From owner-freebsd-pf@FreeBSD.ORG Sun Mar 17 18:21:09 2013
From: Kajetan Staszkiewicz
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: [patch] Source entries removing is awfully slow.
Date: Sun, 17 Mar 2013 19:18:17 +0100
Message-Id: <201303171918.17512.vegeta@tuxpowered.net>
In-Reply-To: <201303131651.03250.vegeta@tuxpowered.net>
References: <201303081419.17743.vegeta@tuxpowered.net> <201303111751.18274.vegeta@tuxpowered.net> <201303131651.03250.vegeta@tuxpowered.net>

Hi,

I think I have the answer.

1. Some traffic creates a nat src node and some states.
2. Those states are properly linked to src_node->state_list, each has a proper pointer to nat_src_node.
3. At some point insertion of a state fails (I do not know for what reason) in this code:

        if (pf_state_insert(BOUND_IFACE(r, kif), skw, sks, s)) {
                if (pd->proto == IPPROTO_TCP)
                        pf_normalize_tcp_cleanup(s);
                REASON_SET(&reason, PFRES_STATEINS);
                pf_src_tree_remove_state(s);
                STATE_DEC_COUNTERS(s);
        #ifdef __FreeBSD__
                pool_put(&V_pf_state_pl, s);

This state already has nat_src_node properly pointing to the src node.
pf_src_tree_remove_state() is called:
- s->nat_src_node is not NULL
- TAILQ_EMPTY is false, as the src_node has a state_list containing some previously and properly created states
- TAILQ_REMOVE fails because state s is not in the list, s->srcnode_link is {NULL,NULL}, src_node->state_list's head gets broken, giving the result as in my previous post and kernel panic.

With calling TAILQ_INSERT_HEAD before any pf_src_tree_remove_state is potentially called, I have a kernel running stable since the last week.

--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD   |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net    |
| Vegeta                 | www: http://vegeta.tuxpowered.net       |
`------------------------^---------------------------------------'

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 18 11:06:47 2013
Date: Mon, 18 Mar 2013 11:06:46 GMT
Message-Id: <201303181106.r2IB6kY3002227@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/176763  pf     [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf     [pf] [patch] synproxy not working with route-to
o kern/173659  pf     [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf     [patch] authpf(8) feature enhancement
o kern/172648  pf     [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf     [pf] PF problem with modulate state in [regression]
o kern/169630  pf     [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf     [pf] direction scrub rules don't work
o kern/168190  pf     [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf     [pf] kern.securelevel 3 +pf reload
o kern/165315  pf     [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf     [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf     [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

50 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 18 11:30:27 2013
From: "Tracy Diesel"
Subject: Drive A New Car from R499 P/M
Date: Mon, 18 Mar 2013 12:52:38 +0200

Please fwd me information regarding the above

CFS
TRACY DIESEL
CREDIT CONTROLLER
Tel: 043 722 9611
Fax: 086 619 0764
Email: cfsadmin@iafrica.com

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 18 20:33:45 2013
Date: Mon, 18 Mar 2013 21:33:44 +0100
Subject: Regression with jails/IPv6/pf
From: martin i
To: freebsd-pf@freebsd.org

> On 01/08/2012 18:13, Bjoern A. Zeeb wrote:
>
>> Any of you who are experiencing problems with packets dropped due to
>> invalid checksums with IPv6 and pf after the recent merges, can you
>> report back if you also see this without "modulate state" in your
>> pf.conf (if you have 'modulate' in there, can you try changing it to
>> 'keep' and see if that fixes the problem)?
>
> Alas, I was already using 'keep state'. I did just try 'modulate
> state,' just on the off-chance but it makes no difference.

Hi,

I think I have a similar problem to the one described in this thread, though I don't see any discards (no issues with tcpdump at least).

My setup is amd64 9.1-RELEASE r245315. I posted my problem on the FreeBSD forums too: http://forums.freebsd.org/showthread.php?t=38448

I have a webserver in a jail with a private IPv4 and a public IPv6 address. Jail IPs are assigned to custom loopback interfaces and ports 80,443 are redirected by PF to the proper destination. My configuration was posted in the thread mentioned above.

The webserver is not reachable from outside, though PF shows traffic being correctly redirected to the jail's IPs. This setup was working on 9.0-RELEASE. I verified this on a home-lab setup.

Martin

--
..life is hard, and then you die..
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 20 13:55:02 2013
Message-ID: <5149BE75.3040308@incore.de>
Date: Wed, 20 Mar 2013 14:49:41 +0100
From: Andreas Longwitz
To: freebsd-pf@freebsd.org
Subject: Re: [patch] Reloading pf rules breaks connections on lo0
References: <5134C218.6060701@incore.de>
In-Reply-To: <5134C218.6060701@incore.de>

On 04.03.2013 16:47, Andreas Longwitz wrote:
> I run FreeBSD 8 Stable with pf enabled and have the line
>    set skip on lo0
> in my /etc/pf.conf. Reloading the pf rules with
>    pfctl -f /etc/pf.conf
> breaks any active running connections on lo0.
>
> Example:
>    -> scp bigfile 127.0.0.1:bigfile.copy
>    bigfile                10%   96MB  10.5MB/s   01:15 ETA
>    Write failed: Operation not permitted
>    lost connection
>
> In pflog I see
>    15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
>    15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
>    15:33:37.311153 127.0.0.1 -> 127.0.0.1 TCP 2212 [block lo0/0] 52650 > ssh [FIN, PSH, ACK] Seq=14337 Ack=1 Win=8960 Len=2096
>    15:33:37.314473 127.0.0.1 -> 127.0.0.1 TCP 116 [block lo0/0] ssh > 52650 [FIN, ACK] Seq=49 Ack=1 Win=8960 Len=0
>
> I can avoid the break on active connections on lo0 using the commands
>    pfctl -d
>    pfctl -f /etc/pf.conf
>    pfctl -e
> but this may break other things and is not what I want.
>
> From man pf.conf "set skip on ..":
>    Packets passing in or out on such interfaces are passed as if pf was
>    disabled, i.e. pf does not process them in any way.
>
> I think this should be true for reloading the rules too.
This problem is caused by the way pfctl -f works: In a first step the kernel is requested to clear all interface flags, therefore the kernel does not respect an old skip lo0 rule anymore. In a second step the new file pf.conf - with skip lo0 included - is loaded in the kernel. So there is a short time window between step 1 and step 2 without any active skip rule in the kernel. A running socket on lo0 will break immediately. This behavior of pfctl is well known, see kern/166336.

To get rid of the problem I use the following patch for pfctl. The patch executes the first step only if a new option c (=clearifflag) is given. Therefore a simple pfctl -f /etc/pf.conf does not break running connections on lo0 anymore.

--- pfctl_parser.h.orig	2013-01-14 15:17:48.000000000 +0100
+++ pfctl_parser.h	2013-03-19 18:22:39.000000000 +0100
@@ -51,6 +51,7 @@
 #define PF_OPT_NUMERIC		0x1000
 #define PF_OPT_MERGE		0x2000
 #define PF_OPT_RECURSE		0x4000
+#define PF_OPT_CLRIFFLAG	0x10000
 
 #define PF_TH_ALL		0xFF
 
--- pfctl.c.orig	2013-01-14 15:17:48.000000000 +0100
+++ pfctl.c	2013-03-19 18:40:02.000000000 +0100
@@ -235,7 +235,7 @@
 {
 	extern char *__progname;
 
-	fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
+	fprintf(stderr, "usage: %s [-AcdeghmNnOPqRrvz] ", __progname);
 	fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
 	fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
 	fprintf(stderr, "[-k host | network ]\n");
@@ -301,7 +301,8 @@
 {
 	struct pfioc_iface pi;
 
-	if ((opts & PF_OPT_NOACTION) == 0) {
+	if (((opts & PF_OPT_NOACTION) == 0) &&
+	    ((opts & PF_OPT_CLRIFFLAG) != 0)) {
 		bzero(&pi, sizeof(pi));
 		pi.pfiio_flags = PFI_IFLAG_SKIP;
 
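Review bot: in the pfctl_parser.h hunk the new PF_OPT_CLRIFFLAG value jumps from 0x4000 straight to 0x10000, which leaves 0x8000 unexplained; if 0x8000 is already taken by a definition outside this hunk, a short comment next to `+#define PF_OPT_CLRIFFLAG 0x10000` should say so, otherwise 0x8000 keeps the bit sequence contiguous.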
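Review bot: the usage() hunk adds -c to the option summary, but the patch carries no pfctl(8) man page change, so nothing tells an administrator what -c does or that a plain `pfctl -f` no longer clears interface flags; both the new option and the changed default need a man page entry to go with the `[-AcdeghmNnOPqRrvz]` line.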
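Review bot: the pfctl_clear_interface_flags() hunk inverts the default: with `((opts & PF_OPT_CLRIFFLAG) != 0)` in the condition, `pfctl -f /etc/pf.conf` never clears PFI_IFLAG_SKIP any more, so an interface removed from `set skip on` in the new pf.conf stays unfiltered until someone reloads with -c. That is a silent regression on the common reload path, and a security-relevant one; consider keeping the clear as the default and adding an option that suppresses it, or clearing only the interfaces the new configuration no longer skips, which would also close the window for lo0 that the message describes.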
@@ -1980,11 +1981,14 @@
 		usage();
 
 	while ((ch = getopt(argc, argv,
-	    "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
+	    "a:AcdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
 		switch (ch) {
 		case 'a':
 			anchoropt = optarg;
 			break;
+		case 'c':
+			opts |= PF_OPT_CLRIFFLAG;
+			break;
 		case 'd':
 			opts |= PF_OPT_DISABLE;
 			mode = O_RDWR;

A better solution for the skip-problem requires assistance of the kernel. With a function pfctl_get_interface_flags() pfctl could show the active skip interfaces (not possible now) and realize a one shot solution for reloading all rules.

Andreas Longwitz

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 20 15:23:49 2013
Date: Wed, 20 Mar 2013 16:23:43 +0100
In-Reply-To: <5149BE75.3040308@incore.de>
References: <5134C218.6060701@incore.de> <5149BE75.3040308@incore.de>
Subject: Re: [patch] Reloading pf rules breaks connections on lo0
From: Ermal Luçi
To: Andreas Longwitz
Cc: freebsd-pf@freebsd.org

That is intended behavior.
There is an option -m to merge the configs which should not break it.
--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 20 23:13:04 2013
Message-ID: <514A427F.9050804@incore.de>
Date: Thu, 21 Mar 2013 00:13:03 +0100
From: Andreas Longwitz
To: freebsd-pf@freebsd.org
Subject: Re: [patch] Reloading pf rules breaks connections on lo0
References: <5134C218.6060701@incore.de> <5149BE75.3040308@incore.de>

Thanks for the answer!

On 20.03.2013 16:23, Ermal Luçi wrote:
> That is intended behavior.

What is intended behavior? Your reference is not clear to me.

> There is an option -m to merge the configs which should not break it.

Ok, but this option never prevents pfctl from clearing all interface option flags. If you run the command from the man page
   echo "set loginterface fxp0" | pfctl -mf -
then every active running socket over lo0 breaks, because the function pfctl_clear_interface_flags() is called independent of the PF_OPT_MERGE flag. In the example the option -m provokes that pfctl_load_logif() is called as intended, but not pfctl_load_limit(), pfctl_load_timeout(), pfctl_load_debug(), pfctl_load_hostid() and pfctl_file_fingerprints().

The lo0 breaking function pfctl_clear_interface_flags() is called when the flag PFCTL_FLAG_OPTION is set. This is the case with option -O but also if none of the options -N, -R, -A are set; that's a little bit tricky. Therefore
   pfctl -N -R -A -f /etc/pf.conf
never breaks lo0 but does not do exactly the same as
   pfctl -f /etc/pf.conf
because the flag PFCTL_FLAG_OPTION is not set.

Andreas Longwitz
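Added example (not code from the thread or from pfctl itself): a C model of the option logic described in the messages above, answering for a given pfctl command line whether the interface-skip flags get cleared, i.e. whether the lo0 window opens, for stock pfctl and for pfctl with the -c patch. The FLAG_* bit values, the argv scanner and the two policy rules are assumptions that follow the thread, not pfctl's source.

```c
/* Model of the pfctl reload logic described in this thread: does a given
 * command line reach pfctl_clear_interface_flags() (the step that drops
 * "set skip on lo0" until the new pf.conf is loaded)? Added illustration, not
 * pfctl's code: the scanner, bit values and policy are assumptions. */
#include <stdbool.h>
#include <string.h>
#define FLAG_FILTER 0x01 /* -R */
#define FLAG_NAT    0x02 /* -N */
#define FLAG_OPTION 0x04 /* -O */
#define FLAG_ALTQ   0x08 /* -A */

struct reload_opts {
	bool have_file;   /* -f: a rule load happens at all */
	bool noaction;    /* -n: PF_OPT_NOACTION, nothing reaches the kernel */
	bool clrifflag;   /* -c: PF_OPT_CLRIFFLAG from the patch */
	unsigned loadopt; /* sections selected by -N/-R/-A/-O */
};

static const char ARG_LETTERS[] = "aDfFikKopstTx"; /* letters taking an arg */
/* Minimal pfctl-style argv scanner (bundled letters such as -mf allowed).
 * Returns false on an unknown letter or a missing option argument. */
static bool scan_argv(int argc, const char *const argv[], struct reload_opts *o)
{
	memset(o, 0, sizeof(*o));
	for (int i = 1; i < argc; i++) {
		const char *a = argv[i];
		if (a[0] != '-' || a[1] == '\0')
			return false;
		for (const char *p = a + 1; *p != '\0'; p++) {
			if (strchr(ARG_LETTERS, *p) != NULL) {
				/* argument is the rest of this token or the next token */
				if (p[1] == '\0' && ++i >= argc)
					return false;
				if (*p == 'f')
					o->have_file = true;
				break;
			}
			switch (*p) {
			case 'n': o->noaction = true; break;
			case 'c': o->clrifflag = true; break;
			case 'N': o->loadopt |= FLAG_NAT; break;
			case 'R': o->loadopt |= FLAG_FILTER; break;
			case 'A': o->loadopt |= FLAG_ALTQ; break;
			case 'O': o->loadopt |= FLAG_OPTION; break;
			case 'd': case 'e': case 'g': case 'h': case 'm': case 'P':
			case 'q': case 'r': case 'v': case 'z':
				break; /* accepted; -m in particular changes nothing here */
			default:
				return false;
			}
		}
	}
	/* With none of -N/-R/-A/-O given every section is loaded, the option
	 * section included: the "tricky" case from the last message above. */
	if (o->loadopt == 0)
		o->loadopt = FLAG_FILTER | FLAG_NAT | FLAG_OPTION | FLAG_ALTQ;
	return true;
}

/* Stock pfctl: any real load whose selection includes the option section
 * clears the skip flags, -m or not. Patched: the same, but only with -c. */
bool clears_skip_flags(int argc, const char *const argv[], bool patched)
{
	struct reload_opts o;
	if (!scan_argv(argc, argv, &o) || !o.have_file || o.noaction)
		return false;
	if (!patched && o.clrifflag)
		return false; /* stock pfctl has no -c and would only print usage() */
	if ((o.loadopt & FLAG_OPTION) == 0)
		return false;
	return patched ? o.clrifflag : true;
}

/* Same check for a command line split on single spaces (no quoting). */
bool cmdline_clears_skip_flags(const char *cmdline, bool patched)
{
	char buf[256] = {0};
	const char *argv[32]; int argc = 0;
	strncpy(buf, cmdline, sizeof(buf) - 1);
	for (char *tok = strtok(buf, " "); tok != NULL && argc < 32; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	return clears_skip_flags(argc, argv, patched);
}
```

The three invocations discussed in the thread give: `pfctl -f /etc/pf.conf` and `pfctl -mf -` clear the flags on stock pfctl, `pfctl -N -R -A -f /etc/pf.conf` does not, and with the patch nothing clears them unless -c is added.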