From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 00:31:53 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CBE60F48 for ; Sun, 14 Dec 2014 00:31:53 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AD874C87 for ; Sun, 14 Dec 2014 00:31:53 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBE0VrMM022561 for ; Sun, 14 Dec 2014 00:31:53 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBE0Vr2L022559; Sun, 14 Dec 2014 00:31:53 GMT (envelope-from root) Date: Sun, 14 Dec 2014 00:31:53 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Request, 70 lines] D1309: VIMAGE PF fixes #1 Message-ID: X-Priority: 3 Thread-Topic: D1309: VIMAGE PF fixes #1 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: Thread-Index: NzA2ZjJlODRkOGZmNmYwM2M1MmQ1N2YzYTJk X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: , , , MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Sun, 14 Dec 2014 00:31:53 -0000 rodrigc created this revision. rodrigc added reviewers: bz, glebius. rodrigc added subscribers: freebsd-net, freebsd-pf, freebsd-virtualization. REVISION SUMMARY Merge: r258322 from projects/pf branch - Split functions that initialize various pf parts into their vimage parts and global parts. - Since global parts appeared to be only mutex initializations, just abandon them and use MTX_SYSINIT() instead. - Kill my incorrect VNET_FOREACH() iterator and instead use correct approach with VNET_SYSINIT(). Submitted by: glebius, Nikos Vassiliadis Reviewed by: trociny TEST PLAN - compiled CURRENT kernel with this patch - booted - created VNET jail - started PF in the jail Eliminated some crashes such as PR 194515 REVISION DETAIL https://reviews.freebsd.org/D1309 AFFECTED FILES sys/net/pfvar.h sys/netpfil/pf/pf.c sys/netpfil/pf/pf_if.c sys/netpfil/pf/pf_ioctl.c sys/netpfil/pf/pf_norm.c To: rodrigc, bz, glebius Cc: freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 00:33:01 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 73F7729F for ; Sun, 14 Dec 2014 00:33:01 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4F962CB4 for ; Sun, 14 Dec 2014 00:33:01 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBE0X1ei023595 for ; Sun, 14 Dec 2014 00:33:01 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from 
root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBE0X1kG023594; Sun, 14 Dec 2014 00:33:01 GMT (envelope-from root) Date: Sun, 14 Dec 2014 00:33:01 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Updated] D1309: VIMAGE PF fixes #1 Message-ID: X-Priority: 3 Thread-Topic: D1309: VIMAGE PF fixes #1 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: In-Reply-To: References: Thread-Index: NzA2ZjJlODRkOGZmNmYwM2M1MmQ1N2YzYTJkIFSM2r0= X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 00:33:01 -0000 rodrigc added a reviewer: network. 
REVISION DETAIL https://reviews.freebsd.org/D1309 To: rodrigc, bz, glebius, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson Cc: freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 00:53:47 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7B50E619 for ; Sun, 14 Dec 2014 00:53:47 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 56440EAF for ; Sun, 14 Dec 2014 00:53:47 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBE0rlUe044618 for ; Sun, 14 Dec 2014 00:53:47 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBE0rlEY044617; Sun, 14 Dec 2014 00:53:47 GMT (envelope-from root) Date: Sun, 14 Dec 2014 00:53:47 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Updated] D1309: VIMAGE PF fixes #1 Message-ID: <4d28e8d06847c8adce6f826c879b5481@localhost.localdomain> X-Priority: 3 Thread-Topic: D1309: VIMAGE PF fixes #1 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: In-Reply-To: References: Thread-Index: 
NzA2ZjJlODRkOGZmNmYwM2M1MmQ1N2YzYTJkIFSM35s= X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 00:53:47 -0000 rodrigc added a reviewer: trociny. REVISION DETAIL https://reviews.freebsd.org/D1309 To: rodrigc, bz, glebius, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson, trociny Cc: freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 03:18:59 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3F204C3A for ; Sun, 14 Dec 2014 03:18:59 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 20B8DF0C for ; Sun, 14 Dec 2014 03:18:59 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBE3IwZW051796 for ; Sun, 14 Dec 2014 03:18:58 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBE3IwYa051795; Sun, 14 Dec 2014 03:18:58 GMT (envelope-from root) Date: Sun, 14 Dec 2014 03:18:58 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig 
Rodrigues)" Subject: [Differential] [Request, 46 lines] D1312: VNET PF fixes #2 Message-ID: X-Priority: 3 Thread-Topic: D1312: VNET PF fixes #2 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: Thread-Index: OTEzZmU1MDE5NzRjYjllYzQxMmNjNjQyZWM1 X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: , , , MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 03:18:59 -0000 rodrigc created this revision. rodrigc added reviewers: bz, glebius, trociny. rodrigc added subscribers: freebsd-net, freebsd-virtualization, freebsd-pf. REVISION SUMMARY Virtualize the pfr_ktables variable. 
Submitted by: Nikos Vassiliadis REVISION DETAIL https://reviews.freebsd.org/D1312 AFFECTED FILES sys/netpfil/pf/pf_table.c To: rodrigc, bz, glebius, trociny Cc: freebsd-pf, freebsd-virtualization, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 03:19:55 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 17C33D52 for ; Sun, 14 Dec 2014 03:19:55 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ECE90F1C for ; Sun, 14 Dec 2014 03:19:54 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBE3Jsc5052402 for ; Sun, 14 Dec 2014 03:19:54 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBE3Jsef052401; Sun, 14 Dec 2014 03:19:54 GMT (envelope-from root) Date: Sun, 14 Dec 2014 03:19:54 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Updated] D1312: VIMAGE PF fixes #2 Message-ID: <4ae8912ebb9d9e1dcd071d2f9364b49c@localhost.localdomain> X-Priority: 3 Thread-Topic: D1312: VNET PF fixes #2 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: In-Reply-To: References: Thread-Index: OTEzZmU1MDE5NzRjYjllYzQxMmNjNjQyZWM1IFSNAdo= X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: MIME-Version: 1.0 Content-Transfer-Encoding: 
8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 03:19:55 -0000 rodrigc retitled this revision from "VNET PF fixes #2" to "VIMAGE PF fixes #2". REVISION DETAIL https://reviews.freebsd.org/D1312 To: rodrigc, bz, glebius, trociny Cc: freebsd-pf, freebsd-virtualization, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 03:22:46 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DB555F1D for ; Sun, 14 Dec 2014 03:22:46 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B717BFDE for ; Sun, 14 Dec 2014 03:22:46 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBE3Mknh057213 for ; Sun, 14 Dec 2014 03:22:46 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBE3MkuN057212; Sun, 14 Dec 2014 03:22:46 GMT (envelope-from root) Date: Sun, 14 Dec 2014 03:22:46 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Request, 26 lines] D1313: VIMAGE PF fixes #3 Message-ID: X-Priority: 3 Thread-Topic: D1313: VIMAGE PF fixes #3 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: 
X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: Thread-Index: N2E2YTZiYWMwMDJmYzAzMTFiODgwZDc5MmEy X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: , , , MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 03:22:46 -0000 rodrigc created this revision. rodrigc added reviewers: bz, glebius, trociny, network. rodrigc added subscribers: freebsd-net, freebsd-pf, freebsd-virtualization. REVISION SUMMARY Only register attach/detach event handlers if the current vnet is vnet0. 
Submitted by: Nikos Vassiliadis REVISION DETAIL https://reviews.freebsd.org/D1313 AFFECTED FILES sys/netpfil/pf/pf_if.c To: rodrigc, bz, glebius, trociny, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson Cc: freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 14:54:21 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 08D361C6 for ; Sun, 14 Dec 2014 14:54:21 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C093F2DB for ; Sun, 14 Dec 2014 14:54:20 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBEEsK4C024014 for ; Sun, 14 Dec 2014 14:54:20 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBEEsKTd024013; Sun, 14 Dec 2014 14:54:20 GMT (envelope-from root) Date: Sun, 14 Dec 2014 14:54:20 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Request, 100 lines] D1315: VIMAGE PF fixes #4 Message-ID: X-Priority: 3 Thread-Topic: D1315: VIMAGE PF fixes #4 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: Thread-Index: 
ZGI1YWY1MTBmYjU4M2RhM2FhZDQyNzA4YWQ1 X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: , , , MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 14:54:21 -0000 rodrigc created this revision. rodrigc added reviewers: bz, glebius, trociny, network. rodrigc added subscribers: freebsd-net, freebsd-pf, freebsd-virtualization. REVISION SUMMARY Instead of creating a purge thread for every vnet, create a single purge thread and clean up all vnets from this thread. TEST PLAN (1) Boot a kernel with VIMAGE enabled (2) Create a vnet jail jail -c persist name=testjail001 vnet path=/ host.hostname=testjail001 allow.raw_sockets allow.socket_af (3) Start pf inside the jail service start pf (4) Delete the vnet jail jail -r testjail001 Without this patch, the kernel would panic in step (4). 
With the patch, the kernel does not panic REVISION DETAIL https://reviews.freebsd.org/D1315 AFFECTED FILES sys/net/pfvar.h sys/netpfil/pf/pf.c sys/netpfil/pf/pf_ioctl.c To: rodrigc, bz, glebius, trociny, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson Cc: freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 15:35:14 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CFA62B2E for ; Sun, 14 Dec 2014 15:35:14 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AA319B5A for ; Sun, 14 Dec 2014 15:35:14 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBEFZEdG044758 for ; Sun, 14 Dec 2014 15:35:14 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBEFZEDK044757; Sun, 14 Dec 2014 15:35:14 GMT (envelope-from root) Date: Sun, 14 Dec 2014 15:35:14 +0000 To: freebsd-pf@freebsd.org From: "zec (Marko Zec)" Subject: [Differential] [Changed Subscribers] D1315: VIMAGE PF fixes #4 Message-ID: X-Priority: 3 Thread-Topic: D1315: VIMAGE PF fixes #4 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: 
X-Phabricator-Cc: X-Phabricator-Cc: In-Reply-To: References: Thread-Index: ZGI1YWY1MTBmYjU4M2RhM2FhZDQyNzA4YWQ1IFSNrjI= X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: , MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 15:35:14 -0000 zec added a subscriber: zec. INLINE COMMENTS sys/netpfil/pf/pf.c:1384 *v could be marked as __unused sys/netpfil/pf/pf_ioctl.c:282 Passing curvnet as an argument here is redundant now. REVISION DETAIL https://reviews.freebsd.org/D1315 To: rodrigc, bz, glebius, trociny, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson Cc: zec, freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 18:59:45 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C53782D3 for ; Sun, 14 Dec 2014 18:59:45 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9EC9A90 for ; Sun, 14 Dec 2014 18:59:45 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBEIxjrK052817 for ; Sun, 14 Dec 2014 18:59:45 GMT (envelope-from root@phabric-backend.isc.freebsd.org) 
Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBEIxjmm052816; Sun, 14 Dec 2014 18:59:45 GMT (envelope-from root) Date: Sun, 14 Dec 2014 18:59:45 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Updated] D1315: VIMAGE PF fixes #4 Message-ID: X-Priority: 3 Thread-Topic: D1315: VIMAGE PF fixes #4 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: In-Reply-To: References: Thread-Index: ZGI1YWY1MTBmYjU4M2RhM2FhZDQyNzA4YWQ1IFSN3iE= X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 18:59:45 -0000 rodrigc added a reviewer: zec. 
REVISION DETAIL https://reviews.freebsd.org/D1315 To: rodrigc, bz, glebius, trociny, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson, zec Cc: zec, freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 19:00:16 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B4273406 for ; Sun, 14 Dec 2014 19:00:16 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8E8C9B2 for ; Sun, 14 Dec 2014 19:00:16 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBEJ0GgE053971 for ; Sun, 14 Dec 2014 19:00:16 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBEJ0G6r053970; Sun, 14 Dec 2014 19:00:16 GMT (envelope-from root) Date: Sun, 14 Dec 2014 19:00:16 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Updated] D1309: VIMAGE PF fixes #1 Message-ID: X-Priority: 3 Thread-Topic: D1309: VIMAGE PF fixes #1 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: In-Reply-To: References: Thread-Index: NzA2ZjJlODRkOGZmNmYwM2M1MmQ1N2YzYTJkIFSN3kA= 
X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 19:00:16 -0000 rodrigc added a reviewer: zec. REVISION DETAIL https://reviews.freebsd.org/D1309 To: rodrigc, bz, glebius, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson, trociny, zec Cc: freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 19:01:06 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A7529561 for ; Sun, 14 Dec 2014 19:01:06 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 814DBD8 for ; Sun, 14 Dec 2014 19:01:06 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBEJ16qe056195 for ; Sun, 14 Dec 2014 19:01:06 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBEJ166n056194; Sun, 14 Dec 2014 19:01:06 GMT (envelope-from root) Date: Sun, 14 Dec 2014 19:01:06 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] 
[Updated] D1312: VIMAGE PF fixes #2 Message-ID: X-Priority: 3 Thread-Topic: D1312: VNET PF fixes #2 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: In-Reply-To: References: Thread-Index: OTEzZmU1MDE5NzRjYjllYzQxMmNjNjQyZWM1IFSN3nI= X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 19:01:06 -0000 rodrigc added reviewers: zec, network. 
REVISION DETAIL https://reviews.freebsd.org/D1312 To: rodrigc, bz, glebius, trociny, zec, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson Cc: freebsd-pf, freebsd-virtualization, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 19:01:45 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D3F7D690 for ; Sun, 14 Dec 2014 19:01:45 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AC286183 for ; Sun, 14 Dec 2014 19:01:45 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBEJ1jGd056535 for ; Sun, 14 Dec 2014 19:01:45 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBEJ1jI0056534; Sun, 14 Dec 2014 19:01:45 GMT (envelope-from root) Date: Sun, 14 Dec 2014 19:01:45 +0000 To: freebsd-pf@freebsd.org From: "rodrigc (Craig Rodrigues)" Subject: [Differential] [Updated] D1313: VIMAGE PF fixes #3 Message-ID: <4665813f09eeadecdab73fbfd8ee99d2@localhost.localdomain> X-Priority: 3 Thread-Topic: D1313: VIMAGE PF fixes #3 X-Herald-Rules: none X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-To: X-Phabricator-Cc: X-Phabricator-Cc: X-Phabricator-Cc: In-Reply-To: References: Thread-Index: 
N2E2YTZiYWMwMDJmYzAzMTFiODgwZDc5MmEyIFSN3pk= X-Phabricator-Sent-This-Message: Yes X-Mail-Transport-Agent: MetaMTA X-Auto-Response-Suppress: All X-Phabricator-Mail-Tags: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="utf-8" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Dec 2014 19:01:45 -0000 rodrigc added a reviewer: zec. REVISION DETAIL https://reviews.freebsd.org/D1313 To: rodrigc, bz, glebius, trociny, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson, zec Cc: freebsd-virtualization, freebsd-pf, freebsd-net From owner-freebsd-pf@FreeBSD.ORG Sun Dec 14 19:36:40 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1422AE1F for ; Sun, 14 Dec 2014 19:36:40 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [IPv6:2001:4f8:3:ffe0:406a:0:50:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E28AA669 for ; Sun, 14 Dec 2014 19:36:39 +0000 (UTC) Received: from phabric-backend.isc.freebsd.org (phabric-backend.isc.freebsd.org [127.0.1.5]) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9) with ESMTP id sBEJadII091446 for ; Sun, 14 Dec 2014 19:36:39 GMT (envelope-from root@phabric-backend.isc.freebsd.org) Received: (from root@localhost) by phabric-backend.isc.freebsd.org (8.14.9/8.14.9/Submit) id sBEJadtX091445; Sun, 14 Dec 2014 19:36:39 GMT (envelope-from root) Date: Sun, 14 Dec 2014 19:36:39 +0000 To: freebsd-pf@freebsd.org From: "zec (Marko Zec)" 
To: freebsd-pf@freebsd.org
Subject: [Differential] [Commented On] D1309: VIMAGE PF fixes #1

zec added inline comments.

INLINE COMMENTS
sys/netpfil/pf/pf_ioctl.c:3804 Perhaps SI_ORDER_MIDDLE could work here instead of (SI_ORDER_ANY - 255)?

REVISION DETAIL
https://reviews.freebsd.org/D1309

To: rodrigc, bz, glebius, np, melifaro, hrs, wollman, bryanv, rpaulo, adrian, gnn, hiren, rwatson, trociny, zec
Cc: freebsd-virtualization, freebsd-pf, freebsd-net

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 15 10:56:08 2014
Date: Mon, 15 Dec 2014 10:55:58 +0000 (UTC)
From: Laszlo Danielisz
To: Ask Bjørn Hansen, freebsd-pf@freebsd.org
Subject: Re: pfctl: DIOCADDRULE: Operation not supported by device
Message-ID: <2145096021.191695.1418640958794.JavaMail.yahoo@jws106147.mail.bf1.yahoo.com>
References: <28FA3DD9-0B7D-4C41-831D-D12DCB4BAB69@develooper.com>

Hi,

What do you mean by "clean rc.conf"? I'm facing this issue as well ("pfctl: DIOCGETRULES: Permission denied") using 10.1-RELEASE.

Thank you!

On Thursday, November 24, 2011 9:16 AM, Ask Bjørn Hansen wrote:

> On Nov 23, 2011, at 17:02, Ask Bjørn Hansen wrote:
>
>> Hi everyone,
>>
>> After upgrading to 9.0 my NanoBSD images stopped supporting pf.  I get errors like:
>>
>> pfctl: DIOCGETRULES: Permission denied
>> pfctl: DIOCADDRULE: Operation not supported by device
>
> Hmpfr - booting with a clean rc.conf (and a slightly newer build) it works fine.  I wonder if my /usr/src was out of date in some spectacular way when I made the first build.
>
> Ask

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 16 13:10:38 2014
Date: Tue, 16 Dec 2014 14:10:28 +0100 (CET)
From: Richard Kojedzinszky
To: freebsd-pf@freebsd.org
Subject: synproxy on out rule

Dear pf gurus,

I am going to set up a redundant pf+carp setup as described, and found that with my simple pf.conf the TCP sessions are not proxied well with pf. I am using BSD Router Project, which is FreeBSD based.

My simple pf.conf:
---
scrub all
set skip on {lo0, re0}
#pass in quick on { re0 }
pass out quick proto {icmp, icmp6, ospf}
pass quick on { re2 } keep state (no-sync)
pass quick on { re1 } proto carp keep state (no-sync)
anchor out quick on { re1 } {
	pass quick proto tcp from any to any port {22, 5001} synproxy state
	block drop log
}
---

If I reorder the rules so that the synproxy state line matches on an "in" rule, proxying works, but for me it seems that with "out" rules it does not. Or I am doing something wrong. It is 10.1-RELEASE.

Any advice?

Kojedzinszky Richard

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 00:02:47 2014
Date: Thu, 18 Dec 2014 00:43:59 +0100
From: Daniel Engberg
To: freebsd-pf@freebsd.org
Subject: Alternative to pf?
Message-ID: <7be936232e96ae10d9734598014fd9d5@pyret.net>

Hi,

During the year there have been several discussions regarding the state of pf in FreeBSD. In most cases it seems to boil down to it being too hard/time-consuming to bring upstream patches from OpenBSD to FreeBSD. As has been mentioned, Apple seems to update pf somewhat (the copyright is changed to 2013 at least) and the file size differs between OS X releases, but I wasn't able to find any commit logs.

That said, NetBSD has something similar to pf in syntax called npf, which seems actively maintained, and the author seems open to the idea of porting it to FreeBSD.
http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
However, I'm not certain that it surpasses our current pf in terms of functionality in all cases (apart from the firewalling, ALTQ comes to mind, etc.).
Perhaps this might be worth looking into, and in the end drop pf due to the reasons above?

That said, don't forget all the work that has gone into getting pf where it is today.
While I'm at it, does anyone other than me use ALTQ? While it's not multithreaded, I find it a very good "tool" and it does shaping really well.
Best regards,
Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 00:32:21 2014
Date: Thu, 18 Dec 2014 00:16:57 +0000
From: Christopher Petrik
To: freebsd-pf@freebsd.org
Subject: Re: Alternative to pf?
Message-ID: <20141218001656.GA18291@bsdjunk.com>
In-Reply-To: <7be936232e96ae10d9734598014fd9d5@pyret.net>

On Thu, Dec 18, 2014 at 12:43:59AM +0100, Daniel Engberg wrote:
> Hi,
>
> During the year there have been several discussions regarding the state of pf
> in FreeBSD. In most cases it seems to boil down to it being too
> hard/time-consuming to bring upstream patches from OpenBSD to FreeBSD.
> [...]
> That said, NetBSD has something similar to pf in syntax called npf, which
> seems actively maintained, and the author seems open to the idea of porting
> it to FreeBSD.
> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
> [...]
> While I'm at it, does anyone other than me use ALTQ? While it's not
> multithreaded, I find it a very good "tool" and it does shaping really well.
>
> Best regards,
> Daniel

Hi,

I think the real question is, "Do we really need so many firewall suites in FreeBSD?" We have ipfw, ipf, pf. I think the solution would be to port npf, as its basis is to be portable. I use it and it takes some getting used to, but it looks promising. But then this creates a 4th suite to add into FreeBSD?

Chris

--
In Tennessee, it is illegal to shoot any game other than whales from a moving automobile.
Mutt Version: 1.5.23 OS Version: NetBSD 6.1.5 Hostname: netbsd.bsdjunk.com

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 00:47:43 2014
Date: Wed, 17 Dec 2014 18:47:40 -0600
From: Jim Thompson
To: Christopher Petrik
Cc: freebsd-pf@freebsd.org
Subject: Re: Alternative to pf?
Message-Id: <4F19F7E8-0286-4F2F-B4E3-9DCB8B3BFF9B@netgate.com>
In-Reply-To: <20141218001656.GA18291@bsdjunk.com>

> On Dec 17, 2014, at 6:16 PM, Christopher Petrik wrote:
>
> On Thu, Dec 18, 2014 at 12:43:59AM +0100, Daniel Engberg wrote:
>> [...]
>
> Hi,
> I think the real question is, "Do we really need so many firewall suites
> in FreeBSD?" We have ipfw, ipf, pf. I think the solution would be to port
> npf, as its basis is to be portable. I use it and it takes some getting
> used to, but it looks promising. But then this creates a 4th suite to add
> into FreeBSD?

We could 'port' it to run on top of netmap (like the version of ipfw that runs over netmap).

Then it's not necessarily "in" FreeBSD.

Jim

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 00:50:06 2014
Date: Thu, 18 Dec 2014 11:50:03 +1100
In-Reply-To: <4F19F7E8-0286-4F2F-B4E3-9DCB8B3BFF9B@netgate.com>
Subject: Re: Alternative to pf?
From: Outback Dingo
To: Jim Thompson
Cc: freebsd-pf@freebsd.org

On Thu, Dec 18, 2014 at 11:47 AM, Jim Thompson wrote:
>
>> On Dec 17, 2014, at 6:16 PM, Christopher Petrik wrote:
>>
>> On Thu, Dec 18, 2014 at 12:43:59AM +0100, Daniel Engberg wrote:
>>> [...]
>>
>> Hi,
>> I think the real question is, "Do we really need so many firewall suites
>> in FreeBSD?" We have ipfw, ipf, pf. I think the solution would be to port
>> npf, as its basis is to be portable. I use it and it takes some getting
>> used to, but it looks promising. But then this creates a 4th suite to add
>> into FreeBSD?
>
> We could 'port' it to run on top of netmap (like the version of ipfw that
> runs over netmap).
>
> Then it's not necessarily "in" FreeBSD.

Therein lies the big question: how portable is it... how much work would be required to make it "netmap" compatible, will it integrate well, and what's the time frame :)

> Jim

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 01:57:00 2014
Date: Wed, 17 Dec 2014 22:54:57 -0300
From: Mario Lobo
To: freebsd-pf@freebsd.org
Subject: Re: Alternative to pf?
Message-ID: <20141217225457.64c16404@Papi>
In-Reply-To: <7be936232e96ae10d9734598014fd9d5@pyret.net>
Organization: BSD

On Thu, 18 Dec 2014 00:43:59 +0100 Daniel Engberg wrote:
> Hi,
>
> During the year there have been several discussions regarding the
> state of pf in FreeBSD. In most cases it seems to boil down to it
> being too hard/time-consuming to bring upstream patches from OpenBSD
> to FreeBSD.
> [...]
> While I'm at it, does anyone other than me use ALTQ? While it's not
> multithreaded, I find it a very good "tool" and it does shaping really
> well.
>
> Best regards,
> Daniel

I think that just pf and ipfw would be more than "enough" for FBSD. I have used both, but I'm more comfortable with pf's configuration than with ipfw. I have even tested ipfw filtering together with pf ALTQ. I totally rely on pf's ALTQ in production simply because it works perfectly, no matter how complex the setup. Been using it for years now.

From what I have read, there are quite a few changes in OpenBSD pf, especially as far as syntax is concerned. I'm just a user, so I can only imagine the hard work involved in porting it, but running the risk of making a lame comment, I would be completely satisfied if only 2 things could be implemented: SMP and fix the ALTQ limitation "bug". For everything else, I wouldn't change a thing.

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)

"UNIX was not designed to stop you from doing stupid things,
because that would also stop you from doing clever things."
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 02:05:14 2014
Date: Wed, 17 Dec 2014 20:05:10 -0600
From: Jim Thompson
To: Mario Lobo
Cc: freebsd-pf@freebsd.org
Subject: Re: Alternative to pf?
Message-Id: <55B84D9D-B376-4EFF-8998-723A62AF5D6A@netgate.com>
In-Reply-To: <20141217225457.64c16404@Papi>

> On Dec 17, 2014, at 7:54 PM, Mario Lobo wrote:
>
> On Thu, 18 Dec 2014 00:43:59 +0100
> Daniel Engberg wrote:
>> [...]
>
> I think that just pf and ipfw would be more than "enough" for FBSD. I
> have used both, but I'm more comfortable with pf's configuration than
> with ipfw. I have even tested ipfw filtering together with pf ALTQ. I
> totally rely on pf's ALTQ in production simply because it works
> perfectly, no matter how complex the setup. Been using it for years now.

Even with the SMP in 10, pf is as slow as molasses in January, and 10G interfaces are a thing now.

(Someone is sure to cry, "but I can fill a 10G interface in front of pf!". Yes, with max-sized packets. Try it with 256 byte (or 64 byte) packets. Yup.)

Moreover, pf has fundamental limitations (last match).

> From what I have read, there are quite a few changes in OpenBSD pf,
> especially as far as syntax is concerned. I'm just a user, so I can only
> imagine the hard work involved in porting it, but running the risk of
> making a lame comment, I would be completely satisfied if only 2 things
> could be implemented: SMP and fix the ALTQ limitation "bug".

FreeBSD already has SMP, and I don't know what you might be referring to as "ALTQ limitation 'bug'".

Are you saying you'd be "completely satisfied" if you had SMP support with OpenBSD or a port of OpenBSD's pf to FreeBSD, or something else?
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 03:15:15 2014
From: Jim Thompson
To: Mario Lobo
Cc: freebsd-pf@FreeBSD.org
Date: Wed, 17 Dec 2014 21:15:11 -0600
Subject: Re: Alternative to pf?
In-Reply-To: <20141217235636.3c607e57@Papi>

> On Dec 17, 2014, at 8:56 PM, Mario Lobo wrote:
>
> On Wed, 17 Dec 2014 20:05:10 -0600
> Jim Thompson wrote:
>
>> Even with the SMP in 10, pf is as slow as molasses in January, and
>> 10G interfaces are a thing now.
>>
>> (Someone is sure to cry, “but I can fill a 10G interface in front of
>> pf!”. Yes, with max-sized packets. Try it with 256 byte (or 64 byte)
>> packets. Yup.)
>>
>> Moreover, pf has fundamental limitations (last match).
>>
>> FreeBSD already has SMP, and I don’t know what you might be referring
>> to as “ALTQ limitation ‘bug’”.
>>
>> Are you saying you’d be “completely satisfied” if you had SMP support
>> with OpenBSD or a port of OpenBSD’s pf to FreeBSD, or something else?
>
> You're right! But I am very conservative when dealing with production
> servers and your observation that "Even with the SMP in 10, pf is as
> slow as molasses" is one of the reasons why I'm still with a fast
> stable/8 pf,

No, you seem to have (deliberately?) misinterpreted me.

The pf in 8 is even slower. A lot slower.

> plus the links we use are not even close to 10G,

So, "not my problem".

pf won't even fill a 1Gb link with min-sized packets.

> so an SMP pf patch that could be applied on 8 wouldn't be bad at all

Nobody in their right mind (who doesn't have an 8 figure engineering
budget) is working on 8.

> Like I said, it has been working flawlessly for us since day one.
>
> Yeah, I know ... I'll have to upgrade sometime but not before checking
> if everything works on 10 EXACTLY (and I mean EXACTLY) as it is working
> on 8 right now, SMP or not.
>
> I can't speak about the nuts and bolts of pf's inside engine but as for
> the tweaks I can see and manage or its config syntax, yes I am satisfied
> and I must confess that I wouldn't be thrilled to change my pf.conf to
> a different layout and pray that it works exactly the same way.

This is the largest reason that the OpenBSD pf wasn't brought forward.

In other words: you can't have both X and !X.

> As for the "bug" I was referring to:
>
> http://marc.info/?l=freebsd-pf&m=137359958238507&w=2
>
> It doesn't concern me in the practical sense because we're the little
> guys with modest small links to the internet but it concerns me as a
> faithful user and admirer of FreeBSD that always wants to see it top
> notch no matter what conditions it is subjected to.

It's fixed in pfSense.

>
> --
> Mario Lobo
> http://www.mallavoodoo.com.br
> FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
> (99% winblows FREE)
>
> "UNIX was not designed to stop you from doing stupid things,
> because that would also stop you from doing clever things."

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 10:29:03 2014
From: Ilya Bakulin
To: Kristof Provost
Cc: freebsd-net@freebsd.org, clusteradm@freebsd.org, Mark Felder, freebsd-pf@freebsd.org
Date: Thu, 18 Dec 2014 11:29:01 +0100
Subject: PF IPv6 fragments handling (was: Re: Checksumming outgoing packets in PF vs in ip[6]_output)
Organization: Deglitch Networks
Message-ID: <694672ef2ebe8adb6badcd4b059942c1@mail.bakulin.de>
In-Reply-To: <20141109201557.GH2044@vega.codepro.be>
On 2014-11-09 21:15, Kristof Provost wrote:
> On 2014-11-09 14:30:55 (+0100), Ilya Bakulin wrote:
>> On 07.11.14, 14:31, Kristof Provost wrote:
> You can find the patch series here:
> http://www.sigsegv.be/files/pf_inet6_frag.tar
> and everything in one big patch here:
> http://www.sigsegv.be/files/pf_inet6_frag.patch
>
> It's not cleaned up yet, or even extensively tested.
> Basically the only testing that's been done is setting up a pf config to
> drop all traffic except icmp echo requests, and then sending out
> fragmented icmp echo requests. Without the patch those get dropped, with
> the patch they make it through the firewall.
> I've done some quick flood ping testing, so I'm reasonably confident it
> doesn't leak mbufs.
>
> I started from the OpenBSD work, and imported and adjusted their inet6
> defragmentation patches.
>
> Regards,
> Kristof

Hi Kristof,

I have tested your patchset and it works!
Apart from testing with fragmented ICMPv6 requests, I've performed a UDP
test using Scapy:

    >>> from scapy.all import IPv6, IPv6ExtHdrFragment, UDP, fragment6, send
    >>> # 10000 bytes of UDP payload behind a Fragment extension header, so that
    >>> # fragment6() can split the packet into on-the-wire pieces of <= 1000 bytes
    >>> pkt = IPv6(dst="fdf9:37e3:7c53::100:2")/IPv6ExtHdrFragment()/UDP(dport=8000)/("a" * 10000)
    >>> pktlist = fragment6(pkt, 1000)
    >>> send(pktlist)

fdf9:37e3:7c53::100:2 in this case is the address of my FreeBSD
11-CURRENT VM running with your patch. Sending pktlist on the wire
results in 11 packets being sent; they all get reassembled by PF and I
can receive the data if I start nc on UDP port 8000.

What I want to do is to do the test with overlapping fragments (that
should be dropped because overlapping IPv6 fragments are forbidden) and
maybe some other non-typical packets.

At this point I would like to ask clusteradm@ (CC'ed) to at least look
at this patchset.
The distinction between CROP and DROP that was dropped upstream is IMHO
not important :-) I highly doubt that it makes any difference to anyone,
and particularly at the FreeBSD cluster. On the other hand, clusteradm@
people have complained about missing IPv6 fragment support -- so here is
the solution.

--
Ilya

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 18 11:08:56 2014
From: Kristof Provost
To: Ilya Bakulin
Date: Thu, 18 Dec 2014 12:08:51 +0100
Subject: Re: PF IPv6 fragments handling (was: Re: Checksumming outgoing packets in PF vs in ip[6]_output)
Message-ID: <20141218110850.GR5741@vega.codepro.be>
In-Reply-To: <694672ef2ebe8adb6badcd4b059942c1@mail.bakulin.de>
Cc: freebsd-net@freebsd.org, clusteradm@freebsd.org, Mark Felder, freebsd-pf@freebsd.org

On 2014-12-18 11:29:01 (+0100), Ilya Bakulin wrote:
> On 2014-11-09 21:15, Kristof Provost wrote:
> > On 2014-11-09 14:30:55 (+0100), Ilya Bakulin wrote:
> >> On 07.11.14, 14:31, Kristof Provost wrote:
> > You can find the patch series here:
> > http://www.sigsegv.be/files/pf_inet6_frag.tar
> > and everything in one big patch here:
> > http://www.sigsegv.be/files/pf_inet6_frag.patch
> >
> I have tested your patchset and it works!
> At this point I would like to ask clusteradm@ (CC'ed) to at least look
> at this patchset. The distinction between CROP and DROP that was dropped
> upstream is IMHO not important :-) I highly doubt that it makes any
> difference to anyone, and particularly at the FreeBSD cluster. On the
> other hand,

Thanks for testing!

I still have the CROP/DROP thing on my TODO. If there's a consensus that
we can drop it that's fine by me of course. In that case I'll just clean
up the current patches and submit those for review.

If people feel we should keep CROP/DROP (as was my original plan) I
should have some time to work on that over the holidays.

Regards,
Kristof
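The overlap handling the two messages above argue about, as an added example (not code from Kristof's patch set, from OpenBSD or from FreeBSD's pf_norm.c): a small reassembler over a simplified fragment model, where fragments of one packet are (offset, M flag, payload) triples and no real IPv6 headers are parsed. The "reassemble" policy is the RFC 5722 rule that upstream kept, any overlap discards the whole packet; the "crop" policy models the old pf `fragment crop` modifier as "first-arriving bytes win, later overlapping bytes are trimmed", which is an assumption of this example rather than a reading of the kernel code. The constructed traffic mirrors the UDP test from the thread (10000 bytes of "a" in 11 fragments) plus an injected overlapping fragment.

```python
"""IPv6 fragment reassembly under the two overlap policies discussed in the
thread.  Added example, not code from the pf patch set or from FreeBSD.
Fragments of one packet are modelled as (offset, M flag, payload) triples;
no real IPv6 headers are parsed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int     # byte offset into the original payload (wire units of 8 bytes)
    more: bool      # M flag: True on every fragment except the last one
    payload: bytes


def fragment(payload: bytes, chunk: int) -> List[Fragment]:
    """Split a payload the way a sender does; chunk must be a multiple of 8."""
    if chunk <= 0 or chunk % 8:
        raise ValueError("fragment payload size must be a positive multiple of 8")
    return [Fragment(off, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def reassemble(frags: List[Fragment], policy: str = "reassemble") -> Optional[bytes]:
    """Return the reassembled payload, or None when the packet is dropped.

    policy "reassemble": RFC 5722 behaviour, the only one upstream OpenBSD
        kept: any byte covered twice discards the whole packet.
    policy "crop": models the old pf 'fragment crop' modifier as
        first-arriving bytes win and later overlapping bytes are trimmed
        (an assumption of this example, not a reading of pf_norm.c).
    Incomplete or malformed sets (holes, bad alignment, conflicting final
    fragment) are dropped under both policies.
    """
    if policy not in ("reassemble", "crop"):
        raise ValueError("unknown policy: %s" % policy)
    covered: Dict[int, int] = {}    # byte offset -> byte value
    total: Optional[int] = None     # payload length, known once M=0 arrives
    for f in frags:
        if f.offset % 8 or (f.more and len(f.payload) % 8):
            return None             # offsets and non-final lengths are 8-byte units
        if not f.more:
            end = f.offset + len(f.payload)
            if total is not None and total != end:
                return None         # two final fragments disagree on the length
            total = end
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos in covered:
                if policy == "reassemble":
                    return None     # overlap: RFC 5722 says drop everything
                continue            # crop: keep the byte that arrived first
            covered[pos] = b
    if total is None or len(covered) != total or any(i not in covered for i in range(total)):
        return None                 # no final fragment, holes, or data past the end
    return bytes(covered[i] for i in range(total))


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed traffic: the legitimate set from the thread's UDP test and
    an overlapping fragment injected before and after it."""
    legit = fragment(b"a" * 10000, 992)              # 11 fragments, like the Scapy test
    small = fragment(b"x" * 64, 16)                  # 4 fragments, easier to eyeball
    overlap = Fragment(16, True, b"B" * 16)          # same range as small[1], different bytes
    return {
        "in_order": reassemble(legit),
        "out_of_order": reassemble(list(reversed(small))),
        "overlap_after_rfc5722": reassemble(small + [overlap]),
        "overlap_after_crop": reassemble(small + [overlap], "crop"),
        "overlap_first_rfc5722": reassemble([overlap] + small),
        "overlap_first_crop": reassemble([overlap] + small, "crop"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-24s %s" % (name, "dropped" if result is None else "%d bytes" % len(result)))
```

The "overlap_first_crop" case is the reason the distinction matters to a firewall at all: under crop, whichever copy of the bytes reaches pf first is what pf believes the host will see, so an attacker who sends the overlapping fragment first gets their bytes accepted, and a receiving host with a different overlap preference may reassemble something else. Dropping the whole packet on any overlap removes that ambiguity, which is what RFC 5722 requires for IPv6.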
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 19 11:10:35 2014
From: Patrick Lamaiziere
To: freebsd-pf@freebsd.org
Date: Wed, 17 Dec 2014 15:11:27 +0100
Subject: Re: Getting tables to work in PF
Message-ID: <20141217151127.69671d4a@mr185083>

On Mon, 3 Nov 2014 23:12:52 +0000, David DeSimone wrote:

Hello,

> set skip on lo
>
> I'm pretty sure the loopback name should be "lo0" instead of just
> "lo".

Yes and no. The grammar (pf.conf):

    set skip on ifspec
    ifspec = ( [ "!" ] ( interface-name | interface-group ) ) | "{" interface-list "}"

and lo is a valid interface group. So it should work. But you are right,
because "set skip" does not allow interface groups; this is a bug fixed
in recent OpenBSD pf.

Regards,

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 19 13:26:31 2014
From: krichy@tvnetwork.hu
To: freebsd-pf@freebsd.org
Date: Fri, 19 Dec 2014 14:26:28 +0100 (CET)
Subject: simple setup

Dear pf gurus,

I would need some help. I am trying to set up a synproxy state rule,
without success. And unfortunately I don't know what I am doing wrong.
The simple script is at http://pastebin.com/gmAUeKUR

You will find that all block rules are commented out, but synproxy still
does not work.
I am trying to make a connection from the direction of re0 to a network
on re2 port 22; the connection gets established on the re0 side, but on
the re2 side it stalls.

Any advice?

Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.
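A minimal synproxy ruleset for the setup described above, as an added example (not the poster's pastebin script, whose contents are not on this page): the interface names follow the question, the 192.0.2.0/24 network behind re2 is an assumption. The point it illustrates is that synproxy is two TCP connections terminated on the pf host, so pf must see both directions of both legs.

```conf
# Added example, not the poster's ruleset.  Interface names follow the
# question; the 192.0.2.0/24 network behind re2 is assumed.
ext_if  = "re0"
int_if  = "re2"
int_net = "192.0.2.0/24"

set skip on lo0

# synproxy: pf completes the TCP handshake with the client on re0 itself
# and only then opens its own connection to the real server through re2.
# The server's SYN/ACK has to come back through this host for that second
# leg to complete; a return path from $int_net that bypasses pf leaves
# the client side established and the server side waiting.  pf.conf(5)
# also documents that synproxy does not work when pf runs on a bridge(4).
pass in quick on $ext_if inet proto tcp from any to $int_net port 22 \
    flags S/SA synproxy state

# States are floating by default (set state-policy floating), so the
# proxied connection leaving on re2 and the server's replies match the
# state created above; these rules only cover the remaining traffic.
pass out on $ext_if keep state
pass out on $int_if keep state
```

Load it with `pfctl -nf` first to catch syntax errors, then `pfctl -f`; while a client is connecting, `pfctl -ss` lists the state for the proxied flow, and `tcpdump -ni re2 port 22` shows whether the SYN towards the server and its SYN/ACK both pass through the host.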