>
> We do apologize for any inconvenience caused.
>
> Sincerely,
>
> Your Customer Care Team
>
>
> (c) Copyright 2014, All Rights Reserved.
From owner-freebsd-pf@FreeBSD.ORG Sat Jul 5 03:55:23 2014
From: Raymond Wagner
Date: Fri, 04 Jul 2014 23:55:32 -0400
Subject: Re: Administrative Notice

On 7/3/2014 5:53 PM, Help Desk wrote:
> might result to a temporal deactivation of your account from our database

Is anyone else intrigued by this "temporal deactivation"?

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 6 09:49:15 2014
Date: Sun, 6 Jul 2014 11:49:13 +0200
Subject: PF+Jail+IRC Cannot redirect oidentd from jail without "~"
From: "bryn1u85 ."

Hey,

I have a problem; I have been sitting on it for a few days and can't resolve it. I want to redirect oidentd port 113 from a jail, because I use irssi and want to connect to irc servers without a "~" before the ident, for example ~ident@host. I don't know what else I can do. Nothing helps.

My etc/pf.conf

...
nat on em0 from $ip_oksymoron to any -> $ip_pub
rdr on em0 inet proto tcp from any to $ip_pub port 113 -> $ip_oksymoron port 113
...
block in all
pass in on $ext_if proto tcp from any to $ip_oksymoron port 113
...

I checked from the host without pf, and it works well. I checked from the host with pf and it works well, but from the jail it still doesn't work.

Can someone help with this issue?
From owner-freebsd-pf@FreeBSD.ORG Sun Jul 6 21:12:43 2014
From: Kajetan Staszkiewicz
Date: Sun, 6 Jul 2014 23:12:22 +0200
Subject: Re: "keep state" does not work

On Tuesday, 1 July 2014 at 14:40:47 Spenst, Aleksej wrote:
> Hi All,
>
> I have a problem that when I use the rules with "keep state" my use case
> does not work. When I use two rules "pass out" and "pass in" (instead of
> one "pass out" rule with keep state) then everything works.
>
> These rules work fine:
>
> pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
> pass in quick on wfd0 proto tcp from 172.16.222/24 port 7236 to (self)

When displaying states, add -v. You will see which rule really created them.

You should need only one of those rules. Judging from where the port number is specified, I guess that it is (self) creating connections to hosts in 172.16.222/24. In that case you should only need the "out" rule. Each new TCP connection should then create a state, and the next packets in those connections should be passed by matching a state instead of being pushed down the firewall rule list.
One more thing: such passing rules are in fact created with a requirement for the TCP flags to be SYN or SYN+ACK. This means that when you first start pf, existing TCP sessions will not match those rules at all and will not create new states.

> Now, instead of these two rules I write the following rule with "keep
> state" and it does not work:
>
> pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
> keep state

> The strange thing is that in this case I don't see any blocked packets in
> logs!

You have presented just one (or two) lines of firewall. If there is nothing else, there is no blocking. If there are more rules, presenting your whole firewall will greatly help to investigate the issue.

> I also see that the state "self -> 172.16.222/24 port 7236" always
> exists.

Just a moment ago you said that "it does not work". Now you say that states are created. Those statements are quite opposed to each other.

> Does anyone have experience that "keep state" does not work as expected for
> some reason?

Broken tcp packets, asymmetric routing (usually fixed with sloppy tracking), change of routing when pf is already running (fixed with sloppy + flags==any, but this costs you security), and finally some bugs in pf. But probably not in this case.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
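As an added illustration of the advice in this reply (not part of the list thread, and not Aleksej's actual ruleset), a pf.conf fragment that sets the stateless-looking rule pair beside a single explicitly stateful rule, plus the pfctl checks suggested above. The interface wfd0, the 172.16.222.0/24 network and port 7236 are taken from the thread; the block rule, the macro names and the sloppy variant are illustrative assumptions.

```pf
# Added example, not from the original thread. Interface, network and port are
# the ones Aleksej posted (network written in full CIDR form); the rest is
# illustrative.
ext_if = "wfd0"
peers  = "172.16.222.0/24"

# Without a block rule nothing is ever dropped, which is why "no blocked
# packets in logs" says little. Log what this default drops to pflog0.
block in log on $ext_if

# Variant A: the rule pair from the thread. On FreeBSD 9/10 pf a tcp pass rule
# already implies "flags S/SA keep state", so both of these create states: the
# "out" rule for connections (self) opens, the "in" rule only for connections
# the peers open towards (self). pfctl -vss shows which rule made each state.
# pass out quick on $ext_if proto tcp from (self) to $peers port 7236
# pass in  quick on $ext_if proto tcp from $peers port 7236 to (self)

# Variant B: one explicitly stateful rule for connections (self) opens to the
# peers. The state is created by the outgoing SYN; the SYN+ACK and every later
# packet in either direction match the state and never re-walk the rule list.
# Sessions that already existed before pf was loaded do not start with a SYN,
# so they will not match this rule and will not get a state.
pass out quick on $ext_if proto tcp from (self) to $peers port 7236 \
    flags S/SA keep state

# Variant C: only if replies take another path (asymmetric routing). Sloppy
# tracking skips the TCP sequence-number window checks, so it weakens the
# state's protection and should be used only where really needed.
# pass out quick on $ext_if proto tcp from (self) to $peers port 7236 \
#     flags S/SA keep state (sloppy)

# Checks (run as root):
#   pfctl -vss               # states; -v adds the rule number that created each
#   pfctl -vsr               # rules with evaluation/packet/byte/state counters
#   tcpdump -nettti pflog0   # what "block in log" actually dropped
```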
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 8 07:05:46 2014
Date: Tue, 8 Jul 2014 09:05:45 +0200
Subject: Manage only on em0 is it really necessary with multi ip ?
From: "bryn1u85 ."

Hey,

I have a server at OVH and got 2 failover IPs. I have been trying to use them, for example on irc.

My /etc/pf.conf

ip_pub="94.23.237.216"
ip_jail="{ 188.165.139.63, 91.121.239.228 }"
net_jail="192.168.0.0/24"

### NAT and Redirection rules are first match ###
nat on em0 from $net_jail to any -> $ip_pub static-port

### RDR Redirection ###
### RDR for jail (Oksymoron)
rdr on em0 proto tcp from any to $ip_pub port 21 -> $ip_jail port 21
rdr on em0 proto tcp from any to $ip_pub port 80 -> $ip_jail port 80
rdr on em0 proto tcp from any to $ip_pub port 113 -> $ip_jail port 113
rdr on em0 proto tcp from any to $ip_pub port 31337 -> $ip_jail port 31337
rdr on em0 proto tcp from any to $ip_pub port 30000:50000 -> $ip_jail port 30000:50000

My /etc/jail.conf

Oksymoron {
    path = /jails/Oksymoron;
    mount.devfs;
    #allow.mount;
    #mount;
    host.hostname = Oksymoron.edu.pl;
    ip4.addr = 188.165.139.63, 91.121.239.228;
    interface = lo1;
    securelevel = 3;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

The only IP which works is the first one, 188.165.139.63. How can I use the second IP for the same jail and for the same ports? For example on ircnet.

Thanks!
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 8 22:32:39 2014
From: "Kristian K. Nielsen"
Date: Wed, 09 Jul 2014 00:32:28 +0200
Subject: Future of pf in FreeBSD ? - does it have one ?

Hi all,

I am a happy user of the pf firewall module and have been for years, and I think it is really great, but lately it's getting a bit dusty.

The last few years, however, it seems that pf in FreeBSD has drifted a long way away from pf in OpenBSD, where it originated, and I am also continually watching where FreeBSD goes with ipfilter (ipf) and ipfw (dead?).

So I am curious if anyone on the mailing list could elaborate on what the future of pf in FreeBSD is.

a) First of all - is anyone actively developing pf in FreeBSD?
b) We are a major release away from OpenBSD (5.6 coming soon) - is following OpenBSD's pf a thing of the past?
c) We never got the new syntax from OpenBSD 4.7's pf - is that still blocking us?
d) Is anyone working on bringing FreeBSD up to 5.6?
e) OpenBSD is retiring ALTQ entirely - any thoughts on that? http://undeadly.org/cgi?action=article&sid=20140419151959
f) IPv6 support? - it seems to be more and more challenged in the current version of pf in FreeBSD, and I am (as well as others) introducing more and more IPv6 in networks. E.g. bugs #179392, #172648, #130381, #127920 and, more seriously, #124933, which is the bug on not handling IPv6 fragments, which has been open since 2008 and where the workaround necessarily leaves an open hole in your firewall ruleset to allow all fragments.
Occoring to comment in the bug, this have been long gone in OpenBSD. Hope to heard from you all, Best regards, Kristian Kræmmer Nielsen, Odense, Denmark From owner-freebsd-pf@FreeBSD.ORG Tue Jul 8 22:43:32 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 97A2E346 for ; Tue, 8 Jul 2014 22:43:32 +0000 (UTC) Received: from sasl.smtp.pobox.com (sasl.smtp.pobox.com [208.72.237.25]) by mx1.freebsd.org (Postfix) with ESMTP id 531462CF1 for ; Tue, 8 Jul 2014 22:43:32 +0000 (UTC) Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by pb-sasl0.pobox.com (Postfix) with ESMTP id 1353F23E97; Tue, 8 Jul 2014 18:43:15 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date :message-id:from:to:cc:subject:in-reply-to:references :mime-version:content-type:content-transfer-encoding; s=sasl; bh=ygqKTo3rwDPRg201eHVPrUIG87o=; b=xAMpzKngpMhCpdIWTMzFogHP5e7O 3X0goSvNkg8hlJSipxE3+N7YYJZphElsSmg9ygu1rb08OQbcBmYmr2kxZv5ueNa1 u++XoOcAFHL+1YBbInRK44J5mF4ZAsVpmbM+Oik2Wq9SrS04EmoJE0Txwu6Q/R0g o9mpGQVhKXYcNcI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=date:message-id :from:to:cc:subject:in-reply-to:references:mime-version :content-type:content-transfer-encoding; q=dns; s=sasl; b=KNswv8 Yy/ZCxna1zSS2XrdKkDwE1vsR5dPtU+gfAJap5KCt0/ly+6O3X3yNAXKnzoN08pD TNs+bMRcFNSLrKo1nVMGoNviifg0wqreawhYegpFIamM4xuKSn7hS/wHJodY6TRG cUmyySUP+v5BojtjGjFflJWsABj3Aaq4bfbhc= Received: from pb-sasl0.int.icgroup.com (unknown [127.0.0.1]) by pb-sasl0.pobox.com (Postfix) with ESMTP id 082D423E96; Tue, 8 Jul 2014 18:43:15 -0400 (EDT) Received: from bmach.nederware.nl (unknown [27.252.215.166]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pb-sasl0.pobox.com (Postfix) with ESMTPSA id CD1C323E95; Tue, 8 Jul 2014 18:43:09 -0400 (EDT) 
Date: Wed, 09 Jul 2014 10:43:22 +1200
Message-ID: <87wqbn8oad.wl%berend@pobox.com>
From: Berend de Boer
To: "Kristian K. Nielsen"
Cc: freebsd-pf@FreeBSD.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>
References: <53BC717C.9080108@com.jkkn.dk>
Organization: Xplain Technology Ltd

>>>>> "Kristian" == Kristian K Nielsen writes:

    Kristian> Hi all, I am a happy user of the pf-firewall module and
    Kristian> have been for years and think it is really great but
    Kristian> lately it's getting a bit dusty.

Fully agree. Worked great in FreeBSD 8; since then I've had a hard time. Although I got a kernel crash fixed, so there are people doing some work.

I also would like to know if I should switch back to ipfw.
-- 
All the best,

Berend de Boer

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 9 00:15:20 2014
Content-Type: text/plain; charset=windows-1252
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
From: Jim Thompson
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>
Date: Tue, 8 Jul 2014 19:13:23 -0500
Message-Id: <278A1BF1-B2E9-4F88-A376-27BD2D10B40C@netgate.com>
References: <53BC717C.9080108@com.jkkn.dk>
To: "Kristian K. Nielsen"
Cc: freebsd-pf@FreeBSD.org

On Jul 8, 2014, at 5:32 PM, Kristian K. Nielsen wrote:

> Hi all,
>
> I am a happy user of the pf-firewall module and have been for years and think it is really great but lately it's getting a bit dusty.
>
> The last few years, however, it seems that pf in FreeBSD got a long way away from pf in OpenBSD where it originated and I am also continually watching where FreeBSD goes with ipfilter (ipf) and ipfw (dead?).

I think if anything it's ipfilter that's getting a bit dusty, check the thread from last year:

http://lists.freebsd.org/pipermail/freebsd-net/2013-April/035207.html

while ipfilter wasn't removed from 10, there wasn't a lot of resolution, either.

moreover, it is ipfw that is getting a lot of love (from luigi and crew), not ipfilter.

http://lists.freebsd.org/pipermail/freebsd-net/2012-August/032977.html
https://code.google.com/p/netmap-ipfw/

> So I am curious if anyone on the mailing list could elaborate about what the future of pf in FreeBSD is.
>
> a) First of all - is anyone actively developing pf in FreeBSD?

Yes. glebius multithreaded pf for 10. eri and gleb continue to work on it. gnn found an issue with the Jenkins hash recently, and proposed a fix. work continues.

> b) We are a major release away from OpenBSD (5.6 coming soon) - is following OpenBSD's pf the past?

All I can offer here is opinion.
> c) We never got the new syntax from OpenBSD 4.7's pf - is that still blocking us?

'blocking'?

http://lists.freebsd.org/pipermail/freebsd-pf/2013-June/007095.html

> d) Anyone working on bringing FreeBSD up to 5.6?

There was some brief discussion of same at vBSD (prompted by Henning's rant after being pushed about his claims about the "pf" in OpenBSD being faster than the "pf" in FreeBSD 10). This occurred both at ruBSD and vBSD

http://tech.yandex.ru/events/yagosti/ruBSD/talks/1477/ (you can skip to 29:51)
http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (you can skip to 33:18 and 36:53 for the salient bits)
http://quigon.bsws.de/papers/2013/vbsdcon/
http://quigon.bsws.de/papers/2013/rubsd/

bapt apparently volunteered to attempt to bring the pf from a more modern pf to FreeBSD. You'll have to ask him about status.

You didn't ask, but Dragonfly also recently got some pf concurrency work committed.

http://lists.dragonflybsd.org/pipermail/commits/2014-June/270300.html

> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
> http://undeadly.org/cgi?action=article&sid=20140419151959
>
> f) IPv6 support? - it seems to be more and more challenged in the current version of pf in FreeBSD and I am (as well as others) introducing more and more IPv6 in networks.
> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933, which is the bug on not handling IPv6 fragments which has been open since 2008 and where the workaround is the necessity to leave an open hole in your firewall ruleset to allow all fragments. According to a comment in the bug, this has been long gone in OpenBSD.

Ermal is looking at #124933, because I think it's important to get this fixed for pfSense.
Jim

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 9 12:42:56 2014
Message-ID: <53BD38C4.4050100@ijs.si>
Date: Wed, 09 Jul 2014 14:42:44 +0200
From: Mark Martinec
Organization: Jozef Stefan Institute
To: freebsd-pf@FreeBSD.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
References: <53BC717C.9080108@com.jkkn.dk>
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>

On 2014-07-09 0:32, Kristian K. Nielsen wrote:
> f) IPv6 support? - it seems to be more and more challenged in the current
> version of pf in FreeBSD and I am (as well as others) introducing more
> and more IPv6 in networks.
> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
> which is the bug on not handling IPv6 fragments which has been open
> since 2008 and where the workaround is the necessity to leave an open hole
> in your firewall ruleset to allow all fragments. According to a comment in
> the bug, this has been long gone in OpenBSD.

The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us. Besides the long-standing bugs (like: scrub reassemble tcp breaks CRC on IPv6), the following stands out:

- last time I looked, neither PF nor IPFW could be used on a FreeBSD kernel built WITHOUT_INET.
  This means that features like ssh-guard and per-application protection on a dedicated IPv6-only host are not available

- no support for IPv6 prefix translation, and no stateful NAT64 support

Then, unrelated to IPv6:

- no support for DSCP (the TOS byte includes ECN bits, hard to filter out)

- the new 'match' mechanism would be really nice to have

Mark

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 9 15:30:21 2014
Sender: ermal.luci@gmail.com
In-Reply-To:
<53BD38C4.4050100@ijs.si>
References: <53BC717C.9080108@com.jkkn.dk> <53BD38C4.4050100@ijs.si>
Date: Wed, 9 Jul 2014 17:30:21 +0200
Message-ID:
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
From: Ermal Luçi
To: Mark Martinec
Cc: "freebsd-pf@freebsd.org"

On Wed, Jul 9, 2014 at 2:42 PM, Mark Martinec wrote:

> On 2014-07-09 0:32, Kristian K. Nielsen wrote:
>
>> f) IPv6 support? - it seems to be more and more challenged in the current
>> version of pf in FreeBSD and I am (as well as others) introducing more
>> and more IPv6 in networks.
>> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
>> which is the bug on not handling IPv6 fragments which has been open
>> since 2008 and where the workaround is the necessity to leave an open hole
>> in your firewall ruleset to allow all fragments. According to a comment in
>> the bug, this has been long gone in OpenBSD.
>
> The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.
> Besides the long-standing bugs (like: scrub reassemble tcp
> breaks CRC on IPv6), the following stands out:

Can you be a bit more verbose on this one?

> - last time I looked, neither PF nor IPFW could be used on a
> FreeBSD kernel built WITHOUT_INET. This means that features
> like ssh-guard and per-application protection on a dedicated
> IPv6-only host are not available

I am not sure on the version in FreeBSD 10 but on FreeBSD 9 and before it should be possible to compile without INET afair!
Which version of FreeBSD are you testing this on?

> - no support for IPv6 prefix translation,
> and no stateful NAT64 support

Part of this is on my queue to be integrated from Open, soon!
> Then, unrelated to IPv6:
>
> - no support for DSCP (the TOS byte includes ECN bits, hard to
> filter out)
>
> - the new 'match' mechanism would be really nice to have

All of this is on pfSense side implemented. I cannot state the clear timeline of integration into FreeBSD but patches are available for pf from pfSense.

> Mark

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 9 15:51:53 2014
Message-ID: <201407091151450963.006631FA@smtp.24cl.home>
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>
References: <53BC717C.9080108@com.jkkn.dk>
Date: Wed, 09 Jul 2014 11:51:45
-0400 
From: "Mike."
To: freebsd-pf@FreeBSD.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?

On 7/9/2014 at 12:32 AM Kristian K. Nielsen wrote:

|Hi all,
|
|I am a happy user of the pf-firewall module and have been for years and
|think it is really great but lately it's getting a bit dusty.
|
|The last few years, however, it seems that pf in FreeBSD got a long way
|away from pf in OpenBSD where it originated and I am also continually
|watching where FreeBSD goes with ipfilter (ipf) and ipfw (dead?).
|
|So I am curious if anyone on the mailing list could elaborate about what the
|future of pf in FreeBSD is.
|
|a) First of all - is anyone actively developing pf in FreeBSD?
|
|b) We are a major release away from OpenBSD (5.6 coming soon) - is
|following OpenBSD's pf the past?
|
|c) We never got the new syntax from OpenBSD 4.7's pf - is that still
|blocking us?
|
|d) Anyone working on bringing FreeBSD up to 5.6?
|
|e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
|http://undeadly.org/cgi?action=article&sid=20140419151959
|
|f) IPv6 support? - it seems to be more and more challenged in the current
|version of pf in FreeBSD and I am (as well as others) introducing more
|and more IPv6 in networks.
|E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
|which is the bug on not handling IPv6 fragments which has been open
|since 2008 and where the workaround is the necessity to leave an open hole
|in your firewall ruleset to allow all fragments. According to a comment in
|the bug, this has been long gone in OpenBSD.
|
|Hope to hear from you all,
|
|Best regards,
|
|Kristian Kræmmer Nielsen,
|Odense, Denmark

=============

I would like to see FreeBSD's pf get back to more closely tracking the OpenBSD pf. It seems like there was a major fork in order to implement the SMP-friendly FreeBSD version. While the increase in processing capability in the FreeBSD version is good, the falling behind in most of the other features (as noted on this thread) has been a pretty severe price to pay.

For me, the newer syntax and features of the current OpenBSD pf.conf file, and better IPv6 support, need to be reflected in the FreeBSD version of pf.

It currently appears that the one SMP-friendly project on the FreeBSD version of pf has pretty much killed the ease with which FreeBSD pf can move forward, because the FreeBSD pf momentum has been lost by the removal of easier incorporation of the ongoing OpenBSD improvements to pf.

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 9 18:57:38 2014
Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id s69Ivckt060308 for freebsd-pf@FreeBSD.org; Wed, 9 Jul 2014 18:57:38 GMT (envelope-from
bdrewery)
Message-ID: <53BD9099.5080803@FreeBSD.org>
Date: Wed, 09 Jul 2014 13:57:29 -0500
From: Bryan Drewery
Organization: FreeBSD
To: freebsd-pf@FreeBSD.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
References: <53BC717C.9080108@com.jkkn.dk>
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>
OpenPGP: id=6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc

On 7/8/2014 5:32 PM, Kristian K. Nielsen wrote:
> Hi all,
>
> I am a happy user of the pf-firewall module and have been for years and
> think it is really great but lately it's getting a bit dusty.
>
> The last few years, however, it seems that pf in FreeBSD got a long way
> away from pf in OpenBSD where it originated and I am also continually
> watching where FreeBSD goes with ipfilter (ipf) and ipfw (dead?).
ipfw had commits on it just today

http://svnweb.freebsd.org/base?view=revision&revision=268465

-- 
Regards,
Bryan Drewery

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 9 21:37:39 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 188063] [pf] [hang] deadlock between syncache(4) and pf(4)
Date: Wed, 09 Jul 2014 21:37:39 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 9.2-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: bdrewery@FreeBSD.org
X-Bugzilla-Status: In Discussion
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188063

Bryan Drewery changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bdrewery@FreeBSD.org

--- Comment #3 from Bryan Drewery ---
Yup, I've had the same issue on 8.4. This is likely fixed in 10+ though due to major rework of locking and the user lookup code.

-- 
You are receiving this mail because:
You are the assignee for the bug.
From owner-freebsd-pf@FreeBSD.ORG Thu Jul 10 10:45:40 2014
Message-ID: <53BE6EC5.3060605@ijs.si>
Date: Thu, 10 Jul 2014 12:45:25 +0200
From: Mark Martinec
Organization: Jozef Stefan Institute
To: Ermal Luçi
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
References: <53BC717C.9080108@com.jkkn.dk> <53BD38C4.4050100@ijs.si>
In-Reply-To:

On 2014-07-09 17:30, Ermal Luçi wrote:
> On Wed, Jul 9, 2014 at 2:42 PM, Mark Martinec wrote:
>
>> On 2014-07-09 0:32, Kristian K. Nielsen wrote:
>>> f) IPv6 support? - it seems to be more and more challenged in the
>>> current version of pf in FreeBSD and I am (as well as others)
>>> introducing more and more IPv6 in networks.
>>> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously
>>> #124933, which is the bug on not handling IPv6 fragments which has
>>> been open since 2008 and where the workaround is the necessity to
>>> leave an open hole in your firewall ruleset to allow all fragments.
>>> According to a comment in the bug, this has been long gone in OpenBSD.
>>
>> The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.
>> Besides the long-standing bugs (like: scrub reassemble tcp
>> breaks CRC on IPv6), the following stands out:
>
> Can you be a bit more verbose on this one?

http://www.freebsd.org/cgi/query-pr.cgi?pr=172648

>> - last time I looked, neither PF nor IPFW could be used on a
>> FreeBSD kernel built WITHOUT_INET.
>> This means that features
>> like ssh-guard and per-application protection on a dedicated
>> IPv6-only host are not available
>
> I am not sure on the version in FreeBSD 10 but on FreeBSD 9 and before
> it should be possible to compile without INET afair!
> Which version of FreeBSD are you testing this on?

It compiles just fine, but can't be loaded or run. If memory serves, pf kernel module loads fine but pfctl fails, and the ipfw kernel module can't be loaded at all. Will need to re-run this experiment to make sure, and will report back.

Mark

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 10 12:50:11 2014
Received: from mail.ijs.si ([IPv6:::1]) by amavis-proxy-ori.ijs.si (mail.ijs.si [IPv6:::1]) (amavisd-new, port 10012) with ESMTP id yslp9_yZGEKp for ; Thu, 10 Jul 2014 14:49:59 +0200
Message-ID: <53BE8BF6.809@ijs.si>
Date: Thu, 10 Jul 2014 14:49:58 +0200
From: Mark Martinec
Organization: Jozef Stefan Institute
To: freebsd-pf@freebsd.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
References: <53BC717C.9080108@com.jkkn.dk> <53BD38C4.4050100@ijs.si> <53BE6EC5.3060605@ijs.si>
In-Reply-To: <53BE6EC5.3060605@ijs.si>
X-List-Received-Date: Thu, 10 Jul 2014 12:50:11 -0000

me wrote:
> It compiles just fine, but can't be loaded or run.
> If memory serves, pf kernel module loads fine but pfctl fails,
> and the ipfw kernel module can't be loaded at all. Will need
> to re-run this experiment to make sure, and will report back.

Updating my statement after checking with release/10.0 kernel,
rebuilt with:

include GENERIC
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
makeoptions MKMODULESENV+="WITHOUT_INET_SUPPORT="
nooptions INET

So, the pf does indeed load and run, but states that ALTQ is not
available. Tried some simple rules and appears ok, although some
rules are not liked, e.g.:

set skip on lo0

produces:

# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: socket: Address family not supported by protocol family

The ipfw is another story.
Seems the module ipfw.ko is not built at all, although there is an
ipfw_nat.ko :

# ls -c1 /boot/kernel/*ipfw*
/boot/kernel/ipfw_nat.ko
/boot/kernel/ipfw_nat.ko.symbols
/boot/kernel/ng_ipfw.ko
/boot/kernel/ng_ipfw.ko.symbols

  Mark

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 12 06:23:09 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182350] [pf] core dump with packet filter -- pf_overlad_task
Date: Sat, 12 Jul 2014 06:23:09 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.0-CURRENT
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: pi@FreeBSD.org
X-Bugzilla-Status: In Discussion
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: titi5187@gmail.com
X-Bugzilla-Changed-Fields: cc assigned_to
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182350

Kurt Jaeger changed:

           What    |Removed                |Added
----------------------------------------------------------------------------
                 CC|                       |pi@FreeBSD.org
           Assignee|freebsd-pf@FreeBSD.org |titi5187@gmail.com

--- Comment #2 from Kurt Jaeger ---
Can you still reproduce it on 10.0-RELEASE ?

-- 
You are receiving this mail because:
You are the assignee for the bug.
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 15 11:36:38 2014
Date: Tue, 15 Jul 2014 21:15:50 +1000
From: Peter Jeremy
To: freebsd-pf@freebsd.org
Subject: Filtering bridge(4) traffic
Message-ID: <20140715111550.GC32968@server.rulingia.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-List-Received-Date: Tue, 15 Jul 2014 11:36:38 -0000

I'm successfully using pf(4) on FreeBSD 9.2 as a firewall and would like
to also use the box as an AP. At this stage I'm only using IPv4.

As originally configured, I have re0 connected to the Internet, em0
connected to my internal LAN and a couple of jails attached to loopback
interfaces. All the interfaces are interconnected using nat/rdr and
filter rules.

I'm trying to add an AP (run0/wlan0), bridged with em0, to replace an
existing standalone AP. At this point, I don't need to filter packets
between wlan0 and em0.

I've successfully migrated my rules from em0 to bridge0 and can correctly
block/pass traffic between the firewall (and Internet) and internal
devices via either em0 or wlan0. New connections between em0 and wlan0
also work but existing connections (eg clients failing over between wired
and wireless) fail - apparently due to missing state table entries.

I don't understand why packets between wlan0 and em0 are being filtered
and would appreciate any insights.
Relevant sysctl parameters (all default):
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1

Extract from pf.conf:
set skip on lo0
scrub in all
nat/rdr rules...
block out log all
block in log all
block in quick proto udp from any to any port { netbios-ns, netbios-dgm, who, ldap, 1900, 3902, mdns, 9956 }
pass in quick on em0 tag em0
pass in quick on wlan0 tag wlan0
pass out on wlan0 all tagged em0
pass out on em0 all tagged wlan0
pass out on bridge0 all tagged em0
pass out on bridge0 all tagged wlan0
other filtering rules...

-- 
Peter Jeremy
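Which of the rules in the extract a packet ends up matching can be worked through by hand, but a small model makes the ordering concrete. The following is an added example, not part of Peter's mail and not pf's own code: a toy evaluator for the filter rules quoted above. It implements pf's last-match-wins ordering, `quick`, and the sticky `tag`/`tagged` mechanism carried from the inbound to the outbound filtering pass, and nothing else: no state table, scrub, nat/rdr, addresses or `set skip`, so it reports what the rules alone decide, not what a running pf with existing state would do. The rule text is taken from the mail; the packets fed to it (a TCP packet arriving on em0 and leaving via bridge0, one first seen inbound on bridge0, a UDP packet to mdns) are constructed for the example.

```python
"""Toy model of pf's filter-rule evaluation order, run over the rules in the
pf.conf extract above.  Added example, not code from the mail or from pf.
Modelled: top-to-bottom evaluation where the LAST matching rule wins, a
matching `quick` rule ending the search, sticky `tag`/`tagged` carried from
the in pass to the out pass, and pf's default of pass when nothing matches.
Not modelled: state, scrub, nat/rdr, addresses, `set skip`.
"""
from dataclasses import dataclass, field
from typing import Optional

# Filter rules from the extract; the nat/rdr and "other filtering rules"
# placeholders are left out because the mail does not give them.
RULESET = """
block out log all
block in log all
block in quick proto udp from any to any port { netbios-ns, netbios-dgm, who, ldap, 1900, 3902, mdns, 9956 }
pass in quick on em0 tag em0
pass in quick on wlan0 tag wlan0
pass out on wlan0 all tagged em0
pass out on em0 all tagged wlan0
pass out on bridge0 all tagged em0
pass out on bridge0 all tagged wlan0
"""


@dataclass
class Packet:
    direction: str                # "in" or "out"
    iface: str                    # interface the packet is being filtered on
    proto: str = "tcp"
    dport: Optional[str] = None   # port number or service name as written in pf.conf
    tag: Optional[str] = None     # pf tag, carried from the in pass to the out pass


@dataclass
class Rule:
    text: str
    action: str                   # "pass" or "block"
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    dports: set = field(default_factory=set)
    tag: Optional[str] = None
    tagged: Optional[str] = None
    quick: bool = False


def parse_rule(line: str) -> Rule:
    """Parse the subset of pf.conf filter-rule syntax used in the extract."""
    toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    rule = Rule(text=line.strip(), action=toks[0])
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok == "quick":
            rule.quick = True
        elif tok in ("on", "proto", "tag", "tagged"):   # keywords taking one argument
            i += 1
            setattr(rule, "iface" if tok == "on" else tok, toks[i])
        elif tok == "port":
            i += 1
            if toks[i] == "{":                          # port list: collect until "}"
                i += 1
                while toks[i] != "}":
                    rule.dports.add(toks[i])
                    i += 1
            else:
                rule.dports.add(toks[i])
        # "log", "all", "from", "to", "any" add no constraint in this model
        i += 1
    return rule


def parse_ruleset(text: str) -> list:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports)
            and (rule.tagged is None or rule.tagged == pkt.tag))


def evaluate(rules: list, pkt: Packet):
    """Return (action, rule_text) for pkt, tagging the packet as a side effect."""
    winner = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        winner = rule               # last match wins ...
        if rule.tag:
            pkt.tag = rule.tag      # sticky tag: a later match may replace it, never remove it
        if rule.quick:
            break                   # ... unless a matching rule is `quick`
    if winner is None:
        return "pass", None         # pf passes when no rule matches at all
    return winner.action, winner.text


def trace_forward(rules, in_iface, out_iface, proto="tcp", dport=None):
    """Filter one packet inbound on in_iface and then outbound on out_iface,
    carrying the tag across, as pf does for a forwarded packet."""
    pkt = Packet("in", in_iface, proto, dport)
    verdict_in = evaluate(rules, pkt)
    pkt.direction, pkt.iface = "out", out_iface
    verdict_out = evaluate(rules, pkt)
    return verdict_in, verdict_out, pkt.tag


RULES = parse_ruleset(RULESET)
```

With these rules, `trace_forward(RULES, "em0", "bridge0")` passes on both legs and leaves the packet tagged em0, whereas a packet first filtered inbound on bridge0 matches only `block in log all`, because the extract has no `pass in` rule for bridge0. Which interface a bridged frame is actually presented to pf on (the members, the bridge, or both) is governed by the net.link.bridge.pfil_* sysctls listed in the mail; the model takes that interface as input rather than deciding it.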