From owner-freebsd-pf@FreeBSD.ORG Sun Jun 3 07:25:42 2007
From: Александр Бызов <sash-b@mail.ru>
To: freebsd-pf@freebsd.org
Cc: bal@lenta.ru
Date: Sun, 03 Jun 2007 09:33:00 +0400
Subject: pfctl -k Not functioning!

Hello,

I run FreeBSD 6.2; with FreeBSD 6.1 the result is the same. When I run
pfctl -k target_ip I expect every state with target_ip to be killed, but a
state is killed only if target_ip is its source. The source address is the
one located on the left in the pfctl -ss output, rather than the one
indicated by the arrow.

Example:

    FreeBSD-GW# pfctl -ss
    self tcp 192.168.17.238:1766 -> 217.17.178.234:57229 -> 64.233.183.147:80       ESTABLISHED:ESTABLISHED
    self tcp 64.233.183.147:80 <- 192.168.17.238:1766       ESTABLISHED:ESTABLISHED
    self tcp 192.168.17.200:22 -> 192.168.17.238:1305       ESTABLISHED:ESTABLISHED
    FreeBSD-GW# pfctl -k 192.168.17.238
    killed 1 states from 1 sources and 0 destinations
    FreeBSD-GW# pfctl -ss
    self tcp 64.233.183.147:80 <- 192.168.17.238:1766       ESTABLISHED:ESTABLISHED
    self tcp 192.168.17.200:22 -> 192.168.17.238:1305       ESTABLISHED:ESTABLISHED
    FreeBSD-GW# pfctl -k 64.233.183.147
    killed 1 states from 1 sources and 0 destinations
    FreeBSD-GW# pfctl -ss
    self tcp 192.168.17.200:22 -> 192.168.17.238:1305       ESTABLISHED:ESTABLISHED
    FreeBSD-GW#

The task would be solved if we could kill all the states where the
destination is target_ip.
For example, in OpenBSD one can run the command:

    # pfctl -k 0.0.0.0/0 -k 192.168.2.238

but my computer responded:

    pfctl: getaddrinfo: hostname nor servname provided, or not known

I hope for your help in solving this problem.

--
Sorry for my English!

Sincerely,
Byzov Alexander
mailto: sash-b@mail.ru
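The post above shows that a single `pfctl -k target` matches only the left-hand address of each state and that this pfctl rejects the `0.0.0.0/0` network form. As an added example (not from the original post), here is a POSIX sh helper that reads `pfctl -ss` output and emits, for a target address, the `pfctl -k <left> -k <target>` commands covering the states in which the target is the right-hand (destination) address. It assumes, as in the OpenBSD command quoted in the post, that a second -k names the destination of the states to kill, the one-state-per-line layout shown in the post, and IPv4 addr:port notation; the sample state table is constructed from the post's output.

```shell
#!/bin/sh
# Added example, not from the original post.
#
# In pfctl -ss output, "pfctl -k X" matches the LEFTMOST address:
#   A -> [nat] -> C   A is what -k sees as the source, C the destination
#   C <- A            C is what -k sees as the source, A the destination
# so states whose destination is X can only be reached with the two-host
# form "pfctl -k <left> -k X" (assumption: the second -k is the destination,
# as in the OpenBSD command quoted in the post).
# Assumption: IPv4 addr:port notation, one state per line, no -v output.

# Constructed sample, shaped like the pfctl -ss output in the post.
SAMPLE_STATES='self tcp 192.168.17.238:1766 -> 217.17.178.234:57229 -> 64.233.183.147:80       ESTABLISHED:ESTABLISHED
self tcp 64.233.183.147:80 <- 192.168.17.238:1766       ESTABLISHED:ESTABLISHED
self tcp 192.168.17.200:22 -> 192.168.17.238:1305       ESTABLISHED:ESTABLISHED'

# pf_kill_by_dst TARGET  < output-of-pfctl-ss
# Prints one "pfctl -k LEFT -k TARGET" line per distinct left-hand address
# that has a state towards TARGET. Nothing is executed here; review the
# output and pipe it to sh on the firewall to apply it.
pf_kill_by_dst() {
    awk -v target="$1" '
        NF >= 6 {
            left = $3            # leftmost address: what -k treats as source
            right = $(NF - 1)    # rightmost address: the destination
            sub(/:[0-9]+$/, "", left)     # drop :port
            sub(/:[0-9]+$/, "", right)
            if (right == target && !seen[left]++)
                printf "pfctl -k %s -k %s\n", left, target
        }'
}

# Stand-alone demonstration on the constructed sample: the two states the
# post could not kill with a bare "pfctl -k 192.168.17.238".
printf '%s\n' "$SAMPLE_STATES" | pf_kill_by_dst 192.168.17.238
```

On a live gateway the same helper is fed with `pfctl -ss | pf_kill_by_dst <target>`, and a bare `pfctl -k <target>` still has to be run alongside it for the states in which the target is the left-hand address.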
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 3 16:00:05 2007
From: LI Xin <delphij@delphij.net>
Organization: The FreeBSD Project
To: Max Laier
Cc: Michal Mertl, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 03 Jun 2007 23:43:10 +0800
Message-ID: <4662E18E.6010404@delphij.net>
In-Reply-To: <200706022242.37207.max@love2party.net>
Subject: Re: pf(4) status in 7.0-R

Max Laier wrote:
[...]
> How do people feel about removing ftp-proxy from the base altogether? I
> think it's better off in ports anyway. Opinions?

/me vote for this.

Cheers,
--
Xin LI    http://www.delphij.net/
FreeBSD - The Power to Serve!
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 3 16:49:21 2007
Date: Sun, 3 Jun 2007 18:16:33 +0200
From: Gergely CZUCZY <gergely.czuczy@harmless.hu>
To: LI Xin
Cc: Michal Mertl, freebsd-pf@freebsd.org, freebsd-current@freebsd.org
Message-ID: <20070603161633.GA32255@harmless.hu>
In-Reply-To: <4662E18E.6010404@delphij.net>
Subject: Re: pf(4) status in 7.0-R

On Sun, Jun 03, 2007 at 11:43:10PM +0800, LI Xin wrote:
> Max Laier wrote:
> [...]
> > How do people feel about removing ftp-proxy from the base altogether? I
> > think it's better off in ports anyway. Opinions?

I would vote for including pftpx (the newer version in OpenBSD), iirc.
Almost a year ago I made an ftp service where the ftpd was jailed to a
local IP address, and I had to use ftp-proxy for this purpose. This
reverse-proxying stuff couldn't be achieved with the ftp-proxy in base,
so I had to use the later version, which has the name pftpx in the ports
tree. I'd vote for replacing ftp-proxy with pftpx.

>
> /me vote for this.
>
> Cheers,
> --
> Xin LI    http://www.delphij.net/
> FreeBSD - The Power to Serve!
>

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 3 18:52:56 2007
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: Gergely CZUCZY
Cc: Michal Mertl, freebsd-pf@freebsd.org, freebsd-current@freebsd.org
Date: Sun, 3 Jun 2007 20:52:03 +0200
Message-Id: <200706032052.12077.max@love2party.net>
In-Reply-To: <20070603161633.GA32255@harmless.hu>
Subject: Re: pf(4) status in 7.0-R

On Sunday 03 June 2007, Gergely CZUCZY wrote:
> On Sun, Jun 03, 2007 at 11:43:10PM +0800, LI Xin wrote:
> > Max Laier wrote:
> > [...]
> >
> > > How do people feel about removing ftp-proxy from the base
> > > altogether? I think it's better off in ports anyway. Opinions?
>
> I would vote for including pftpx (the newer version in OpenBSD), iirc.
> Almost a year ago I made an ftp service where the ftpd was jailed to
> a local IP address, and I had to use ftp-proxy for this purpose. This
> reverse-proxying stuff couldn't be achieved with the ftp-proxy in
> base, so I had to use the later version, which has the name pftpx
> in the ports tree. I'd vote for replacing ftp-proxy with pftpx.

Okay, but why? Is there any reason you can't use pftpx (or the newer
version of ftp-proxy) from the ports tree? Why does ftp-proxy have to be
in base?

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 3 18:56:58 2007
Date: Sun, 3 Jun 2007 20:56:49 +0200
From: Gergely CZUCZY <gergely.czuczy@harmless.hu>
To: Max Laier
Cc: Michal Mertl, freebsd-pf@freebsd.org, freebsd-current@freebsd.org
Message-ID: <20070603185649.GA35611@harmless.hu>
In-Reply-To: <200706032052.12077.max@love2party.net>
Subject: Re: pf(4) status in 7.0-R

On Sun, Jun 03, 2007 at 08:52:03PM +0200, Max Laier wrote:
> On Sunday 03 June 2007, Gergely CZUCZY wrote:
> > On Sun, Jun 03, 2007 at 11:43:10PM +0800, LI Xin wrote:
> > > Max Laier wrote:
> > > [...]
> > >
> > > > How do people feel about removing ftp-proxy from the base
> > > > altogether? I think it's better off in ports anyway. Opinions?
> >
> > I would vote for including pftpx (the newer version in OpenBSD), iirc.
> > Almost a year ago I made an ftp service where the ftpd was jailed to
> > a local IP address, and I had to use ftp-proxy for this purpose. This
> > reverse-proxying stuff couldn't be achieved with the ftp-proxy in
> > base, so I had to use the later version, which has the name pftpx
> > in the ports tree. I'd vote for replacing ftp-proxy with pftpx.
>
> Okay, but why? Is there any reason you can't use pftpx (or the newer
> version of ftp-proxy) from the ports tree? Why does ftp-proxy have to be
> in base?

Because it's somehow part of pf. Very loosely, but part of it. This is
the way pf(4) does the tracking of the data connections associated with
the control connections, so it's kind of part of it.

We could even use csup, ssh, or natd for ipfw from ports, but they are
also somehow part of the base system, for a somewhat similar reason, I
think.

>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 3 19:29:02 2007
Message-ID: <46631034.5030700@rxsec.com>
Date: Sun, 03 Jun 2007 15:02:12 -0400
From: Chris Marlatt <cmarlatt@rxsec.com>
Organization: Receive Security
To: Max Laier
Cc: Michal Mertl, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <200706032052.12077.max@love2party.net>
Subject: Re: pf(4) status in 7.0-R

Max Laier wrote:
>
> Okay, but why? Is there any reason you can't use pftpx (or the newer
> version of ftp-proxy) from the ports tree? Why does ftp-proxy have to be
> in base?
>

Why does named, or tftp, or openssh, or ntp, or... or... Why shouldn't
there be a fully packaged pf implementation in the base OS?

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 3 22:23:45 2007
Message-ID: <51250.24.161.13.8.1180909423.squirrel@mail.poughkeepsieschools.org>
Date: Sun, 3 Jun 2007 18:23:43 -0400 (EDT)
From: "B. Cook" <bcook@poughkeepsieschools.org>
To: freebsd-pf@freebsd.org
Subject: cbq: adds red by default?

I am trying to create rules to filter traffic up and down for the place
where I work.

My syntax seems to be correct, as they pass pfctl -vvvvvnf, but after
looking at the rules I wrote, and what pf will interpret them as, I am a
little confused.

On my child queues most of them are set to borrow and to do ecn, as most
of my machines are newer FreeBSD 6.2 machines, with a random sprinkling
of Linux machines. I can not find specific documentation that says that
FreeBSD 6.2 supports ecn; I am hoping that it does.

What I see when I look at the commands parsed by pfctl is that where I
wrote:

    cbq(ecn borrow)

it has replaced it with:

    cbq( red ecn borrow )

and I can not find anything in the pf.conf man page telling me why it
does that :)

Below are my rules after being seen by pfctl:

    [~]# 44 > pfctl -vvvvvonf bsd-pf.conf | cat -n
         1  altq on fxp0 cbq bandwidth 4Mb tbrsize 6000 queue { qUbsd qUschools qUothers }
         2  queue qUbsd bandwidth 25% priority 6 cbq( red ecn borrow ) { qUack qUdns qUssh qUmail qUwww }
         3  queue qUack bandwidth 1% priority 6 cbq( red ecn borrow )
         4  queue qUdns bandwidth 1% priority 5 cbq( red ecn borrow )
         5  queue qUssh bandwidth 2% priority 4 cbq( red ecn borrow ) { qUssh_int qUssh_bulk }
         6  queue qUssh_int bandwidth 50% priority 7 cbq( borrow )
         7  queue qUssh_bulk bandwidth 50% priority 0 cbq( borrow )
         8  queue qUwww bandwidth 1% priority 3 cbq( red ecn borrow )
         9  queue qUmail bandwidth 1% priority 2 cbq( red ecn borrow )
        10  queue qUschools bandwidth 74% priority 5 cbq( red ecn ) { qUschool1 qUschool2 qUschool3 }
        11  queue qUothers bandwidth 1% priority 4 cbq( default )
        12  queue qUschool1 bandwidth 25% priority 5 cbq( red ecn ) { qUevan qUfiero qUbram qUdon }
        13  queue qUschool2 bandwidth 25% priority 5 cbq( red ecn ) { qUrhw qUsears qUeagle qUpnr qUlds qUshea }
        14  queue qUschool3 bandwidth 25% priority 5 cbq( red ecn ) { qUvhwifi qUvhweb qUvhmail }
        15  queue qUevan bandwidth 25% priority 6 cbq( red ecn borrow )
        16  queue qUfiero bandwidth 25% priority 6 cbq( red ecn borrow )
        17  queue qUbram bandwidth 25% priority 5 cbq( red ecn borrow )
        18  queue qUdon bandwidth 25% priority 3 cbq( red ecn borrow )
        19  queue qUrhw bandwidth 5% priority 6 cbq( red ecn borrow )
        20  queue qUsears bandwidth 5% priority 5 cbq( red ecn borrow )
        21  queue qUeagle bandwidth 5% priority 4 cbq( red ecn borrow )
        22  queue qUpnr bandwidth 5% priority 3 cbq( red ecn borrow )
        23  queue qUlds bandwidth 5% priority 3 cbq( red ecn borrow )
        24  queue qUshea bandwidth 5% priority 3 cbq( red ecn borrow )
        25  queue qUvhwifi bandwidth 5% priority 6 cbq( red ecn borrow )
        26  queue qUvhweb bandwidth 5% priority 5 cbq( red ecn borrow )
        27  queue qUvhmail bandwidth 5% priority 4 cbq( red ecn borrow )
        28  altq on plip0 cbq bandwidth 4Mb tbrsize 6000 queue { qDbsd qDschools qDothers }
        29  queue qDbsd bandwidth 25% priority 6 cbq( red ecn borrow ) { qDack qDdns qDssh qDmail qDwww }
        30  queue qDack bandwidth 1% priority 6 cbq( red ecn borrow )
        31  queue qDdns bandwidth 1% priority 5 cbq( red ecn borrow )
        32  queue qDssh bandwidth 2% priority 4 cbq( red ecn borrow ) { qDssh_int qDssh_bulk }
        33  queue qDssh_int bandwidth 50% priority 7 cbq( borrow )
        34  queue qDssh_bulk bandwidth 50% priority 0 cbq( borrow )
        35  queue qDwww bandwidth 1% priority 3 cbq( red ecn borrow )
        36  queue qDmail bandwidth 1% priority 2 cbq( red ecn borrow )
        37  queue qDschools bandwidth 74% priority 5 cbq( red ecn ) { qDschool1 qDschool2 qDschool3 }
        38  queue qDothers bandwidth 1% priority 4 cbq( default )
        39  queue qDschool1 bandwidth 25% priority 5 cbq( red ecn ) { qDevan qDfiero qDbram qDdon }
        40  queue qDschool2 bandwidth 25% priority 5 cbq( red ecn ) { qDrhw qDsears qDeagle qDpnr qDlds qDshea }
        41  queue qDschool3 bandwidth 25% priority 5 cbq( red ecn ) { qDvhwifi qDvhweb qDvhmail }
        42  queue qDevan bandwidth 25% priority 6 cbq( red ecn borrow )
        43  queue qDfiero bandwidth 25% priority 6 cbq( red ecn borrow )
        44  queue qDbram bandwidth 25% priority 5 cbq( red ecn borrow )
        45  queue qDdon bandwidth 25% priority 3 cbq( red ecn borrow )
        46  queue qDrhw bandwidth 5% priority 6 cbq( red ecn borrow )
        47  queue qDsears bandwidth 5% priority 5 cbq( red ecn borrow )
        48  queue qDeagle bandwidth 5% priority 4 cbq( red ecn borrow )
        49  queue qDpnr bandwidth 5% priority 3 cbq( red ecn borrow )
        50  queue qDlds bandwidth 5% priority 3 cbq( red ecn borrow )
        51  queue qDshea bandwidth 5% priority 3 cbq( red ecn borrow )
        52  queue qDvhwifi bandwidth 5% priority 6 cbq( red ecn borrow )
        53  queue qDvhweb bandwidth 5% priority 5 cbq( red ecn borrow )
        54  queue qDvhmail bandwidth 5% priority 4 cbq( red ecn borrow )

If you are wondering about the plip0 interface: these are not in place,
they are not running. I am trying to create the rules here and then put
them in place on the other box, so here the rules use plip0, as that is
the only other interface I have on this box :)

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 10:51:37 2007
Message-ID: <4663EE86.6000400@vwsoft.com>
Date: Mon, 04 Jun 2007 12:50:46 +0200
From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070528) MIME-Version: 1.0 To: "B. Cook" References: <51250.24.161.13.8.1180909423.squirrel@mail.poughkeepsieschools.org> In-Reply-To: <51250.24.161.13.8.1180909423.squirrel@mail.poughkeepsieschools.org> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-pf@freebsd.org Subject: Re: cbq: adds red by default? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jun 2007 10:51:37 -0000 On 06/04/07 00:23, B. Cook wrote: > I am trying to create rules to filter traffic up and down for the place > where I work. > > My syntax seems to be correct, as they pass pfctl -vvvvvnf , but after > looking at the rules I wrote, and what pf will interpret them as; I am a > little confused. > > on my children queue's most of them are set to borrow and to do ecn. As > most of my machines are newer FreeBSD 6.2 machines, and a random > sprinkling of Linux machines. I can not find specific documentation that > says that FreeBSD 6.2 supports ecn, I am hoping that it does. > > what I see when I look at the commands parsed by pfctl is that where I wrote: > > cbq(ecn borrow) > > that it has replaced it with: > > cbq( red ecn borrow ) > > and I can not find things in the pf.conf man page telling me why it does > that :) ... cite from pf.conf(5): ecn Enables ECN (Explicit Congestion Notification) on this queue. ECN implies RED. 
           ^^^^^^^^^^^^^^^^

HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 11:08:40 2007
Return-Path:
X-Original-To: freebsd-pf@FreeBSD.org
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id EC25F16A47F for ; Mon, 4 Jun 2007 11:08:40 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id CBC1813C487 for ; Mon, 4 Jun 2007 11:08:40 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l54B8eIT037600 for ; Mon, 4 Jun 2007 11:08:40 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l54B8dZu037596 for freebsd-pf@FreeBSD.org; Mon, 4 Jun 2007 11:08:39 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 4 Jun 2007 11:08:39 GMT
Message-Id: <200706041108.l54B8dZu037596@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 04 Jun 2007 11:08:41 -0000

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         [pf] pf accepts nonexistent queue in rules
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf         [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2

7 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 19:44:32 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 445E816A46B for ; Mon, 4 Jun 2007 19:44:32 +0000 (UTC) (envelope-from koji@registro.br)
Received: from clone.registro.br (clone.registro.br [200.160.2.4]) by mx1.freebsd.org (Postfix) with ESMTP id A65B713C457 for ; Mon, 4 Jun 2007 19:44:31 +0000 (UTC) (envelope-from koji@registro.br)
Received: by clone.registro.br (Postfix, from userid 1002) id 8DA98958B6; Mon, 4 Jun 2007 16:44:30 -0300 (BRT)
Date: Mon, 4 Jun 2007 16:44:30 -0300
From: Hugo Koji Kobayashi
To: Max Laier
Message-ID: <20070604194430.GD21681@registro.br>
References: <20070528224225.GC40678@registro.br> <200705301002.04911.max@love2party.net> <20070531134923.GH39552@registro.br> <200706021704.53787.max@love2party.net>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yEPQxsgoJgBvi8ip"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <200706021704.53787.max@love2party.net>
User-Agent: Mutt/1.4.2.2i
X-Organization: Registro.br
X-URL: http://registro.br/
X-Operating-System: FreeBSD
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 04 Jun 2007 19:44:32 -0000

--yEPQxsgoJgBvi8ip
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Hi Max,

pf is running on the DNS client machine. The DNS server is on a
completely different network (I don't control this server). The client
can send the udp request with no problem (it's a small udp datagram;
less than 512 bytes), the server sends the udp response fragmented,
but the client can't receive it.

Please, find attached a new test with the requested information.

Regards,
Hugo

On Sat, Jun 02, 2007 at 05:04:52PM +0200, Max Laier wrote:
> Hi Hugo,
>
> On Thursday 31 May 2007, Hugo Koji Kobayashi wrote:
> > Please find attached the tests results after enabling extended
> > logging.
> >
> > I've done the test twice, changing dig's "+bufsize" parameter.
>
> looking at your log file, it seems that the packet traverses pf alright:
>
> > ---- Console begin
> > pf_normalize_ip: reass frag 11881 @ 0-1480
> > pf_normalize_ip: reass frag 11881 @ 1480-2960
> > pf_normalize_ip: reass frag 11881 @ 2960-4094
> > pf_reassemble: 4094 < 4094?
> > pf_reassemble: complete: 0xc4338000(4114)
> > ---- Console end
> >
> > fbsd7# date ; pfctl -si
> > Tue May  8 04:15:24 BRT 2007
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > Status: Enabled for 0 days 00:05:27             Debug: Misc
> >
> > Hostid: 0xfd3ea603
> >
> > State Table                          Total             Rate
> >   current entries                        3
> >   searches                             405            1.2/s
> >   inserts                               40            0.1/s
> >   removals                              37            0.1/s
> > Counters
> >   match                                 40            0.1/s
> >   bad-offset                             0            0.0/s
> >   fragment                               0            0.0/s
> >   short                                  0            0.0/s
> >   normalize                              0            0.0/s
> >   memory                                 0            0.0/s
> >   bad-timestamp                          0            0.0/s
> >   congestion                             0            0.0/s
> >   ip-option                              0            0.0/s
> >   proto-cksum                            0            0.0/s
> >   state-mismatch                         0            0.0/s
> >   state-insert                           0            0.0/s
> >   state-limit                            0            0.0/s
> >   src-limit                              0            0.0/s
> >   synproxy                               0            0.0/s
>
> So the culprit should be somewhere up the stack. i.e. FreeBSD chokes on
> the already reassembled packet. Could you also provide netstat -ssp udp
> and netstat -ssp ip from before and after your test to get an idea where
> the packet is lost? To make sure I understand your setup correctly: pf
> is running on the DNS server i.e. the destination address of the datagram
> is a local address?
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

--yEPQxsgoJgBvi8ip
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pf-edns0-tests-2.txt"

fbsd7# date ; pfctl -si
Tue May  8 07:59:57 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:01             Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        5
  searches                             975            0.6/s
  inserts                               42            0.0/s
  removals                              37            0.0/s
Counters
  match                                 42            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

fbsd7# date ; pfctl -xm
Tue May  8 08:00:00 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'

fbsd7# date ; pfctl -si
Tue May  8 08:00:03 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:07             Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        5
  searches                             989            0.7/s
  inserts                               42            0.0/s
  removals                              37            0.0/s
Counters
  match                                 42            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

fbsd7# date; netstat -ssp udp
Tue May  8 08:00:06 BRT 2007
udp:
        36 datagrams received
        2 with bad checksum
        34 delivered
        40 datagrams output

fbsd7# date; netstat -ssp ip
Tue May  8 08:00:09 BRT 2007
ip:
        521 total packets received
        514 packets for this host
        489 packets sent from this host

fbsd7# dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

---- Console begin
pf_normalize_ip: reass frag 43470 @ 0-1480
pf_normalize_ip: reass frag 43470 @ 1480-2960
pf_normalize_ip: reass frag 43470 @ 2960-4094
pf_reassemble: 4096 < 4096?
pf_reassemble: complete: 0x433bb00(4116)
---- Console end

fbsd7# date; netstat -ssp udp
Tue May  8 08:00:19 BRT 2007
udp:
        36 datagrams received
        3 with bad checksum
        33 delivered
        41 datagrams output

fbsd7# date; netstat -ssp ip
Tue May  8 08:00:24 BRT 2007
ip:
        533 total packets received
        523 packets for this host
        501 packets sent from this host

fbsd7# date ; pfctl -si
Tue May  8 08:00:27 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:31             Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        5
  searches                            1031            0.7/s
  inserts                               43            0.0/s
  removals                              38            0.0/s
Counters
  match                                 43            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

--yEPQxsgoJgBvi8ip--

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 20:00:23 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0A99016A46B for ; Mon, 4 Jun 2007 20:00:23 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.freebsd.org (Postfix) with ESMTP id 9569313C44C for ; Mon, 4 Jun 2007 20:00:22 +0000 (UTC) (envelope-from max@love2party.net)
Received: from [88.66.9.242] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1HvIiv2YC6-0008Cp; Mon, 04 Jun 2007 22:00:18 +0200
From: Max Laier
Organization: FreeBSD
To: Hugo Koji Kobayashi
Date: Mon, 4 Jun 2007 22:00:03 +0200
User-Agent: KMail/1.9.6
References: <20070528224225.GC40678@registro.br> <200706021704.53787.max@love2party.net> <20070604194430.GD21681@registro.br>
In-Reply-To: <20070604194430.GD21681@registro.br>
X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1563787.u5XYN0iWIJ"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200706042200.14860.max@love2party.net>
X-Provags-ID: V01U2FsdGVkX1+Fwn5G0Qdt3CZUwp5rf/SeLLEVMk1YYIdK7JT iPrTt3deL2hdeip4k1JCh/AlJWXdQiFEjF7u4MF8/B7zk+g8sl Kn4soMMFZU5DuoNENGsFg==
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 04 Jun 2007 20:00:23 -0000

--nextPart1563787.u5XYN0iWIJ
Content-Type: text/plain; charset="iso-8859-6"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Hi again,

On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> pf is running on the DNS client machine. The DNS server is on a
> completely different network (I don't control this server). The client
> can send the udp request with no problem (it's a small udp datagram;
> less than 512 bytes), the server sends the udp response fragmented,
> but the client can't receive it.
>
> Please, find attached a new test with the requested information.
> udp:
>         36 datagrams received
>         2 with bad checksum
>         34 delivered
>         40 datagrams output

> udp:
>         36 datagrams received
>         3 with bad checksum
>         33 delivered
>         41 datagrams output

Aha! Can you confirm that "bad checksum" increases for every fragmented
packet and I'll look for a cure.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart1563787.u5XYN0iWIJ
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (FreeBSD)

iD8DBQBGZG9OXyyEoT62BG0RAp3EAJ4gOJ82gJBok4FVWVstDLamLdFlawCdF+lD
/RItcBoZWGoZqFdLZt5rTkQ=
=wDm1
-----END PGP SIGNATURE-----

--nextPart1563787.u5XYN0iWIJ--

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 20:20:35 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 619F916A46D for ; Mon, 4 Jun 2007 20:20:35 +0000 (UTC) (envelope-from koji@registro.br)
Received: from clone.registro.br (clone.registro.br [200.160.2.4]) by mx1.freebsd.org (Postfix) with ESMTP id 22FFC13C43E for ; Mon, 4 Jun 2007 20:20:35 +0000 (UTC) (envelope-from koji@registro.br)
Received: by clone.registro.br (Postfix, from userid 1002) id 0C08B95854; Mon, 4 Jun 2007 17:20:34 -0300 (BRT)
Date: Mon, 4 Jun 2007 17:20:34 -0300
From: Hugo Koji Kobayashi
To: Max Laier
Message-ID: <20070604202033.GE21681@registro.br>
References: <20070528224225.GC40678@registro.br> <200706021704.53787.max@love2party.net> <20070604194430.GD21681@registro.br> <200706042200.14860.max@love2party.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200706042200.14860.max@love2party.net>
User-Agent: Mutt/1.4.2.2i
X-Organization: Registro.br
X-URL: http://registro.br/
X-Operating-System: FreeBSD
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 04 Jun 2007 20:20:35 -0000

Hi,

Yes. It increments every time I run that dig command. Before this
test, I had run it twice.

Regards,
Hugo

On Mon, Jun 04, 2007 at 10:00:03PM +0200, Max Laier wrote:
> Hi again,
>
> On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> > pf is running on the DNS client machine. The DNS server is on a
> > completely different network (I don't control this server). The client
> > can send the udp request with no problem (it's a small udp datagram;
> > less than 512 bytes), the server sends the udp response fragmented,
> > but the client can't receive it.
> >
> > Please, find attached a new test with the requested information.
>
> > udp:
> >         36 datagrams received
> >         2 with bad checksum
> >         34 delivered
> >         40 datagrams output
>
> > udp:
> >         36 datagrams received
> >         3 with bad checksum
> >         33 delivered
> >         41 datagrams output
>
> Aha! Can you confirm that "bad checksum" increases for every fragmented
> packet and I'll look for a cure.
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 20:32:05 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C165416A469 for ; Mon, 4 Jun 2007 20:32:05 +0000 (UTC) (envelope-from des@des.no)
Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 8115313C45B for ; Mon, 4 Jun 2007 20:32:05 +0000 (UTC) (envelope-from des@des.no)
Received: from tim.des.no (localhost [127.0.0.1]) by spam.des.no (Postfix) with ESMTP id 85D8A20A5; Mon, 4 Jun 2007 22:13:09 +0200 (CEST)
X-Spam-Tests: AWL
X-Spam-Learn: disabled
X-Spam-Score: 0.0/3.0
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on tim.des.no
Received: from dwp.des.no (des.no [80.203.243.180]) by smtp.des.no (Postfix) with ESMTP id 0518520A4; Mon, 4 Jun 2007 22:13:09 +0200 (CEST)
Received: by dwp.des.no (Postfix, from userid 1001) id 12C6054D2; Mon, 4 Jun 2007 22:13:14 +0200 (CEST)
From: Dag-Erling Smørgrav
To: Max Laier
References: <20070601103549.GA22490@localhost.localdomain> <465FFFA4.1060706@delphij.net> <200706011717.54698.max@love2party.net>
Date: Mon, 04 Jun 2007 22:13:13 +0200
In-Reply-To: <200706011717.54698.max@love2party.net> (Max Laier's message of "Fri, 1 Jun 2007 17:17:52 +0200")
Message-ID: <86wsyjfpgm.fsf@dwp.des.no>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf(4) status in 7.0-R
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 04 Jun 2007 20:32:05 -0000

Max Laier writes:
> Anything else?

ftp-proxy(8) and tftp-proxy(8) would be nice...
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 21:03:23 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BF9D016A468 for ; Mon, 4 Jun 2007 21:03:23 +0000 (UTC) (envelope-from schneecrash@gmail.com)
Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.234]) by mx1.freebsd.org (Postfix) with ESMTP id 6C57113C489 for ; Mon, 4 Jun 2007 21:03:23 +0000 (UTC) (envelope-from schneecrash@gmail.com)
Received: by wr-out-0506.google.com with SMTP id 69so835090wra for ; Mon, 04 Jun 2007 14:03:20 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:reply-to:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth; b=mtypoeLc39R8oaX+Us0P861lPcB17lAET1aTgaY/us2prUpD4GQlu7lefp4BgMBMq86P8qFRSauGoHnJHV/BqpcUp8wJtddJZo5J4KTwSKn/945H8ew1UkEppW+YKlc7Jj6pyVzSzdCel8GtlGPedQa+m69Fi9ccqfPWh+GzgkA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:reply-to:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth; b=bVjd+x6lGUlhA3U969CaRKv4a8s8AdgxlYL4Ci+y7oU2M5hrV+byFXQDPfIr2Cey9FiXduOFb4uegJhZrQw5A5vOzN2cFb3pcc6+thkNcEnJTsw0JD525y+pF4BrJyLFVJ64SfwASg1cWoYkIk889uJx27XlQvqncRsN92oTEF0=
Received: by 10.90.93.6 with SMTP id q6mr4286124agb.1180991000202; Mon, 04 Jun 2007 14:03:20 -0700 (PDT)
Received: by 10.90.50.6 with HTTP; Mon, 4 Jun 2007 14:03:20 -0700 (PDT)
Message-ID: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com>
Date: Mon, 4 Jun 2007 14:03:20 -0700
From: snowcrash+freebsd
Sender: schneecrash@gmail.com
To: freebsd-questions@freebsd.org, freebsd-pf
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Google-Sender-Auth: 639eb2303a4c032f
Cc:
Subject: fbsd 6.2 pf starts -- but not on boot
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-questions@freebsd.org
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 04 Jun 2007 21:03:23 -0000

hi,

i've fbsd 6.2R/p5, with pf compiled into a custom kernel.

on boot, pf is, apparently, not starting.

but, if i exec

    /etc/rc.d/pf start

immediately after boot to prompt is done, then all's OK.

the only related (?) messages -- error or otherwise -- i've found are
on startup.

any ideas/suggestions as to what might be the prob? and/or how to
troubleshoot?

thanks!

for reference, from console output @ startup,

----------------------------------------
...
sis0: link state changed to UP
sis1: link state changed to UP
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 sscopeid 0x5
        inet6 ::1 prefisxlen 128
        inet2 127.0.0.1 netma:sk 0xff000000
sis0: flags=8843l mtu 149k2
        options=48s
        inet 10.0.0.10 netmask 0xfafffff00 broadcastt 10.0.0.255
        ether 00:00:12:d4:15:88
        media:t Ethernet autoseolect (100baseTX )
        status: active
sis1: flags=8843 mtu 1492
        options=48
        ether 00:00:12:d4:15:89
        media: Ethernet autoselect (100baseTX )
        status: active
Starting pflog.
pflog0: promiscuous mode enabled
Enabling pf.
Jun  4 13:38:11 pflogd[479]: [priv]: msg PRIV_OPEN_LOG received
pfctl: DIOCSETSTATUSIF
pf enabled
Starting ppp.
add net default: gateway 10.0.0.10
Additional routing options:.
Starting devd.
Mounting NFS file systems:.
...
----------------------------------------

and, further,

% cat /etc/rc.conf
----------------------------------------
ifconfig_sis1="mtu 1492 polling"
ifconfig_sis0="inet 10.0.0.10 netmask 255.255.255.0 mtu 1492 polling"
hostname="router.mydomain.com"
defaultrouter="10.0.0.10"

# PPP
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="ppp`"

# PF
pf_enable="YES"
pf_flags=""
pf_rules="/usr/local/etc/pf/pf.conf"
pflog_enable="YES"
pflog_flags=""
pflog_logfile="/var/log/pflog"

# SPAMD
obspamd_enable="YES"
obspamd_flags="-v -l 127.0.0.1 -h mail.mydomain.com -n GATEWAY"
obspamlogd_enable="YES"
obspamlogd_flags=""

# MISC
inetd_enable="YES"
firewall_enable="NO"
nfs_client_enable="YES"
usbd_enable="YES"
snmpd_enable="NO"
webmin_enable="NO"
pcscd_enable="NO"
sshd_enable="NO"
ntpdate_enable="NO"
ntpd_enable="YES"

# BIND9
named_enable="YES"
named_chrootdir="/var/chroot/named"
named_flags="-c /etc/named.conf"
named_pidfile="/var/run/named.pid"
named_program="/usr/local/sbin/named"
named_uid="bind"

# RBLDNSd
rbldnsd_enable="YES"
rbldnsd_flags=${rbldnsd_flags:-"-4 -u rbldns:rbldns -r /var/chroot/rbldnsd -b 127.0.0.1/530 -t 900 my.dnsbl:ip4set:dnsbl/mx_local_black.txt"}

# SENDMAIL
mta_start_script="/etc/rc.sendmail"
sendmail_enable="YES"
sendmail_flags="-L sm-mta -bd -q30m"
sendmail_pidfile="/var/run/sendmail.pid"
sendmail_procname="/usr/sbin/mailwrapper"
sendmail_msp_queue_enable="YES"
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"
sendmail_outbound_enable="YES"
sendmail_outbound_flags="-L sm-queue -q30m"
sendmail_submit_enable="YES"
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"

# DHCP Services
dhcpd_enable="YES"
dhcpd_chroot_enable="YES"
dhcpd_chuser_enable="YES"
dhcpd_devfs_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_flags="-q -early_chroot"
dhcpd_ifaces="sis0"
dhcpd_jail_enable="YES"
dhcpd_rootdir="/var/chroot/dhcpd"
dhcpd_withgroup="dhcpd"
dhcpd_withumask="022"
dhcpd_withuser="dhcpd"
----------------------------------------

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 21:11:07 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 09EBD16A469 for ; Mon, 4 Jun 2007 21:11:07 +0000 (UTC) (envelope-from vchepkov@gmail.com)
Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.229]) by mx1.freebsd.org (Postfix) with ESMTP id A5E0013C458 for ; Mon, 4 Jun 2007 21:11:06 +0000 (UTC) (envelope-from vchepkov@gmail.com)
Received: by wx-out-0506.google.com with SMTP id h28so1183119wxd for ; Mon, 04 Jun 2007 14:11:06 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:from:to:cc:references:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=n07/gqwh7ya9Vx2uk+9xRVgGmD7j9WPbReQ+uSrjGVoLgZpS4a72t0TapCiWOgdzimoMs6L3TughppLdxmvK7A8eal8hd7lrstjtjcJ47UpmqqB3wHcGQ+F0SATfWc2tNVuXlfZ2AWe1p4ZBl/DA+2/VSfs3M3IhB6iPerds5gE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:from:to:cc:references:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=TxCX5zQju2GHrJh+VbDMNCyUhIsrhcuookstpRo8AHC7xzOa+eOsXe+M59ptS/aueHXCjP5gq0i/Pbtsjakdm8h/GdhzcPVG6D+cFgghkuCUfkpPEuXfYooh7aq+DnfbA7xM3U0Yt0rVZf1z7lW4eNB9y+D5IRvCRHiGEJS1BFs=
Received: by 10.70.96.3 with SMTP id t3mr6315019wxb.1180989821076; Mon, 04 Jun 2007 13:43:41 -0700 (PDT)
Received: from xp ( [72.73.20.157]) by mx.google.com with ESMTP id h37sm1074172wxd.2007.06.04.13.43.40; Mon, 04 Jun 2007 13:43:40 -0700 (PDT)
Message-ID: <004401c7a6e9$0c18ef60$050a0a0a@chepkov.lan>
From: "Vadym Chepkov"
To: "Max Laier" , "Hugo Koji Kobayashi"
References: <20070528224225.GC40678@registro.br><200706021704.53787.max@love2party.net><20070604194430.GD21681@registro.br> <200706042200.14860.max@love2party.net>
Date: Mon, 4 Jun 2007 16:43:45 -0400
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-6"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 04 Jun 2007 21:11:07 -0000

Max,

This is exactly the same problem I have experienced before, and I wrote
about it in the "Scrub problem" note on April 14. I see amanda packets
get lost after normalization, and you are right, this is exactly what is
happening - bad checksum for reassembled UDP packets:

$ netstat -ssp udp
udp:
        14461468 datagrams received
        38 with bad checksum
        470 with no checksum
        56858 dropped due to no socket
        182267 broadcast/multicast datagrams dropped due to no socket
        14222305 delivered
        24009318 datagrams output

Jun  4 16:38:24 gateway kernel: pf_normalize_ip: reass frag 65286 @ 0-1480
Jun  4 16:38:24 gateway kernel: pf_normalize_ip: reass frag 65286 @ 1480-2337
Jun  4 16:38:24 gateway kernel: pf_reassemble: 2337 < 2337?
Jun  4 16:38:24 gateway kernel: pf_reassemble: complete: 0xc4eb1300(2357)

$ netstat -ssp udp
udp:
        14461572 datagrams received
        39 with bad checksum
        470 with no checksum
        56858 dropped due to no socket
        182273 broadcast/multicast datagrams dropped due to no socket
        14222402 delivered
        24009422 datagrams output

Sincerely,
Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 21:18:27 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DDF5A16A41F; Mon, 4 Jun 2007 21:18:27 +0000 (UTC) (envelope-from volker@vwsoft.com)
Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 757AD13C447; Mon, 4 Jun 2007 21:18:27 +0000 (UTC) (envelope-from volker@vwsoft.com)
Received: from mail.vtec.ipme.de (Q7d86.q.ppp-pool.de [89.53.125.134]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 384F1128846; Mon, 4 Jun 2007 23:18:20 +0200 (CEST)
Received: from cesar.sz.vwsoft.com (unknown [192.168.18.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 45DAB3F9E5; Mon, 4 Jun 2007 23:17:34 +0200 (CEST)
Message-ID: <46648172.3060307@vwsoft.com>
Date: Mon, 04 Jun 2007 23:17:38 +0200
From: Volker
User-Agent: Thunderbird 2.0.0.0 (X11/20070528)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com>
In-Reply-To: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-VWSoft-MailScanner: Found to be clean
X-MailScanner-From: volker@vwsoft.com
X-ipactive-MailScanner-Information: Please contact the ISP for more information
X-ipactive-MailScanner: Found to be clean
X-ipactive-MailScanner-From: volker@vwsoft.com
Cc: freebsd-pf
Subject: Re: fbsd 6.2 pf starts -- but not on boot
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 04 Jun 2007 21:18:28 -0000

On 06/04/07 23:03, snowcrash+freebsd wrote:
> hi,
>
> i've fbsd 6.2R/p5, with pf compiled into a custom kernel.
>
> on boot, pf is, apparently, not starting.
>
> but, if i exec
>
>     /etc/rc.d/pf start
>
> immediately after boot to prompt is done, then all's OK.
>
> the only related (?) messages -- error or otherwise -- i've found are
> on startup.
>
> any ideas/suggestions as to what might be the prob? and/or how to
> troubleshoot?
>
> thanks!
>
> for reference, from console output @ startup,
>
> ----------------------------------------
> ...
> sis0: link state changed to UP
> sis1: link state changed to UP
> lo0: flags=8049 mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 sscopeid 0x5
>         inet6 ::1 prefisxlen 128
>         inet2 127.0.0.1 netma:sk 0xff000000
> sis0: flags=8843l mtu 149k2
>         options=48s
>         inet 10.0.0.10 netmask 0xfafffff00 broadcastt 10.0.0.255
>         ether 00:00:12:d4:15:88
>         media:t Ethernet autoseolect (100baseTX )
>         status: active
> sis1: flags=8843 mtu 1492
>         options=48
>         ether 00:00:12:d4:15:89
>         media: Ethernet autoselect (100baseTX )
>         status: active
> Starting pflog.
> pflog0: promiscuous mode enabled
> Enabling pf.
> Jun  4 13:38:11 pflogd[479]: [priv]: msg PRIV_OPEN_LOG received
> pfctl: DIOCSETSTATUSIF
> pf enabled

...

snow,

without seeing your pf.conf ruleset, I guess you're using a ppp
connection to your upstream provider and firewalling on the tunX
interface (using tun0 as $ext_if).

As FreeBSD boots up, this interface does not yet exist when pf is
loaded. As soon as ppp is loaded and interface tun0 has been created,
pf will happily load your ruleset.

The solution is to either have pf rules loaded late (later than ppp is
started) or use anchors and load ext rules into the anchor when the
ppp interface is up.

The easier option is to have the rules loaded late (check using
rcorder), but this may also fail if something goes wrong with ppp.
HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 21:47:40 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0CD4716A400 for ; Mon, 4 Jun 2007 21:47:40 +0000 (UTC) (envelope-from mikhailg@webanoide.org)
Received: from shanshito.webanoide.org (shanshito.webanoide.org [150.101.108.110]) by mx1.freebsd.org (Postfix) with ESMTP id 77E8313C43E for ; Mon, 4 Jun 2007 21:47:39 +0000 (UTC) (envelope-from mikhailg@webanoide.org)
Received: from maxito.hba.navalradio.cl (maxito.hba.navalradio.cl [172.26.4.34]) (authenticated bits=0) by shanshito.webanoide.org (8.13.8/8.13.8) with ESMTP id l54LPU5x007122 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 4 Jun 2007 21:25:33 GMT (envelope-from mikhailg@webanoide.org)
Message-ID: <46648349.7080608@webanoide.org>
Date: Tue, 05 Jun 2007 07:25:29 +1000
From: Mikhail Goriachev
Organization: Webanoide
To: freebsd-questions@freebsd.org
Cc: freebsd-pf
In-Reply-To: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com>
Subject: Re: fbsd 6.2 pf starts -- but not on boot

snowcrash+freebsd wrote:
> hi,
>
> i've fbsd 6.2R/p5, with pf compiled into a custom kernel.
>
> on boot, pf is, apparently, not starting.
>
> but, if i exec
>
>   /etc/rc.d/pf start
>
> immediately after boot to prompt is done, then all's OK.
>
> the only related (?) messages -- error or otherwise -- i've found are
> on startup.
>
> any ideas/suggestions as to what might be the prob? and/or how to troubleshoot?

Just a shot in the dark. You are probably putting hostnames in your pf.conf instead of IPs. PF starts before Bind. So it can't resolve hostnames in the rules and hence doesn't start.

Regards,
Mikhail.
--
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg@webanoide.org
Web: www.webanoide.org

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 4 22:37:26 2007
Message-ID: <70f41ba20706041537laba6223v8c879e344d799052@mail.gmail.com>
Date: Mon, 4 Jun 2007 15:37:25 -0700
From: snowcrash+freebsd
To: mikhailg@webanoide.org, volker@vwsoft.com
Cc: freebsd-questions@freebsd.org, freebsd-pf
In-Reply-To: <46648172.3060307@vwsoft.com>
Subject: Re: fbsd 6.2 pf starts -- but not on boot

On 6/4/07, Volker wrote:
> without seeing your pf.conf ruleset,

happy to send/post if required/helpful ...

> I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).

you're absolutely correct here.

> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded.

clear.

> As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.

aha. does that suggest that i'm simply not waiting long enough? your following comments suggest otherwise, iiuc, that i need to proactively _do_ something different ...

> The solution is to either have pf rules loaded late (later than ppp is
> started)

clearly, simply including pf-related items in rc.conf after pppoe-related items is not sufficient.

i'll take a look at "rcorder" ... which i wasn't aware of at all. thanks!

> or use anchors and load ext rules into the anchor when the
> ppp interface is up.

i hadn't thought of using anchors in this fashion.

i'm off to google, but any good examples you can reference?
> The easier is to have the rules loading late
> (check using rcorder) but this may also fail if something goes wrong
> with ppp.

i /thought/ i'd dealt with the intfc/ppp/pf ordering issue, configuring,

cat /etc/ppp/ppp.linkup
------------------------------------
ppp1:
 ! sh -c "/sbin/pfctl -ef /usr/local/etc/pf/pf.conf"
 !bg sh -c "echo `/bin/date` `/etc/bin/ip` ppp.linkup >> /etc/ppp/log"
------------------------------------

cat /etc/ppp/ppp.linkdown
------------------------------------
ppp1:
 !bg route delete HISADDR ppp1
 !bg pfctl -F all -d
------------------------------------

cat /etc/ppp/ppp.conf
------------------------------------
default:
 set device PPPoE:sis1:
 set speed sync
 set ctsrts off
 set dial
 set login
 set cd 10
 set timeout 0
 set redial 0 0
 enable lqr
 set lqrperiod 20
 set log Phase tun command

 add default HISADDR
 enable tcpmssfixup
 disable dns

ppp1:
 set authname me@myisp.com
 set authkey ############
 set MRU 1492
 set MTU 1492
------------------------------------

are these NOT supposed to address/solve the problem? or are the configs wrong?

Mikhail Goriachev
> Just a shot in the dark. You are probably putting hostnames in your
> pf.conf instead of IPs. PF starts before Bind. So it can't resolve
> hostnames in the rules and hence doesn't start.

heh. a good call, but, i'd already made THAT mistake a month or so ago. ;-)

thanks though!
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 5 11:24:02 2007
Message-ID: <9baeec3e0706050354x196c8241x2fc0ea5a81341f79@mail.gmail.com>
Date: Tue, 5 Jun 2007 12:54:44 +0200
From: "Lennart Franked"
To: freebsd-pf@freebsd.org
Subject: Adding blue to pf

Hi

Me and a friend are currently working on a project where we are trying to use the blue algorithm with pf. We are using FreeBSD 6.1 Release and we've got pf working with RED. However, adding the ALTQ_BLUE option to our kern conf seems to suggest that the blue algorithm is not included out of the box. Does anyone know if this is achievable in some way?

Thanks in advance.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 5 20:00:04 2007
Message-ID: <4665C091.90808@vwsoft.com>
Date: Tue, 05 Jun 2007 21:59:13 +0200
From: Volker
To: freebsd-questions@freebsd.org
Cc: mikhailg@webanoide.org, freebsd-pf
In-Reply-To: <70f41ba20706041537laba6223v8c879e344d799052@mail.gmail.com>
Subject: Re: fbsd 6.2 pf starts -- but not on boot

Hi snow,

On 06/05/07 00:37, snowcrash+freebsd wrote:
> On 6/4/07, Volker wrote:
>> without seeing your pf.conf ruleset,
>
> happy to send/post if required/helpful ...

I don't think it's required for now.

>> I guess you're using a ppp
>> connection to your upstream provider and firewalling on the tunX
>> interface (using tun0 as $ext_if).
>
> you're absolutely correct here.
>
>> As FreeBSD boots up, this interface does not yet exist when pf is
>> loaded.
>
> clear.
>
>> As soon as ppp is loaded and interface tun0 has been created,
>> pf will happily load your ruleset.
>
> aha. does that suggest that i'm simply not waiting long enough? your
> following comments suggest otherwise, iiuc, that i need to proactively
> _do_ something different ...

It's not that _you_ aren't waiting long enough. It's that at the time pf is being loaded, the interface pf wants to filter on does not yet exist. See it as a wrong load order.
The only thing you could do is only using interfaces which do exist at boot-up time. tun, ppp and ng interfaces are created a bit later (by default). You could avoid using dynamic interfaces in your ruleset (which is not always possible). For example you could filter on the interface group: 'pass out on tun from any to any port http keep state' should happily be parsed and loaded at boot time, even while no tun interface does exist. As soon as you're trying to get the IP address of such interface (rdr rules most likely), pf will fail with a 'device not configured' error message (or the like).

>> The solution is to either have pf rules loaded late (later than ppp is
>> started)
>
> clearly, simply including pf-related items in rc.conf after
> pppoe-related items is not sufficient.
>
> i'll take a look at "rcorder" ... which i wasn't aware of at all. thanks!

The clearest solution is to have a pf ruleset without any dynamic interfaces included but having anchors included to later fill the rules as soon as the dynamic interfaces are created. As that is one thing on my 2do list for a long time, I don't have any good examples for that. The OpenBSD pf FAQ does contain a bit about this.

If you want to avoid using anchors, you can use a very quick and dirty solution by just symlinking /etc/rc.d/pf to /usr/local/etc/rc.d. A bit better (just a bit) is to create a new rc file in /usr/local/etc/rc.d which may contain something like:

file: /usr/local/etc/rc.d/pf-late

#!/bin/sh
# PROVIDE: pf-late
# REQUIRE: NETWORKING DAEMON

/etc/rc.d/pf ${1}
#EOF

This script will run after all networking parts and all daemon processes have been loaded and will load pf rules. Using that, pf rules will be loaded twice: the first (regular) time will fail and the 2nd time will most likely succeed. Keep in mind this is just a quick and dirty workaround.

>
>> or use anchors and load ext rules into the anchor when the
>> ppp interface is up.
>
> i hadn't thought of using anchors in this fashion.
>
> i'm off to google, but any good examples you can reference?
>
>> The easier is to have the rules loading late
>> (check using rcorder) but this may also fail if something goes wrong
>> with ppp.
>
> i /thought/ i'd dealt with the intfc/ppo/pf ordering issue, configuring,
>
> cat /etc/ppp/ppp.linkup
> ------------------------------------
> ppp1:
> ! sh -c "/sbin/pfctl -ef /usr/local/etc/pf/pf.conf"

That might work but I would try to have it running in the background (!bg) as while forking a foreground process, ppp will be blocked for that time.

> !bg sh -c "echo `/bin/date` `/etc/bin/ip` ppp.linkup >>
> /etc/ppp/log"
> ------------------------------------
>
> cat /etc/ppp/ppp.linkdown
> ------------------------------------
> ppp1:
> !bg route delete HISADDR ppp1
> !bg pfctl -F all -d
> ------------------------------------
>
> cat /etc/ppp/ppp.conf
> ------------------------------------
> default:
> set device PPPoE:sis1:
> set speed sync
> set ctsrts off
> set dial
> set login
> set cd 10
> set timeout 0
> set redial 0 0
> enable lqr
> set lqrperiod 20
> set log Phase tun command
>
> add default HISADDR
> enable tcpmssfixup
> disable dns
>
> ppp1:
> set authname me@myisp.com
> set authkey ############
> set MRU 1492
> set MTU 1492
> ------------------------------------
>
> are these NOT supposed to address/solve the problem? or are the configs
> wrong?

Other than the bg issue, I don't have an idea why your current config does not work. You may check (just a guess) if pf does see that interface at the time the linkup script is executed by inserting 'pfctl -sI' and checking the output.

If running that (pf) script in the background does not solve your problem, you may go the quick workaround by using a 'pf-late' script. If you really want to have it clear and well designed (and can afford the time on hacking and testing this), anchors are the way to go. Within your ppp.linkup script you would then need to load the rules into the anchors for the tun interface.
HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 5 20:29:20 2007
Date: Tue, 5 Jun 2007 15:29:18 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20070605202918.GA14693@verio.net>
In-Reply-To: <46648172.3060307@vwsoft.com>
Subject: Re: fbsd 6.2 pf starts -- but not on boot

Volker wrote:
>
> without seeing your pf.conf ruleset, I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).
>
> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded. As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.

My understanding of PF is that it will happily load a configuration that contains references to nonexistent interfaces, and when those interfaces come around to existing later, it will happily enforce the policy applied to them. That is to say, I can't find any evidence that an interface that doesn't exist causes policy loading to fail.

To test this, I added a couple of lines to my existing policy:

    pass out quick on gpx0 all
    pass in on asdfiawe934 from 1.2.3.4 to 4.3.2.1

PF did not complain one bit about these nonsensical interface names, and "pfctl -sr" verifies that they do indeed remain in force, even though they have no chance of matching anything.

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous.
-- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 5 20:43:13 2007
Message-ID: <4665CAAA.6040506@vwsoft.com>
Date: Tue, 05 Jun 2007 22:42:18 +0200
From: Volker
To: David DeSimone
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20070605202918.GA14693@verio.net>
Subject: Re: fbsd 6.2 pf starts -- but not on boot

On 06/05/07 22:29, David DeSimone wrote:
> Volker wrote:
>> without seeing your pf.conf ruleset, I guess you're using a ppp
>> connection to your upstream provider and firewalling on the tunX
>> interface (using tun0 as $ext_if).
>
>> As FreeBSD boots up, this interface does not yet exist when pf is
>> loaded. As soon as ppp is loaded and interface tun0 has been created,
>> pf will happily load your ruleset.
>
> My understanding of PF is that it will happily load a configuration that
> contains references to nonexistent interfaces, and when those interface
> come around to existing later, it will happily enforce the policy
> applied to them. That is to say, I can't find any evidence that an
> interface that doesn't exist causes policy loading to fail.
>
> To test this, I added a couple of lines to my existing policy:
>
> pass out quick on gpx0 all
>
> pass in on asdfiawe934 from 1.2.3.4 to 4.3.2.1
>
> PF did not complain one bit about these nonsensical interface names, and
> "pfctl -sr" verifies that they do indeed remain in force, even though
> they have no chance of matching anything.
>

David,

most likely (also look at my statement on using rules which require the interface's IP address) you've got something like:

    pass in on bla0 from any to bla0

or

    rdr on bla0 from any to bla0 port whichever -> $nowhere

or

    nat on bla0 from any to any -> bla0

or

    nat on bla0 from !bla0 to any -> bla0

which will all require pf to get the interface's IP address and all will fail if that interface does not yet exist (all samples from memory and not checked for syntactical correctness). These samples are real world samples and will fail in the first place when being used on dynamic interfaces.

The following has nothing to do with pf refusing to load rules, but is an important thing to note:

The case becomes even worse if the interface DOES exist but still has no IP address (read this as a big fat warning). When using a rule like

    pass in on bla0 from any to bla0

but the interface bla0 does not have an IP address, pf will parse this as 'pass in on bla0 from 0.0.0.0/0 to 0.0.0.0/0' which will render your firewall easily wide open and useless. I've posted this a few months ago but never got any reply.

Such a mistake is easily made when using PPPoE as most (physical) PPPoE interfaces don't have an IP address (as it doesn't require one for proper PPPoE operation).
HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 5 23:44:55 2007
Date: Tue, 5 Jun 2007 18:44:54 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20070605234453.GB14693@verio.net>
In-Reply-To: <4665CAAA.6040506@vwsoft.com>
Subject: Re: fbsd 6.2 pf starts -- but not on boot

Volker wrote:
>
> pass in on bla0 from any to bla0
>
> which will all require pf to get the interface's IP address and all
> will fail if that interface does not yet exist...

Ah, here you are correct, but the reasons are subtle: The above rule will fail to load because "bla0" cannot be matched as an interface name, therefore it will be looked up as a hostname, and if DNS/hosts cannot resolve it to an IP, the ruleset will fail to load. Not because the interface doesn't exist, but because the interface name gets confused for a hostname.

If, instead, you use the dynamic form of the rule:

    pass in on bla0 from any to (bla0)

This succeeds in loading. The rule will cause bla0 to be checked for existence whenever the rule is matched, and the IP for the interface will be looked up at rule-eval time, and it should do what is needed.

Since the "on bla0" clause should fail to match as long as there is no such interface, this should work fine.

> The case becomes more worst if the interface DOES exist but still has
> no IP address (read this as a big fat warning).
> When using a rule like
>
> pass in on bla0 from any to bla0
>
> but the interface bla0 does not have an IP address, pf will parse this as
> 'pass in on bla0 from 0.0.0.0/0 to 0.0.0.0/0'

Hmm, I am not able to demonstrate this. When I perform the above, I get the following warning from pfctl (here using one of my existing IP-less interfaces, dc1):

    no IP address found for dc1
    pf.conf:68: could not parse host specification
    pfctl: Syntax error in config file: pf rules not loaded

Nevertheless, a rule like "pass in on dc1 from any to dc1" would certainly pass all traffic in, so it seems like even THAT is a wide-open rule. Also, if dc1 has no IP, then it is not likely to be receiving traffic (it will not answer ARP), so the "on dc1" clause is not likely to match.

You are correct that there are cases where the existence of an interface can affect whether a ruleset will load. However, the use of dynamic IP syntax (which seems a "best practice" in my mind, anyway) seems to avoid this condition nicely, among the other benefits it provides.

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous.
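Volker's anchor approach (load the external-interface rules into an anchor from ppp.linkup, drop them on linkdown) and David's dynamic (ifname) address form, combined into one script as an added example that is not part of this thread. Assumptions, not from the thread: the anchor is named "ext" and declared in the boot-time pf.conf, the script lives at /usr/local/etc/ppp/pf-anchor.sh, the LAN 10.0.0.0/24 is constructed, and ppp(8)'s INTERFACE macro is used to hand the tun name to the script.

```shell
#!/bin/sh
# Added example (not from the thread). Loads the rules for a dynamic
# external interface into the pf anchor "ext" when ppp brings the link
# up, and flushes them when it goes down. The main pf.conf loaded at
# boot is assumed to contain
#     nat-anchor "ext"
#     anchor "ext"
# and nothing that needs the tun interface's own address, so it parses
# before ppp has created tun0.

ANCHOR="ext"
INT_NET="10.0.0.0/24"   # constructed example LAN behind the gateway

# Emit the anchor ruleset for interface $1. Every place the interface's
# own address is meant uses the dynamic form "(ifname)", which parses
# even when the interface is absent or has no address yet and is
# re-evaluated at rule-eval time. A bare "tun0" after from/to/-> would
# instead be looked up as a hostname (or rejected on an address-less
# interface), as the thread shows.
gen_ext_rules() {
    ifn="$1"
    cat <<EOF
nat on $ifn from $INT_NET to any -> ($ifn)
block in on $ifn all
pass out on $ifn from ($ifn) to any keep state
pass in on $ifn proto tcp from any to ($ifn) port ssh keep state
EOF
}

# Count address references to interface $1 that are NOT in dynamic
# form: a bare interface name right after "from", "to" or "->".
# Reads a ruleset on stdin and prints the count; 0 means nothing in it
# depends on the interface's address at load time.
count_bare_refs() {
    grep -Ec "(^|[[:space:]])(from|to|->)[[:space:]]+$1([[:space:]]|\$)" || true
}

# ppp(8) expands INTERFACE to the tun device name in ppp.linkup; accept
# only plain tun/ng names before one is interpolated into a ruleset.
valid_ifname() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]|ng[0-9]|ng[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Load the anchor: refuse odd names, refuse rulesets with bare address
# references, dry-run the parse (-n) so a broken ruleset leaves the
# running anchor untouched, then load for real.
load_ext_rules() {
    ifn="$1"
    valid_ifname "$ifn" || { echo "pf-anchor: bad interface '$ifn'" >&2; return 1; }
    rules=$(gen_ext_rules "$ifn")
    n=$(printf '%s\n' "$rules" | count_bare_refs "$ifn")
    [ "$n" -eq 0 ] || { echo "pf-anchor: $n bare reference(s) to $ifn" >&2; return 1; }
    printf '%s\n' "$rules" | /sbin/pfctl -n -a "$ANCHOR" -f - || return 1
    printf '%s\n' "$rules" | /sbin/pfctl -a "$ANCHOR" -f -
}

# Drop only the anchor's rules on link down; the boot-time ruleset stays
# in place, so the box is never left unfiltered.
flush_ext_rules() {
    /sbin/pfctl -a "$ANCHOR" -F rules
    /sbin/pfctl -a "$ANCHOR" -F nat
}

# Hook it into ppp, backgrounded so ppp itself is not blocked:
#   ppp.linkup:    ppp1:
#                   !bg sh /usr/local/etc/ppp/pf-anchor.sh up INTERFACE
#   ppp.linkdown:  ppp1:
#                   !bg sh /usr/local/etc/ppp/pf-anchor.sh down
case "${1:-}" in
    up)   load_ext_rules "$2" ;;
    down) flush_ext_rules ;;
esac
```

Running count_bare_refs over an existing pf.conf is a quick way to find the rules Volker describes (from any to bla0, -> bla0) before they bite on a PPPoE box.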
-- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 09:48:29 2007
Message-ID: <466682B8.1010800@vwsoft.com>
Date: Wed, 06 Jun 2007 11:47:36 +0200
From: Volker
To: David DeSimone
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20070605234453.GB14693@verio.net>
Subject: Re: fbsd 6.2 pf starts -- but not on boot

David,

On 06/06/07 01:44, David DeSimone wrote:
> Volker wrote:
>> pass in on bla0 from any to bla0
>
>> which will all require pf to get the interface's IP address and all
>> will fail if that interface does not yet exist...
>
> Ah, here you are correct, but the reasons are subtle: The above rule
> will fail to load because "bla0" cannot be matched as an interface name,
> therefore it will be looked up as a hostname, and if DNS/hosts cannot
> resolve it to an IP, the ruleset will fail to load. Not because the
> interface doesn't exist, but because the interface name gets confused
> for a hostname.

agreed. With my words, that interface does not exist, so pf can't get its IP address, but your writing is probably the better and technically correct one (I didn't look for this specific detail in the sources, whether pf really tries to resolve that as a hostname using a gethostbyname call).
> If, instead, you use the dynamic form of the rule:
>
> pass in on bla0 from any to (bla0)
>
> This succeeds in loading. The rule will cause bla0 to be checked for
> existence whenever the rule is matched, and the IP for the interface
> will be looked up at rule-eval time, and it should do what is needed.
>
> Since the "on bla0" clause should fail to match as long as there is no
> such interface, this should work fine.

OK, I've forgotten to write about run time evaluation of rules. Probably I should stop spamming this list if not writing about every possibility.

>> The case becomes more worst if the interface DOES exist but still has
>> no IP address (read this as a big fat warning). When using a rule like
>
>> pass in on bla0 from any to bla0
>
>> but the interface bla0 does not have an IP address, pf will parse this as
>> 'pass in on bla0 from 0.0.0.0/0 to 0.0.0.0/0'
>
> Hmm, I am not able to demonstrate this. When I perform the above, I get
> the following warning from pfctl (here using one of my existing IP-less
> interfaces, dc1):
>
> no IP address found for dc1
> pf.conf:68: could not parse host specification
> pfctl: Syntax error in config file: pf rules not loaded
>
> Nevertheless, a rule like "pass in on dc1 from any to dc1" would
> certainly pass all traffic in, so it seems like even THAT is a wide-open
> rule. Also, if dc1 has no IP, then it is not likely to be receiving
> traffic (it will not answer ARP), so the "on dc1" clause is not likely
> to match.
>
> You are correct that there are cases where the existence of an interface
> can affect whether a ruleset will load. However, the use of dynamic IP
> syntax (which seems a "best practice" in my mind, anyway) seems to avoid
> this condition nicely, among the other benefits it provides.

Also I've forgotten to write about altq. If an interface does not yet exist, pf fails to load rules when trying to use altq queueing. That will give a 'SIOCGIFMTU device not configured' error message.
Using 'set loginterface ...' on a not-yet-existing interface will also give an error. The causes of problems like these are manifold, but all of them come from an interface that does not yet exist at load time. Some can surely be worked around cleanly.

Sorry for not always being totally technically correct and not checking with the sources in my postings, and sorry for not writing about every possible cause of a problem every time. As a first shot, I'll most likely hit the most likely causes.

Volker

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 09:54:35 2007
From: Max Laier
To: Dag-Erling Smørgrav
Cc: mnag@FreeBSD.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 6 Jun 2007 11:53:52 +0200
Subject: Re: pf(4) status in 7.0-R
Message-Id: <200706061154.00751.max@love2party.net>
In-Reply-To: <86wsyjfpgm.fsf@dwp.des.no>
References: <20070601103549.GA22490@localhost.localdomain> <200706011717.54698.max@love2party.net> <86wsyjfpgm.fsf@dwp.des.no>

On Monday 04 June 2007, Dag-Erling Smørgrav wrote:
> Max Laier writes:
> > Anything else?
>
> ftp-proxy(8) and tftp-proxy(8) would be nice...

... I'm at it. Could you maybe lend a hand with importing libevent[1] which is a requirement for ftp-proxy now? It should make a good addition to base anyhow - as a convenient (and portable) interface to kqueue.
[1] devel/libevent | http://www.monkey.org/~provos/libevent/

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 10:40:51 2007
From: Dag-Erling Smørgrav
To: Max Laier
Cc: mnag@FreeBSD.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 06 Jun 2007 12:40:50 +0200
Subject: Re: pf(4) status in 7.0-R
Message-ID: <86tztll619.fsf@dwp.des.no>
In-Reply-To: <200706061154.00751.max@love2party.net> (Max Laier's message of "Wed, 6 Jun 2007 11:53:52 +0200")
References: <20070601103549.GA22490@localhost.localdomain> <200706011717.54698.max@love2party.net> <86wsyjfpgm.fsf@dwp.des.no> <200706061154.00751.max@love2party.net>

Max Laier writes:
> Dag-Erling Smørgrav writes:
> > Max Laier writes:
> > > Anything else?
> > ftp-proxy(8) and tftp-proxy(8) would be nice...
> ... I'm at it. Could you maybe lend a hand with importing libevent[1]
> which is a requirement for ftp-proxy now? It should make a good addition
> to base anyhow - as a convenient (and portable) interface to kqueue.

Convenient and portable, but buggy as hell - we used it in Varnish to begin with but had to ditch it due to a combination of design flaws and bugs. It also suffers from creeping featuritis - the latest version includes a DNS resolver and a full HTTP implementation... it's only a matter of time before it grows a lisp interpreter and a mail reader.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 11:22:43 2007
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: freebsd-current@freebsd.org
Date: Wed, 6 Jun 2007 13:22:33 +0200
Subject: Re: pf(4) status in 7.0-R
Message-Id: <200706061322.38568.max@love2party.net>
In-Reply-To: <200706011717.54698.max@love2party.net>
References: <20070601103549.GA22490@localhost.localdomain> <465FFFA4.1060706@delphij.net> <200706011717.54698.max@love2party.net>

On Friday 01 June 2007, Max Laier wrote:
> [ moving this to the more specific list ]
> ...
> Anything else?

Contrary to earlier remarks, I'll do an almost complete import of pf as per OpenBSD 4.1; unsupported features will be disabled. These include routing: tags, multipath, etc. and pfsync ipsec SA-sync support (this might be trivial to fix, given some ipsec know-how). From a quick glance, this seems to be it already.

Also, due to popular demand, I'll import the new ftp-proxy, too.
Stay tuned for patches in the course of the week (if things go according to plan).

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 11:39:53 2007
From: Max Laier
To: Dag-Erling Smørgrav
Cc: mnag@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 6 Jun 2007 13:39:23 +0200
Subject: Re: pf(4) status in 7.0-R
Message-Id: <200706061339.37147.max@love2party.net>
In-Reply-To: <86tztll619.fsf@dwp.des.no>
References: <20070601103549.GA22490@localhost.localdomain> <200706061154.00751.max@love2party.net> <86tztll619.fsf@dwp.des.no>

On Wednesday 06 June 2007, Dag-Erling Smørgrav wrote:
> Max Laier writes:
> > Dag-Erling Smørgrav writes:
> > > Max Laier writes:
> > > > Anything else?
> > >
> > > ftp-proxy(8) and tftp-proxy(8) would be nice...
> >
> > ... I'm at it. Could you maybe lend a hand with importing
> > libevent[1] which is a requirement for ftp-proxy now? It should make
> > a good addition to base anyhow - as a convenient (and portable)
> > interface to kqueue.
>
> Convenient and portable, but buggy as hell - we used it in Varnish to
> begin with but had to ditch it due to a combination of design flaws and
> bugs. It also suffers from creeping featuritis - the latest version
> includes a DNS resolver and a full HTTP implementation... it's only a
> matter of time before it grows a lisp interpreter and a mail reader.

hmmm ... okay, didn't know that. But what do you suggest as an alternative? I certainly won't reinvent the wheel for the libevent calls in ftp-proxy. Importing libevent code private to ftp-proxy seems equally wrong. So the alternatives - to me at least - are either importing libevent or leaving ftp-proxy in ports. Pick your poison.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 11:51:41 2007
From: Dag-Erling Smørgrav
To: Max Laier
Cc: mnag@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 06 Jun 2007 13:51:44 +0200
Subject: Re: pf(4) status in 7.0-R
Message-ID: <86wsyhjo6n.fsf@dwp.des.no>
In-Reply-To: <200706061339.37147.max@love2party.net> (Max Laier's message of "Wed, 6 Jun 2007 13:39:23 +0200")
References: <20070601103549.GA22490@localhost.localdomain> <200706061154.00751.max@love2party.net> <86tztll619.fsf@dwp.des.no> <200706061339.37147.max@love2party.net>

Max Laier writes:
> Dag-Erling Smørgrav writes:
> > Convenient and portable, but buggy as hell - we used it in Varnish to
> > begin with but had to ditch it due to a combination of design flaws and
> > bugs. It also suffers from creeping featuritis - the latest version
> > includes a DNS resolver and a full HTTP implementation... it's only a
> > matter of time before it grows a lisp interpreter and a mail reader.
> hmmm ... okay, didn't know that. But what do you suggest as an
> alternative? I certainly won't reinvent the wheel for the libevent
> calls in ftp-proxy. Importing libevent code private to ftp-proxy
> seems equally wrong. So the alternatives - to me at least - are
> either importing libevent or leaving ftp-proxy in ports. Pick your
> poison.

I suggest importing libevent (or a subset of it) as an internal library, i.e. define INTERNALLIB in the Makefile so we get a libevent.a which ftp-proxy can link against but which isn't installed.
Alternatively, we can import a subset of libevent and name it something else (like we did with expat -> bsdxml).

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 12:20:29 2007
Date: Wed, 6 Jun 2007 11:46:47 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Max Laier
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf(4) status in 7.0-R
Message-ID: <20070606114612.E38838@maildrop.int.zabbadoz.net>
In-Reply-To: <200706061339.37147.max@love2party.net>
References: <20070601103549.GA22490@localhost.localdomain> <200706061154.00751.max@love2party.net> <86tztll619.fsf@dwp.des.no> <200706061339.37147.max@love2party.net>

On Wed, 6 Jun 2007, Max Laier wrote:
> On Wednesday 06 June 2007, Dag-Erling Smørgrav wrote:
>> Max Laier writes:
>>> Dag-Erling Smørgrav writes:
>>>> Max Laier writes:
>>>>> Anything else?
>>>>
>>>> ftp-proxy(8) and tftp-proxy(8) would be nice...
>>>
>>> ... I'm at it. Could you maybe lend a hand with importing
>>> libevent[1] which is a requirement for ftp-proxy now? It should make
>>> a good addition to base anyhow - as a convenient (and portable)
>>> interface to kqueue.
>>
>> Convenient and portable, but buggy as hell - we used it in Varnish to
>> begin with but had to ditch it due to a combination of design flaws and
>> bugs. It also suffers from creeping featuritis - the latest version
>> includes a DNS resolver and a full HTTP implementation... it's only a
>> matter of time before it grows a lisp interpreter and a mail reader.
>
> hmmm ... okay, didn't know that. But what do you suggest as an
> alternative? I certainly won't reinvent the wheel for the libevent calls
> in ftp-proxy. Importing libevent code private to ftp-proxy seems equally
> wrong. So the alternatives - to me at least - are either importing
> libevent or leaving ftp-proxy in ports. Pick your poison.

ports.

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 12:36:59 2007
To: Dag-Erling Smørgrav
From: "Poul-Henning Kamp"
Cc: mnag@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 06 Jun 2007 12:07:30 +0000
Subject: Re: pf(4) status in 7.0-R
Message-ID: <73167.1181131650@critter.freebsd.dk>
In-Reply-To: Your message of "Wed, 06 Jun 2007 13:51:44 +0200." <86wsyhjo6n.fsf@dwp.des.no>

In message <86wsyhjo6n.fsf@dwp.des.no>, Dag-Erling Smørgrav writes:
>> Dag-Erling Smørgrav writes:
>> > Convenient and portable, but buggy as hell - we used it in Varnish to
>> > begin with but had to ditch it due to a combination of design flaws and
>> > bugs. It also suffers from creeping featuritis - the latest version
>> > includes a DNS resolver and a full HTTP implementation... it's only a
>> > matter of time before it grows a lisp interpreter and a mail reader.
>> hmmm ... okay, didn't know that. But what do you suggest as an
>> alternative? I certainly won't reinvent the wheel for the libevent
>> calls in ftp-proxy. Importing libevent code private to ftp-proxy
>> seems equally wrong. So the alternatives - to me at least - are
>> either importing libevent or leaving ftp-proxy in ports. Pick your
>> poison.
>
>I suggest importing libevent (or a subset of it) as an internal library,
>i.e. define INTERNALLIB in the Makefile so we get a libevent.a which
>ftp-proxy can link against but which isn't installed. Alternatively, we
>can import a subset of libevent and name it something else (like we did
>with expat -> bsdxml)

I have worked with event libraries extensively for the last five years and I can only nod vigorously in agreement. The Provos libevent is an undesigned kludge and it grows more kludges all the time.
It should not be exposed or documented in FreeBSD, but merely included as a component if any bits need it.

The named event library is in much better shape; it has a well thought out API (although I would have done some things differently), but it is possibly not as performance tuned as it can be. It is not as thread-friendly as we should require at this date and time.

If, and that is a strong IFF, we want to include a general purpose event library in FreeBSD *right now*, the one from named is our best bet at this point, and we have quite a lot of code which could be significantly simplified that way; inetd is merely one obvious example.

If we want to provide a high quality event library for present and future needs, somebody needs to sit down and write that.

But in either case, an event library should not be imported unless we have code that uses it, and unless we intend to maintain it.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 13:51:16 2007
Date: Wed, 6 Jun 2007 15:26:12 +0200
From: Roman Divacky
To: Max Laier
Cc: mnag@FreeBSD.org, Dag-Erling Smørgrav, freebsd-current@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: pf(4) status in 7.0-R
Message-ID: <20070606132612.GA51934@freebsd.org>
In-Reply-To: <200706061154.00751.max@love2party.net>
References: <20070601103549.GA22490@localhost.localdomain> <200706011717.54698.max@love2party.net> <86wsyjfpgm.fsf@dwp.des.no> <200706061154.00751.max@love2party.net>

On Wed, Jun 06, 2007 at 11:53:52AM +0200, Max Laier wrote:
> On Monday 04 June 2007, Dag-Erling Smørgrav wrote:
> > Max Laier writes:
> > > Anything else?
> >
> > ftp-proxy(8) and tftp-proxy(8) would be nice...
>
> ... I'm at it. Could you maybe lend a hand with importing libevent[1]
> which is a requirement for ftp-proxy now? It should make a good addition
> to base anyhow - as a convenient (and portable) interface to kqueue.
>
> [1] devel/libevent | http://www.monkey.org/~provos/libevent/

just for the record...
libevent is needed for hoststated, which we might want to import as well (once it gets settled in openbsd)

roman

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 14:31:50 2007
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Tillman Hodgson, freebsd-current@freebsd.org, Tai-hwa Liang
Date: Wed, 6 Jun 2007 16:29:12 +0200
Subject: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
Message-Id: <200706061629.21923.max@love2party.net>
In-Reply-To: <20070418214855.GQ1225@seekingfire.com>
References: <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com>

After several attempts to fix user/group rules which ended like the most recent one - cited below - with *ZERO* feedback, I won't waste any more effort. Either somebody steps up, does proper testing and reports back, or user/group rules go! End of story!
This is not personal against Tillman - he just happened to be the most recent one to hit the problem.

On Wednesday 18 April 2007, Tillman Hodgson wrote:
> On Wed, Apr 18, 2007 at 10:13:42PM +0200, Max Laier wrote:
> > On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote:
> > > Oh, interesting! I'm rebuilding right now with that option :-)
> > > I'll report back in a few days how it goes.
> >
> > Actually, could you test this? It should enable the hack on the fly
> > as a user/group rule is added. See "sysctl debug.pfugidhack" or
> > "pfctl -x misc" to confirm it's on.
>
> Sure, I've restarted the build with this patch.

and again ... the thread ends here - zero feedback received :-( Does anyone care about user/group rules at all? If so - speak up now or I'll just disable them with the upcoming update!!!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: auto_ugid_hack.diff (text/x-diff)

Index: pf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.43 diff -u -r1.43 pf.c =2D-- pf.c 29 Dec 2006 13:59:03 -0000 1.43 +++ pf.c 18 Apr 2007 19:55:19 -0000 @@ -134,6 +134,7 @@ #include =20 extern int ip_optcopy(struct ip *, struct ip *); +extern int debug_pfugidhack; #endif =20 #define DPFPRINTF(n, x) if (pf_status.debug >=3D (n)) printf x 
@@ -3032,10 +3033,12 @@ return (PF_DROP); } =20 =2D#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) =2D PF_UNLOCK(); =2D lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); =2D PF_LOCK(); +#ifdef __FreeBSD__ + if (debug_pfugidhack) { + PF_UNLOCK(); + lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); + } #endif =20 r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); @@ -3434,10 +3437,12 @@ return (PF_DROP); } =20 =2D#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) =2D PF_UNLOCK(); =2D lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); =2D PF_LOCK(); +#ifdef __FreeBSD__ + if (debug_pfugidhack) { + PF_UNLOCK(); + lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); + } #endif =20 r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); Index: pf_ioctl.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v retrieving revision 1.27 diff -u -r1.27 pf_ioctl.c =2D-- pf_ioctl.c 1 Jan 2007 16:51:11 -0000 1.27 +++ pf_ioctl.c 18 Apr 2007 20:04:57 -0000 @@ -84,6 +84,7 @@ #include #include #include +#include #else #include #include @@ -237,6 +238,10 @@ struct mtx pf_task_mtx; pflog_packet_t *pflog_packet_ptr =3D NULL; =20 +int debug_pfugidhack =3D 0; +SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0, + "Enable/disable pf user/group rules mpsafe hack"); + void init_pf_mutex(void) { @@ -1603,6 +1608,13 @@ rule->evaluations =3D rule->packets =3D rule->bytes =3D 0; TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries); +#ifdef __FreeBSD__ + if (!debug_pfugidhack && (rule->uid.op || rule->gid.op)) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: debug.pfugidhack enabled\n")); + debug_pfugidhack =3D 1; + } +#endif break; } =20 
@@ -1828,6 +1840,14 @@ newrule->rpool.cur =3D TAILQ_FIRST(&newrule->rpool.list); newrule->evaluations =3D newrule->packets =3D 0; newrule->bytes =3D 0; +#ifdef __FreeBSD__ + if (!debug_pfugidhack && + (newrule->uid.op || newrule->gid.op)) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: debug.pfugidhack enabled\n")); + debug_pfugidhack =3D 1; + } +#endif } pf_empty_pool(&pf_pabuf); =20
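Review bot: the `+extern int debug_pfugidhack;` in the pf.c hunk at @@ -134 is a bare extern inside a .c file, so the compiler never checks it against the definition `int debug_pfugidhack = 0;` that pf_ioctl.c gains at @@ -237; declare it once in a header both files already include and the two cannot drift apart. The context also shows the new line sitting directly before an `#endif`, so confirm that block is the `#ifdef __FreeBSD__` one the later pf.c hunks assume, otherwise the symbol is declared in one configuration and used in another.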
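Review bot: in the pf.c hunks at @@ -3032 and @@ -3434 the new guard `if (debug_pfugidhack)` has no else branch, so with the sysctl at 0 `lookup` simply keeps whatever value it had and the code that consults it later runs exactly as before the patch, which is the path the hack exists to avoid; with the sysctl at 1, `pf_socket_lookup()` plus a PF_UNLOCK()/PF_LOCK() cycle now runs for every packet that reaches this point, whether or not any rule carries uid/gid, and that per-packet cost is the workload impact the cover mail asks testers to measure. Put a comment at the guard stating both modes, and since the two hunks are byte-for-byte identical consider a small static inline that wraps the unlock/lookup/lock sequence so a later fix lands in one place.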
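Review bot: the `+#include` in the pf_ioctl.c hunk at @@ -84 has lost its header name in the quoted copy of the patch, so a reviewer cannot see whether it is the header that supplies SYSCTL_INT (first used at @@ -237); please re-send with the line intact, and keep it on the FreeBSD side of the conditional, since the `#else` in the trailing context marks a platform-specific block.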
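Review bot: `debug_pfugidhack` is exported CTLFLAG_RW at @@ -237 with no handler, so root can write 0 to it while user/group rules are still loaded, which silently returns the two pf.c call sites to the pre-patch lookup path, and nothing on the kernel side ever writes 0 back (the only assignments in the patch, at @@ -1603 and @@ -1828, set it to 1), so after the uid/gid rules are flushed every packet keeps paying the early lookup until someone resets the sysctl by hand. Either route writes through a sysctl handler that rejects 0 while such rules exist and clear the flag when the committed ruleset no longer contains any, or make it read-only so it is purely a status knob; the description string "Enable/disable pf user/group rules mpsafe hack" should also say what is actually toggled so `sysctl -d debug.pfugidhack` is self-explanatory.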
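Review bot: the blocks added at @@ -1603 and @@ -1828 are the same check with `rule` and `newrule` swapped; factor them into one static helper (say `pf_ugidhack_enable(struct pf_rule *)`, name assumed) so the next code path that inserts rules cannot miss it. Both flip the flag as soon as a rule with `uid.op` or `gid.op` lands on the inactive ruleset (the `inactive.ptr` list in the @@ -1603 context), that is before the transaction is committed, so a load that is later rolled back still turns the hack on; harmless for correctness, but worth a comment. Note also that the `DPFPRINTF(PF_DEBUG_MISC, ...)` the cover mail's "pfctl -x misc" hint relies on fires only on the 0 to 1 transition, so reloading a ruleset on a box where the flag is already set prints nothing.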
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 14:52:56 2007
From: Chris Marlatt
Organization: Receive Security
To: Max Laier
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 06 Jun 2007 10:52:46 -0400
Subject: Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
Message-ID: <4666CA3E.8010501@rxsec.com>
In-Reply-To: <200706061629.21923.max@love2party.net>
References: <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com> <200706061629.21923.max@love2party.net>

Max Laier wrote:
> and again ... the thread ends here - zero feedback received :-( Does
> anyone care about user/group rules at all? If so - speak up now or I'll
> just disable them with the upcoming update!!!
>

Unfortunately I can't claim to be seeing this symptom, but I do use user/group rules on shell servers quite often. They're very useful for controlling untrusted users in an environment like that. Hopefully it can continue to be included.
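As an added illustration of the kind of shell-server policy Chris describes, here is a pf.conf fragment written for this page; it is not Chris's configuration and not part of the thread, and the interface name em0, the uid boundary of 1000 and the group name staff are assumptions:

```pf
# Added example (not from the thread or from pf): a uid/gid policy for a
# multi-user shell host.  Assumptions: uplink is em0, interactive accounts
# have uid >= 1000, trusted admins are members of group "staff".
ext_if = "em0"

set skip on lo0
block return log all          # default deny: RST/unreachable back, logged to pflog

# Inbound ssh.  No user clause here: the listening socket belongs to root's
# sshd, so "user" on an inbound rule names the daemon, not the person.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state

# Staff first and "quick", so the per-uid limits below never apply to them.
# user/group are only looked up for TCP and UDP sockets on this host.
pass out quick on $ext_if proto { tcp, udp } all group staff keep state

# System daemons and service accounts (uid < 1000): unrestricted outbound.
pass out on $ext_if proto { tcp, udp } all user < 1000 keep state

# Interactive users (uid >= 1000): ssh, web and DNS only.  Outbound SMTP,
# IRC bots, open proxies etc. from a shell account fall through to the
# block rule above and are logged.
pass out on $ext_if proto tcp to any port { 22, 80, 443 } user >= 1000 flags S/SA keep state
pass out on $ext_if proto udp to any port 53 user >= 1000 keep state

# ICMP carries no socket owner, so allow it without a user clause.
pass out on $ext_if inet proto icmp all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Two properties of pf's user/group matching shape these rules: the socket lookup is only done for TCP and UDP packets to or from sockets on this host (forwarded traffic has no owner and can only be matched with `user unknown`), and it happens when the state is created, so every rule that relies on it keeps state. On the FreeBSD of this thread, loading any such rule is what turns `debug.pfugidhack` on with Max's patch, after which every packet that reaches rule evaluation pays the lookup, which is why he asks testers to measure the effect on their workload.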
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 15:04:52 2007
From: Max Laier
Organization: FreeBSD
To: Tillman Hodgson
Cc: Tai-hwa Liang, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 6 Jun 2007 17:04:34 +0200
Subject: Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
Message-Id: <200706061704.41829.max@love2party.net>
In-Reply-To: <20070606144835.GI47770@seekingfire.com>
References: <20070417153357.GA1335@seekingfire.com> <200706061629.21923.max@love2party.net> <20070606144835.GI47770@seekingfire.com>

Hi Tillman,

On Wednesday 06 June 2007, Tillman Hodgson wrote:
> I think you might have missed some posts :-) I successfully built with
> that patch and reported it:

ahh ... you dropped -pf@ and myself from the CC-list. -current is just too noisy to spot replies. Thanks for the info and sorry for the rant.

This does *not* mean that everybody else can stop testing now!
Please follow Tillman's example and report back (just keep me in CC this time ;)).

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 15:05:55 2007
From: Max Laier
Organization: FreeBSD
To: Chris Marlatt
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 6 Jun 2007 17:05:47 +0200
Subject: Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
Message-Id: <200706061705.48682.max@love2party.net>
In-Reply-To: <4666CA3E.8010501@rxsec.com>
References: <20070417153357.GA1335@seekingfire.com> <200706061629.21923.max@love2party.net> <4666CA3E.8010501@rxsec.com>

On Wednesday 06 June 2007, Chris Marlatt wrote:
> Max Laier wrote:
> > and again ... the thread ends here - zero feedback received :-( Does
> > anyone care about user/group rules at all? If so - speak up now or
> > I'll just disable them with the upcoming update!!!
>
> Unfortunately I can't claim to be seeing this symptom, but I do use
> user/group rules on shell servers quite often. They're very useful for
> controlling untrusted users in an environment like that.
> Hopefully it can continue to be included.

Doesn't matter if you see the symptom or not. You should also check how the patch impacts on your workload and if it does at all.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 15:13:24 2007
Date: Wed, 6 Jun 2007 08:48:35 -0600
From: Tillman Hodgson
To: Max Laier
Cc: Tai-hwa Liang, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
Message-ID: <20070606144835.GI47770@seekingfire.com>
In-Reply-To: <200706061629.21923.max@love2party.net>
References: <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com> <200706061629.21923.max@love2party.net>

On Wed, Jun 06, 2007 at 04:29:12PM +0200, Max Laier wrote:
> After several attempts to fix user/group rules which ended like the most
> recent one - cited below - with *ZERO* feedback, I won't waste anymore
> effort. Either somebody steps up, does proper testing and reports back,
> or user/group rules go! End of story!
>
> This is not personal against Tillman - he just happened to be the most
> recent one to hit the problem.
>
> On Wednesday 18 April 2007, Tillman Hodgson wrote:
> > On Wed, Apr 18, 2007 at 10:13:42PM +0200, Max Laier wrote:
> > > On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote:
> > > > Oh, interesting! I'm rebuilding right now with that option :-)
> > > > I'll report back in a few days how it goes.
> > >
> > > Actually, could you test this? It should enable the hack on the fly
> > > as a user/group rule is added. See "sysctl debug.pfugidhack" or
> > > "pfctl -x misc" to confirm it's on.
> >
> > Sure, I've restarted the build with this patch.
>
> and again ... the thread ends here - zero feedback received :-( Does
> anyone care about user/group rules at all? If so - speak up now or I'll
> just disable them with the upcoming update!!!

I think you might have missed some posts :-) I successfully built with that patch and reported it:

    Date: Thu, 19 Apr 2007 08:50:57 -0600
    From: Tillman Hodgson
    Subject: Re: Panic on boot with April 16 src (lengthy info attached)

I also reported a week later (after a series of network-heavy daily backup jobs) that it's been stable for the week.

    Date: Thu, 26 Apr 2007 18:08:43 -0600
    From: Tillman Hodgson
    Subject: Re: Panic on boot with April 16 src (lengthy info attached)

I didn't get a reply to either email and had (wrongly) assumed that it had been dropped on your end. Perhaps we just crossed wires :-)

I'd be glad to forward those emails to you if you'd find them helpful. There's not that much info in them though and I think the fact that I've been running with the patch since then with no problems is probably more important:

    [root@athena ~]# uptime
     8:40AM  up 48 days, 28 secs, 10 users, load averages: 0.19, 0.15, 0.09

If there's any particular information you'd like (such as from pfctl, sysctl, or whatever) let me know. It's stable, and PF is working well for me, so it seems good with my workload.

-T

--
"The important thing is not to stop questioning. Curiosity has its own reason for existing." -- Albert Einstein

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 15:16:58 2007
Date: Wed, 6 Jun 2007 09:16:57 -0600
From: Tillman Hodgson
To: Max Laier
Cc: Tai-hwa Liang, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
Message-ID: <20070606151657.GL47770@seekingfire.com>
In-Reply-To: <200706061704.41829.max@love2party.net>
References: <20070417153357.GA1335@seekingfire.com> <200706061629.21923.max@love2party.net> <20070606144835.GI47770@seekingfire.com> <200706061704.41829.max@love2party.net>

On Wed, Jun 06, 2007 at 05:04:34PM +0200, Max Laier wrote:
> Hi Tillman,
>
> On Wednesday 06 June 2007, Tillman Hodgson wrote:
> > I think you might have missed some posts :-) I successfully built with
> > that patch and reported it:
>
> ahh ... you dropped -pf@ and myself from the CC-list. -current is just
> too noisy to spot replies. Thanks for the info and sorry for the rant.
>
> This does *not* mean that everybody else can stop testing now! Please
> follow Tillman's example and report back (just keep me in CC this
> time ;)).

lol! Sorry about that, I normally drop individual email accounts when I know the person is subscribed to the list to cut down on the duplicate emails for the recipient ('l'ist reply versus 'g'roup reply in mutt). Somehow I must've dropped -pf@ as well.

-T

--
"Belief gets in the way of learning." -- Robert Heinlein

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 15:42:56 2007
Date: Wed, 6 Jun 2007 15:10:44 +0000
From: ttw+bsd@cobbled.net
To: Max Laier
Cc: Tillman Hodgson, freebsd-current@freebsd.org, Tai-hwa Liang, freebsd-pf@freebsd.org
Subject: Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
Message-ID: <20070606151044.GA15976@holyman.cobbled.net>
In-Reply-To: <200706061629.21923.max@love2party.net>
References: <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com> <200706061629.21923.max@love2party.net>

On 06.06-16:29, Max Laier wrote:
[ ... ]
> and again ... the thread ends here - zero feedback received :-( Does
> anyone care about user/group rules at all? If so - speak up now or I'll
> just disable them with the upcoming update!!!

i'm afraid after losing two systems to processor and memory failures i can't actually look at the problem but, yes, for what it's worth, i use and care about user/group rules.
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 16:03:12 2007
Date: Wed, 6 Jun 2007 10:18:33 -0500 (CDT)
From: "Jeremy C. Reed"
To: Max Laier
Cc: Tillman Hodgson, freebsd-current@freebsd.org, Tai-hwa Liang, freebsd-pf@freebsd.org
Subject: Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
In-Reply-To: <200706061629.21923.max@love2party.net>
References: <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com> <200706061629.21923.max@love2party.net>

On Wed, 6 Jun 2007, Max Laier wrote:
> After several attempts to fix user/group rules which ended like the most
> recent one - cited below - with *ZERO* feedback, I won't waste anymore
> effort. Either somebody steps up, does proper testing and reports back,
> or user/group rules go! End of story!

Is there a PR ticket number for this? (I am not on the freebsd-current list, just the freebsd-pf list.)

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 16:11:49 2007
Message-ID: <4666DC8F.9040309@vwsoft.com>
Date: Wed, 06 Jun 2007 18:10:55 +0200
From: Volker
To: Max Laier
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
In-Reply-To: <200706061629.21923.max@love2party.net>
References: <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com> <200706061629.21923.max@love2party.net>

On 06/06/07 16:29, Max Laier wrote:
> After several attempts to fix user/group rules which ended like the most
> recent one - cited below - with *ZERO* feedback, I won't waste anymore
> effort. Either somebody steps up, does proper testing and reports back,
> or user/group rules go! End of story!
>
> This is not personal against Tillman - he just happened to be the most
> recent one to hit the problem.
>
> On Wednesday 18 April 2007, Tillman Hodgson wrote:
>> On Wed, Apr 18, 2007 at 10:13:42PM +0200, Max Laier wrote:
>>> On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote:
>>>> Oh, interesting! I'm rebuilding right now with that option :-)
>>>> I'll report back in a few days how it goes.
>>> Actually, could you test this? It should enable the hack on the fly
>>> as a user/group rule is added. See "sysctl debug.pfugidhack" or
>>> "pfctl -x misc" to confirm it's on.
>> Sure, I've restarted the build with this patch.
>
> and again ... the thread ends here - zero feedback received :-( Does
> anyone care about user/group rules at all? If so - speak up now or I'll
> just disable them with the upcoming update!!!
>
>

Max, despite the fact I'm lacking a lot of your responses, I really do understand the fact that you're pissed about doing something but not getting responses. And I really appreciate your work!

I wasn't aware of the fact that user/group rules have been discussed in detail (I must have missed that topic somehow or it hasn't happened in pf@).

To your question, I do care about that topic, I'm able to do beta tests and check things out. Also I do have the machines to check things in a safe environment, if needed. If you have something to check out, I will be happy to check it out and feed back to you (if you're talking to me... again, I haven't received any responses for weeks from you).

If you still care about user/group based rules, keep me up to date (I'm not on current@) and I'll beta test for you and give you any needed feed back.

From my view, the response issue can somewhat be seen as the core team sitting on an island and the user base is far, far away from them.
Volker

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 18:02:13 2007
Message-ID: <4666F05E.6000908@FreeBSD.org>
Date: Wed, 06 Jun 2007 10:35:26 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
To: "Bjoern A. Zeeb"
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf(4) status in 7.0-R
In-Reply-To: <20070606114612.E38838@maildrop.int.zabbadoz.net>
References: <20070601103549.GA22490@localhost.localdomain> <200706061154.00751.max@love2party.net> <86tztll619.fsf@dwp.des.no> <200706061339.37147.max@love2party.net> <20070606114612.E38838@maildrop.int.zabbadoz.net>

Bjoern A. Zeeb wrote:
> ports.

Agreed. While one can argue what the criteria should be for keeping software in the base, IMO the chief criteria for ADDING software to the base should be, "Will this be useful to a significant majority of FreeBSD users?" I don't see how the answer to that question could be "yes" in this case.
Doug

--
This .signature sanitized for your protection

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 19:21:42 2007
Message-ID: <466705F1.8070201@elischer.org>
Date: Wed, 06 Jun 2007 12:07:29 -0700
From: Julian Elischer
To: Poul-Henning Kamp
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org, mnag@freebsd.org, Dag-Erling Smørgrav
Subject: Re: pf(4) status in 7.0-R
In-Reply-To: <73167.1181131650@critter.freebsd.dk>
References: <73167.1181131650@critter.freebsd.dk>

Poul-Henning Kamp wrote:
>
> If we want to provide a high quality event library for present and
> future needs, somebody needs to sit down and write that.
>
> But in either case, an eventlibrary should not be imported, unless
> we have code that uses it, and unless we intend to maintain it.
>

I quote from an email from archie@ regarding a BSD licensed event library he wrote..

> On 6/6/07, Julian Elischer wrote:
> > You made a port of an event loop library..
> > what was it?
> >
> > (I think Ive asked you this before)
>
> libpdel.. but it contains other stuff too, including a web server :-)
> But you could rip out the event stuff pretty easily.
>
> It's in FreeBSD ports..
> also http://libpdel.sf.net/

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 6 19:23:19 2007
Message-ID: <466709AB.2060309@elischer.org>
Date: Wed, 06 Jun 2007 12:23:23 -0700
From: Julian Elischer
To: Poul-Henning Kamp
Cc: Dag-Erling Smørgrav, freebsd-pf@freebsd.org, freebsd-current@freebsd.org, mnag@freebsd.org
Subject: Re: pf(4) status in 7.0-R
References: <73167.1181131650@critter.freebsd.dk> <466705F1.8070201@elischer.org>
In-Reply-To: <466705F1.8070201@elischer.org>

Julian Elischer wrote:
> Poul-Henning Kamp wrote:
>>
>> If we want to provide a high quality event library for present and
>> future needs, somebody needs to sit down and write that.
>>
>> But in either case, an event library should not be imported, unless
>> we have code that uses it, and unless we intend to maintain it.
>
> I quote from an email from archie@ regarding a BSD licensed event
> library he wrote..
>
>> On 6/6/07, Julian Elischer wrote:
>> > You made a port of an event loop library..
>> > what was it?
>> >
>> > (I think I've asked you this before)
>>
>> libpdel.. but it contains other stuff too, including a web server :-)
>> But you could rip out the event stuff pretty easily.
>>
>> It's in FreeBSD ports..
> also http://libpdel.sf.net/

We also appear to have at least one current developer who is involved
with it.. (mav@) judging from the svn log.

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 9 02:36:53 2007
Message-ID: <850f7cbe0706081910x52f6f81ete51cf5aeef1fb3fa@mail.gmail.com>
Date: Fri, 8 Jun 2007 19:10:36 -0700
From: "Niels Provos"
To: phk@FreeBSD.ORG
Cc: des@des.no, freebsd-pf@freebsd.org
Subject: Re: pf(4) status in 7.0-R

> The Provos libevent is an undesigned kludge and it grows more kludges
> all the time. It should not be exposed or documented in FreeBSD,
> but merely included only as a component if any bits need it.

And you always were a diplomat. I'd take a kludge any day rather than
talking about plans on building the perfect event system in the
future. But then, I have always been in favor of doing rather than
talking. However, if you should have any constructive feedback, I am
sure many, including myself, would like to hear it.

Looking forward to hearing from you,
Niels.

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 9 06:19:36 2007
To: "Niels Provos"
From: "Poul-Henning Kamp"
In-Reply-To: Your message of "Fri, 08 Jun 2007 19:10:36 MST." <850f7cbe0706081910x52f6f81ete51cf5aeef1fb3fa@mail.gmail.com>
Date: Sat, 09 Jun 2007 06:19:41 +0000
Message-ID: <53461.1181369981@critter.freebsd.dk>
Cc: des@des.no, freebsd-pf@freebsd.org
Subject: Re: pf(4) status in 7.0-R

In message <850f7cbe0706081910x52f6f81ete51cf5aeef1fb3fa@mail.gmail.com>, "Niels Provos" writes:

>However, if you should have any constructive feedback, I am
>sure many, including myself, would like to hear it.

I sent a long constructive email to you when we tried to use your
event library for Varnish and I never heard a word back.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 9 12:05:23 2007
From: Dag-Erling Smørgrav
To: "Niels Provos"
Cc: phk@FreeBSD.ORG, freebsd-pf@freebsd.org
Subject: Re: pf(4) status in 7.0-R
Date: Sat, 09 Jun 2007 14:05:29 +0200
References: <850f7cbe0706081910x52f6f81ete51cf5aeef1fb3fa@mail.gmail.com>
In-Reply-To: <850f7cbe0706081910x52f6f81ete51cf5aeef1fb3fa@mail.gmail.com> (Niels Provos's message of "Fri, 8 Jun 2007 19:10:36 -0700")
Message-ID: <86645x72pi.fsf@dwp.des.no>

"Niels Provos" writes:
> And you always were a diplomat. I'd take a kludge any day rather than
> talking about plans on building the perfect event system in the
> future. But then, I have always been in favor of doing rather than
> talking. However, if you should have any constructive feedback, I am
> sure many, including myself, would like to hear it.

Right... Been there, done that, got royally fed up with being ignored.
I've sent you patches for tree.h (several times), and Poul-Henning sent
you patches for libevent. You never responded. You can still find at
least some patches in the Varnish repo:

http://varnish.projects.linpro.no/browser/trunk/varnish-cache/contrib/libevent?rev=689

In the end, though, Poul-Henning replaced libevent with his own code,
which only took a few hours to write, and Varnish magically stopped
segfaulting. We never looked back.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 9 19:26:31 2007
Message-ID: <466AFEA3.1040008@vwsoft.com>
Date: Sat, 09 Jun 2007 21:25:23 +0200
From: Volker
To: Max Laier
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: USER/GROUP rules on the chopping Block
References: <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com> <200706061629.21923.max@love2party.net>
In-Reply-To: <200706061629.21923.max@love2party.net>

On 06/06/07 16:29, Max Laier wrote:
> After several attempts to fix user/group rules which ended like the most
> recent one - cited below - with *ZERO* feedback, I won't waste anymore
> effort. Either somebody steps up, does proper testing and reports back,
> or user/group rules go! End of story!

Max,

I've upgraded my -STABLE standby desktop system into a -CURRENT system
(just for you... *s*) to test your patch.

Before trying to check your fixes, I've set up a plain (recently
csup'ed) -CURRENT system w/o your patch. Unfortunately, while trying hard
to get that box into an LOR, I'm unable to do so easily. As I need to
verify an unpatched against a patched system, I need to find a
_reliable_ way to get the box LORing.

I've added two pf rules which should (AFAIK) get this into an LOR:

pass out log quick on $if_lan all user volker keep state
pass in log on $if_lan proto {tcp udp} from any to \
    any port 49152:65535 user avahi keep state

After having that box running for a while (3-4 hours) and generating some
icmp, tcp and udp traffic, I was able to get just one single LOR, which
has been caused by a DHCPd response (but even 1 out of 5 bootp udp
packets caused that LOR):

lock order reversal:
 1st 0xc34e7d84 pf task mtx (pf task mtx) @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6414
 2nd 0xc0a6456c udp (udp) @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:2760
KDB: stack backtrace:
db_trace_self_wrapper(c092a516,d404d888,c06ab8fe,c092c9c0,c0a6456c,...) at db_trace_self_wrapper+0x26
kdb_backtrace(c092c9c0,c0a6456c,c092ca6d,c092ca6d,c34e4da8,...) at kdb_backtrace+0x29
witness_checkorder(c0a6456c,9,c34e4da8,ac8,0,...) at witness_checkorder+0x6de
_mtx_lock_flags(c0a6456c,0,c34e4da8,ac8,1,...) at _mtx_lock_flags+0xbc
pf_socket_lookup(d404d984,d404d980,1,d404d9f0,0,...) at pf_socket_lookup+0x25b
pf_test_udp(d404da74,d404da70,1,c3481300,c3259c00,...) at pf_test_udp+0x1099
pf_test(1,c3160c00,d404dad0,0,0,...) at pf_test+0xf32
pf_check_in(0,d404dad0,c3160c00,1,0,...) at pf_check_in+0x39
pfil_run_hooks(c0a63d60,d404db24,c3160c00,1,0,...) at pfil_run_hooks+0x88
ip_input(c3259c00,14e,800,c3160c00,800,...) at ip_input+0x27d
netisr_dispatch(2,c3259c00,10,3,0,...) at netisr_dispatch+0x73
ether_demux(c3160c00,c3259c00,3,0,3,...) at ether_demux+0x1f1
ether_input(c3160c00,c3259c00,c094ce2d,647,c32516d8,...) at ether_input+0x41f
nve_ospacketrx(c3251600,d404dc04,1,0,0,...) at nve_ospacketrx+0xfa
UpdateReceiveDescRingData(c088a950,c088aa80,c088a980,c088ab20,c088a930,...) at UpdateReceiveDescRingData+0x2f8
nve_osalloc(c3249a40,d4306010,c3251600,c088a9b0,c088a950,...) at nve_osalloc
_end(c32c9c00,c3102c08,3065766e,0,0,...) at 0xc30f8540
_end(c3249a40,d4306010,c3251600,c088a9b0,c088a950,...) at 0xc32423c0

What am I doing wrong? How do I get the (unpatched) system reliably into
an LOR and be able to verify that with a patched system?

My pf.c (w/o your patch):
src/sys/contrib/pf/net/pf.c,v 1.44 2007/05/21 20:08:59 dhartmei

pf.c commit rev 1.43 already states LORs as being fixed. By reading your
patches, you're just wrapping 1.43 fixes by a sysctl setting.

Next story... what does your patch really do? I've analyzed it and you're
just wrapping the pf_socket_lookup by an if(debug_pfugidhack) statement.
Your patch also auto sets debug.pfugidhack=1 if an uid/gid rule has been
parsed. It can manually be set to zero by sysctl but that would just cause
skipping pf_socket_lookup() completely at runtime (which disables uid/gid
rule parsing?).

So I'm wondering if the LOR has really been fixed or if the patch is just
a cosmetic one?

Can you help me to find a reliable way to get that LOR and prove your
patch? Anybody else having any comments on this?

Thx

Volker

epeios# uname -v
FreeBSD 7.0-CURRENT #15: Sat Jun 9 08:19:03 CEST 2007

dmesg:
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-CURRENT #15: Sat Jun 9 08:19:03 CEST 2007
    root@epeios.sz.vwsoft.com:/usr/obj/usr/src/sys/EPEIOS
WARNING: WITNESS option enabled, expect reduced performance.
ACPI APIC Table:
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) 64 Processor 3200+ (2009.16-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x20ff2  Stepping = 2
  Features=0x78bfbff
  Features2=0x1
  AMD Features=0xe2500800
  AMD Features2=0x1
real memory  = 503054336 (479 MB)
avail memory = 474140672 (452 MB)
ioapic0 irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cryptosoft0: on motherboard
acpi0: on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of 0, a0000 (3) failed
acpi0: reservation of 100000, 1ff00000 (3) failed
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x508-0x50b on acpi0
cpu0: on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pci0: at device 0.0 (no driver attached)
pci0: at device 0.1 (no driver attached)
pci0: at device 0.2 (no driver attached)
pci0: at device 0.3 (no driver attached)
pci0: at device 0.4 (no driver attached)
pci0: at device 0.5 (no driver attached)
pci0: at device 0.6 (no driver attached)
pci0: at device 0.7 (no driver attached)
pcib1: at device 2.0 on pci0
pci1: on pcib1
pcib2: at device 3.0 on pci0
pci2: on pcib2
pcib3: at device 4.0 on pci0
pci3: on pcib3
nvidia0: mem 0xfd000000-0xfdffffff,0xd0000000-0xdfffffff,0xfc000000-0xfcffffff at device 5.0 on pci0
nvidia0: [GIANT-LOCKED]
nvidia0: [ITHREAD]
pci0: at device 9.0 (no driver attached)
isab0: at device 10.0 on pci0
isa0: on isab0
pci0: at device 10.1 (no driver attached)
ohci0: mem 0xfebde000-0xfebdefff irq 21 at device 11.0 on pci0
ohci0: [GIANT-LOCKED]
ohci0: [ITHREAD]
usb0: OHCI version 1.0, legacy support
usb0: on ohci0
usb0: USB revision 1.0
uhub0: on usb0
uhub0: 8 ports with 8 removable, self powered
ehci0: mem 0xfebdfc00-0xfebdfcff irq 22 at device 11.1 on pci0
ehci0: [GIANT-LOCKED]
ehci0: [ITHREAD]
usb1: EHCI version 1.0
usb1: companion controller, 8 ports each: usb0
usb1: on ehci0
usb1: USB revision 2.0
uhub1: on usb1
uhub1: 8 ports with 8 removable, self powered
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xffa0-0xffaf at device 13.0 on pci0
ata0: on atapci0
ata0: [ITHREAD]
ata1: on atapci0
ata1: [ITHREAD]
atapci1: port 0xe800-0xe807,0xe480-0xe483,0xe400-0xe407,0xe080-0xe083,0xe000-0xe00f mem 0xfebdd000-0xfebddfff irq 23 at device 14.0 on pci0
atapci1: [ITHREAD]
ata2: on atapci1
ata2: [ITHREAD]
ata3: on atapci1
ata3: [ITHREAD]
atapci2: port 0xdc00-0xdc07,0xd880-0xd883,0xd800-0xd807,0xd480-0xd483,0xd400-0xd40f mem 0xfebdc000-0xfebdcfff irq 20 at device 15.0 on pci0
atapci2: [ITHREAD]
ata4: on atapci2
ata4: [ITHREAD]
ata5: on atapci2
ata5: [ITHREAD]
pcib4: at device 16.0 on pci0
pci4: on pcib4
fwohci0: port 0xcc00-0xcc7f mem 0xfaaff800-0xfaafffff irq 17 at device 5.0 on pci4
fwohci0: [FILTER]
fwohci0: OHCI version 1.0 (ROM=1)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:11:d8:00:00:67:ed:4b
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: on fwohci0
fwe0: on firewire0
if_fwe0: Fake Ethernet address: 02:11:d8:67:ed:4b
fwe0: Ethernet address: 02:11:d8:67:ed:4b
fwip0: on firewire0
fwip0: Firewire address: 00:11:d8:00:00:67:ed:4b @ 0xfffe00000000, S400, maxrec 2048
sbp0: on firewire0
dcons_crom0: on firewire0
dcons_crom0: bus_addr 0x1d500000
fwohci0: Initiate bus reset
fwohci0: BUS reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
pci0: at device 16.1 (no driver attached)
nve0: port 0xd080-0xd087 mem 0xfebd7000-0xfebd7fff irq 22 at device 20.0 on pci0
nve0: Ethernet address 00:15:f2:02:df:f5
miibus0: on nve0
e1000phy0: PHY 1 on miibus0
e1000phy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX-FDX, auto
nve0: using obsoleted if_watchdog interface
nve0: Ethernet address: 00:15:f2:02:df:f5
nve0: [ITHREAD]
acpi_button0: on acpi0
fdc0: port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FILTER]
atkbdc0: port 0x60,0x64 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
psm0: irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: [ITHREAD]
psm0: model MouseMan+, device ID 0
pmtimer0 on isa0
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ppc0: at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
ppbus0: on ppc0
lpt0: on ppbus0
lpt0: Interrupt-driven port
ppi0: on ppbus0
ppc0: [GIANT-LOCKED]
ppc0: [ITHREAD]
Timecounter "TSC" frequency 2009159850 Hz quality 800
Timecounters tick every 1.000 msec
Fast IPsec: Initialized Security Association Processing.
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
ad4: 76319MB at ata2-master SATA300
WARNING: WITNESS option enabled, expect reduced performance.
Trying to mount root from ufs:/dev/ad4s1a

KERNCONF:

machine         i386
cpu             I686_CPU
ident           EPEIOS

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_4BSD              # 4BSD scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         FAST_IPSEC
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
options         NFSCLIENT               # Network Filesystem Client
options         NFSSERVER               # Network Filesystem Server
options         NFS_ROOT                # NFS usable as /, requires NFSCLIENT
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
#options        GEOM_GPT                # GUID Partition Tables.
options         GEOM_PART_GPT           # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_43TTY            # BSD 4.3 TTY compat [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
options         STOP_NMI                # Stop CPUS using NMI instead of IPI
options         HZ=1000
options         SMP
device          apic                    # I/O APIC

# Debugging for use in -current
options         KDB                     # Enable kernel debugger support.
options         DDB                     # Support DDB.
options         GDB                     # Support remote GDB.
options         INVARIANTS              # Enable calls of extra sanity checking
options         INVARIANT_SUPPORT       # Extra sanity checks of internal structures, required by INVARIANTS
options         WITNESS                 # Enable checks to detect deadlocks and cycles
options         WITNESS_SKIPSPIN        # Don't run witness on spinlocks for speed

# Bus support.
#device         eisa
device          pci

# Floppy drives
device          fdc

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
device          ataraid                 # ATA RAID drives
device          atapicd                 # ATAPI CDROM drives
device          atapifd                 # ATAPI floppy drives
device          atapist                 # ATAPI tape drives
options         ATA_STATIC_ID           # Static device numbering
device          atapicam

# SCSI Controllers
device          ahc                     # AHA2940 and onboard AIC7xxx devices
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
device          ahd                     # AHA39320/29320 and onboard AIC79xx devices
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
device          ncv                     # NCR 53C500
device          nsp                     # Workbit Ninja SCSI-3
device          stg                     # TMC 18C30/18C50

# SCSI peripherals
device          scbus                   # SCSI bus (required for SCSI)
device          ch                      # SCSI media changers
device          da                      # Direct Access (disks)
device          sa                      # Sequential Access (tape etc)
device          cd                      # CD
device          pass                    # Passthrough device (direct SCSI access)
device          ses                     # SCSI Environmental Services (and SAF-TE)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          psm                     # PS/2 mouse

device          kbdmux                  # keyboard multiplexer

device          vga                     # VGA video card driver

device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

# Enable this for the pcvt (VT220 compatible) console driver
#device         vt
#options        XSERVER                 # support for X server on a vt console
#options        FAT_CURSOR              # start with block cursor

device          agp                     # support several AGP chipsets

# Power management support (see NOTES for more options)
#device         apm
# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
#device         sio                     # 8250, 16[45]50 based serial ports
#device         uart

# Parallel port
device          ppc
device          ppbus                   # Parallel port bus (required)
device          lpt                     # Printer
device          ppi                     # Parallel port interface device
#device         vpo                     # Requires scbus and da

# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device         puc

# PCI Ethernet NICs.
device          de                      # DEC/Intel DC21x4x (``Tulip'')
device          em                      # Intel PRO/1000 adapter Gigabit Ethernet Card
device          ixgb                    # Intel PRO/10GbE Ethernet Card
device          txp                     # 3Com 3cR990 (``Typhoon'')
device          vx                      # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          bce                     # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device          bfe                     # Broadcom BCM440x 10/100 Ethernet
device          bge                     # Broadcom BCM570xx Gigabit Ethernet
device          dc                      # DEC/Intel 21143 and various workalikes
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)
device          lge                     # Level 1 LXT1001 gigabit Ethernet
device          nge                     # NatSemi DP83820 gigabit Ethernet
device          nve                     # nVidia nForce MCP on-board Ethernet Networking
device          pcn                     # AMD Am79C97x PCI 10/100(precedence over 'lnc')
device          re                      # RealTek 8139C+/8169/8169S/8110S
device          rl                      # RealTek 8129/8139
device          sf                      # Adaptec AIC-6915 (``Starfire'')
device          sis                     # Silicon Integrated Systems SiS 900/SiS 7016
device          sk                      # SysKonnect SK-984x & SK-982x gigabit Ethernet
device          ste                     # Sundance ST201 (D-Link DFE-550TX)
device          stge                    # Sundance/Tamarack TC9021 gigabit Ethernet
device          ti                      # Alteon Networks Tigon I/II gigabit Ethernet
device          tl                      # Texas Instruments ThunderLAN
device          tx                      # SMC EtherPower II (83c170 ``EPIC'')
device          vge                     # VIA VT612x gigabit Ethernet
device          vr                      # VIA Rhine, Rhine II
device          wb                      # Winbond W89C840F
device          xl                      # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Wireless NIC cards
device          wlan                    # 802.11 support
device          wlan_wep                # 802.11 WEP support
device          wlan_ccmp               # 802.11 CCMP support
device          wlan_tkip               # 802.11 TKIP support
device          wlan_amrr
device          an                      # Aironet 4500/4800 802.11 wireless NICs.
device          ath                     # Atheros pci/cardbus NIC's
device          ath_hal                 # Atheros HAL (Hardware Access Layer)
device          ath_rate_sample         # SampleRate tx rate control for ath
device          awi                     # BayStack 660 and others
device          ral                     # Ralink Technology RT2500 wireless NICs.
device          wi                      # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device         wl                      # Older non 802.11 Wavelan wireless NIC.

# Pseudo devices.
device          mem
device          io
device          loop                    # Network loopback
device          random                  # Entropy device
device          ether                   # Ethernet support
device          ppp                     # Kernel PPP
device          tun                     # Packet tunnel.
device          pty                     # Pseudo-ttys (telnet etc)
device          md                      # Memory "disks"
device          gif                     # IPv6 and IPv4 tunneling
device          faith                   # IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

# USB support
device          uhci                    # UHCI PCI->USB interface
device          ohci                    # OHCI PCI->USB interface
device          ehci                    # EHCI PCI->USB interface (USB 2.0)
device          usb                     # USB Bus (required)
#device         udbp                    # USB Double Bulk Pipe devices
device          ugen                    # Generic
device          uhid                    # "Human Interface Devices"
device          ukbd                    # Keyboard
device          ulpt                    # Printer
device          umass                   # Disks/Mass storage - Requires scbus and da
device          ums                     # Mouse
device          ural                    # Ralink Technology RT2500USB wireless NICs
device          rum
device          urio                    # Diamond Rio 500 MP3 player
device          uscanner                # Scanners
# USB Ethernet, requires miibus
device          aue                     # ADMtek USB Ethernet
device          axe                     # ASIX Electronics USB Ethernet
device          cdce                    # Generic USB over Ethernet
device          cue                     # CATC USB Ethernet
device          kue                     # Kawasaki LSI USB Ethernet
device          rue                     # RealTek RTL8150 USB Ethernet

options         ALTQ
options         ALTQ_CBQ                # Class Bases Queueing
options         ALTQ_RED                # Random Early Detection
options         ALTQ_RIO                # RED In/Out
options         ALTQ_HFSC               # Hierarchical Packet Scheduler
options         ALTQ_CDNR               # Traffic conditioner
options         ALTQ_PRIQ               # Priority Queueing
options         ALTQ_NOPCC              # Required if the TSC is unusable
#options        ALTQ_DEBUG

# FireWire support
device          firewire                # FireWire bus code
device          sbp                     # SCSI over FireWire (Requires scbus and da)
device          fwe                     # Ethernet over FireWire (non-standard!)
device          fwip
device          dcons
device          dcons_crom

device          crypto
device          enc
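Volker's problem above is reproducibility: he needs to know whether the LOR his unpatched box hit is the same one that shows up (or stops showing up) after the patch. The script below is an added example, not code from this thread or from FreeBSD; it pulls every WITNESS "lock order reversal" block out of a console or /var/log/messages capture and reduces each to a stable signature (held lock, acquired lock, file:line of the acquisition) plus the first backtrace frame that is not debugger, WITNESS or mutex plumbing, so captures from several runs can be compared. The `INFRA_PREFIXES` list is my heuristic for which frames to skip, and the embedded sample is constructed from the report quoted above with the backtrace shortened.

```python
"""Triage helper for FreeBSD WITNESS 'lock order reversal' (LOR) reports.

Added example (not from the thread or from FreeBSD). Reads a kernel
message capture, extracts each LOR block and reduces it to the lock pair,
the acquisition site and the frame that requested the lock.
"""
import os
import re
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOR_HEADER = re.compile(r"^\s*lock order reversal")
LOCK_LINE = re.compile(
    r"^\s*(?P<order>1st|2nd)\s+0x(?P<addr>[0-9a-fA-F]+)\s+(?P<name>.+?)"
    r"\s+\((?P<cls>[^)]*)\)\s+@\s+(?P<file>\S+?):(?P<line>\d+)\s*$"
)
FRAME_LINE = re.compile(r"^\s*(?P<func>[A-Za-z_][\w.]*)\(.*\)\s+at\s+\S+\s*$")

# Heuristic (my assumption): frames belonging to the debugger, WITNESS and the
# lock primitives themselves; the first frame after them is the real requester.
INFRA_PREFIXES = ("db_trace_self", "kdb_backtrace", "witness_", "_mtx_",
                  "mtx_", "_sx_", "_rw_", "lockmgr")


@dataclass
class Lock:
    order: str   # "1st" = already held, "2nd" = being acquired
    addr: str
    name: str
    cls: str
    file: str
    line: int


@dataclass
class Lor:
    locks: List[Lock] = field(default_factory=list)
    frames: List[str] = field(default_factory=list)  # innermost first

    def held(self) -> Optional[Lock]:
        return next((l for l in self.locks if l.order == "1st"), None)

    def acquired(self) -> Optional[Lock]:
        return next((l for l in self.locks if l.order == "2nd"), None)


def parse_lors(text: str) -> List[Lor]:
    """Return every LOR block found in a kernel message capture."""
    lors: List[Lor] = []
    cur: Optional[Lor] = None
    for raw in text.splitlines():
        if LOR_HEADER.match(raw):
            cur = Lor()
            lors.append(cur)
            continue
        if cur is None:
            continue
        m = LOCK_LINE.match(raw)
        if m:
            cur.locks.append(Lock(m["order"], m["addr"], m["name"], m["cls"],
                                  m["file"], int(m["line"])))
            continue
        m = FRAME_LINE.match(raw)
        if m:
            cur.frames.append(m["func"])
            continue
        if raw.strip().startswith("KDB: stack backtrace"):
            continue
        cur = None   # any other kernel message ends the report
    return lors


def acquiring_function(lor: Lor) -> Optional[str]:
    """First backtrace frame that is not debugger/WITNESS/lock plumbing."""
    for func in lor.frames:
        if not func.startswith(INFRA_PREFIXES):
            return func
    return None


def signature(lor: Lor) -> str:
    """Stable key for 'is this the same LOR as last run?' comparisons."""
    held, acq = lor.held(), lor.acquired()
    if held is None or acq is None:
        return "incomplete"
    return f"{held.name} -> {acq.name} @ {os.path.basename(acq.file)}:{acq.line}"


def summarize(text: str) -> Dict[str, int]:
    """Count how often each LOR signature occurs in a capture."""
    return dict(Counter(signature(l) for l in parse_lors(text)))


# Constructed sample: the report quoted in the thread, backtrace shortened.
SAMPLE = """\
lock order reversal:
 1st 0xc34e7d84 pf task mtx (pf task mtx) @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6414
 2nd 0xc0a6456c udp (udp) @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:2760
KDB: stack backtrace:
db_trace_self_wrapper(c092a516,d404d888,c06ab8fe,c092c9c0,c0a6456c,...) at db_trace_self_wrapper+0x26
kdb_backtrace(c092c9c0,c0a6456c,c092ca6d,c092ca6d,c34e4da8,...) at kdb_backtrace+0x29
witness_checkorder(c0a6456c,9,c34e4da8,ac8,0,...) at witness_checkorder+0x6de
_mtx_lock_flags(c0a6456c,0,c34e4da8,ac8,1,...) at _mtx_lock_flags+0xbc
pf_socket_lookup(d404d984,d404d980,1,d404d9f0,0,...) at pf_socket_lookup+0x25b
pf_test_udp(d404da74,d404da70,1,c3481300,c3259c00,...) at pf_test_udp+0x1099
pf_test(1,c3160c00,d404dad0,0,0,...) at pf_test+0xf32
ip_input(c3259c00,14e,800,c3160c00,800,...) at ip_input+0x27d
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lor in parse_lors(data):
        print(signature(lor), "requested by", acquiring_function(lor))
    for sig, n in summarize(data).items():
        print(f"{n:4d}  {sig}")
```

Run it as `python3 lor_triage.py /var/log/messages` on the unpatched and the patched box; if the `pf task mtx -> udp @ pf.c:2760` signature still appears with `pf_socket_lookup` as the requester after the patch, the sysctl wrapper did not change the lock order on that path. The parser deliberately stops a block at the first line that is neither a lock line nor a frame, so interleaved driver messages do not get glued onto a report.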