Date:      Mon, 02 Jul 2018 16:52:09 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Felix J. Ogris" <fjo-lists@ogris.de>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf reload/resync and skipped interface groups on 11.2-RELEASE
Message-ID:  <5F55C95D-4A1E-4758-B349-06E43E6ADA36@FreeBSD.org>
In-Reply-To: <51A8A900-32B4-47A0-99D9-F02B31D2C735@ogris.de>
References:  <51A8A900-32B4-47A0-99D9-F02B31D2C735@ogris.de>

On 2 Jul 2018, at 16:44, Felix J. Ogris wrote:
> this is a fresh install of 11.2-RELEASE amd64 with a minimal pf rule 
> set. After the first reload/resync, any traffic on an interface that 
> is skipped via an interface group statement in pf.conf is rejected:
>
Thanks for the report.
I think that’s the same issue as described in PR 229241, in which case 
it’s on my todo list already.

Regards,
Kristof
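The report above describes group members losing their skip status after a rule-set reload. The script below is an added example for checking that, not Felix's pf.conf and not FreeBSD's own code or Kristof's fix. It assumes a hypothetical interface group "mgmt" listed in `set skip on`, and relies on `pfctl -vsI` appending " (skip)" to the name of every interface pf currently skips; the sample output embedded in it is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example for the report above (not Felix's pf.conf and not FreeBSD code).
# After a `pfctl -f` reload, compare which interfaces pf still marks as
# skipped with what it reported before the reload, so a regression like the
# one in PR 229241 (group members losing their skip flag) shows up as a
# diagnostic instead of as dropped traffic.
#
# Assumed pf.conf fragment, with a hypothetical interface group "mgmt":
#     set skip on { lo0 mgmt }
#
# `pfctl -vsI` prints one line per interface (and group) and appends
# " (skip)" to the name of each one pf currently skips.

# Print the sorted names flagged "(skip)" in `pfctl -vsI` output read on stdin.
skipped_ifaces() {
    awk '$2 == "(skip)" { print $1 }' | sort
}

# $1 and $2 hold `pfctl -vsI` output captured before and after a reload.
# Prints each name that was skipped before but is not skipped after.
lost_skip() {
    before=$(printf '%s\n' "$1" | skipped_ifaces)
    after=$(printf '%s\n' "$2" | skipped_ifaces | tr '\n' ' ')
    for ifn in $before; do
        case " $after " in
            *" $ifn "*) ;;
            *) echo "$ifn" ;;
        esac
    done
}

# Reload a rule set and fail if any interface lost its skip flag.
# Live use on a FreeBSD host, as root, with pf loaded:
#     check_skip_reload /etc/pf.conf
check_skip_reload() {
    pre=$(pfctl -vsI) || return $?
    pfctl -f "$1" || return $?
    post=$(pfctl -vsI) || return $?
    lost=$(lost_skip "$pre" "$post")
    if [ -n "$lost" ]; then
        echo "skip flag lost on reload:" >&2
        echo "$lost" >&2
        return 1
    fi
}

# Constructed sample output (not captured from a real host) showing the
# failure mode: the "mgmt" group is skipped before the reload but not after.
SAMPLE_BEFORE='all
	Cleared:     Mon Jul  2 16:40:00 2018
lo0 (skip)
	Cleared:     Mon Jul  2 16:40:00 2018
mgmt (skip)
	Cleared:     Mon Jul  2 16:40:00 2018
vtnet0
	Cleared:     Mon Jul  2 16:40:00 2018'

SAMPLE_AFTER='all
	Cleared:     Mon Jul  2 16:52:00 2018
lo0 (skip)
	Cleared:     Mon Jul  2 16:52:00 2018
mgmt
	Cleared:     Mon Jul  2 16:52:00 2018
vtnet0
	Cleared:     Mon Jul  2 16:52:00 2018'

# Run the comparison on the constructed samples; prints "mgmt".
demo() {
    lost_skip "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
}
```

The comparison is deliberately done on whatever pfctl reports rather than on the rule set: the point of the check is to catch the kernel-side state diverging from pf.conf, which a syntax check of the file cannot see.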

Date:      Mon, 02 Jul 2018 17:55:47 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Jakub Chromy" <hicks@cgi.cz>
Cc:        freebsd-virtualization@freebsd.org, "FreeBSD PF List" <freebsd-pf@freebsd.org>, "Andreas Longwitz" <longwitz@incore.de>
Subject:   Re: Possible bug: 11.2-RELEASE guest with vtnet and PF
Message-ID:  <65938540-E8D5-4E81-84C7-6AF64D533032@FreeBSD.org>
In-Reply-To: <753B1604-6BFE-48F6-9AA0-38A1C11B6E9B@FreeBSD.org>
References:  <848b6851-89fb-b6c8-b412-d5ed897f63d2@cgi.cz> <753B1604-6BFE-48F6-9AA0-38A1C11B6E9B@FreeBSD.org>

On 2 Jul 2018, at 16:17, Kristof Provost wrote:
> Hi Jakub,
>
> On 30 Jun 2018, at 17:07, Jakub Chromy wrote:
>> I've just installed a 11.2-RELEASE guest under bhyve (hypervisor is 
>> 11.1-RELEASE)... and I cant use Virtio network interface with PF:
>>
>> odine:/boot/kernel# /sbin/pfctl -n -f ~/local/tmp/pf.work
>> *pfctl: pfi_get_ifaces: Bad file descriptor*
>>
>> the file contains the following single line only:
>>
>> pass out quick on vtnet0 proto tcp from any to any keep state
>>
> I’m pretty sure this is a pf bug rather than an issue with vtnet.
>
> Does this still happen if you don’t specify ‘-n’?
>
> I suspect this might be related to r333181, but that’s included in 
> CURRENT too, and I’ve not been able to reproduce this on my CURRENT 
> box. I’m updating my stable/11 test VM now, but that’ll take a 
> while.
>
Ah, I think I see the problem. I think you don’t have the pf module 
loaded, which is apparently not treated as a fatal error if ‘-n’ is 
specified, but the change in r333181 can’t cope with that.

We should probably fix that, but it’s not a particularly critical 
problem.

Regards,
Kristof

Date:      Mon, 2 Jul 2018 18:24:29 +0200
From:      Jakub Chromy <hicks@cgi.cz>
To:        Kristof Provost <kp@FreeBSD.org>
Cc:        freebsd-virtualization@freebsd.org, FreeBSD PF List <freebsd-pf@freebsd.org>, Andreas Longwitz <longwitz@incore.de>
Subject:   Re: Possible bug: 11.2-RELEASE guest with vtnet and PF
Message-ID:  <117b144b-d558-9319-e073-94e31085e441@cgi.cz>
In-Reply-To: <65938540-E8D5-4E81-84C7-6AF64D533032@FreeBSD.org>
References:  <848b6851-89fb-b6c8-b412-d5ed897f63d2@cgi.cz> <753B1604-6BFE-48F6-9AA0-38A1C11B6E9B@FreeBSD.org> <65938540-E8D5-4E81-84C7-6AF64D533032@FreeBSD.org>

...

omg.. sorry.

I've checked the r333181 revision, but I'm not capable enough in C to 
understand it completely.

So it looks like, up to 11.1-RELEASE, one could run /sbin/pfctl 
-n -f ./config successfully without having the pf module loaded.

Now in 11.2, pfctl without the pf module in the kernel complains about 
something (e.g. interfaces) and exits with a code greater than zero.

This is the point where our script (of many years :) got stuck.

Thank you.

-- 

    regards

Jakub Chromy

CGI Systems div.
----------------
CGI CZ s.r.o.
sales@cgi.cz
775 144 257
234 697 102
www.cgi.cz


> Ah, I think I see the problem. I think you don’t have the pf module 
> loaded, which is apparently not treated as a fatal error if ‘-n’ is 
> specified, but the change in r333181 can’t cope with that.
>
> We should probably fix that, but it’s not a particularly critical problem.
>
> Regards,
> Kristof
>
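The thread above boils down to a script that used `pfctl -n -f` as a syntax check and, on 11.2, could no longer tell "the rule set is broken" apart from "pf is not in the kernel". The wrapper below is an added example of separating the two cases; it is not Jakub's script and not FreeBSD code. It assumes `kldstat -q -m pf` as the presence test (it exits 0 when the pf module is registered with the kernel, loaded or compiled in), and the exit-code scheme it documents is its own convention, not pfctl's.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's script and not FreeBSD code.
# Syntax-checks a pf rule set with `pfctl -n -f`, but first establishes whether
# pf is actually present in the kernel, so a calling script cannot mistake the
# 11.2 "pfctl: pfi_get_ifaces: Bad file descriptor" failure for a broken rule set.

# Exit 0 if the pf module (loaded or compiled in) is registered with the kernel.
# Assumption: kldstat -q -m <name> is the presence test, as used by rc.subr.
pf_loaded() {
    kldstat -q -m pf
}

# Dry-run load of a rule set with the outcome classified. Exit codes (this
# script's own convention, not pfctl's):
#   0  rule set parsed and would load
#   1  pfctl rejected the rule set (a real error in the file)
#   2  pf is not in the kernel, so `pfctl -n` cannot be trusted on 11.2
#   3  rule-set file missing or unreadable
check_pf_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "no such rule set: $conf" >&2
        return 3
    fi
    if ! pf_loaded; then
        echo "pf is not in the kernel; load it (kldload pf) before checking $conf" >&2
        return 2
    fi
    if pfctl -n -f "$conf"; then
        return 0
    fi
    return 1
}

# Usage: sh check-pf.sh /etc/pf.conf
if [ "$#" -gt 0 ]; then
    check_pf_conf "$1"
fi
```

The wrapper reports the missing module instead of loading it: a lint step that pulls a packet filter into the kernel as a side effect is a surprise nobody wants in a deployment script, and a distinct exit code lets the caller decide.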



