From owner-freebsd-pf@FreeBSD.ORG Wed Jan 5 03:23:59 2005
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Hideki Yamamoto
Cc: freebsd-pf@freebsd.org
Date: Wed, 5 Jan 2005 12:23:51 +0900
Subject: Re: pf NAT function with IPv6
Message-ID: <20050105032351.GA8022@kt-is.co.kr>
In-Reply-To: <20041230.232305.71087886.yamamoto436@oki.com>

On Thu, Dec 30, 2004 at 11:23:05PM +0900, Hideki Yamamoto wrote:
>
> Hi,
>
> I tried to use pf to change the source address of an IPv6 UDP packet, but it
> does not go well. The output of the 'pfctl' command seems to show no problem.
> I wonder if pf on FreeBSD does not support IPv6 now.
>

AFAIK, no. pf is the only firewall that supports (almost) full IPv6 in the BSDs.

>
> ---------- /etc/pf.conf ------------- start
> ext_if="bge2"
> int_if="bge0"
> internal_net="fec0:0:0:d::0/32"
> nat on bge2 inet6 from fec0:0:0:d::1 to any -> 2001:b90:ee00:ff0b::1:3
> ---------- /etc/pf.conf ------------- end
>
> tsrmldgw3# pfctl -s state
> No ALTQ support in kernel
> ALTQ related functions disabled
> self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] -> 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001]
>        SINGLE:NO_TRAFFIC
>

Works here. Tested on FreeBSD-CURRENT sparc64:

mars# pfctl -ss
self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22]       ESTABLISHED:ESTABLISHED
self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154]       ESTABLISHED:ESTABLISHED
mars# pfctl -sr
pass in on hme0 inet6 proto tcp all flags S/SA keep state
pass out on hme0 inet6 proto tcp all flags S/SA keep state
mars# pfctl -sn
nat on hme0 inet6 proto tcp from ! (hme0) to any -> 2001:b90:ee00:ff0b::1
rdr on hme0 inet6 proto tcp from any to any port = ssh -> fec0:0:0:d::1 port 22

Due to lack of hardware and IPv6 setup I tested an ssh connection, but there
is no reason UDP shouldn't work.
--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 5 03:35:33 2005
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, yongari@kt-is.co.kr
Date: Wed, 5 Jan 2005 04:34:51 +0100
Subject: Re: pf NAT function with IPv6
Message-Id: <200501050435.00711.max@love2party.net>
In-Reply-To: <20050105032351.GA8022@kt-is.co.kr>

On Wednesday 05 January 2005 04:23, Pyun YongHyeon wrote:
> On Thu, Dec 30, 2004 at 11:23:05PM +0900, Hideki Yamamoto wrote:
> > Hi,
> >
> > I tried to use pf to change the source address of an IPv6 UDP packet, but it
> > does not go well. The output of the 'pfctl' command seems to show no problem.
> > I wonder if pf on FreeBSD does not support IPv6 now.
>
> AFAIK, no. pf is the only firewall that supports (almost) full
> IPv6 in the BSDs.

True, though that does not mean that it is 100% bug-free ;)

> > ---------- /etc/pf.conf ------------- start
> > ext_if="bge2"
> > int_if="bge0"
> > internal_net="fec0:0:0:d::0/32"
> > nat on bge2 inet6 from fec0:0:0:d::1 to any -> 2001:b90:ee00:ff0b::1:3
> > ---------- /etc/pf.conf ------------- end
> >
> > tsrmldgw3# pfctl -s state
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] ->
> > 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001] SINGLE:NO_TRAFFIC

This state entry indicates that the outgoing packet went out okay. Can you
verify/falsify with tcpdump if it really did? You might also want to check at
the remote to see if the packet makes it there. If yes, check for the reply
on your gateway.

If one of the packets carries IPv6 option headers it might get dropped due to a
recently discovered bug:

This is fixed in pf.c HEAD >= 1.24 and RELENG_5 >= 1.18.2.5

> Works here. Tested on FreeBSD-CURRENT sparc64
> mars# pfctl -ss
> self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] ->
> 2001:b90:ee00:ff0b::10[22] ESTABLISHED:ESTABLISHED
> self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <-
> 2001:b90:ee00:ff0b::10[49154] ESTABLISHED:ESTABLISHED
>
> mars# pfctl -sr
> pass in on hme0 inet6 proto tcp all flags S/SA keep state
> pass out on hme0 inet6 proto tcp all flags S/SA keep state
> mars# pfctl -sn
> nat on hme0 inet6 proto tcp from ! (hme0) to any -> 2001:b90:ee00:ff0b::1
> rdr on hme0 inet6 proto tcp from any to any port = ssh -> fec0:0:0:d::1
> port 22
>
> Due to lack of hardware and IPv6 setup I tested an ssh connection, but
> there is no reason UDP shouldn't work.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 5 16:35:27 2005
From: Josh Kayse <josh.kayse@gmail.com>
To: freebsd-pf@freebsd.org, Max Laier
Date: Wed, 5 Jan 2005 11:35:07 -0500
Subject: [CARP] bringing up interface
Message-ID: <7c8f279205010508352b98da57@mail.gmail.com>
Reply-To: gtg062h@mail.gatech.edu

Maybe I'm missing something very simple, but I cannot get the carp interface
to come up on system boot. This is the line in my rc.conf:

ifconfig_carp0="create 192.168.1.13/24 vhid 1 advskew 100 pass vhid"

I have also tried:

ifconfig_carp0="create inet 192.168.1.13/24 vhid 1 advskew 100 pass vhid"

and

ifconfig_carp0="inet 192.168.1.13/24 vhid 1 advskew 100 pass vhid"

If I manually type in any of those, the interface comes right up and works.
Any help is appreciated.

--
Joshua Kayse
Computer Engineering

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 5 18:34:01 2005
From: Jon Simola <jsimola@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 5 Jan 2005 10:34:00 -0800
Subject: Re: [CARP] bringing up interface
Message-ID: <8eea0408050105103411ec80c7@mail.gmail.com>
In-Reply-To: <7c8f279205010508352b98da57@mail.gmail.com>
Reply-To: jon@abccomm.com

On Wed, 5 Jan 2005 11:35:07 -0500, Josh Kayse wrote:
> If I manually type in any of those, the interface comes right up and
> works. Any help is appreciated.

add to rc.conf:

cloned_interfaces="carp0"
ifconfig_carp0="inet 192.168.1.13/24 vhid 1 advskew 100 pass vhid"

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 6 03:40:03 2005
From: "Chi Tran" <chi_tran@verizon.net>
Date: Mon, 27 Dec 2004 22:15:07 -0500
Message-ID: <000001c4f3a1$5db4f100$6501a8c0@Shanghai>
Subject: WFQ implementation ?
Reply-To: chi_tran@verizon.net

Does anyone know where I can find the source code for the ALTQ WFQ
implementation?

Thanks,
/Chi.

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 7 06:09:12 2005
From: sam <sam.wun@authtec.com>
To: freebsd-pf@freebsd.org, max@love2party.net, yongari@kt-is.co.kr
Date: Fri, 07 Jan 2005 14:08:26 +0800
Subject: structure has no member named `anchor_call'
Message-ID: <41DE275A.7020300@authtec.com>

Hi,

I got the following error with anchor_call:

error: structure has no member named `anchor_call'

The line of code is:

    /* Create the anchor call rule in main */
    bzero(&rule, sizeof(struct pfioc_rule));
    strncpy(rule.rule.ifname, pfp->iface, IFNAMSIZ-1);
    strncpy(rule.anchor_call, pfp->anchorname, PF_ANCHOR_NAME_SIZE-1);

I don't know what change was made to pf in FreeBSD. The machine I'm using
is a FreeBSD beta 6. Should I try it under 5.3-STABLE?
If there is a change, how should I modify the code?

Thanks
Sam

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 7 06:22:36 2005
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: sam
Cc: freebsd-pf@freebsd.org
Date: Fri, 7 Jan 2005 15:22:19 +0900
Subject: Re: structure has no member named `anchor_call'
Message-ID: <20050107062219.GA15701@kt-is.co.kr>
In-Reply-To: <41DE275A.7020300@authtec.com>

On Fri, Jan 07, 2005 at 02:08:26PM +0800, sam wrote:
> Hi,
>
> I got the following error with anchor_call:
>
> error: structure has no member named `anchor_call'
>
> The line of code is:
>     /* Create the anchor call rule in main */
>     bzero(&rule, sizeof(struct pfioc_rule));
>     strncpy(rule.rule.ifname, pfp->iface, IFNAMSIZ-1);
>     strncpy(rule.anchor_call, pfp->anchorname, PF_ANCHOR_NAME_SIZE-1);
>

Member anchor_call was introduced in OpenBSD 3.6 pf (rev. 1.195 of pfvar.h).
Unfortunately, FreeBSD pf is based on OpenBSD 3.5 pf.

> I don't know what change was made to pf in FreeBSD. The machine I'm using
> is a FreeBSD beta 6. Should I try it under 5.3-STABLE?
> If there is a change, how should I modify the code?
>
> Thanks
> Sam
>

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 7 23:49:44 2005
From: Bernhard Schmidt
To: freebsd-pf@freebsd.org
Date: Fri, 7 Jan 2005 23:49:35 +0000 (UTC)
Subject: Scalability of ALTQ

Hi,

we're currently using an old and overloaded Packeteer PacketShaper for an
IP-over-satellite deployment. Since this business will be expanded in the next
weeks to a level the Packeteer cannot cope with anymore, I'm looking for
alternatives in the Unix world, especially pf with ALTQ, since it is
impressively easy to configure and maintain.

There currently are four encapsulating units that have 30-40 Mbps IP bandwidth
each. Every unit has up to ten first-level customers with about 20 second-level
customers behind them. Every customer (first and second level) has a committed
rate and a burstable rate. There is no oversubscribing in this business with
regard to the committed rates, while burstable may be used (up to a paid
amount) as long as no one else needs it.

The address ranges behind those encapsulators tend to be very large (/18 or
bigger), with very many concurrent sessions. Due to the transmission technique
used, the packet shapers cannot see the traffic coming back from the customers;
sometimes these packets don't even flow through our site.

a) Is pf/kernel capable of that many queues?

The only way I could think of to copy that committed/burstable model into pf
was two queues for each level, something like

altq on fxp0 cbq bandwidth 40Mb queue { cust1, cust2, ... }
queue cust1 on fxp0 bandwidth 5Mb cbq { cust1_commit }
queue cust1_commit on fxp0 bandwidth 10Mb priority 2 cbq(borrow) { cust1_sub1, cust1_sub2 }
queue cust1_sub1 on fxp0 bandwidth 10Mb cbq { cust1_sub1_commit }
queue cust1_sub1_commit on fxp0 priority 2 bandwidth 2Mb cbq(borrow)
queue cust1_sub2 on fxp0 bandwidth 0Mb cbq { cust1_sub2_commit }
queue cust1_sub2_commit on fxp0 priority 2 bandwidth 10Mb cbq(borrow)

and so on, which should simulate the following ruleset

Encapsulator 1 (40Mb max rate)
  Customer 1 (10Mb committed + 5Mb burstable)
    Subcustomer 1 (2Mb committed + 10Mb burstable)
    Subcustomer 2 (10Mb committed (+ 0Mb burstable))

and so on. Subcustomer 1 could even have subcustomers of their own.

For 200 subcustomers per encapsulation unit this makes more than 400 queues
per box, not talking about handling several encap. units on one box. And if
one wants to use the nifty pf feature of using another queue for interactive
traffic, we're at twice the size.

What about adding RED/ECN in this environment, adding additional need for
resources (I guess)?

Another problem that might occur (I haven't tested it yet, so it is just
speculation): assuming the ruleset above, I guess packets "borrowing" from
their parent class still get the attributes of their native class. With sub2
doing 10Mbps committed traffic and sub1 10Mbps (2Mbps committed + 8Mbps burst)
there would be 20Mbps of traffic fighting for the 15Mbps bandwidth of the cust1
queue. With all having prio 2, sub2 might be dropped below its 10Mbps
committed rate.

After reading up on the manpage I believe hfsc could be the solution, with
something like

queue cust1 on fxp0 hfsc(realtime 10Mb, upperlimit 15Mb) { cust1_sub1, cust1_sub2 }
queue cust1_sub1 on fxp0 hfsc(realtime 2Mb, upperlimit 12Mb)
queue cust1_sub2 on fxp0 hfsc(realtime 10Mb)

Would this help me? Any better ideas?

b) Is pf/kernel capable of handling that many states?

I'm not able to access the Packeteer at the moment, but I think we're way over
10000 concurrent sessions. Any idea whether pf would be able to scale at that
level? I was thinking about boxes in the P4 2GHz class; best would be if one
could handle at least two encapsulators. Even better would be if pf could do
this whole thing in a bridged environment, but this might be too much to ask.

I'm glad to hear any experience with deployments of that size.
Bernhard

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 8 00:27:29 2005
From: Bernhard Schmidt
To: freebsd-pf@freebsd.org
Date: Sat, 8 Jan 2005 00:27:23 +0000 (UTC)
Subject: Re: Scalability of ALTQ

Heya,

oh well, why do I always think of more questions the second I send my
message .... At this point ...

> queue cust1 on fxp0 bandwidth 5Mb cbq { cust1_commit }
> queue cust1_commit on fxp0 bandwidth 10Mb priority 2 cbq(borrow) { cust1_sub1, cust1_sub2 }
> queue cust1_sub1 on fxp0 bandwidth 10Mb cbq { cust1_sub1_commit }
> queue cust1_sub1_commit on fxp0 priority 2 bandwidth 2Mb cbq(borrow)
> queue cust1_sub2 on fxp0 bandwidth 0Mb cbq { cust1_sub2_commit }
> queue cust1_sub2_commit on fxp0 priority 2 bandwidth 10Mb cbq(borrow)

I made the error of specifying the burstable margin for the "burst" queue
instead of the whole bandwidth, so pfctl would have kicked me for this. It
should of course be

queue cust1 on fxp0 bandwidth 15Mb cbq { cust1_commit }
queue cust1_commit on fxp0 bandwidth 10Mb priority 2 cbq(borrow) \
    { cust1_sub1, cust1_sub2 }
queue cust1_sub1 on fxp0 bandwidth 12Mb cbq { cust1_sub1_commit }
queue cust1_sub1_commit on fxp0 bandwidth 2Mb cbq(borrow)

which would kill me, too, since the sum of the child bandwidths (the
burstables) might very well be larger than the parent's bandwidth. So I guess
cbq is a dead end here.

Another thing quite interesting for me would be the queueing inside a queue.
Is it just FIFO, or is there a way to allow fair bandwidth distribution even
with misbehaving sessions in it (think of a 50Mbps UDP DoS which would
probably kill all other communications in a queue)?

Thanks again
Bernhard
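The two posts above describe a committed/burstable customer tree, ask whether hfsc can express it, and worry about how many queues a box ends up with. The following Python is an added example, my own and not Bernhard's configuration or pf project code: it models that tree, checks it against the rule stated in the thread (committed rates are never oversubscribed) before pfctl ever sees it, emits the matching hfsc hierarchy in pf.conf(5) syntax, and counts the resulting queues. The names Node, check_tree, render_hfsc, queue_count, thread_example and corrected_example are mine; the sample figures are the ones quoted in the thread; the 80% realtime admission limit is an assumption about pfctl's hfsc checks, to be verified against the pfctl you run.

```python
# Added example (not from the thread, not pf project code): model the
# committed/burstable customer tree, check it, emit the hfsc hierarchy.
from dataclasses import dataclass, field
from typing import Iterator, List


@dataclass
class Node:
    """One queue in the constructed customer tree; all rates in Mb/s.
    commit_mb: committed rate   -> hfsc realtime curve on leaf queues
    burst_mb:  burstable margin -> hfsc upperlimit = commit + burst
    """
    name: str
    commit_mb: int
    burst_mb: int = 0
    children: List["Node"] = field(default_factory=list)

    @property
    def cap_mb(self) -> int:
        return self.commit_mb + self.burst_mb

    def walk(self) -> Iterator["Node"]:
        yield self
        for child in self.children:
            yield from child.walk()


def check_tree(link: Node, realtime_share: float = 0.8) -> List[str]:
    """Return the list of problems; an empty list means the tree is admissible.
    Rule 1 (the thread's business rule): committed rates are never
    oversubscribed, so a parent's commit must cover the sum of its children's.
    Rule 2: no queue may burst above the link rate.
    Rule 3 (assumption about pfctl's hfsc admission control, as I recall it):
    realtime curves may not add up to more than ~80% of the interface
    bandwidth; verify on your pfctl and adjust realtime_share if needed.
    """
    problems: List[str] = []
    for node in link.walk():
        child_commit = sum(c.commit_mb for c in node.children)
        if child_commit > node.commit_mb:
            problems.append(f"{node.name}: children commit {child_commit}Mb "
                            f"exceeds own commit {node.commit_mb}Mb")
        if node.cap_mb > link.commit_mb:
            problems.append(f"{node.name}: upperlimit {node.cap_mb}Mb "
                            f"exceeds link rate {link.commit_mb}Mb")
    leaf_realtime = sum(n.commit_mb for n in link.walk() if not n.children)
    if leaf_realtime > realtime_share * link.commit_mb:
        problems.append(f"leaf realtime total {leaf_realtime}Mb exceeds "
                        f"{int(realtime_share * 100)}% of the link rate")
    return problems


def render_hfsc(link: Node, iface: str) -> List[str]:
    """Emit pf.conf ALTQ lines for the tree in pf.conf(5) hfsc syntax.
    Interior queues get only an upperlimit (their 'bandwidth' becomes the
    linkshare curve); realtime goes on leaves, the only classes that hold
    packets and therefore the only ones HFSC can actually guarantee.
    """
    def kids(n: Node) -> str:
        return " { " + ", ".join(c.name for c in n.children) + " }"

    lines = [f"altq on {iface} hfsc bandwidth {link.commit_mb}Mb queue{kids(link)}"]
    for node in link.walk():
        if node is link:
            continue
        if node.children:
            opts = f"upperlimit {node.cap_mb}Mb"
        else:
            opts = f"realtime {node.commit_mb}Mb, upperlimit {node.cap_mb}Mb"
        line = f"queue {node.name} on {iface} bandwidth {node.commit_mb}Mb hfsc({opts})"
        lines.append(line + (kids(node) if node.children else ""))
    return lines


def queue_count(link: Node, interactive_split: bool = False) -> int:
    """Number of 'queue' lines pfctl must load; with interactive_split every
    leaf customer gets a second queue for interactive traffic, which is the
    'twice the size' estimate from the thread."""
    nodes = [n for n in link.walk() if n is not link]
    leaves = sum(1 for n in nodes if not n.children)
    return len(nodes) + (leaves if interactive_split else 0)


def thread_example() -> Node:
    """The figures quoted in the thread: 40Mb encapsulator, customer 1 with
    10Mb committed + 5Mb burst, subcustomer 1 with 2 + 10, subcustomer 2 with 10."""
    sub1 = Node("cust1_sub1", 2, 10)
    sub2 = Node("cust1_sub2", 10, 0)
    return Node("enc1", 40, 0, [Node("cust1", 10, 5, [sub1, sub2])])


def corrected_example() -> Node:
    """Same tree with customer 1's commit raised to cover both subcustomers."""
    tree = thread_example()
    tree.children[0].commit_mb, tree.children[0].burst_mb = 12, 3
    return tree


if __name__ == "__main__":
    for tree in (thread_example(), corrected_example()):
        print("\n".join(render_hfsc(tree, "fxp0")))
        print("problems:", check_tree(tree) or "none")
        print("queues:", queue_count(tree), "/ with interactive split:",
              queue_count(tree, True), "\n")
```

Run as is, the thread's own figures fail check_tree: subcustomers 1 and 2 together commit 12Mb under a customer that only commits 10Mb, which is exactly the "sub2 might be dropped below its committed rate" scenario from the first post. Raising the customer's commit to 12Mb makes the tree admissible and the rendered hierarchy is what pfctl would be handed. Scale the tree generator to 200 subcustomers per encapsulator and queue_count gives you the queue-table size to test against on the hardware in question rather than guessing.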