From owner-freebsd-pf@freebsd.org Sun Jun 11 07:34:05 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Sun, 11 Jun 2017 07:34:04 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

Damjan Jovanovic changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219918

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Sun Jun 11 07:59:40 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Sun, 11 Jun 2017 07:59:40 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

--- Comment #5 from Damjan Jovanovic ---
Thank you.

I've developed a patch for the same feature in LibAlias (tested with IPFW but presumably applies to natd/pppd too) on bug 219918, which you might want to look at first, as it's much shorter and simpler than this one, only about 200 lines long.

Also my tests show IPFILTER already does endpoint-independent mapping, as does "iptables" in Linux.

I've also emailed freebsd-net@ with an explanation:
https://lists.freebsd.org/pipermail/freebsd-net/2017-June/048135.html

From owner-freebsd-pf@freebsd.org Sun Jun 11 21:01:09 2017
Message-Id: <201706112101.v5BL015f064872@kenobi.freebsd.org>
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 11 Jun 2017 21:01:09 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Thu Jun 15 18:21:56 2017
From: Malte Graebner
To: freebsd-pf@freebsd.org
Subject: pf logging only no active filtering
Date: Thu, 15 Jun 2017 20:21:50 +0200

Hello folks,

is there an option to only log all the stuff going on via the "log" keyword, without taking any action on the traffic flow itself?

I'm migrating an existing iptables firewall, and I want to set the new one in front of it and bridge the traffic to the old one.

Meanwhile I want to test my iptables -> pf ruleset and snoop the bridge traffic with pflog and tcpdump, but the "new" firewall needs to let the traffic flow without taking any action except logging.

br, malte

From owner-freebsd-pf@freebsd.org Thu Jun 15 19:18:24 2017
From: Mike Tancsa
Organization: Sentex Communications
To: Malte Graebner, freebsd-pf@freebsd.org
Subject: Re: pf logging only no active filtering
Message-ID: <32bdfeef-fd4a-09d9-d811-4b4b6b24aa15@sentex.net>
Date: Thu, 15 Jun 2017 15:18:08 -0400

On 6/15/2017 2:21 PM, Malte Graebner wrote:
> Hello folks,
> is there an option to only log all the stuff going on via the "log" keyword,
> without taking any action on the traffic flow itself?

Perhaps

pass quick log

... quick matches and then no longer evals the rules.

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-pf@freebsd.org Thu Jun 15 19:32:48 2017
From: Malte Graebner
To: Mike Tancsa, freebsd-pf@freebsd.org
Subject: Re: pf logging only no active filtering
In-Reply-To: <32bdfeef-fd4a-09d9-d811-4b4b6b24aa15@sentex.net>
Date: Thu, 15 Jun 2017 21:32:37 +0200

Using the quick keyword has the side effect that I'm not able to see if there are any packets that would be blocked which shouldn't be, because the whole ruleset (about 500 rules) is not evaluated.

E.g.: multiple bidirectional nat rules not doing what I expect them to do. Then I can fix the ruleset without affecting the live environment. But therefore I need to process the whole ruleset, so as not to get unhandy surprises with some rules when going live.

On 15.06.2017 at 21:18, Mike Tancsa wrote:
> On 6/15/2017 2:21 PM, Malte Graebner wrote:
>> Hello folks,
>> is there an option to only log all the stuff going on via the "log" keyword,
>> without taking any action on the traffic flow itself?
> Perhaps
>
> pass quick log
>
> ... quick matches and then no longer evals the rules.
>
> ---Mike
>

From owner-freebsd-pf@freebsd.org Thu Jun 15 19:47:23 2017
From: Mike Tancsa
Organization: Sentex Communications
To: Malte Graebner, freebsd-pf@freebsd.org
Subject: Re: pf logging only no active filtering
Date: Thu, 15 Jun 2017 15:47:13 -0400

On 6/15/2017 3:32 PM, Malte Graebner wrote:
> Using the quick keyword has the side effect that I'm not able to see if
> there are any packets that would be blocked which shouldn't be, because
> the whole ruleset (about 500 rules) is not evaluated.

I am not sure I follow, can you rephrase/state the above? Do you mean the quick pass rule is not being evaluated, even if it's the very first rule? Perhaps illustrate the condition with a minimal set of pf rules?

If you don't use the pass in {rdr|binat|nat} and make the quick line the first line, nothing should get evaluated after the quick pass. Also, I would always add 'log' to all the rules when debugging, so you see what's actually being hit. There should not be any mysteries that way.

---Mike

> E.g.: multiple bidirectional nat rules not doing what I expect them
> to do. Then I can fix the ruleset without affecting the live
> environment. But therefore I need to process the whole ruleset, so as
> not to get unhandy surprises with some rules when going live.
>
>
> On 15.06.2017 at 21:18, Mike Tancsa wrote:
>> On 6/15/2017 2:21 PM, Malte Graebner wrote:
>>> Hello folks,
>>> is there an option to only log all the stuff going on via the "log" keyword,
>>> without taking any action on the traffic flow itself?
>> Perhaps
>>
>> pass quick log
>>
>> ... quick matches and then no longer evals the rules.
>>
>> ---Mike
>>
>

From owner-freebsd-pf@freebsd.org Thu Jun 15 20:14:21 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Thu, 15 Jun 2017 20:14:21 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

--- Comment #6 from Kristof Provost ---
With this patch my gateway box (pf and vimage jails) panics pretty quickly during boot.

#0  doadump (textdump=0) at pcpu.h:232
#1  0xffffffff803a4c2b in db_dump (dummy=<value optimized out>, dummy2=<value optimized out>, dummy3=<value optimized out>, dummy4=<value optimized out>) at /usr/src/sys/ddb/db_command.c:546
#2  0xffffffff803a4a1f in db_command (cmd_table=<value optimized out>) at /usr/src/sys/ddb/db_command.c:453
#3  0xffffffff803a4754 in db_command_loop () at /usr/src/sys/ddb/db_command.c:506
#4  0xffffffff803a781f in db_trap (type=<value optimized out>, code=<value optimized out>) at /usr/src/sys/ddb/db_main.c:248
#5  0xffffffff80a9bd33 in kdb_trap (type=12, code=0, tf=<value optimized out>) at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80efb4f2 in trap_fatal (frame=0xfffffe022fefaf50, eva=48) at /usr/src/sys/amd64/amd64/trap.c:796
#7  0xffffffff80efb5a2 in trap_pfault (frame=0xfffffe022fefaf50, usermode=0) at pcpu.h:232
#8  0xffffffff80efad3d in trap (frame=0xfffffe022fefaf50) at /usr/src/sys/amd64/amd64/trap.c:421
#9  0xffffffff80edcf31 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:236
#10 0xffffffff8267409a in pf_addrcpy (dst=0x30, src=0xfffff8002d09f590, af=2 '\002') at pcpu.h:231
#11 0xffffffff82689ead in pf_get_translation (pd=0xfffffe022fefc351, m=<value optimized out>, off=<value optimized out>, direction=2, kif=<value optimized out>, sn=0xfffffe022fefb438, skp=<value optimized out>, nkp=<value optimized out>, saddr=<value optimized out>, daddr=<value optimized out>, sport=<value optimized out>, dport=<value optimized out>, anchor_stack=<value optimized out>) at /usr/src/sys/netpfil/pf/pf_lb.c:262
#12 0xffffffff8267dd08 in pf_test_rule (rm=0xfffffe022fefb6d0, sm=0xfffffe022fefb6e0, direction=2, kif=0xfffff80006dddb00, m=0xfffff8002d23f000, off=20, pd=<value optimized out>, am=0xfffffe022fefb6a0, inp=<value optimized out>) at /usr/src/sys/netpfil/pf/pf.c:3336
#13 0xffffffff8267af11 in pf_test (dir=<value optimized out>, ifp=<value optimized out>, m0=<value optimized out>, inp=0x0) at /usr/src/sys/netpfil/pf/pf.c:6088
#14 0xffffffff8268cd9d in pf_check_out (arg=<value optimized out>, m=0xfffffe022fefb7c0, ifp=<value optimized out>, dir=<value optimized out>, inp=<value optimized out>) at /usr/src/sys/netpfil/pf/pf_ioctl.c:3582
#15 0xffffffff80b74314 in pfil_run_hooks (ph=0xfffffe0000de7a18, mp=0xfffffe022fefb818, ifp=0xfffff80006e1d800, dir=2, inp=0x0) at /usr/src/sys/net/pfil.c:108
#16 0xffffffff80bdbf80 in ip_tryforward (m=0xfffff8002d23f000) at /usr/src/sys/netinet/ip_fastfwd.c:306
#17 0xffffffff80bde9f1 in ip_input (m=0xfffff8002d23f000) at /usr/src/sys/netinet/ip_input.c:570
#18 0xffffffff80b731bf in netisr_dispatch_src (proto=1, source=0, m=0xfffff8002d23f000) at /usr/src/sys/net/netisr.c:1120
#19 0xffffffff80b593be in ether_demux (ifp=0xfffff80006e1c000, m=<value optimized out>) at /usr/src/sys/net/if_ethersubr.c:848
#20 0xffffffff80b5a3f2 in ether_nh_input (m=<value optimized out>) at /usr/src/sys/net/if_ethersubr.c:637
#21 0xffffffff80b731bf in netisr_dispatch_src (proto=5, source=0, m=0xfffff8002d23f000) at /usr/src/sys/net/netisr.c:1120
#22 0xffffffff80b5977f in ether_input (ifp=0xfffff80006e1c000, m=0x0) at /usr/src/sys/net/if_ethersubr.c:757
#23 0xffffffff80b54d6a in if_input (ifp=<value optimized out>, sendmp=<value optimized out>) at /usr/src/sys/net/if.c:3993
#24 0xffffffff804ff9cc in bge_rxeof () at /usr/src/sys/dev/bge/if_bge.c:4424
#25 0xffffffff804fd0d2 in bge_intr_task (arg=0xfffffe0000fe5000, pending=<value optimized out>) at /usr/src/sys/dev/bge/if_bge.c:4654
#26 0xffffffff80aae22d in taskqueue_run_locked (queue=0xfffff80005637400) at /usr/src/sys/kern/subr_taskqueue.c:454
#27 0xffffffff80aaefe8 in taskqueue_thread_loop (arg=<value optimized out>) at /usr/src/sys/kern/subr_taskqueue.c:746
#28 0xffffffff80a1ab44 in fork_exit (callout=0xffffffff80aaef60, arg=0xfffffe0000fec568, frame=0xfffffe022fefbc00) at /usr/src/sys/kern/kern_fork.c:1038
#29 0xffffffff80edd46e in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:611
#30 0x0000000000000000 in ?? ()

...

#11 0xffffffff82689ead in pf_get_translation (pd=0xfffffe022fefc351, m=<value optimized out>, off=<value optimized out>, direction=2, kif=<value optimized out>, sn=0xfffffe022fefb438, skp=<value optimized out>, nkp=<value optimized out>, saddr=<value optimized out>, daddr=<value optimized out>, sport=<value optimized out>, dport=<value optimized out>, anchor_stack=<value optimized out>) at /usr/src/sys/netpfil/pf/pf_lb.c:262
262		PF_ACPY(&(*udp_mapping)->endpoints[1].addr, naddr, af);
(kgdb) p udp_mapping
Cannot access memory at address 0x0
(kgdb)

I'm not quite sure how that happens, but it's easy to reproduce. My pf.conf is a pretty typical gateway config. A nat rule and a couple of rdr rules (including for UDP).

From owner-freebsd-pf@freebsd.org Thu Jun 15 20:22:07 2017
From: Malte Graebner
To: Mike Tancsa, freebsd-pf@freebsd.org
Subject: Re: pf logging only no active filtering
Message-ID: <2355471a-1507-d38f-41c4-7c8523b838b2@maltedoc.de>
Date: Thu, 15 Jun 2017 22:22:05 +0200
Don't get me wrong. I get your point. I guess when using your method, I need to put in rule by rule, to test each "pass" rule on its own - okay, no problem. But ... :D I also need to test a mix of 300 nat/binat/rdr rules out of 10 networks. So the pass quick rule can't help me, because the nat rules still get evaluated and filtered (rule order), or am I wrong?

I'm looking for something like pfctl -vv -n -f /etc/pf.conf for the pf set, which logs against a "virtual" rule set that will not take any action except logging the theoretical action to pflog0.

On 15.06.2017 at 21:47, Mike Tancsa wrote:
> On 6/15/2017 3:32 PM, Malte Graebner wrote:
>> Using the quick keyword has the side effect that I'm not able to see if
>> there are any packets that would be blocked which shouldn't be, because
>> the whole ruleset (about 500 rules) is not evaluated.
> I am not sure I follow, can you rephrase/state the above? Do you mean
> the quick pass rule is not being evaluated, even if it's the very first
> rule? Perhaps illustrate the condition with a minimal set of pf rules?
>
> If you don't use the pass in {rdr|binat|nat} and make the quick line the
> first line, nothing should get evaluated after the quick pass.
> Also, I would always add 'log' to all the rules when debugging, so you
> see what's actually being hit. There should not be any mysteries that way.
>
> ---Mike
>
>
>
>
>> E.g.: multiple bidirectional nat rules not doing what I expect them
>> to do. Then I can fix the ruleset without affecting the live
>> environment. But therefore I need to process the whole ruleset, so as
>> not to get unhandy surprises with some rules when going live.
>>
>>
>> On 15.06.2017 at 21:18, Mike Tancsa wrote:
>>> On 6/15/2017 2:21 PM, Malte Graebner wrote:
>>>> Hello folks,
>>>> is there an option to only log all the stuff going on via the "log" keyword,
>>>> without taking any action on the traffic flow itself?
>>> Perhaps
>>>
>>> pass quick log
>>>
>>> ... quick matches and then no longer evals the rules.
>>>
>>> ---Mike
>>>
>>>
>>
>

From owner-freebsd-pf@freebsd.org Fri Jun 16 04:44:39 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Fri, 16 Jun 2017 04:44:39 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

Damjan Jovanovic changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #183243|0                           |1
        is obsolete|                            |

--- Comment #7 from Damjan Jovanovic ---
Created attachment 183512
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=183512&action=edit
pf RFC 4787 req 1 and 3 implementation, version 2

Sorry about that. pf_lb.c:262 expected (*udp_mapping) to be set, which is only true for UDP (I didn't test with TCP). This new patch only writes to it if it's not NULL.

From owner-freebsd-pf@freebsd.org Fri Jun 16 07:48:19 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Fri, 16 Jun 2017 07:48:18 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

--- Comment #8 from Kristof Provost ---
Thanks. I'll start testing this patch.

Can you also take a look at the style(9) remarks in the review (https://reviews.freebsd.org/D11137)?

From owner-freebsd-pf@freebsd.org Fri Jun 16 14:28:31 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Fri, 16 Jun 2017 14:28:31 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

Damjan Jovanovic changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #183512|0                           |1
        is obsolete|                            |

--- Comment #9 from Damjan Jovanovic ---
Created attachment 183534
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=183534&action=edit
pf RFC 4787 req 1 and 3 implementation, version 3

Thank you. Here is version 3, with the style changes, and without an extraneous file added in version 2.
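As an added example that is not code from the bug, the patch or pf itself, the Python model below shows the two mapping behaviours comments #5 to #7 of bug 219803 are about: endpoint-independent mapping (RFC 4787 REQ-1), in which one internal address:port keeps one external port whatever the destination, versus address-and-port-dependent mapping, which hands every destination its own external port. The model also respects REQ-3 (no two internal endpoints ever share one external port) and, like the patch after comment #7, consults the mapping table only for UDP. The class and function names, the addresses and the port range are constructed for this example; pf's real state tables, pfctl syntax and timeouts are not modelled.

```python
"""Toy model of RFC 4787 NAT mapping behaviour (added example, not pf code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """An IP address and transport port (sample values below are constructed)."""
    addr: str
    port: int


class ToyNat:
    """Minimal NAPT mapping table; hypothetical class, not pf's data structures."""

    def __init__(self, external_addr: str, endpoint_independent: bool,
                 first_port: int = 40000, last_port: int = 40099) -> None:
        self.external_addr = external_addr
        self.endpoint_independent = endpoint_independent
        self._next_port = first_port
        self._last_port = last_port
        self._by_key: Dict[tuple, int] = {}                      # mapping key -> external port
        self._by_ext_port: Dict[int, Tuple[str, Endpoint]] = {}  # external port -> (proto, internal)

    def _key(self, proto: str, src: Endpoint, dst: Endpoint) -> tuple:
        # REQ-1 (endpoint-independent mapping): the destination is not part of the
        # key, so one internal addr:port keeps one external port for every peer.
        # As in the patch after comment #7, only UDP goes through the mapping table.
        if self.endpoint_independent and proto == "udp":
            return (proto, src)
        # address-and-port-dependent mapping: every peer gets its own external port
        return (proto, src, dst)

    def _alloc_port(self) -> int:
        # REQ-3: no "port overloading"; every mapping gets a fresh external port,
        # so two internal endpoints can never sit behind the same one.
        if self._next_port > self._last_port:
            raise RuntimeError("external port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet's source; create the mapping on first use."""
        key = self._key(proto, src, dst)
        port = self._by_key.get(key)
        if port is None:
            port = self._alloc_port()
            self._by_key[key] = port
            self._by_ext_port[port] = (proto, src)
        return Endpoint(self.external_addr, port)

    def inbound(self, proto: str, ext_port: int) -> Optional[Endpoint]:
        """Reverse lookup for a packet arriving at the external address (mapping only)."""
        entry = self._by_ext_port.get(ext_port)
        if entry is None or entry[0] != proto:
            return None
        return entry[1]


def compare_mapping_behaviours() -> Dict[str, Dict[str, object]]:
    """Push the same flows through both NAT models and record what differs."""
    host_a = Endpoint("192.0.2.10", 5000)
    host_b = Endpoint("192.0.2.11", 5000)        # another host using the same source port
    peer1 = Endpoint("198.51.100.1", 3478)
    peer2 = Endpoint("198.51.100.2", 3478)
    results: Dict[str, Dict[str, object]] = {}
    for name, eim in (("endpoint-independent", True),
                      ("address-and-port-dependent", False)):
        nat = ToyNat("203.0.113.1", endpoint_independent=eim)
        ext_a1 = nat.outbound("udp", host_a, peer1)
        ext_a2 = nat.outbound("udp", host_a, peer2)
        ext_b1 = nat.outbound("udp", host_b, peer1)
        tcp_a1 = nat.outbound("tcp", host_a, peer1)
        tcp_a2 = nat.outbound("tcp", host_a, peer2)
        results[name] = {
            # REQ-1 holds only in the endpoint-independent model
            "udp_same_port_for_both_peers": ext_a1.port == ext_a2.port,
            # REQ-3 holds in both models: host_b never shares host_a's external port
            "port_overloaded": ext_a1.port == ext_b1.port,
            # TCP bypasses the mapping table in both models
            "tcp_same_port_for_both_peers": tcp_a1.port == tcp_a2.port,
            # the external port maps back to host_a (filtering is not modelled)
            "inbound_to_udp_port": nat.inbound("udp", ext_a1.port),
        }
    return results


if __name__ == "__main__":
    for behaviour, facts in compare_mapping_behaviours().items():
        print(behaviour, facts)
```

The model covers the mapping decision only. Whether an unsolicited inbound packet from a third host is allowed through to the mapped internal endpoint is the separate filtering behaviour of RFC 4787 (REQ-8), which the bug title's "full cone" implies but which this block deliberately leaves out, so that the REQ-1 and REQ-3 properties the comments discuss can be checked on their own.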