Date:      Tue, 4 Nov 2014 11:56:47 +1100 (EST)
From:      Dave Horsfall <dave@horsfall.org>
To:        FreeBSD PF List <freebsd-pf@freebsd.org>
Subject:   Re: Getting tables to work in PF (fwd)
Message-ID:  <alpine.BSF.2.00.1411041155080.1220@aneurin.horsfall.org>

Meant to go to list; I was interrupted by a phone call at the crucial 
moment...

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

---------- Forwarded message ----------
Date: Tue, 4 Nov 2014 11:54:40 +1100 (EST)
From: Dave Horsfall <dave@horsfall.org>
To: Doug Hardie <bc979@lafn.org>
Subject: Re: Getting tables to work in PF

On Mon, 3 Nov 2014, Doug Hardie wrote:

>Do the rules show after that?  I’ve never seen that last line before.  I 
>suspect it indicates an error of some sort.

DIOCSETSTATUSIF? I thought it was part of the ALTQ stuff.  net/pfvar.h 
only has this to say:

#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)

and in pf(4):

   DIOCSETSTATUSIF struct pfioc_if *pi
	Specify the interface for which statistics are accumulated.

As for "ifconfig fxp0" (the only NIC on the box):

   fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
	ether 00:08:02:c4:b4:49
	inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active

The rules?  Not a sausage.  It's behaving as though it's reading the file 
(which it is), but not honouring the rules themselves (which it isn't).

Here:

   aneurin# pfctl -s all
   No ALTQ support in kernel
   ALTQ related functions disabled
   FILTER RULES:

   INFO:
   Status: Enabled for 1 days 04:14:05           Debug: Urgent

   State Table                          Total             Rate
     current entries                        0
     searches                          209120            2.1/s
     inserts                                0            0.0/s
     removals                               0            0.0/s
   Counters
     match                             209120            2.1/s
     bad-offset                             0            0.0/s
     fragment                               0            0.0/s
     short                                  0            0.0/s
     normalize                              0            0.0/s
     memory                                 0            0.0/s
     bad-timestamp                          0            0.0/s
     congestion                             0            0.0/s
     ip-option                            813            0.0/s
     proto-cksum                            0            0.0/s
     state-mismatch                         0            0.0/s
     state-insert                           0            0.0/s
     state-limit                            0            0.0/s
     src-limit                              0            0.0/s
     synproxy                               0            0.0/s

   TIMEOUTS:
   tcp.first                   120s
   tcp.opening                  30s
   tcp.established           86400s
   tcp.closing                 900s
   tcp.finwait                  45s
   tcp.closed                   90s
   tcp.tsdiff                   30s
   udp.first                    60s
   udp.single                   30s
   udp.multiple                 60s
   icmp.first                   20s
   icmp.error                   10s
   other.first                  60s
   other.single                 30s
   other.multiple               60s
   frag                         30s
   interval                     10s
   adaptive.start             6000 states
   adaptive.end              12000 states
   src.track                     0s

   LIMITS:
   states        hard limit    10000
   src-nodes     hard limit    10000
   frags         hard limit     5000
   tables        hard limit     1000
   table-entries hard limit   200000

   TABLES:
   spammers
   woodpeckers

   OS FINGERPRINTS:
   696 fingerprints loaded
   aneurin# 

So, is pf(4) actually known to work on:

    FreeBSD aneurin.horsfall.org 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

and if so, does anyone have a working sample pf.conf from such a box?

There's no kernel source on the thing, so I cannot rebuild with ALTQ, and 
my DVD is busted so I cannot upgrade; if I can load up an 8GB USB stick 
with FreeBSD then that could be one upgrade path, I suppose, but I don't 
know if this thing (a Compaq Evo) will boot from USB.

--
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
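
As an added example (not part of the original message and not FreeBSD project code), the symptom visible in the `pfctl -s all` output above, pf enabled with tables loaded but an empty FILTER RULES section and zero state inserts, can be checked for mechanically. The function names and the abbreviated sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect "pf enabled, but no filter rules loaded" from
# `pfctl -s all` style output read on stdin. Function names are made up here.

pf_audit() {
    awk '
        /^[ \t]*[A-Z][A-Z ]*:[ \t]*$/ {      # section header, e.g. "FILTER RULES:"
            section = $0
            gsub(/^[ \t]+|:[ \t]*$/, "", section)
            next
        }
        section == "FILTER RULES" && NF       { rules++ }
        section == "TABLES" && NF             { tables++ }
        section == "INFO" && $1 == "Status:"  { status = $2 }
        section == "INFO" && $1 == "inserts"  { inserts = $2 }
        END {
            verdict = "ok"
            if (status != "Enabled")  verdict = "DISABLED"
            else if (rules == 0)      verdict = "EMPTY-RULESET"
            printf "%s status=%s rules=%d tables=%d state_inserts=%d\n",
                   verdict, status, rules, tables, inserts
            exit (verdict != "ok")            # non-zero exit for monitoring
        }'
}

# Constructed sample, abbreviated from the output quoted in the message.
sample_broken() {
    cat <<'EOF'
FILTER RULES:

INFO:
Status: Enabled for 1 days 04:14:05           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                          209120            2.1/s
  inserts                                0            0.0/s
Counters
  match                             209120            2.1/s

TABLES:
spammers
woodpeckers
EOF
}

sample_broken | pf_audit || echo "alert: pf is enabled but filtering nothing"
```

On a live host the same function can be fed with `pfctl -s all 2>/dev/null | pf_audit`.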

Message-ID: <20141104075307.79740@smtp.new-ukraine.org>
Date: Tue, 04 Nov 2014 07:53:07 +0200
From: "Zeus Panchenko" <zeus@ibs.dn.ua>
To: <freebsd-pf@freebsd.org>
Subject: pfctl ... driver does not support altq

greetings,

I see the issue appears on the list from time to time, but I was not able to
find the solution for my case; please help me to get altq working on my
igb(4), if it is possible at all

I was trying the igb(4) original OS drivers and the one from Intel, but the
result is the same

below are my details:


> uname -a
FreeBSD 10.0-RELEASE-p11 #2 r273597 amd64


> dmesg
---[ quotation start ]-------------------------------------------

igb3: <Intel(R) PRO/1000 Network Connection version - 2.4.2> port 0xa000-0xa01f mem 0xf7100000-0xf717ffff,0xf7180000-0xf7183fff irq 19 at device 0.0 on pci7
igb3: Using MSIX interrupts with 5 vectors
igb3: Ethernet address: 00:25:90:d1:dc:6b
igb3: Bound queue 0 to cpu 0
igb3: Bound queue 1 to cpu 1
igb3: Bound queue 2 to cpu 2
igb3: Bound queue 3 to cpu 3

---[ quotation end   ]-------------------------------------------


> pciconf -l
igb3@pci0:7:0:0:        class=0x020000 card=0x153315d9 chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet


> /boot/loader.conf
---[ quotation start ]-------------------------------------------

hw.igb.rxd=4096
hw.igb.txd=4096
hw.igb.rx_process_limit="-1"
hw.igb.num_queues=0
hw.igb.max_interrupt_rate=32000

net.isr.defaultqlimit=4096
net.isr.bindthreads=1
net.isr.maxthreads=4
net.isr.maxqlimit=32768

---[ quotation end   ]-------------------------------------------


> /usr/src/sys/amd64/conf/MY_KERNEL
---[ quotation start ]-------------------------------------------

options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
options ALTQ_DEBUG

---[ quotation end   ]-------------------------------------------


> /etc/pf.conf
---[ quotation start ]-------------------------------------------

altq on igb3 cbq bandwidth 1000Mb queue { wan_rest, wan_viber }
     queue wan_viber bandwidth 5Mb priority 0
     queue wan_rest bandwidth 995Mb cbq(default)

---[ quotation end   ]-------------------------------------------


> service pf check && service pf reload
Checking pf rules.
Reloading pf rules.
pfctl: igb3: driver does not support altq

-- 
Zeus V. Panchenko				jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)


