From: Ernie Luzar
Date: Thu, 22 Jan 2015 21:03:42 +0800
To: galtsev@kicp.uchicago.edu
Cc: User Questions, Luzar
Subject: Re: IPFilter & FreeBSD-10.1
Message-ID: <54C0F52E.2010906@gmail.com>
In-Reply-To: <8292.76.193.18.182.1421893014.squirrel@cosmo.uchicago.edu>
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions

> No, I'm not the original poster of this thread, the problem I have is
> different, I'll describe it later
>
> Again, my problem is different. Originally after upgrade from 9.3 RELEASE
> to 10.0 RELEASE (shortly after it was released), I started observing too
> many packets (more than 90%) dropped by ipfilter. Network feels like 100
> times slower. All config files are in place. I asked on this list for help
> - no one replied (if my memory doesn't fail me). Then I looked into the
> code of kernel module itself, I noticed it is much slimmer than kernel
> module code on 9.3 (many files are missing, some of the ones that are
> there are noticeably shorter). I moved /usr/src off the way and checked
> out fresh copy: all is exactly the same. After that I just replaced the
> code of ipfilter module with the one from 9.3, rebuilt kernel module,
> unloaded and loaded freshly built module. And my ipfilter problem was
> fixed. I just posted this to the thread I have started, so it looks like
> one of the posts here on this thread just quotes what I did (or maybe
> someone else did and described the same). Note that config files didn't
> change.
>
> After some time living with 10.0 on that box, that box was upgraded to
> 10.1 RELEASE. Also shortly after it was released.
> And the same problem reappeared: ipfilter when it is on drops majority of
> packets, connections seem to be 100 times slower...
>
> I know, happy people (who do not have problem themselves) ... hm ... not
> always can imagine that problem can be real for somebody else. But I still
> hope someone will be able to answer my questions.
>
> 1. How can I find website (Documentation) for latest ipfilter? Where is
> new place for it (it appears, developer moved it from where it was in the
> past)
>

There is no website where the IPF rule documentation is published. There is only the "man pages".

> 2. Did the syntax change between versions or not? On 9.3 I have version:
> v4.1.28 (496), whereas on 10.1: v5.1.2 (608). If yes, where do I find
> appropriate documentation? I certainly will be able to rewrite my rules
> myself after reading documentation. After all I wrote them (of course,
> using amazing FreeBSD online documentation ! ;-)
>

In 10.0 where ipfilter is stated as new version added gives no warning that rule syntax has changed.

> Thanks in advance for all your replies.
>
> Valeri
>

There is a very long thread dated Apr 15, 2013 with subject "ipfilter(4) needs maintainer" in the questions and current mailing lists. Cy Schuert became the maintainer: Cy.Schuert@komquats.com. He's the person you should be talking to. If you still get no joy then file a PR to shine more light on your problem.