From owner-freebsd-pf@FreeBSD.ORG Sun May 10 15:17:43 2015
Date: Sun, 10 May 2015 15:17:42 +0000
From: "julian (JulianElischer)"
To: freebsd-pf@freebsd.org
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes

julian added a subscriber: julian.
julian added a comment.

in case I didn't point you at this before...
http://p4web.freebsd.org/@md=d&cd=//depot/projects/vimage/&cdf=//depot/projects/vimage/porting_to_vimage.txt&c=win@//depot/projects/vimage/porting_to_vimage.txt?ac=22

REVISION DETAIL
  https://reviews.freebsd.org/D1944

EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: nvass-gmx.com, bz, zec, trociny, glebius, rodrigc, kristof, gnn
Cc: julian, robak, freebsd-virtualization, freebsd-pf, freebsd-net

From owner-freebsd-pf@FreeBSD.ORG Mon May 11 10:48:15 2015
Date: Mon, 11 May 2015 10:48:14 +0000
From: "nvass-gmx.com (Nikos Vassiliadis)"
To: freebsd-pf@freebsd.org
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes
Message-ID: <258f9eafbf280d7d5489cb8b6e90ec0e@localhost.localdomain>

nvass-gmx.com added a comment.

This guide is definitely invaluable, I have seen it. It would be great if we could move it into the source tree.

Regarding PF, it can be further simplified. I think the logic is OK, but there are many *init* functions for sure, and some of these functions can go away. Maybe we could do that as step two?

From owner-freebsd-pf@FreeBSD.ORG Wed May 13 02:25:34 2015
Date: Tue, 12 May 2015 19:25:24 -0700
From: Dave Hayes
To: freebsd-pf@FreeBSD.org
Subject: Pf, rtable, and rdr...bug?
Message-ID: <5552B614.4080502@jetcafe.org>

[ Resending this to the PF list in hopes of some insight. Thanks. ]

Hello everyone. I'm having a problem with using rdr in an existing pf that uses rtable. I'm running 10.1-STABLE #0 r282154 and I believe this is a bug, but it could also be something I haven't spotted.

I have a firewall with three interfaces. The IP addresses have been changed to protect the innocent. :)

- a slow net (1.2.3.0/24) interface: em0 @ 1.2.3.10
- a fast net (4.5.6.0/24) interface: em1 @ 4.5.6.10
- an internal net (192.168.4.0/24) interface: em2 @ 192.168.4.10

I route the internal net traffic over the fast cable net, and allow the internal net to access machines on the slower work net. Both default routes for the slow and fast net are .1 addresses (e.g. 1.2.3.1 and 4.5.6.1). I use an alias on both the slow and fast net (.42) to route the traffic from so I can see what's going on. I have net.fibs="2" in loader.conf and two different default routes set up for each fib. The default "default route" (fib 0) is 1.2.3.1.

Here's my pf ruleset that works, paraphrased.

  $slow_net = "1.2.3.0/24"
  $slow_if = "em0"
  $slow_nat_ip = "1.2.3.42"

  $fast_net = "4.5.6.0/24"
  $fast_if = "em1"
  $fast_nat_ip = "4.5.6.42"

  $int_net = "192.168.4.0/24"
  $int_if = "em2"
  $int_ip = "192.168.4.10"      # I don't alias this side

  table const { 10/8, 172.16/12, 192.168/16 }

  nat log in $fast_if inet from $int_if:network to ! $slow_net -> $fast_nat_ip
  nat log on $slow_if inet from $int_if:network to $slow_net -> $slow_nat_ip
  block in log all
  antispoof log quick for { $slow_if $fast_if $int_if }
  pass in log quick on $int_if inet from $int_net to !$slow_if:network modulate state rtable 1
  pass in log quick on $int_if inet from $int_net to $slow_if:network modulate state rtable 0
  pass log on $slow_if inet from ! to any modulate state
  pass out log inet from any to any modulate state

So I tried to use rdr to forward some ports from the to a machine on the internal net:

  $webserver = "192.168.4.22"
  ....
  rdr on $fast_if inet proto tcp from any to port 80 -> $webserver

This doesn't work. When I turn on tcpdump on all three interfaces, I see the packets coming in from the fast net to the internal net. The responses are appearing on the slow net, with the IP addresses of the fast net. So if I see this from em1:

  14:34:11.887357 IP 10.11.12.13:18600 > 4.5.6.42:80 ...

I then see the response...but on em0:

  14:34:12.087283 IP 4.5.6.42:80 > 10.11.12.13:18600 ...

Why doesn't this response packet go out the proper interface?

Thanks in advance for any insight. If I don't hear from anyone, I'm going to assume this is a bug and file a bug report.
-- 
Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org
>>>> *The opinions expressed above are entirely my own* <<<<

A path and a gateway have no meaning or use once the
objective is in sight.
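The symmetric-routing fix for the behaviour described above is pf's reply-to option, which pins a state's reply packets to the interface and gateway the connection arrived on instead of letting the default FIB route them. The ruleset below is an added example, not part of Dave Hayes's or Ricky G's posts; the gateway macro $fast_gw and the rdr destination $fast_nat_ip (the posted rule's destination did not survive the archive) are assumptions taken from the addresses in the post.

```pf
# Added example (not from the original posts): keep replies for a port-
# forwarded service on the fast net leaving via the fast net.
# Assumed values: $fast_gw is the fast net's .1 router from the post, and
# the rdr destination is the .42 alias seen in the tcpdump output.
fast_if     = "em1"
fast_nat_ip = "4.5.6.42"
fast_gw     = "4.5.6.1"
int_if      = "em2"
webserver   = "192.168.4.22"

# Forward port 80 arriving on the fast-net alias to the internal web server.
rdr on $fast_if inet proto tcp from any to $fast_nat_ip port 80 -> $webserver

# Filtering happens after translation, so the pass rule matches the translated
# destination. reply-to records on the state that packets travelling in the
# reply direction are sent out $fast_if via $fast_gw, bypassing FIB 0 (whose
# default route, 1.2.3.1 on em0, is what produced the replies seen on em0).
pass in log quick on $fast_if reply-to ($fast_if $fast_gw) inet proto tcp \
    from any to $webserver port 80 modulate state

# The server's reply enters on $int_if and matches this state rather than the
# "rtable 1" rules for new connections from the internal net, which is why
# those rules alone did not steer it back out $fast_if.
```

Verify the rule parses with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `pfctl -ss` that the state for the forwarded connection shows the reply-to route.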
From owner-freebsd-pf@FreeBSD.ORG Wed May 13 03:51:12 2015
Date: Tue, 12 May 2015 23:51:04 -0400
From: Ricky G
To: Dave Hayes
CC: "freebsd-pf@FreeBSD.org"
Subject: RE: Pf, rtable, and rdr...bug?
In-Reply-To: <5552B614.4080502@jetcafe.org>

The reason is because you are forcing all your traffic to flow out of fast net. If you want an incoming response to go back out the same interface you will have to do a reply-to rule. It's not a bug, just a rule you have in place =]

> Date: Tue, 12 May 2015 19:25:24 -0700
> From: dave@jetcafe.org
> To: freebsd-pf@FreeBSD.org
> Subject: Pf, rtable, and rdr...bug?
> [...]

From owner-freebsd-pf@FreeBSD.ORG Wed May 13 06:34:34 2015
Date: Wed, 13 May 2015 06:34:33 +0000
From: "rodrigc (Craig Rodrigues)"
To: freebsd-pf@freebsd.org
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes

rodrigc added a comment.

In https://reviews.freebsd.org/D1944#46127, @julian wrote:

> in case I didn't point you at this before...
> http://p4web.freebsd.org/@md=d&cd=//depot/projects/vimage/&cdf=//depot/projects/vimage/porting_to_vimage.txt&c=win@//depot/projects/vimage/porting_to_vimage.txt?ac=22

@julian, I have copied this to: https://wiki.freebsd.org/VIMAGE/porting-to-vimage so that this isn't buried in Perforce.

From owner-freebsd-pf@FreeBSD.ORG Fri May 15 17:08:50 2015
Date: Fri, 15 May 2015 17:08:50 +0000
From: "rodrigc (Craig Rodrigues)"
To: freebsd-pf@freebsd.org
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes
Message-ID: <471ba42f126e8cbe457e7bf5a0ad0fac@localhost.localdomain>

rodrigc added a comment.

I tested this patch.

  # kldload pf
  # kldunload pf
  kldunload: can't unload file: Device busy

The fact that the pf module cannot be unloaded was one of the reasons that @glebius used to back out the entire changeset last time I committed your pf changes. Can you fix this?

I also saw this in dmesg:

  CURVNET_SET() recursion in pfi_vnet_initialize() line 130, prev in vnet_register_sysinit()
  0xfffff800056e4100 -> 0xfffff800056e4100
  KDB: stack backtrace:
  db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe046389a550
  pfi_vnet_initialize() at pfi_vnet_initialize+0x21b/frame 0xfffffe046389a590
  pf_vnet_init() at pf_vnet_init+0x35/frame 0xfffffe046389a5c0
  vnet_register_sysinit() at vnet_register_sysinit+0x13c/frame 0xfffffe046389a600
  linker_load_module() at linker_load_module+0xc87/frame 0xfffffe046389a920
  kern_kldload() at kern_kldload+0x10e/frame 0xfffffe046389a970
  sys_kldload() at sys_kldload+0x5b/frame 0xfffffe046389a9a0
  amd64_syscall() at amd64_syscall+0x27f/frame 0xfffffe046389aab0
  Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe046389aab0

From owner-freebsd-pf@FreeBSD.ORG Sat May 16 05:14:49 2015
Date: Sat, 16 May 2015 05:14:48 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 200222] [patch][pf] fix possible kernel panic on missing mtag
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.0-STABLE
X-Bugzilla-Keywords: patch
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Flags: mfc-stable10?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200222

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.
From owner-freebsd-pf@FreeBSD.ORG Sat May 16 12:25:57 2015
Date: Sat, 16 May 2015 12:25:57 +0000
From: "nvass-gmx.com (Nikos Vassiliadis)"
To: freebsd-pf@freebsd.org
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes
Message-ID: <45bd2d50759252437267a1084fc56a47@localhost.localdomain>

nvass-gmx.com added a comment.

In https://reviews.freebsd.org/D1944#47231, @rodrigc wrote:

> I tested this patch.
>
>   # kldload pf
>   # kldunload pf
>   kldunload: can't unload file: Device busy
>
> The fact that the pf module cannot be unloaded was one of the
> reasons that @glebius used to back out the entire changeset last time
> I committed your pf changes. Can you fix this?

This is intended behaviour, regardless of VIMAGE. You need to use kldunload -f to unload it.

> I also saw this in dmesg:
>
>   CURVNET_SET() recursion in pfi_vnet_initialize() line 130, prev in vnet_register_sysinit()
>   0xfffff800056e4100 -> 0xfffff800056e4100
>   KDB: stack backtrace:
>   [...]

This should be OK. It is just a warning that we are setting curvnet although it is already set. Maybe it can be avoided.

From owner-freebsd-pf@FreeBSD.ORG Sat May 16 23:23:14 2015
Date: Sat, 16 May 2015 23:23:14 +0000
From: "rodrigc (Craig Rodrigues)"
To: freebsd-pf@freebsd.org
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes
Message-ID: <8667288450d0f5a7efe13a4b7e84d65e@localhost.localdomain>

rodrigc added a comment.

I can confirm that:

  kldunload -f pf.ko

does work to unload the module. That is good.

I saw this warning message in dmesg:

  lock order reversal: (sleepable after non-sleepable)
   1st 0xffffffff823b72e0 pf rulesets (pf rulesets) @ /opt2/branches/head/sys/modules/pf/../../netpfil/pf/pf_ioctl.c:321
   2nd 0xffffffff818f99a0 umadrain (umadrain) @ /opt2/branches/head/sys/vm/uma_core.c:2109
  KDB: stack backtrace:
  db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe04639fd310
  witness_checkorder() at witness_checkorder+0xe26/frame 0xfffffe04639fd3a0
  _sx_slock() at _sx_slock+0x76/frame 0xfffffe04639fd3e0
  uma_zdestroy() at uma_zdestroy+0x23/frame 0xfffffe04639fd400
  pf_normalize_cleanup() at pf_normalize_cleanup+0x26/frame 0xfffffe04639fd420
  pf_vnet_uninit() at pf_vnet_uninit+0x6e7/frame 0xfffffe04639fd8c0
  vnet_deregister_sysuninit() at vnet_deregister_sysuninit+0x9c/frame 0xfffffe04639fd900
  linker_file_unload() at linker_file_unload+0x45e/frame 0xfffffe04639fd950
  kern_kldunload() at kern_kldunload+0x12f/frame 0xfffffe04639fd9a0
  amd64_syscall() at amd64_syscall+0x27f/frame 0xfffffe04639fdab0
  Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe04639fdab0

If possible, it would be good to clean that up.