From owner-freebsd-pf@FreeBSD.ORG Sun Jan 27 23:54:07 2008
Date: Sun, 27 Jan 2008 23:54:07 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.

Old Synopsis: Allow propper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.
New Synopsis: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Jan 27 23:53:31 UTC 2008
Responsible-Changed-Why: Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=120057

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 28 11:07:07 2008
Date: Mon, 28 Jan 2008 11:07:06 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems
S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems
S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf         [pf] [panic] kernel panic with pf and ng

5 problems total.

Non-critical problems
S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf         [request] pfctl -k does not work in securelevel 3
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
f kern/119661  pf         [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf         [patch] Allow proper settings of ALTQ_HFSC. The check

10 problems total.

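PR kern/120057, listed above, is about the check applied to two-piece linear HFSC service curves, which the follow-ups below describe by the parameters m1, d and m2. The Python sketch here is an added example, not code from pfctl, ALTQ or any poster: it evaluates such a curve, classifies it as concave or convex, applies the rule from the note quoted in the thread (a convex curve has m1 = 0), and converts the three (umax, dmax, r) curves quoted from the H-FSC paper with the mapping the paper defines. Assumptions: every class and function name is invented here, 1 KB is taken as 1024 bytes, Kbps/Mbps are decimal, and the curve with 0 < m1 < m2 is a constructed input.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceCurve:
    """Two-piece linear service curve (names are this example's own)."""
    m1: float  # slope of the first segment, bits per second
    d: float   # x-projection of the intersection point, seconds
    m2: float  # slope of the second segment, bits per second

    def service(self, t):
        """Bits of service guaranteed by time t (seconds)."""
        if t <= self.d:
            return self.m1 * t
        # The second segment continues from the point (d, m1 * d).
        return self.m1 * self.d + self.m2 * (t - self.d)

    def shape(self):
        """Classify by comparing the slopes of the two segments."""
        if self.d == 0 or self.m1 == self.m2:
            return "linear"
        return "concave" if self.m1 > self.m2 else "convex"

    def convex_rule_ok(self):
        """Rule from the note quoted in the thread: a convex curve has m1 == 0."""
        return self.shape() != "convex" or self.m1 == 0


def chord_shape(curve, steps=100):
    """Classify numerically: compare the curve with its chord from t=0 to t=4d."""
    horizon = 4 * curve.d if curve.d > 0 else 1.0
    end = curve.service(horizon)
    tol = 1e-9 * max(end, 1.0)
    diffs = [curve.service(horizon * i / steps) - end * i / steps
             for i in range(steps + 1)]
    if max(diffs) > tol and min(diffs) >= -tol:
        return "concave"   # curve lies on or above its chord
    if min(diffs) < -tol and max(diffs) <= tol:
        return "convex"    # curve lies on or below its chord
    return "linear"


def from_umax_dmax(umax_bytes, dmax_s, rate_bps):
    """Map the paper's (umax, dmax, r) form onto (m1, d, m2)."""
    umax_bits = 8 * umax_bytes
    if umax_bits / dmax_s > rate_bps:
        # The delay target needs more than the long-term rate: concave.
        return ServiceCurve(m1=umax_bits / dmax_s, d=dmax_s, m2=rate_bps)
    # The long-term rate already meets the delay target: convex with m1 = 0.
    return ServiceCurve(m1=0.0, d=dmax_s - umax_bits / rate_bps, m2=rate_bps)


# The three curves quoted from the paper: (umax in bytes, dmax in s, r in bit/s).
# Assumption: 1 KB = 1024 bytes; Kbps and Mbps are decimal.
PAPER_CURVES = {
    "audio": (160, 0.005, 64_000),
    "video": (8 * 1024, 0.010, 2_000_000),
    "ftp": (4 * 1024, 0.01625, 5_000_000),
}

# Constructed input, not from the thread: second slope steeper, m1 non-zero.
CONSTRUCTED = ServiceCurve(m1=1_000_000, d=0.010, m2=2_000_000)


def classify_all():
    """Return {name: (curve, shape, rule_ok)} for the paper's curves and the constructed one."""
    curves = {name: from_umax_dmax(*spec) for name, spec in PAPER_CURVES.items()}
    curves["constructed"] = CONSTRUCTED
    return {name: (c, c.shape(), c.convex_rule_ok()) for name, c in curves.items()}


if __name__ == "__main__":
    for name, (c, shape, ok) in classify_all().items():
        print(f"{name:12s} m1={c.m1:>10.0f} d={c.d * 1000:7.4f} ms "
              f"m2={c.m2:>9.0f} {shape:8s} rule_ok={ok}")
```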
From owner-freebsd-pf@FreeBSD.ORG Mon Jan 28 19:00:05 2008
Date: Mon, 28 Jan 2008 19:00:04 GMT
To: freebsd-pf@FreeBSD.org
From: Max Laier
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.

The following reply was made to PR kern/120057; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, eri@freebsd.org
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.
Date: Mon, 28 Jan 2008 19:45:01 +0100

http://www.cs.cmu.edu/~hzhang/HFSC/main.html agrees with the pfctl restrictions.
Can you give an example that is restricted by this check and shouldn't be?

- Max

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 28 20:20:03 2008
Date: Mon, 28 Jan 2008 20:20:02 GMT
To: freebsd-pf@FreeBSD.org
From: Ermal Luçi
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.

The following reply was made to PR kern/120057; it has been noted by GNATS.

From: Ermal Luçi
To: Max Laier
Cc: bug-followup@freebsd.org, eri@freebsd.org
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.
Date: Mon, 28 Jan 2008 21:13:41 +0100

Also note that the link you gave me has the note:

In order to decouple delay and bandwidth allocation, HFSC is designed based on the service curve service model. In HFSC, only two-piece linear service curves are used for simplicity. A two-piece linear service curve is characterized by three parameters:

* m1, the slope of the first segment
* m2, the slope of the second segment
* d, the x-projection of the intersection point of the two segments

The following figure illustrates the two types of two-piece linear service curves used in HFSC. For a convex curve (when m1 is less than m2), m1 is always zero.

But beware, that

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 28 20:40:05 2008
Date: Mon, 28 Jan 2008 20:40:04 GMT
To: freebsd-pf@FreeBSD.org
From: Ermal Luçi
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.

The following reply was made to PR kern/120057; it has been noted by GNATS.

From: Ermal Luçi
To: Max Laier
Cc: bug-followup@freebsd.org, eri@freebsd.org
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.
Date: Mon, 28 Jan 2008 21:03:39 +0100

http://www.sigcomm.org/sigcomm97/papers/p011.pdf

If you look at the paper on the link I gave here and I copied a snippet from page 11:

To demonstrate H-FSC's ability to ensure low delay for real-time connections, we target for a 5 ms delay for the audio session, and a 10 ms delay for the video session. To achieve these objectives, we assign to the audio session the service curve S_a = (umax_a = 160 bytes; dmax_a = 5 ms; r_a = 64 Kbps), and to the video session the service curve S_v = (umax_v = 8 KB; dmax_v = 10 ms; r_v = 2 Mbps). Also, in order to pass the admission control test, we assign to the FTP session the service curve S_FTP = (umax_FTP = 4 KB; dmax_FTP = 16.25 ms; r_FTP = 5 Mbps). The service curves of all the other sessions and classes are linear

And the paper specifically states that ALTQ_HFSC implementation doesn't allow for convex curve with a m1 parameter of 0.

Furthermore, the check is wrong since the second curve starting point is not (0, 0) but the point where the first curve ends, with x = d and y = conversion of m1. So the resultant curve is concave.

Sorry the bug follow up was not complete first time, but was tired when reported.

P.S.
There is another check actually, but that can be part of another PR, which does not allow setting only the realtime parameter and so forbids making altq non work conserving and being used in admission mode. Always if you couple it with a daemon that makes the proper changes in time.

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 28 23:27:18 2008
Date: Mon, 28 Jan 2008 15:27:04 -0800
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Subject: Re: How does /dev/pf get created?

Well, after a recommendation from our university network engineer, Chris, who is a FreeBSD expert, I decided to look into the whole devfs thing. Although it was new to me, a couple of quick glances at man pages and experiments produced a /dev/pf for me. Now I have a firewall! :D Seems very strange to me that I had to do this to make it work, however. Can anyone tell me what the permissions/ownerships for their /dev/pf is? I want to make sure that mine is kosher, even though my pf is already working.

Thanks to all who helped me on this problem, not to mention those whose mailboxes filled up with this thread! ;)

Now I'm having fun dinking around with the pf.conf. One thing I really dig so far about pf versus the firewall I use on my SuSE machines (iptables), is that I don't have to reboot for changes to take effect. Way happy about that! :)

- Gavin

>>> Gavin Spomer 01/25/08 3:30 PM >>>
>>> Jeremy Chadwick 01/25/08 2:39 PM >>>
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined
> link_elf: symbol altq_remove undefined

And, very likely, here is the cause of your pf problem. :-)

Please go back to what I said about your kernel configuration -- you're missing a lot of "option" arguments for ALTQ support. Add all of the ones I gave you, follow the instructions for buildkernel/installkernel, and it should all begin working.

The ALTQ options are still in my kernel; I never removed them since you recommended I put them in and I rebuilt my kernel.
I went ahead and did the buildkernel/installkernel again, checking to see if the ALTQ stuff was in there before.

This time I tried adding the "device pf" stuff back in. Still the same story. Maybe I'm rebuilding my kernel wrong? Doesn't seem likely. How hard is it to screw up the following?

1. vi /usr/src/sys/i386/conf/MACHINEHOSTNAME (edit accordingly)
2. cd /usr/src
3. make buildkernel KERNCONF=MACHINEHOSTNAME
4. make installkernel KERNCONF=MACHINEHOSTNAME
5. shutdown -r now

Well, the weekend is upon us. We can continue this on Monday, if you're still willing. Thanks for the extra effort.

- Gavin

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 28 23:50:59 2008
Date: Mon, 28 Jan 2008 17:50:57 -0600
From: David DeSimone
To: freebsd-pf@freebsd.org
Subject: Re: How does /dev/pf get created?

Gavin Spomer wrote:
>
> Although it was new to me, a couple of quick glances at man pages and
> experiments produced a /dev/pf for me.

Can you tell us what it was that you changed? Someone else may need to know, someday.

> One thing I really dig so far about pf versus the firewall I use on my
> SuSE machines (iptables), is that I don't have to reboot for changes
> to take effect. Way happy about that! :)

It has been a while since I worked with iptables, but I have NEVER had to reboot in order to make changes to it. That is just bizarre!

--
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you." --Lawyer Bot 6000

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 29 08:27:35 2008
Date: Tue, 29 Jan 2008 14:10:38 +0600
From: mitrohin a.s.
To: freebsd-pf@freebsd.org
Subject: Re: Forwarding another host

On Thu, Jan 10, 2008 at 09:37:49PM -0500, Rodrique Heron wrote:
> On 1/10/08, Michal Varga wrote:
> >
> > On Thu, 2008-01-10 at 12:10 -0500, Rodrique Heron wrote:
> > >
> > > Thanks
> > >
> > > FreeBSD syntax for log all is "log-all", I have no block rules. I am
> > > passing everything with.
> > >
> > > pass in quick all
> > > pass out quick all
> > >
> > ah, I think this may be another problem. Syntax for log (all) really
> > *was* log-all, in PF 3.7, that is approximately the version used in
> > FreeBSD 6.x. I somehow forgot about this from your first mail. As
> > FreeBSD 7 incorporates PF 3.9, things behave a little differently here
> > and there.
> > anyway, can you show me the exact PF config you are using
> > now, one that you think should work and doesn't?
> >
>
> Sorry for the duplicate, I forgot to CC the list.
>
> Both hosts are in the same broadcast domain, connected to the same switch.
>
> INTERNET
>    |
>    |
> PIX Firewall
>    |
>    |
> SWITCH*---*HOSTA 192.168.2.14
>    *
>    |
>    |
>    *
> HOSTB 192.168.2.27
>
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
>
> pass in quick all
> pass out quick all

try this:

rdr pass proto tcp from any to $host_ip port ssh tag A -> $external_host
nat pass all tagged A -> $host_ip

/swp

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 29 17:24:03 2008
Date: Tue, 29 Jan 2008 09:23:48 -0800
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Subject: Re: How does /dev/pf get created?

>>> David DeSimone 01/28/08 3:50 PM >>>
Gavin Spomer wrote:
>
> Although it was new to me, a couple of quick glances at man pages and
> experiments produced a /dev/pf for me.

Can you tell us what it was that you changed? Someone else may need to know, someday.

You're absolutely right. I guess I forgot my obligation in my excitement to go home yesterday. ;) Here's what I did:

1. cp /etc/defaults/devfs.rules /etc/
2. chmod u+w /etc/devfs.rules
3. vi /etc/devfs.rules: Added "add path pf unhide" to the [devfsrules_unhide_basic=2] ruleset
4. vi /etc/devfs.conf: Added "own pf root:wheel" and "perm pf 0660". *
5. shutdown -r now

* I don't know if my permissions/ownerships for /dev/pf are correct, but I looked at other devices and made a guess. Anyone know what they're supposed to be?

Just noticed I don't have pflog or pfsync devices either, so I guess I'll create those too.

> One thing I really dig so far about pf versus the firewall I use on my
> SuSE machines (iptables), is that I don't have to reboot for changes
> to take effect. Way happy about that! :)

It has been a while since I worked with iptables, but I have NEVER had to reboot in order to make changes to it. That is just bizarre!

I never took the time to actually write my own iptables rules, but SuSE has a built in mechanism that simplified it: SuSEfirewall2. Basically you just have a fairly simple config file to edit and SuSEconfig writes the rules for you.

In the O'Reilly book Linux Server Security (2nd Edition), it says "... all you do is edit the file /etc/sysconfig/SUSEfirewall2 (in earlier versions of SUSE, /etc/rc.conf.d/firewall2.rc.config), run SUSEconfig, and reboot". So I've been doing it that way ever since.

But after a quick Googling, it seems that maybe I don't have to reboot and can just run "/sbin/rcSuSEfirewall2 restart". Just an example of one of the times I wasn't very thorough in investigating something. ;)

- Gavin

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 29 18:26:42 2008
Date: Tue, 29 Jan 2008 18:26:34 +0000
From: Alexandre Vieira
To: freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Subject: Relayd l3 redirect send/expect check

Hi all,

There used to be a check send "string" expect "string" in the old config method in hoststated. I've checked the relayd.conf man page and apparently the only way to do this now is with an external script.

I've tried to add the " forward to check send "" expect "banner string" " and the relayd validates the config file but always sets my table hosts down :\

Also a simple " forward to check tcp " won't work. While snooping the interface to the pool servers I can see that relayd tries to contact all pool servers in the defined interval and in the correct port but doesn't actually open a connection, just send a SYN, the servers answer and then it RST them. The hosts are shown as "down" in relayctl.

18:11:10.387565 IP 172.16.135.142.52679 > 172.16.135.148.rtsp: S 675781109:675781109(0) win 16384
18:11:10.387591 IP 172.16.135.142.49363 > 172.16.135.133.rtsp: S 1229756465:1229756465(0) win 16384
18:11:10.387850 IP 172.16.135.148.rtsp > 172.16.135.142.52679: S 216269779:216269779(0) ack 675781110 win 24616
18:11:10.387870 IP 172.16.135.142.52679 > 172.16.135.148.rtsp: R 675781110:675781110(0) win 0
18:11:10.387873 IP 172.16.135.133.rtsp > 172.16.135.142.49363: S 2827025081:2827025081(0) ack 1229756466 win 49232
18:11:10.387882 IP 172.16.135.142.49363 > 172.16.135.133.rtsp: R 1229756466:1229756466(0) win 0

The only way I have to get it working is a simple check icmp, which is sucky :\

When the pool hosts are up the rdrs work great.

relayd.conf:

public_ip="10.16.3.177"
rtsp1="172.16.135.148"
rtsp2="172.16.135.133"

interval 5 # check hosts every 5 seconds

table { $rtsp1 $rtsp2 }

redirect rtsp {
        listen on $public_ip port 554 interface bge0
        tag RELAYD
        sticky-address
        forward to check tcp
}

pf.conf:

scrub all fragment reassemble
rdr-anchor "relayd/*"
pass all keep state

FreeBSD 7.0-RC1 FreeBSD 7.0-RC1 #1: Fri Jan 18 13:36:30 WET 2008 root@:/usr/obj/usr/src/sys/me amd64

kernel diff:

device pf
device pflog
device pfsync
device carp
options ALTQ
options ALTQ_CBQ        # Class Bases Queuing (CBQ)
options ALTQ_RED        # Random Early Detection (RED)
options ALTQ_RIO        # RED In/Out
options ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ       # Priority Queuing (PRIQ)
options ALTQ_NOPCC      # Required for SMP build

The objective is to use relayd/pf as a simple l3 roundrobin load balancer with service health check.

Any advice is most welcome.
Regards,

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 29 19:03:28 2008
Message-ID: <55e8a96c0801291037r7bd013cfr6f3c6448024afd42@mail.gmail.com>
Date: Tue, 29 Jan 2008 12:37:20 -0600
From: "Bill Marquette"
To: "freebsd-pf@freebsd.org"
Subject: LOR in pf on 6.2

Been having some kernel locks on some machines at work, not sure if this LOR is related (and I see an XXX LOR comment in the code too, so I'm guessing it's been seen before) although I have certainly had some of the machines lock during bootup right around the place that this LOR prints out.

Jan 29 12:11:46 1st 0xc09e4420 pf task mtx (pf task mtx) @ /usr/src/sys/contrib/pf/net/pf.c:6386
Jan 29 12:11:46 2nd 0xc0a5142c udp (udp) @ /usr/src/sys/contrib/pf/net/pf.c:2744

I've got a couple machines that reliably lock w/in 24 hours or so of uptime, I can easily test any source patches on them. All machines are built off of FreeBSD 6.2-RELEASE-p10 sources.

Thanks

--Bill

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 29 19:36:58 2008
Message-ID: <32841.192.168.4.151.1201635351.squirrel@router.laiers.local>
In-Reply-To: <55e8a96c0801291037r7bd013cfr6f3c6448024afd42@mail.gmail.com>
References: <55e8a96c0801291037r7bd013cfr6f3c6448024afd42@mail.gmail.com>
Date: Tue, 29 Jan 2008 20:35:51 +0100 (CET)
From: "Max Laier"
To: "Bill Marquette"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: LOR in pf on 6.2

On Tue, 29.01.2008, 19:37, Bill Marquette wrote:
> Been having some kernel locks on some machines at work, not sure if
> this LOR is related (and I see an XXX LOR comment in the code too, so
> I'm guessing it's been seen before) although I have certainly had some
> of the machines lock during bootup right around the place that this
> LOR prints out.
>
> Jan 29 12:11:46 1st 0xc09e4420 pf task mtx (pf task mtx) @
> /usr/src/sys/contrib/pf/net/pf.c:6386
> Jan 29 12:11:46 2nd 0xc0a5142c udp (udp) @
> /usr/src/sys/contrib/pf/net/pf.c:2744
>
> I've got a couple machines that reliably lock w/in 24 hours or so of
> uptime, I can easily test any source patches on them. All machines
> are built off of FreeBSD 6.2-RELEASE-p10 sources. Thanks

From the pf.conf(5) in RELENG_6_2:

BUGS
     Due to a lock order reversal (LOR) with the socket layer, the use of the
     group and user filter parameter in conjunction with a Giant-free netstack
     can result in a deadlock. If you have to use group or user you must set
     debug.mpsafenet to ``0'' from the loader(8), for the moment. This
     workaround will still produce the LOR, but Giant will protect from the
     deadlock.

A better fix is in RELENG_7 ... backporting won't make much sense.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 29 20:33:23 2008
Message-ID: <005e01c862b2$78a6d7c0$050a0a0a@chepkov.lan>
From: "Vadym Chepkov"
To: "Gavin Spomer"
References: <479EF0A402000090000132D4@hermes.cwu.edu>
Date: Tue, 29 Jan 2008 15:06:43 -0500
Cc: freebsd-pf@freebsd.org
Subject: Re: How does /dev/pf get created?

Gavin,

I have never had to do anything like this and nevertheless I have /dev/pf
I have pf compiled into the kernel, so I wouldn't blame it on "must be module" either.

Could you send me, please, the following files, I would really like to understand the problem

- KERNEL config
- /etc/make.conf
- /etc/rc.conf
- /etc/fstab
- /boot/loader.conf

Thanks

Sincerely,
Vadym Chepkov

----- Original Message -----
From: "Gavin Spomer"
To:
Sent: Tuesday, January 29, 2008 12:23 PM
Subject: Re: How does /dev/pf get created?

>>> David DeSimone 01/28/08 3:50 PM >>>
Gavin Spomer wrote:
>
> Although it was new to me, a couple of quick glances at man pages and
> experiments produced a /dev/pf for me.

Can you tell us what it was that you changed? Someone else may need to know, someday.

You're absolutely right. I guess I forgot my obligation in my excitement to go home yesterday. ;) Here's what I did:

1. cp /etc/defaults/devfs.rules /etc/
2. chmod u+w /etc/devfs.rules
3. vi /etc/devfs.rules: Added "add path pf unhide" to the [devfsrules_unhide_basic=2] ruleset
4. vi /etc/devfs.conf: Added "own pf root:wheel" and "perm pf 0660". *
5. shutdown -r now

* I don't know if my permissions/ownerships for /dev/pf are correct, but I looked at other devices and made a guess. Anyone know what they're supposed to be?

Just noticed I don't have pflog or pfsync devices either, so I guess I'll create those too.

> One thing I really dig so far about pf versus the firewall I use on my
> SuSE machines (iptables), is that I don't have to reboot for changes
> to take effect. Way happy about that! :)

It has been a while since I worked with iptables, but I have NEVER had to reboot in order to make changes to it. That is just bizarre!

I never took the time to actually write my own iptables rules, but SuSE has a built in mechanism that simplified it: SuSEfirewall2. Basically you just have a fairly simple config file to edit and SuSEconfig writes the rules for you. In the O'Reilly book Linux Server Security (2nd Edition), it says "... all you do is edit the file /etc/sysconfig/SUSEfirewall2 (in earlier versions of SUSE, /etc/rc.conf.d/firewall2.rc.config), run SUSEconfig, and reboot". So I've been doing it that way ever since. But after a quick Googling, it seems that maybe I don't have to reboot and can just run "/sbin/rcSuSEfirewall2 restart". Just an example of one of the times I wasn't very thorough in investigating something.
;)

- Gavin

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 29 21:06:59 2008
Date: Tue, 29 Jan 2008 13:05:56 -0800
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Message-id: <479F24B5020000900001332F@hermes.cwu.edu>
Content-type: multipart/mixed; boundary="Boundary_(ID_uDM+RPkNl1Edf5zBjdY5Sw)"
Subject: Re: How does /dev/pf get created?

--Boundary_(ID_uDM+RPkNl1Edf5zBjdY5Sw)
Content-type: text/plain; charset=US-ASCII
Content-disposition: inline

>>> Vadym Chepkov 01/29/08 12:06 PM >>>
Gavin,

I have never had to do anything like this and nevertheless I have /dev/pf
I have pf compiled into the kernel, so I wouldn't blame it on "must be module" either.

Could you send me, please, the following files, I would really like to understand the problem

- KERNEL config
- /etc/make.conf
- /etc/rc.conf
- /etc/fstab
- /boot/loader.conf

Sure. KERNEL config is attached.

/etc/make.conf:

# added by use.perl 2007-12-11 11:29:06
PERL_VER=5.8.8
PERL_VERSION=5.8.8

/etc/rc.conf:

hostname="myhostname.cwu.edu"
ifconfig_bce0="DHCP"
linux_enable="YES"
sshd_enable="YES"
#usbd_enable="YES"
ntpd_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
zope210_enable="YES"
zope210_instances="/usr/local/zope"

#Packet Filter (Firewall)
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_flags=""

/etc/fstab:

# Device        Mountpoint      FStype  Options         Dump    Pass#
/dev/da0s1b     none            swap    sw              0       0
/dev/da0s1a     /               ufs     rw              1       1
/dev/da0s1e     /tmp            ufs     rw              2       2
/dev/da0s1f     /usr            ufs     rw              2       2
/dev/da0s1d     /var            ufs     rw              2       2
/dev/acd0       /cdrom          cd9660  ro,noauto       0       0

/boot/loader.conf:

# Makes Apache Work - 11/30/07 - GS
accf_http_load="YES"

Thanks for your interest.
- Gavin

--Boundary_(ID_uDM+RPkNl1Edf5zBjdY5Sw)
Content-type: application/octet-stream; name=MYKERNEL
Content-transfer-encoding: BASE64
Content-disposition: attachment; filename=MYKERNEL

--Boundary_(ID_uDM+RPkNl1Edf5zBjdY5Sw)--

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 29 21:20:03 2008
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m0TLK3xl087306 for ; Tue, 29 Jan 2008 21:20:03 GMT (envelope-from
 gnats@freefall.freebsd.org)
Date: Tue, 29 Jan 2008 21:20:03 GMT
Message-Id: <200801292120.m0TLK3TC087305@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: "Ermal Luçi"
Reply-To: Ermal Luçi
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.

The following reply was made to PR kern/120057; it has been noted by GNATS.

From: "Ermal Luçi"
To: "Max Laier"
Cc: bug-followup@freebsd.org, eri@freebsd.org
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check i wrong since even with the values forbidden from this check you get a concave curve.
Date: Tue, 29 Jan 2008 22:11:32 +0100

Following up, since I noticed that the mail was truncated.

Also note that the link you gave me has the note:

In order to decouple delay and bandwidth allocation, HFSC is designed based on the service curve service model. In HFSC, only two-piece linear service curves are used for simplicity. A two-piece linear service curve is characterized by three parameters:

* m1, the slope of the first segment
* m2, the slope of the second segment
* d, the x-projection of the intersection point of the two segments

The following figure illustrates the two types of two-piece linear service curves used in HFSC. For a convex curve (when m1 is less than m2), m1 is always zero.

But beware that m1 here is in slope terms while the m1 parameter of service curves is not a slope!
It is bytes per tick. To check if a curve is concave, in the paper there is a proper formula but needs some info that is not available at configuration time. But as I said you cannot really configure a convex service curve.

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 30 01:35:06 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AD28616A418 for ; Wed, 30 Jan 2008 01:35:06 +0000 (UTC) (envelope-from bill.marquette@gmail.com)
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.245]) by mx1.freebsd.org (Postfix) with ESMTP id 62BB413C447 for ; Wed, 30 Jan 2008 01:35:06 +0000 (UTC) (envelope-from bill.marquette@gmail.com)
Received: by an-out-0708.google.com with SMTP id c14so14373anc.13 for ; Tue, 29 Jan 2008 17:35:05 -0800 (PST)
Received: by 10.100.7.1 with SMTP id 1mr265829ang.73.1201656905553; Tue, 29 Jan 2008 17:35:05 -0800 (PST)
Received: by 10.100.231.6 with HTTP; Tue, 29 Jan 2008 17:35:05 -0800 (PST)
Message-ID: <55e8a96c0801291735g4a356d17p2871b6673e446cb5@mail.gmail.com>
Date: Tue, 29 Jan 2008
19:35:05 -0600
From: "Bill Marquette"
To: "Max Laier"
In-Reply-To: <32841.192.168.4.151.1201635351.squirrel@router.laiers.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <55e8a96c0801291037r7bd013cfr6f3c6448024afd42@mail.gmail.com> <32841.192.168.4.151.1201635351.squirrel@router.laiers.local>
Cc: "freebsd-pf@freebsd.org"
Subject: Re: LOR in pf on 6.2

On Jan 29, 2008 1:35 PM, Max Laier wrote:
> From the pf.conf(5) in RELENG_6_2:
>
> BUGS
> Due to a lock order reversal (LOR) with the socket layer, the use of the
> group and user filter parameter in conjunction with a Giant-free netstack
> can result in a deadlock. If you have to use group or user you must set
> debug.mpsafenet to ``0'' from the loader(8), for the moment. This
> workaround will still produce the LOR, but Giant will protect from the
> deadlock.

Crud, didn't see that...I was suspecting the user/group code. Thanks Max, I'll pull that from our ruleset immediately.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 31 20:23:49 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 82F6116A418 for ; Thu, 31 Jan 2008 20:23:49 +0000 (UTC) (envelope-from vchepkov@gmail.com)
Received: from po-out-1718.google.com (po-out-1718.google.com [72.14.252.154]) by mx1.freebsd.org (Postfix) with ESMTP id 2FD2313C46E for ; Thu, 31 Jan 2008 20:23:49 +0000 (UTC) (envelope-from vchepkov@gmail.com)
Received: by po-out-1718.google.com with SMTP id a23so190026poh.3 for ; Thu, 31 Jan 2008 12:23:48 -0800 (PST)
Received: by 10.110.49.6 with SMTP id w6mr1540755tiw.2.1201811027255; Thu, 31 Jan 2008 12:23:47 -0800 (PST)
Received: from xp ( [72.86.47.124]) by mx.google.com with ESMTPS id h8sm365339wxd.34.2008.01.31.12.23.45 (version=SSLv3 cipher=RC4-MD5); Thu, 31 Jan 2008 12:23:45 -0800 (PST)
Message-ID: <001601c86447$2df07c90$050a0a0a@chepkov.lan>
From: "Vadym Chepkov"
To: "Gavin Spomer" ,
References: <479F24B5020000900001332F@hermes.cwu.edu>
Date: Thu, 31 Jan 2008 15:23:43 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Cc:
Subject: Re: How does /dev/pf get created?

Gavin,

That doesn't make sense to me, everything seems to be normal.
Could you send output of uname -a ?

When I have device pf compiled in kernel it's getting created during kernel startup. Try to boot in single mode (boot -s in loader prompt) and see if you have /dev/pf then, maybe it is getting destroyed ?

Vadym

----- Original Message -----
From: "Gavin Spomer"
To:
Sent: Tuesday, January 29, 2008 4:05 PM
Subject: Re: How does /dev/pf get created?

>>> Vadym Chepkov 01/29/08 12:06 PM >>>
Gavin,

I have never had to do anything like this and nevertheless I have /dev/pf
I have pf compiled into the kernel, so I wouldn't blame it on "must be module" either.
Could you send me, please, the following files, I would really like to understand the problem
- KERNEL config
- /etc/make.conf
- /etc/rc.conf
- /etc/fstab
- /boot/loader.conf

Sure. KERNEL config is attached.

/etc/make.conf:
# added by use.perl 2007-12-11 11:29:06
PERL_VER=5.8.8
PERL_VERSION=5.8.8

/etc/rc.conf:
hostname="myhostname.cwu.edu"
ifconfig_bce0="DHCP"
linux_enable="YES"
sshd_enable="YES"
#usbd_enable="YES"
ntpd_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
zope210_enable="YES"
zope210_instances="/usr/local/zope"
#Packet Filter (Firewall)
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_flags=""

/etc/fstab:
# Device      Mountpoint  FStype  Options    Dump  Pass#
/dev/da0s1b   none        swap    sw         0     0
/dev/da0s1a   /           ufs     rw         1     1
/dev/da0s1e   /tmp        ufs     rw         2     2
/dev/da0s1f   /usr        ufs     rw         2     2
/dev/da0s1d   /var        ufs     rw         2     2
/dev/acd0     /cdrom      cd9660  ro,noauto  0     0

/boot/loader.conf:
# Makes Apache Work - 11/30/07 - GS
accf_http_load="YES"

Thanks for your interest.

- Gavin

--------------------------------------------------------------------------------

> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 31 20:31:03 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CA3AC16A41A for ; Thu, 31 Jan 2008 20:31:03 +0000 (UTC) (envelope-from spomerg@cwu.EDU)
Received: from charybdis.cts.cwu.edu (charybdis.cts.cwu.edu [198.104.67.152]) by mx1.freebsd.org (Postfix) with ESMTP id B9E1213C4EE for ; Thu, 31 Jan 2008 20:31:03 +0000 (UTC) (envelope-from spomerg@cwu.EDU)
Received: from CONVERSION-CWU-DAEMON.CHARYBDIS.CTS.CWU.EDU by CHARYBDIS.CTS.CWU.EDU (PMDF V6.3-x13 #31358) id <01MQQRDS1BN4000RIR@CHARYBDIS.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Thu, 31 Jan 2008 12:31:03 -0800 (PST)
Received: from hermes.cwu.edu (hermes.cwu.edu [172.16.21.28]) by CHARYBDIS.CTS.CWU.EDU (PMDF V6.3-x13 #31358) with ESMTP id
<01MQQRDRUZPU000VUG@CHARYBDIS.CTS.CWU.EDU> for freebsd-pf@freebsd.org; Thu, 31 Jan 2008 12:31:02 -0800 (PST)
Received: from cwugate1-MTA by hermes.cwu.edu with Novell_GroupWise; Thu, 31 Jan 2008 12:31:02 -0800
Date: Thu, 31 Jan 2008 12:30:55 -0800
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Message-id: <47A1BF7F0200009000013587@hermes.cwu.edu>
MIME-version: 1.0
X-Mailer: Novell GroupWise Internet Agent 7.0.2 HP
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: quoted-printable
Content-disposition: inline
Subject: Re: How does /dev/pf get created?

>>> Vadym Chepkov 01/31/08 12:23 PM >>>
Gavin,

That doesn't make sense to me, everything seems to be normal.
Could you send output of uname -a ?

uname -a: FreeBSD myhostname.cwu.edu 6.2-RELEASE FreeBSD 6.2-RELEASE #6: Fri Jan 25 15:05:58 PST 2008 spomerg@myhostname.cwu.edu:/usr/obj/usr/src/sys/MYHOSTNAME i386

When I have device pf compiled in kernel it's getting created during kernel startup. Try to boot in single mode (boot -s in loader prompt) and see if you have /dev/pf then, maybe it is getting destroyed ?

Vadym

----- Original Message -----
From: "Gavin Spomer"
To:
Sent: Tuesday, January 29, 2008 4:05 PM
Subject: Re: How does /dev/pf get created?

>>> Vadym Chepkov 01/29/08 12:06 PM >>>
Gavin,

I have never had to do anything like this and nevertheless I have /dev/pf
I have pf compiled into the kernel, so I wouldn't blame it on "must be module" either.
Could you send me, please, the following files, I would really like to understand the problem
- KERNEL config
- /etc/make.conf
- /etc/rc.conf
- /etc/fstab
- /boot/loader.conf

Sure. KERNEL config is attached.

/etc/make.conf:
# added by use.perl 2007-12-11 11:29:06
PERL_VER=5.8.8
PERL_VERSION=5.8.8

/etc/rc.conf:
hostname="myhostname.cwu.edu"
ifconfig_bce0="DHCP"
linux_enable="YES"
sshd_enable="YES"
#usbd_enable="YES"
ntpd_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
zope210_enable="YES"
zope210_instances="/usr/local/zope"
#Packet Filter (Firewall)
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_flags=""

/etc/fstab:
# Device      Mountpoint  FStype  Options    Dump  Pass#
/dev/da0s1b   none        swap    sw         0     0
/dev/da0s1a   /           ufs     rw         1     1
/dev/da0s1e   /tmp        ufs     rw         2     2
/dev/da0s1f   /usr        ufs     rw         2     2
/dev/da0s1d   /var        ufs     rw         2     2
/dev/acd0     /cdrom      cd9660  ro,noauto  0     0

/boot/loader.conf:
# Makes Apache Work - 11/30/07 - GS
accf_http_load="YES"

Thanks for your interest.

- Gavin

--------------------------------------------------------------------------------

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 1 12:09:33 2008
Return-Path:
Delivered-To: pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 688DF16A419 for ; Fri, 1 Feb 2008 12:09:33 +0000 (UTC) (envelope-from root@cathoo.schedom-europe.net)
Received: from cathoo.schedom-europe.net (cathoo.schedom-europe.net [193.109.185.2]) by mx1.freebsd.org (Postfix) with ESMTP id C571813C4E3 for ; Fri, 1 Feb 2008 12:09:32 +0000 (UTC) (envelope-from root@cathoo.schedom-europe.net)
Received: (qmail 19909 invoked by uid 48); 1 Feb 2008 12:56:23 +0100
Date: 1 Feb
2008 12:56:23 +0100
Message-ID: <20080201115623.19899.qmail@cathoo.schedom-europe.net>
To: pf@freebsd.org
From: Storistes de France
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Content-Type: text/plain
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc:
Subject: Job Offer
Reply-To: jobadvert@storistes-de-france.com

Storistes de France is currently looking for English Corrections Officer.

We currently need three english corrections officer, someone who can edit our customer service messages and correct errors in our english customer service messages. This is an opportunity is open to anyone who know how to write english without errors and someone who can correct mistakes/errors in English Language and we also need someone who will be working as our agent. You are required to work for one hour daily by checking your email for our customer service message and edit it because of correction and other english errors.

WHAT WE EXPECT FROM A CANDIDATE:
- Applicants must be living in USA,Canada or Australia.
- Applicants must be high school or vocational high school graduates.
- Above 18 years old.
- Confident computer skills.
- Applicants must be available to check his/her e-mail messages between 7am - 12noon.
- Good working relationship with new people.
- Required to be online at least 1-3hours and 2 days per week.

WHAT WE OFFER
- Speedy career progress
- High earnings plus performance results bonus.
- A Personal Toshiba Laptop.
- Weekly payment of $250.00.
- Monthly Salary : Starting from $10,000 - $55,000.00.
**** To apply please send your CV/Resume to our email: storistes@temporaryforwarding.com

Milla Cole
Storistes de France
Website: http://www.storistes-de-france.com/