From owner-freebsd-pf@FreeBSD.ORG Mon Jul 2 01:11:57 2007
From: "Vadym Chepkov" <vchepkov@gmail.com>
To: "Max Laier"
Cc: Hugo Koji Kobayashi
Date: Sun, 1 Jul 2007 21:11:22 -0400
Subject: Re: udp fragmentation
Message-ID: <002401c7bc45$e7fa89f0$c40a0a0a@chepkov.lan>
References: <20070528224225.GC40678@registro.br> <20070629000630.GA52912@cdnetworks.co.kr> <200706291431.37159.max@love2party.net> <200706291505.05141.max@love2party.net>

Max,

I have applied the patch, seems to be working fine, thank you.

Vadym Chepkov

----- Original Message -----
From: "Max Laier"
Cc: "Hugo Koji Kobayashi"
Sent: Friday, June 29, 2007 9:04 AM
Subject: Re: udp fragmentation

On Friday 29 June 2007, Max Laier wrote:
> On Friday 29 June 2007, Pyun YongHyeon wrote:
> > On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> > > > > The only thing common about your setup seems to be the bge(4)
> > > > > NIC. Can you try disabling hardware checksumming (ifconfig
> > > > > -txcsum -rxcsum)? My test is over a hardware checksumming
> > > > > fxp(4) card, though.
> > > >
> > > > Yes, this eliminated the issue. Bug in bge driver?
> > >
> > > Kind of - the driver claims to have done UDP checksum testing on
> > > the fragment (which is impossible). The attached patch should fix
> > > the issue for bge(4) and any other similar NIC.
> >
> > I guess bge(4) has an Rx checksum offload bug on fragmented UDP
> > datagrams. Since other hardware with checksum offload capability
> > does not show this issue, it could be related to UDP pseudo-header
> > calculation. How about disabling UDP pseudo-header calculation?
> >
> > I don't have bge(4) hardware, so the patch is just guess work.
>
> In fact it doesn't seem broken at all, we would just have to do
> something along the lines of ip_input.c::ip_reass() (line 1001 ff):
> ...
> Have to ponder a bit, if this is easily possible in pf's reassembly.

Works - see attached. Does anyone know of a tool to generate nasty fragments to really test this? Reordered / overlapping / etc.?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

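The checksum-merging step Max points to in ip_input.c::ip_reass(), as an added example that is not code from the thread, from FreeBSD or from the bge(4) patch: a NIC can hand up at most a partial data sum for one fragment, a claim that it verified the pseudo-header on a lone fragment is impossible and is dropped, and the reassembled datagram keeps a "verified" flag only if every fragment carried one. The flag names follow FreeBSD's mbuf csum_flags, but the struct, the way the constants are used and the 16-byte sample payload are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the mbuf receive-checksum flags (assumption). */
#define CSUM_DATA_VALID 0x0400u /* NIC summed the bytes of this piece */
#define CSUM_PSEUDO_HDR 0x0800u /* NIC also covered the pseudo-header */

struct frag {
    int            is_fragment; /* MF set or offset != 0: not a whole datagram */
    uint32_t       csum_flags;  /* what the driver claims for this piece */
    uint32_t       csum_data;   /* unfolded partial sum over this piece */
    const uint8_t *data;
    size_t         len;
};

/* Unfolded one's-complement sum over big-endian 16-bit words. */
static uint32_t ocsum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        s += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1)
        s += (uint32_t)p[n - 1] << 8;
    return s;
}

/* End-around carry, done once for the whole datagram as ip_reass() does. */
static uint16_t fold(uint32_t s)
{
    s = (s & 0xffff) + (s >> 16);
    s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* A NIC cannot have checked the pseudo-header on one fragment: it covers the
 * whole datagram, whose other bytes the NIC never saw. Keep only the
 * partial-sum claim, which the reassembler can still make use of. */
void sanitize_frag_csum(struct frag *f)
{
    if (f->is_fragment)
        f->csum_flags &= ~CSUM_PSEUDO_HDR;
}

/* Merge per-fragment state into the reassembled datagram's: AND the flags
 * (one unverified piece voids the claim) and add the partial sums.
 * *sum_out is meaningful only if CSUM_DATA_VALID survives in *flags_out. */
void reass_csum(struct frag *f, size_t n, uint32_t *flags_out, uint16_t *sum_out)
{
    uint32_t flags = CSUM_DATA_VALID | CSUM_PSEUDO_HDR, sum = 0;
    for (size_t i = 0; i < n; i++) {
        sanitize_frag_csum(&f[i]);
        flags &= f[i].csum_flags;
        sum += f[i].csum_data;
    }
    *flags_out = flags;
    *sum_out = fold(sum);
}

/* Constructed 16-byte sample payload, split into two 8-byte fragments. */
static const uint8_t PAYLOAD[16] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
};

/* Build the two fragments; claim0/claim1 are what the driver asserts on each. */
static void run(uint32_t claim0, uint32_t claim1, uint32_t *flags, uint16_t *sum)
{
    struct frag f[2];
    for (int i = 0; i < 2; i++) {
        f[i].is_fragment = 1;
        f[i].data = PAYLOAD + 8 * i;
        f[i].len = 8;
        f[i].csum_data = ocsum(f[i].data, f[i].len); /* NIC's partial sum */
    }
    f[0].csum_flags = claim0;
    f[1].csum_flags = claim1;
    reass_csum(f, 2, flags, sum);
}

uint32_t merged_flags(uint32_t claim0, uint32_t claim1)
{ uint32_t fl; uint16_t s; run(claim0, claim1, &fl, &s); return fl; }

uint16_t merged_sum(uint32_t claim0, uint32_t claim1)
{ uint32_t fl; uint16_t s; run(claim0, claim1, &fl, &s); return s; }

/* Sum over the unfragmented payload, for comparison. */
uint16_t whole_sum(void) { return fold(ocsum(PAYLOAD, sizeof PAYLOAD)); }

int main(void)
{
    uint32_t over = CSUM_DATA_VALID | CSUM_PSEUDO_HDR; /* impossible claim */
    printf("both summed:    flags=0x%04x sum=0x%04x (whole=0x%04x)\n",
           (unsigned)merged_flags(over, CSUM_DATA_VALID),
           (unsigned)merged_sum(over, CSUM_DATA_VALID), (unsigned)whole_sum());
    printf("one unverified: flags=0x%04x\n",
           (unsigned)merged_flags(CSUM_DATA_VALID, 0));
    return 0;
}
```

The sum that survives is only the data part; the transport layer still has to add its own pseudo-header sum before it may call the UDP checksum good. The AND is the defensive point: one fragment the driver did not verify voids the claim for the whole datagram, so a driver that over-claims on fragments cannot make a corrupted datagram look checked.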
From: "andrei.manescu@clicknet.ro" <andrei.manescu@clicknet.ro>
To: freebsd-pf@freebsd.org
Date: Mon, 02 Jul 2007 09:02:27 +0300
Subject: PF & altq benzedrine.cz prioritizing ACK packets
Message-ID: <20070702060227.12770.qmail@mailstore4.romtelecom.net>

Hello everyone.

I've stumbled upon this article at http://www.benzedrine.cx/ackpri.html about prioritizing ACKs, and the pass out/pass in rules are for packets with flags S/SA (SYN flag = set, ACK flag = unset, rest = ignored). In the pf manual I found:

    pass in on fxp0 proto tcp from any to any port ssh flags S/SA

The above rule passes TCP traffic with the SYN flag set while only looking at the SYN and ACK flags. A packet with the SYN and ECE flags would match the above rule while a packet with SYN and ACK or just ACK would not.

So now I wonder how does Daniel Hartmeier's rule prioritize ACK packets when these packets don't even match that rule?? That rule is only for packets that have the SYN flag set, the ACK flag unset and the rest of the flags set/unset. I would appreciate an explanation.

Thank you in advance.
Andrei.

From: David DeSimone <fox@verio.net>
To: freebsd-pf@freebsd.org
Date: Mon, 2 Jul 2007 02:26:28 -0500
Subject: Re: PF & altq benzedrine.cz prioritizing ACK packets
Message-ID: <20070702072627.GA31664@verio.net>
In-Reply-To: <20070702060227.12770.qmail@mailstore4.romtelecom.net>

andrei.manescu@clicknet.ro wrote:
>
> So now I wonder how does Daniel Hartmeier's rule prioritize ACKs
> packets when these packets don't even match that rule ??
> That rule is only for packets that have SYN flag set, ACK flag unset
> and the rest of the flags set/unset.

The rule specifies "keep state" so that PF will build a state table entry that follows the connection in both directions. The rule need only specify the start of the state (which is the packet with S/SA flags), and PF will notice and process all further packets in the connection matching any rules.

The pf.conf(5) man page has this to say about the 'queue' modifier:

    queue <queue> | (<queue>, <queue>)
        Packets matching this rule will be assigned to the specified
        queue. If two queues are given, packets which have a tos of
        lowdelay and TCP ACKs with no data payload will be assigned to
        the second one.

The article you referenced is using the second form of the queue modifier, giving a low-priority and high-priority queue. Thus as PF tracks the state of all packets within the connection, it also performs the queue assignment for each packet, as described.

--
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was
   too famous."  -- Robert Benchley

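The mechanism David describes, as an added example that is not pf's code: a toy state table in which a rule with flags S/SA keep state queue (bulk, ack) is evaluated only for the SYN, after which every packet of the connection, in either direction, is matched by state and queued by the pf.conf(5) criterion for the two-queue form. The queue names, the flow key, the flag and TOS constants and the sample addresses are this example's own assumptions; real pf also keys states on interface and direction and has many more rule options, all of which the toy omits.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TH_SYN         0x02
#define TH_ACK         0x10
#define IPTOS_LOWDELAY 0x10

struct pkt {
    uint32_t src, dst;      /* IPv4 addresses as host-order integers */
    uint16_t sport, dport;
    uint8_t  flags, tos;
    uint16_t payload_len;   /* TCP payload bytes, 0 for a pure ACK */
};

struct state { uint32_t src, dst; uint16_t sport, dport; int in_use; };

#define NSTATES 16
static struct state states[NSTATES];

/* The rule's queue pair: queue (bulk, ack). */
static const char *Q_BULK = "bulk";
static const char *Q_ACK  = "ack";

/* "flags S/SA": of the SYN and ACK bits, exactly SYN is set; others ignored. */
static int rule_matches(const struct pkt *p)
{
    return (p->flags & (TH_SYN | TH_ACK)) == TH_SYN;
}

static int same_flow(const struct state *s, const struct pkt *p)
{
    return (s->src == p->src && s->dst == p->dst &&
            s->sport == p->sport && s->dport == p->dport) ||
           (s->src == p->dst && s->dst == p->src &&      /* reply direction */
            s->sport == p->dport && s->dport == p->sport);
}

static int state_lookup(const struct pkt *p)
{
    for (int i = 0; i < NSTATES; i++)
        if (states[i].in_use && same_flow(&states[i], p))
            return 1;
    return 0;
}

static int state_insert(const struct pkt *p)
{
    for (int i = 0; i < NSTATES; i++) {
        if (states[i].in_use) continue;
        states[i] = (struct state){ p->src, p->dst, p->sport, p->dport, 1 };
        return 1;
    }
    return 0; /* table full */
}

/* pf.conf(5), two-queue form: lowdelay TOS or a payload-less ACK -> second queue. */
static const char *pick_queue(const struct pkt *p)
{
    if ((p->tos & IPTOS_LOWDELAY) || ((p->flags & TH_ACK) && p->payload_len == 0))
        return Q_ACK;
    return Q_BULK;
}

/* Returns the queue the packet is assigned to, or NULL if it is not passed. */
const char *filter(const struct pkt *p)
{
    if (state_lookup(p))                     /* state matched: rules not consulted */
        return pick_queue(p);
    if (rule_matches(p) && state_insert(p))  /* the SYN creates the state */
        return pick_queue(p);
    return NULL;                             /* nothing else passes in this toy */
}

/* Wrapper so a sequence of packets can be fed as literals. */
const char *classify(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                     uint8_t flags, uint8_t tos, uint16_t payload_len)
{
    struct pkt p = { src, dst, sport, dport, flags, tos, payload_len };
    return filter(&p);
}

void reset_states(void) { memset(states, 0, sizeof states); }

int main(void)
{
    /* Constructed flow: 10.0.0.1:40000 -> 10.0.0.2:22 */
    uint32_t a = 0x0a000001, b = 0x0a000002;
    reset_states();
    printf("SYN       -> %s\n", classify(a, b, 40000, 22, TH_SYN, 0, 0));
    printf("SYN/ACK   -> %s\n", classify(b, a, 22, 40000, TH_SYN | TH_ACK, 0, 0));
    printf("ACK+data  -> %s\n", classify(a, b, 40000, 22, TH_ACK, 0, 512));
    printf("pure ACK  -> %s\n", classify(b, a, 22, 40000, TH_ACK, 0, 0));
    const char *q = classify(0x0a000003, b, 40001, 22, TH_ACK, 0, 0);
    printf("stray ACK -> %s\n", q ? q : "dropped (no state, no rule match)");
    return 0;
}
```

The SYN/ACK and the pure ACK never satisfy S/SA, yet both land in the ack queue because the state created by the SYN is consulted first; the stray ACK with no state and no matching rule is not passed at all, which is the same reason Andrei's reading of the rule alone could not explain the behaviour.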
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 2 Jul 2007 11:08:46 GMT
Subject: Current problem reports assigned to you
Message-Id: <200707021108.l62B8k5L082743@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2

6 problems total.

From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-current@freebsd.org
Cc: freebsd-pf@freebsd.org
Date: Tue, 3 Jul 2007 12:26:11 +0200
Subject: HEADSUP: pf 4.1 import

All,

in the course of this afternoon (CEST) I'll import the OpenBSD 4.1 version of pf. The build might break for a short time, but I'll try to keep it as short as possible.

Users of pf should hold off a bit as I plan to commit a tiny ABI break after the update is finished in order to be able to add netgraph support in the future. After that a full "buildworld buildkernel installkernel installworld mergemaster"-run is advised.

Will send an all clear when done.

-- 
FreeBSD Status reports due: 07/07/07 :-)
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From: Thomas Quinot <thomas@FreeBSD.ORG>
To: Max Laier
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 3 Jul 2007 12:34:51 +0200
Subject: Re: HEADSUP: pf 4.1 import
Message-ID: <20070703103451.GB8689@melamine.cuivre.fr.eu.org>
In-Reply-To: <200707031226.18399.max@love2party.net>

* Max Laier, 2007-07-03 :
> in the course of this afternoon (CEST) I'll import the OpenBSD 4.1 version
> of pf. The build might break for a short time, but I'll try to keep it
> as short as possible.

Thanks Max! Is there a place on the web that lists interesting new features and fixes in that release?

Thomas.

From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-current@freebsd.org
Cc: freebsd-pf@freebsd.org, Thomas Quinot
Date: Tue, 3 Jul 2007 13:24:48 +0200
Subject: Re: HEADSUP: pf 4.1 import
Message-Id: <200707031324.55556.max@love2party.net>
In-Reply-To: <20070703103451.GB8689@melamine.cuivre.fr.eu.org>

On Tuesday 03 July 2007, Thomas Quinot wrote:
> * Max Laier, 2007-07-03 :
> > in the course of this afternoon (CEST) I'll import the OpenBSD 4.1
> > version of pf. The build might break for a short time, but I'll try
> > to keep it as short as possible.
>
> Thanks Max! Is there a place on the web that lists interesting new
> features and fixes in that release?

http://www.openbsd.org/{38,39,40,41}.html Note that some functionality is not available in FreeBSD (routing code related stuff, pfsync for IPSEC, something I'm forgetting right now ... I'll try to compile a list later).

-- 
FreeBSD Status reports due: 07/07/07 :-)
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-current@freebsd.org
Cc: freebsd-pf@freebsd.org
Date: Tue, 3 Jul 2007 15:24:58 +0200
Subject: Re: HEADSUP: pf 4.1 import
Message-Id: <200707031525.17385.max@love2party.net>
In-Reply-To: <200707031226.18399.max@love2party.net>

On Tuesday 03 July 2007, Max Laier wrote:
> Users of pf should hold off a bit as I plan to commit a tiny ABI break
> after the update is finished in order to be able to add netgraph
> support in the future. After that a full "buildworld buildkernel
> installkernel installworld mergemaster"-run is advised.
>
> Will send an all clear when done.

this is it. Though my post commit build is still running, things should be alright again.

Users of pf please note that tcpdump and libpcap need additional patches that need to go through the vendor first. I'm trying to get things moving there, but for the time being, please use the attached patch to understand the new pflog format.

Anyone with hands at tcpdump.org? Help appreciated!

-- 
FreeBSD Status reports due: 07/07/07 :-)
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Type: text/x-diff; charset="iso-8859-6"; name="pf.41.tcpdump_local.diff"
Content-Disposition: attachment; filename="pf.41.tcpdump_local.diff"

Index: contrib/libpcap/gencode.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/contrib/libpcap/gencode.c,v retrieving revision 1.16 diff -u -r1.16 gencode.c =2D-- contrib/libpcap/gencode.c 4 Sep 2006 19:54:21 -0000 1.16 +++ contrib/libpcap/gencode.c 30 Jun 2007 17:01:13 -0000 @@ -75,7 +75,14 @@ #include "ppp.h" #include "sll.h" #include "arcnet.h" +#ifdef HAVE_NET_PFVAR_H +#include +#include +#include +#include +#else #include "pf.h" +#endif #ifndef offsetof #define offsetof(s, e) ((size_t)&((s *)0)->e) #endif Index: contrib/libpcap/grammar.y =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/contrib/libpcap/grammar.y,v retrieving revision 1.11 diff -u -r1.11 grammar.y =2D-- contrib/libpcap/grammar.y 4 Sep 2006 19:54:21 -0000 1.11 +++ contrib/libpcap/grammar.y 30 Jun 2007 17:02:55 -0000 
@@ -53,7 +53,13 @@ #include "pcap-int.h" =20 #include "gencode.h" +#ifdef HAVE_NET_PFVAR_H +#include +#include +#include +#else #include "pf.h" +#endif #include =20 #ifdef HAVE_OS_PROTO_H Index: contrib/tcpdump/print-pflog.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/contrib/tcpdump/print-pflog.c,v retrieving revision 1.1.1.3 diff -u -r1.1.1.3 print-pflog.c =2D-- contrib/tcpdump/print-pflog.c 4 Sep 2006 20:04:14 -0000 1.1.1.3 +++ contrib/tcpdump/print-pflog.c 30 Jun 2007 17:03:26 -0000 @@ -28,6 +28,16 @@ #include "config.h" #endif =20 +#ifdef HAVE_NET_PFVAR_H +#include +#include +#include +#include +#include +#else +#include "pf.h" +#endif + #include =20 #include @@ -35,7 +45,6 @@ =20 #include "interface.h" #include "addrtoname.h" =2D#include "pf.h" =20 static struct tok pf_reasons[] =3D { { 0, "0(match)" }, Index: lib/libpcap/config.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/lib/libpcap/config.h,v retrieving revision 1.5 diff -u -r1.5 config.h =2D-- lib/libpcap/config.h 29 May 2005 18:12:46 -0000 1.5 +++ lib/libpcap/config.h 30 Jun 2007 17:05:20 -0000 
@@ -45,6 +45,9 @@ /* Define to 1 if you have the header file. */ #define HAVE_MEMORY_H 1 =20 +/* Define to 1 if you have the header file. */ +#define HAVE_NET_PFVAR_H 1 + /* Define to 1 if you have the header file. */ /* #undef HAVE_NETINET_ETHER_H */ =20 Index: usr.sbin/tcpdump/tcpdump/config.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/usr.sbin/tcpdump/tcpdump/config.h,v retrieving revision 1.7 diff -u -r1.7 config.h =2D-- usr.sbin/tcpdump/tcpdump/config.h 11 Jul 2005 04:14:42 -0000 1.7 +++ usr.sbin/tcpdump/tcpdump/config.h 30 Jun 2007 17:06:34 -0000 
@@ -193,6 +193,9 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_NETDNET_DNETDB_H */ =20 +/* Define to 1 if you have the header file. */ +#define HAVE_NET_PFVAR_H 1 + /* Define to 1 if you have the header file. */ /* #undef HAVE_NETINET_ETHER_H */ =20 --Boundary-01=_w4kiG1lSY2K0P6k--

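Review bot: In the gencode.c, grammar.y and print-pflog.c hunks the `+#include` lines under `#ifdef HAVE_NET_PFVAR_H` carry no header names in this archived copy (the angle-bracketed file names are gone), so the patch as displayed cannot be applied or reviewed for which system headers it pulls in; anyone wanting to use it should take the attachment from the original mail rather than this text.

Review bot: The two config.h hunks (lib/libpcap/config.h at @@ -45,6 +45,9 @@ and usr.sbin/tcpdump/tcpdump/config.h at @@ -193,6 +193,9 @@) hard-code `+#define HAVE_NET_PFVAR_H 1` in hand-maintained headers instead of having configure detect the header; a comment next to the define marking it as FreeBSD-local, and a note that both copies must be changed together, would make the vendor merge Max mentions less error-prone.

Review bot: In the print-pflog.c hunk at @@ -35,7 +45,6 @@ the bundled "pf.h" is now reachable only through the `#else` branch, while `static struct tok pf_reasons[] = {` directly below it is keyed by numeric reason codes; worth confirming that this table still lines up with the reason list of whichever header is selected when HAVE_NET_PFVAR_H is defined, since the purpose of the patch is a changed pflog format.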
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-current@freebsd.org
Cc: freebsd-pf@freebsd.org
Date: Tue, 3 Jul 2007 15:32:09 +0200
Subject: Re: HEADSUP: pf 4.1 import
Message-Id: <200707031532.25879.max@love2party.net>
In-Reply-To: <200707031525.17385.max@love2party.net>

In case you wondered, too. The signature on my last message was bad because the ?list? applied the following cleanup:

-Content-Type: text/x-diff; charset="iso-8859-6";
-	name="pf.41.tcpdump_local.diff"
+Content-Type: text/x-diff;
+	charset="iso-8859-6";
+	name="pf.41.tcpdump_local.diff"

The patch is good - there is no conspiracy ;)

-- 
FreeBSD Status reports due: 07/07/07 :-)
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Tue, 3 Jul 2007 15:34:49 +0200 User-Agent: KMail/1.9.6 References: <200707021108.l62B8k5L082743@freefall.freebsd.org> In-Reply-To: <200707021108.l62B8k5L082743@freefall.freebsd.org> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1346416.n7AptyDeH0"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200707031535.07300.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1/xj++IB3VfOsB1tAJxsFK8dYkN+1j9ee43gVN XT8233ni+PKitINqBb/WZt9NO2WW4x+ng4oMdzRlWnUUS8HBw/ 7ha1cGDQqXQHXpNbfwsLVEyPKJw688Mvl/x4LJ32k0= Subject: Re: Current problem reports assigned to you X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Jul 2007 13:33:27 -0000 --nextPart1346416.n7AptyDeH0 Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline I'll ask all owners of pf-related PRs to reevaluate the problem in light=20 of the update. It's unlikely that fixes can easily be backported, but I=20 will try if positive feedback is available. 
-- 
Max Laier

From: "Andrei Manescu"
To: freebsd-pf@freebsd.org
Date: Tue, 3 Jul 2007 19:23:13 +0300
Subject: ALTQ + CBQ -> http & ftp

Hello everyone.

Probably this is not the first email on this topic, so I'll be brief:
I have the following queues:

    altq on xl0 cbq bandwidth 5000Kb queue { def, ftp, http, ssh, icmp, ack }
    queue ack bandwidth 50Kb priority 7 cbq(borrow)
    queue ssh bandwidth 50Kb priority 6 { ssh_login, ssh_bulk }
        queue ssh_login bandwidth 25% priority 6 cbq(borrow)
        queue ssh_bulk bandwidth 75% priority 5 cbq(borrow)
    queue http bandwidth 4000Kb priority 5 cbq
    queue ftp bandwidth 390Kb priority 2 cbq(borrow)
    queue def bandwidth 500Kb priority 1 cbq(default)
    queue icmp bandwidth 10Kb priority 0 cbq

... and these rules for http & ftp traffic:

    pass in log-all quick on $ext_if1 proto tcp from any to port {80, 8080} flags S/SA synproxy state queue http

    pass in log quick on $ext_if1 proto tcp from any to port ftp flags S/SA synproxy state
    pass out log-all quick on $ext_if1 proto {tcp,udp} from $external_addr1 \
        to any port 65530:65534 flags S/SA keep state queue ftp

The thing is that ftp is in passive mode and when there is traffic both
on http & ftp each type of transfer has ~50% of the bandwidth, so the
higher priority from http queue doesn't apply at all.

Has anyone some suggestion for the rules above?

Thank you in advance for your patience and wisdom :)

Andrei.
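As an added illustration, not code from this thread or from pf itself, the following script parses the queue declarations quoted above and runs the checks one would want before loading such a tree: per-parent bandwidth oversubscription, the CBQ priority range, a single default queue, undeclared children, and each queue's effective ceiling with and without cbq(borrow). The decimal K/M/G multipliers follow pfctl; the dict layout and finding texts are this example's own.

```python
"""Added example (not from the original post or from pf): static checks on the
CBQ queue tree quoted above, using pfctl's decimal K/M/G bandwidth suffixes."""
import re

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
CBQ_MAX_PRIORITY = 7   # CBQ priorities run 0..7
DEFAULT_PRIORITY = 1   # pfctl's default when "priority" is omitted

ALTQ_RE = re.compile(r"^altq on (\S+) cbq bandwidth (\S+) queue \{([^}]*)\}$")
QUEUE_RE = re.compile(r"^queue (\w+) bandwidth (\S+)(?: priority (\d+))?"
                      r"(?: cbq(?:\(([^)]*)\))?)?(?: \{([^}]*)\})?$")

# Constructed copy of the queue declarations from the post above.
PF_CONF = """
altq on xl0 cbq bandwidth 5000Kb queue { def, ftp, http, ssh, icmp, ack }
queue ack bandwidth 50Kb priority 7 cbq(borrow)
queue ssh bandwidth 50Kb priority 6 { ssh_login, ssh_bulk }
queue ssh_login bandwidth 25% priority 6 cbq(borrow)
queue ssh_bulk bandwidth 75% priority 5 cbq(borrow)
queue http bandwidth 4000Kb priority 5 cbq
queue ftp bandwidth 390Kb priority 2 cbq(borrow)
queue def bandwidth 500Kb priority 1 cbq(default)
queue icmp bandwidth 10Kb priority 0 cbq
"""

def parse_bandwidth(spec, parent_bits):
    """'4000Kb' -> 4_000_000 bit/s; '25%' -> that share of the parent's rate."""
    if spec.endswith("%"):
        return parent_bits * int(spec[:-1]) // 100
    m = re.fullmatch(r"(\d+)(b|Kb|Mb|Gb)", spec)
    if not m:
        raise ValueError("bad bandwidth spec: " + spec)
    return int(m.group(1)) * UNITS[m.group(2)]

def names(text):
    return [n.strip() for n in (text or "").split(",") if n.strip()]

def parse_queues(conf):
    """Return {name: queue dict}; the interface line is the root queue."""
    queues, parent_of = {}, {}
    for line in (l.strip() for l in conf.splitlines() if l.strip()):
        if m := ALTQ_RE.match(line):
            name, bw, kids = m.groups()
            q = {"bw_spec": bw, "prio": None, "opts": set(), "root": True,
                 "children": names(kids)}
        elif m := QUEUE_RE.match(line):
            name, bw, prio, opts, kids = m.groups()
            q = {"bw_spec": bw, "root": False, "children": names(kids),
                 "prio": int(prio) if prio else DEFAULT_PRIORITY,
                 "opts": set(names(opts))}
        else:
            raise ValueError("unparsed line: " + line)
        queues[name] = q
        for child in q["children"]:
            parent_of[child] = name
    for name, q in queues.items():
        q["parent"] = parent_of.get(name)
    resolve_bandwidth(queues)
    return queues

def resolve_bandwidth(queues):
    """Fill q['bits'] top-down so percentage children see their parent's rate."""
    def resolve(name):
        q = queues[name]
        if "bits" not in q:
            parent_bits = resolve(q["parent"]) if q["parent"] else 0
            q["bits"] = parse_bandwidth(q["bw_spec"], parent_bits)
        return q["bits"]
    for name in queues:
        resolve(name)

def ceiling(queues, name):
    """Highest rate a queue can reach: its own rate unless it may borrow, in
    which case it is bounded by the ceiling of the parent it borrows from."""
    q = queues[name]
    if "borrow" in q["opts"] and q["parent"]:
        return ceiling(queues, q["parent"])
    return q["bits"]

def check_queues(queues):
    """Return a list of findings; an empty list means the tree is consistent."""
    findings = []
    defaults = [n for n, q in queues.items() if "default" in q["opts"]]
    if len(defaults) != 1:
        findings.append(f"expected exactly one default queue, found {defaults}")
    for name, q in queues.items():
        if not q["root"] and q["parent"] is None:
            findings.append(f"{name}: declared but attached to no parent")
        if q["prio"] is not None and not 0 <= q["prio"] <= CBQ_MAX_PRIORITY:
            findings.append(f"{name}: priority {q['prio']} outside 0..{CBQ_MAX_PRIORITY}")
        missing = [c for c in q["children"] if c not in queues]
        if missing:
            findings.append(f"{name}: undeclared child queue(s) {missing}")
        need = sum(queues[c]["bits"] for c in q["children"] if c in queues)
        if need > q["bits"]:
            findings.append(f"{name}: children need {need} bit/s, parent has {q['bits']}")
    return findings
```

For the tree above the checks pass and the ceilings show the shape of the sharing: http without borrow never exceeds its 4000Kb, while ftp with cbq(borrow) may reach the full 5000Kb of the root when the rest is idle.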
Date: Tue, 3 Jul 2007 20:46:56 +0400
From: Eygene Ryabinkin
To: Nate Lawson, Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

Nate, Max, good day.

Wed, Jun 20, 2007 at 11:04:23PM +0400, Eygene Ryabinkin wrote:
> This error can potentially be responsible to the weird bandwidth
> values I am having with the altq on my notebook.  The issue is
> described on the thread
> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
> Basically, I am setting one BW limit in pf.conf and seeing another
> one (much lower) via the ifstat utility.
>
> I was able only to test the compilation of the new patched kernel.
> No bandwidth tests were done: I have no access to the fast LAN link
> up to the Monday, 24th, sorry.  Maybe I will be able to setup
> ng_eiface and test with it, but I am not fluent with the netgraph.
> Will post an update if tests will be carried.

At last, carried the tests.  No luck: still seeing weird
bandwidth numbers as compared with the setting in the pf.conf.

But still, the second issue about non-initialized variables
can be committed: it will not harm.  What do you both think?

Thank you.
-- 
Eygene

Date: Tue, 03 Jul 2007 11:18:45 -0700
From: Nate Lawson
To: Eygene Ryabinkin
Cc: freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

Eygene Ryabinkin wrote:
> Nate, Max, good day.
>
> Wed, Jun 20, 2007 at 11:04:23PM +0400, Eygene Ryabinkin wrote:
>> This error can potentially be responsible to the weird bandwidth
>> values I am having with the altq on my notebook.  The issue is
>> described on the thread
>> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
>> Basically, I am setting one BW limit in pf.conf and seeing another
>> one (much lower) via the ifstat utility.
>>
>> I was able only to test the compilation of the new patched kernel.
>> No bandwidth tests were done: I have no access to the fast LAN link
>> up to the Monday, 24th, sorry.  Maybe I will be able to setup
>> ng_eiface and test with it, but I am not fluent with the netgraph.
>> Will post an update if tests will be carried.
>
> At last, carried the tests.  No luck: still seeing weird
> bandwidth numbers as compared with the setting in the pf.conf.
>
> But still, the second issue about non-initialized variables
> can be committed: it will not harm.  What do you both think?
>
> Thank you.

I'm reviewing your patch; started yesterday.  I think it can be done
simpler.  I'll get back to you today.

-- 
Nate

Date: Tue, 3 Jul 2007 15:35:22 -0300
From: "Gilberto Villani Brito"
To: freebsd-pf@freebsd.org
Subject: Re: ALTQ + CBQ -> http & ftp

On 03/07/07, Andrei Manescu wrote:
> Hello everyone.
>
> Probably this is not the first email on this topic, so I'll be brief:
> I have the following queues:
>
> altq on xl0 cbq bandwidth 5000Kb queue { def, ftp, http, ssh, icmp, ack }
> queue ack bandwidth 50Kb priority 7 cbq(borrow)
> queue ssh bandwidth 50Kb priority 6 { ssh_login, ssh_bulk }
>     queue ssh_login bandwidth 25% priority 6 cbq(borrow)
>     queue ssh_bulk bandwidth 75% priority 5 cbq(borrow)
> queue http bandwidth 4000Kb priority 5 cbq
> queue ftp bandwidth 390Kb priority 2 cbq(borrow)
> queue def bandwidth 500Kb priority 1 cbq(default)
> queue icmp bandwidth 10Kb priority 0 cbq
> ... and these rules for http & ftp traffic:
>
> pass in log-all quick on $ext_if1 proto tcp from any to port {80, 8080} flags S/SA synproxy state queue http
>
> pass in log quick on $ext_if1 proto tcp from any to port ftp flags S/SA synproxy state
> pass out log-all quick on $ext_if1 proto {tcp,udp} from $external_addr1 \
>     to any port 65530:65534 flags S/SA keep state queue ftp
>
> The thing is that ftp is in passive mode and when there is traffic both on http & ftp each type of transfer has ~50% of the bandwidth, so the higher priority from http queue doesn't apply at all.
>
> Has anyone some suggestion for the rules above?
>
> Thank you in advance for your patience and wisdom :)
>
> Andrei.
>

How much is the traffic each connection??

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

Date: Tue, 03 Jul 2007 15:24:17 -0700
From: Nate Lawson
To: Eygene Ryabinkin
Cc: freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

Eygene Ryabinkin wrote:
> Nate, Max, good day.
>
> Wed, Jun 20, 2007 at 07:26:09PM +0400, Eygene Ryabinkin wrote:
>> Fine, thanks!  So, you're happy with the way the problem was fixed?
>> I see that another function that uses tbr_callout is tbr_timeout,
>> but it will not be called before tbr_set.  So it seems to me that
>> callout initialisation only in tbr_set is enough.  But maybe I am
>> missing something?
>
> After some thinking I came to the idea that one more patch must be
> applied.  The variables machclk_usepcc and machclk_per_tick can be
> left uninitialised following the same codepath as for tbr_callout:
> tsc_freq_changed() touches only machclk_freq, but init_machclk
> touches all three variables.
>
> This error can potentially be responsible to the weird bandwidth
> values I am having with the altq on my notebook.
> The issue is
> described on the thread
> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
> Basically, I am setting one BW limit in pf.conf and seeing another
> one (much lower) via the ifstat utility.
>
> I was able only to test the compilation of the new patched kernel.
> No bandwidth tests were done: I have no access to the fast LAN link
> up to the Monday, 24th, sorry.  Maybe I will be able to setup
> ng_eiface and test with it, but I am not fluent with the netgraph.
> Will post an update if tests will be carried.
>
> But I am pretty sure that the altq_subr.c should be patched to
> properly handle the initialization of these two variables.  The
> only question is how to do it: via my patch or using some different
> strategy.
>
> No more words, the patch is attached.  Comments are welcome!

I have tried to achieve the same goal with a simpler patch.  Here are
the changes:

Be sure to initialize the callout struct and other setup tasks before
proceeding.  Previously, machclk_freq could be set to a non-zero value
by tsc_freq_changed(), preventing the callout from being initialized.
To fix this, call init_machclk() from all paths.  init_machclk() is
split into two functions, one that only runs the first time it is
called.  The second half runs each time the frequency changes and
calibrates various items.  Also, static variables are zero so no need to
initialize them.

If you can test this, that would be great.

Thanks,
-- 
Nate

altq-fix-3.diff:

Index: altq_subr.c
===================================================================
RCS file: /home/ncvs/src/sys/contrib/altq/altq/altq_subr.c,v
retrieving revision 1.9
diff -u -r1.9 altq_subr.c
--- altq_subr.c 26 Mar 2007 18:03:29 -0000 1.9
+++ altq_subr.c 3 Jul 2007 22:15:05 -0000
@@ -887,8 +887,8 @@ #define MACHCLK_SHIFT 8 int machclk_usepcc; -u_int32_t machclk_freq = 0; -u_int32_t machclk_per_tick = 0; +u_int32_t machclk_freq; +u_int32_t machclk_per_tick; #ifdef __alpha__ #ifdef __FreeBSD__ @@ -911,14 +911,15 @@ return; /* Total setting for this level gives the new frequency in MHz. */ - machclk_freq = level->total_set.freq * 1000000; + tsc_freq = level->total_set.freq * 1000000; + init_machclk(); } EVENTHANDLER_DEFINE(cpufreq_post_change, tsc_freq_changed, NULL, EVENTHANDLER_PRI_ANY); #endif /* __FreeBSD_version >= 700035 */ -void -init_machclk(void) +static void +init_machclk_setup(void) { #if (__FreeBSD_version >= 600000) callout_init(&tbr_callout, 0); @@ -941,6 +942,18 @@ tsc_is_broken)) machclk_usepcc = 0; #endif +} + +void +init_machclk(void) +{ + static int called; + + /* Call one-time initialization function. */ + if (!called) { + init_machclk_setup(); + called = 1; + } if (machclk_usepcc == 0) { /* emulate 256MHz using microtime() */
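Review bot: in the first hunk (@@ -887,8 +887,8 @@) dropping the explicit `= 0` initialisers on `machclk_freq` and `machclk_per_tick` is behaviour-neutral, since objects with static storage duration are zero-initialised by the C standard and the change only moves them from .data to .bss, but the description above calls them "static variables" while the visible declarations are plain globals; the commit message should say "global" so nobody reads it as the variables having been made file-local.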
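Review bot: the second hunk (@@ -911,14 +911,15 @@) makes altq write the kernel-wide `tsc_freq` from its `cpufreq_post_change` handler, where the old code only updated altq's own `machclk_freq`. The handler is registered with `EVENTHANDLER_PRI_ANY`, so nothing orders it relative to other handlers for the same event: if the TSC code already updates `tsc_freq` on this event the write is redundant, and if it does not, altq becomes the de facto owner of a variable it does not declare. Consider leaving `tsc_freq` to its owner and passing the new frequency (`level->total_set.freq * 1000000`) into the altq recalculation instead; also confirm that the calibration now triggered by `init_machclk()` is safe to run from eventhandler context.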
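Review bot: the `static int called` guard in the third hunk (@@ -941,6 +942,18 @@) is not synchronised: nothing stops the first explicit `init_machclk()` call and a concurrent `tsc_freq_changed()` from both seeing `called == 0`, in which case `init_machclk_setup()` and therefore `callout_init(&tbr_callout, 0)` run twice. If both callers can only execute during single-threaded boot that is fine, but the comment `/* Call one-time initialization function. */` should say so; otherwise set `called` under a lock or with an atomic test-and-set.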
From: Roman Bogorodskiy
To: freebsd-pf@freebsd.org
Date: Wed, 4 Jul 2007 09:26:40 +0400
Subject: using pfctl -s labels and keep state for traffic accounting

Hi,

I'm going to use pf's label feature for traffic accounting, i.e.
creating an anchor for being able to add/remove rules with labels
on the fly and parse the output of pfctl -s labels.

However, I spotted some problems with such an approach.  When using 'keep
state' it seems to have some limitations.  First of all, it doesn't seem
to allow to account in only one direction.  Well, it was expected because
states work that way.  But calculating traffic in both directions gives
strange results too.

I have a rule: pass log quick on $ext_if proto tcp from self to some_host
port https label "labels:test", I have a file on https which I download.
After first try it gives:

    labels:test 284 23 2943

Then I add 'keep state', reload the rules file, check if the counters
are zeroed and download the same file again and get:

    labels:test 3 46 29427

Why does it happen that way?

BTW, are there some other limitations to the approach of traffic
accounting based on pf labels?
Roman Bogorodskiy

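An added example, not from the original post: a parser for `pfctl -s labels` output that turns two snapshots into per-label deltas, treating a ruleset reload (which zeroes the counters, as in the post) as a reset rather than a negative delta, and refusing one-way accounting when the output carries no per-direction columns. It assumes the three-counter format shown above and, as an extension, the longer format of newer pfctl versions with in/out counters appended; the sample lines are constructed.

```python
"""Added example (not from the original post): parse `pfctl -s labels` output
and turn two snapshots into per-label traffic deltas for accounting.

Assumption: the post's output has label, evaluations, packets, bytes; newer
pfctl versions append packets/bytes in and out (possibly followed by one
more states column), which this parser also accepts."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LabelCounters:
    label: str
    evaluations: int
    packets: int
    bytes: int
    packets_in: Optional[int] = None   # only present in the longer format
    bytes_in: Optional[int] = None
    packets_out: Optional[int] = None
    bytes_out: Optional[int] = None


def parse_labels(output):
    """Parse `pfctl -s labels` text into {label: LabelCounters}.

    The label comes first and may contain spaces, so the numeric columns
    are peeled off from the right: 3 numbers (the post's format), 7
    (with per-direction counters) or 8 (plus a trailing states column).
    """
    snapshot = {}
    for raw in output.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        trailing = 0
        while (trailing < len(tokens) - 1 and trailing < 8
               and tokens[-1 - trailing].isdigit()):
            trailing += 1
        ncols = next((n for n in (8, 7, 3) if n <= trailing), None)
        if ncols is None:
            raise ValueError("unrecognised pfctl -s labels line: " + raw)
        label = " ".join(tokens[:-ncols])
        nums = [int(t) for t in tokens[-ncols:]]
        per_dir = nums[3:7] if ncols >= 7 else [None] * 4
        snapshot[label] = LabelCounters(label, *nums[:3], *per_dir)
    return snapshot


def account(before, after):
    """Per-label (packets, bytes) consumed between two snapshots.

    A rule reload zeroes the counters (the case in the post above), so if any
    counter went backwards, or the label is new, the whole value of the later
    snapshot is taken as the delta instead of `after - before`.
    """
    totals = {}
    for label, cur in after.items():
        prev = before.get(label)
        reset = prev is None or (cur.evaluations < prev.evaluations
                                 or cur.packets < prev.packets
                                 or cur.bytes < prev.bytes)
        if reset:
            totals[label] = (cur.packets, cur.bytes)
        else:
            totals[label] = (cur.packets - prev.packets, cur.bytes - prev.bytes)
    return totals


def bytes_by_direction(snapshot):
    """{label: (bytes_in, bytes_out)}; refuses output without direction
    columns, because the short format cannot support one-way accounting."""
    result = {}
    for label, rec in snapshot.items():
        if rec.bytes_in is None or rec.bytes_out is None:
            raise ValueError(f"{label!r}: output has no per-direction counters")
        result[label] = (rec.bytes_in, rec.bytes_out)
    return result


# Constructed samples: the two lines from the post, and one line in the
# longer format with a label containing a space.
BEFORE = "labels:test 284 23 2943\n"
AFTER = "labels:test 3 46 29427\n"
NEWER = "acct:web srv 12 40 30000 20 2000 20 28000\n"
```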
From: Flor Estela Hernández Aguilar
To: freebsd-pf@freebsd.org
Date: Wed, 4 Jul 2007 09:48:44 -0500
Subject: How to kill messenger?

Hello Everyone!!

Maybe it's not the first time you read about it; but these are my first lessons with ipf rules.  I have to "kill" or block the msn service but only in a few of IP's, not at all.  Do you know the way to do this?  I tried with:

    block out proto tcp from any to 192.168.1.10 port=1863

Surely I am mistaken.

I thank you for your opinions.

Flor.
From: freebsd-pf-request@freebsd.org
Subject: freebsd-pf Digest, Vol 145, Issue 3
To: freebsd-pf@freebsd.org
Date: Wed, 4 Jul 2007 12:00:26 +0000

--Forwarded message attachment--
From: max@love2party.net
CC: freebsd-pf@freebsd.org
To: freebsd-current@freebsd.org
Date: Tue, 3 Jul 2007 15:24:58 +0200
Subject: Re: HEADSUP: pf 4.1 import

On Tuesday 03 July 2007, Max Laier wrote:
> Users of pf should hold off a bit as I plan to commit a tiny ABI break
> after the update is finished in order to be able to add netgraph
> support in the future.  After that a full "buildworld buildkernel
> installkernel installworld mergemaster"-run is advised.
>
> Will send an all clear when done.

this is it.  Though my post commit build is still running, things should
be alright again.  Users of pf please note that tcpdump and libpcap need
additional patches that need to go through the vendor first.  I'm trying
to get things moving there, but for the time being, please use the
attached patch to understand the new pflog format.  Anyone with hands at
tcpdump.org?  Help appreciated!

-- 
Max Laier

--Forwarded message attachment--
From: max@love2party.net
CC: freebsd-pf@freebsd.org
To: freebsd-current@freebsd.org
Date: Tue, 3 Jul 2007 15:32:09 +0200
Subject: Re: HEADSUP: pf 4.1 import

In case you wondered, too.  The signature on my last message was bad
because the ?list? applied the following cleanup:

-Content-Type: text/x-diff; charset="iso-8859-6";
-  name="pf.41.tcpdump_local.diff"
+Content-Type: text/x-diff;
+  charset="iso-8859-6";
+  name="pf.41.tcpdump_local.diff"

The patch is good - there is no conspiracy ;)

-- 
Max Laier
Roman Bogorodskiy _________________________________________________________________ T=FA mundo y lo que te gusta en una p=E1gina que t=FA mismo creas: Live.com= =20 http://www.live.com/getstarted= From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 06:26:35 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8FE5C16A41F for ; Thu, 5 Jul 2007 06:26:35 +0000 (UTC) (envelope-from llevier@argosnet.com) Received: from mx.levier.org (ns.argosnet.com [213.251.139.26]) by mx1.freebsd.org (Postfix) with ESMTP id 4284F13C468 for ; Thu, 5 Jul 2007 06:26:35 +0000 (UTC) (envelope-from llevier@argosnet.com) Received: from localhost (ns [213.251.139.26]) by mx.levier.org (Postfix) with ESMTP id 27B02267E81 for ; Thu, 5 Jul 2007 08:26:35 +0200 (CEST) X-Virus-Scanned: amavisd-new at argosnet.com Received: from mx.levier.org ([213.251.139.26]) by localhost (ns.levier.org [213.251.139.26]) (amavisd-new, port 10024) with ESMTP id MNGRWX8CISQa for ; Thu, 5 Jul 2007 08:25:47 +0200 (CEST) Received: from Osgiliath.argosnet.com (tirion.argosnet.com [82.224.1.141]) by mx.levier.org (Postfix) with ESMTP id BF688267E13 for ; Thu, 5 Jul 2007 08:25:46 +0200 (CEST) X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Thu, 05 Jul 2007 08:25:42 +0200 To: freebsd-pf@freebsd.org 
From: Laurent LEVIER Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Message-Id: <20070705062546.BF688267E13@mx.levier.org> Subject: Issue with PF on FreeBSD 6.2.5? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2007 06:26:35 -0000 Hi All, I am currently setting up a ChilliSpot server using the conup/condown command. Since the LAN will also be publicly available, I am using Chilli as UAM. These con* scripts are launched with additional arguments (IP address, device) when a user is authenticated ont he HotSpot This way, I can update firewall rules dynamically to allow the authenticated user to pass...or to no longer pass when session is over. Apparently, best way to solve this with pf is to use tables, since an anchor permits to add a rule, but not to delete the added rule (at least I did not find how to). But it seems it does not fully work for me. If you read at my pf.conf file at the end of this email, you will see I created a table "public_granted" that is associated with 2 rules: 1) a rdr to redirect to Squid transparently (rule is before the one redirecting transparently to Chilli authentication server) 2) a pass in quick rule to allow new user to pass through. The problem I have is: - When the public_granted table is updated with a new IP address, pf let the user pass through. - But when I delete this @IP from the table, pf keeps allowing the user to pass through. I appreciate all advices to help me solving this weird situation. 
Thanks in advance My pf.conf: ### Options # pf configuration set block-policy return set state-policy if-bound # localhost set skip on lo0 ### Declarations # Interface declaration if_ext="nve0" # Internet Interface if_int="bge0" # Public access Interface if_wifi="tun0" # WiFi Hotspot Interface # Subnets declaration net_public= "192.168.254.0/24" net_wifi_admin="192.168.253.252/30" # IP declaration ip_ext_me="192.168.0.100" ip_wifi_me="192.168.254.1" ip_wifi_admin_me="192.168.253.253" ip_hotspot="192.168.253.254" ### Tables! table ### Redirections # Squid redirection for authenticated users on Public rdr on $if_int proto tcp from to 0.0.0.0/0 port 80 -> localhost port 8080 rdr on $if_wifi proto tcp from to 0.0.0.0/0 port 80 -> localhost port 8080 # Authentication portal for Public rdr on $if_int proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990 rdr on $if_wifi proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990 ### NAT # Public to me on Internet side nat on $if_ext from $net_public to any -> $ip_ext_me ### Filtering # Hotspot is a typical network client pass out quick from any to any keep state # Who can admin me? 
pass in log quick on $if_ext proto tcp from any to $ip_ext_me port = 22 ## Logs from Public access side # Syslog from access point sent to me pass in log quick on $if_int proto udp from $ip_hotspot to $ip_wifi_admin_me port = 514 # DHCP pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 67 pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 68 # DNS for Public pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 53 pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 53 # DNS for WiFi pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 53 pass in log quick on $if_wifi proto udp from $net_public to $ip_wifi_me port = 53 # Authentication portal for Public pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 3990 pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 443 # Authentication portal for Wifi pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 3990 pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 443 # Ping is granted to authenticated users (public_granted table) pass in log quick on $if_wifi proto icmp from to $ip_wifi_me keep state # Closing rule for Public & WiFi block in log quick from any to $ip_wifi_me block in log quick from any to $ip_wifi_admin_me ## HotSpot LAN configuration # Table public_granted: contains granted users on Radius pass in log quick on $if_int from to any keep state pass in log quick on $if_wifi from to any keep state # Finally block & log everything block in log from any to any Laurent LEVIER Systems & Networks Senior Security Expert, CISSP CISM From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 09:50:21 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 
4DC9016A474 for ; Thu, 5 Jul 2007 09:50:21 +0000 (UTC) (envelope-from pergesu@gmail.com) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.239]) by mx1.freebsd.org (Postfix) with ESMTP id 1090B13C48A for ; Thu, 5 Jul 2007 09:50:20 +0000 (UTC) (envelope-from pergesu@gmail.com) Received: by wx-out-0506.google.com with SMTP id i29so1466429wxd for ; Thu, 05 Jul 2007 02:50:20 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=ldpKs3aYLoPSrBRf0DwIPfjUbUydaoePhMr/6niCXK3z7xkaJdfcNe46DyQ/Z0KPHVsBYg7An4pjuc/+Nyg4Za4S/Z9ilFUTz7Hv/cGiYsrMCMdeUtpWPK0UiKKs3K+AHOUuh0Cv8b39W6OtG/PLyZaaq0IvgQYYxz5nUsq7PuQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=XqFsi8RaJXBQjpppth0ahk747VKqefMHtc0gZ+X+7AJfeDYQ+9OCKz7QswIPDq8E5rMM7gfGRpN1ihvnye49/6EXqXnZSoYCFUPhIpqMeL1TCOpTfgXYFczR495IDX3pzlanvgrbRFIeV6JVVlwoo/EzG7KP11TJPQo3cnSiR08= Received: by 10.78.153.17 with SMTP id a17mr4556920hue.1183627355203; Thu, 05 Jul 2007 02:22:35 -0700 (PDT) Received: by 10.78.200.15 with HTTP; Thu, 5 Jul 2007 02:22:35 -0700 (PDT) Message-ID: <810a540e0707050222s55a62641je0138e931832e86@mail.gmail.com> Date: Thu, 5 Jul 2007 03:22:35 -0600 
From: "Pat Maddox" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Losing connections/performance with PF turned on X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2007 09:50:21 -0000 We're doing some stress testing on our server, and noticed that when we turn PF on, we lose connections and have a drastic reduction in performance. We used SIEGE for 120 seconds, 50 connections, on req/conn Firewall On: Num Users: 50 Availability: 97.23 % Transaction rate: 58.02 trans/sec Concurrency: 3.80 Successful: 6994 Failed: 198 Longest Req: 9.06s Firewall Off: Num Users: 50 Availability: 100 % Transaction rate: 94.62 trans/sec Concurrency: 1.76 Successful: 11342 Failed: 0 Longest Req: 0.51s You'll notice that with the firewall off, we don't lose any connections. We also have a 60% increase in tx/sec, and the longest request takes 1/20 of the time. I've included my complete pf.conf file, hopefully something will jump out at someone. 
Thanks, Pat # ------- pf.conf skeleton for server # # --------------- MACRO Section ----------------- EXT_IF="em0" PING = "echoreq" # --- allowed incoming services initiated by clients TCP_IN = "{ http, 8080, nrpe }" #UDP_IN = "{ }" SSH_IN = "{ xxx.xxx.xxx.xxx }" # --- allowed services initiated by server TCP_OUT = "{ ssh, smtp, domain, ntp, 3690, 2222, http, ftp, 29125 }" UDP_OUT = "{ domain, ntp }" ORIGINS = "{ xxx.xxx.xxx.xxx }" # ------------------ TABLE Section -------------- # ------------------ OPTIONS Section set loginterface $EXT_IF set block-policy return # --------- TRAFFIC NORMALIZATION ---------------- scrub in all antispoof for $EXT_IF # ---------- TRANSLATION Section (NAT/RDR) # ---------- FILTER section # --- DEFAULT POLICY block log all # --- LOOPBACK pass quick on lo0 all # --- BRUTE FORCE TABLE table persist block quick from # ======================= INCOMING ================ # ----------- EXTERNAL INTERFACE # --- TCP pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state # Allow postgres connection from db server pass in quick on $EXT_IF inet proto tcp from xxx.xxx.xxx.xxx to $EXT_IF port 5432 flags S/SA keep state # --- SSH with brute force blocking pass in quick on $EXT_IF inet proto { tcp, udp } from any to $SSH_IN port ssh flags S/SA keep state (max-src-conn 25, max-src-conn-rate 5/3, overload flush global) # --- UDP #pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state # --- ICMP pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state # ======================= OUTGOING ================ # ----------- EXTERNAL INTERFACE # --- TCP pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state # Allow postgres connection to db server pass out quick on $EXT_IF inet proto tcp from $EXT_IF to xxx.xxx.xxx.xxx port 5432 flags S/SA keep state # Allow any connection to uploaders pass out quick on $EXT_IF inet proto 
tcp from $EXT_IF to $ORIGINS flags S/SA keep state # --- UDP pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state # --- ICMP pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state # ----------------- end of pf.conf From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 10:16:46 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 35D0D16A421 for ; Thu, 5 Jul 2007 10:16:46 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.149.33.74]) by mx1.freebsd.org (Postfix) with ESMTP id F3A2C13C469 for ; Thu, 5 Jul 2007 10:16:41 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local (unknown [62.3.210.250]) by smtp.nildram.co.uk (Postfix) with ESMTP id D673755DB2 for ; Thu, 5 Jul 2007 11:15:58 +0100 (BST) 
From: "Greg Hennessy" To: "'Pat Maddox'" , References: <810a540e0707050222s55a62641je0138e931832e86@mail.gmail.com> In-Reply-To: <810a540e0707050222s55a62641je0138e931832e86@mail.gmail.com> Date: Thu, 5 Jul 2007 11:15:55 +0100 Message-ID: <000301c7beed$79583920$6c08ab60$@Hennessy@nviz.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Ace+63TUrcMSYO8dTve7DSRhdYXV/AAARByg Content-Language: en-gb X-Antivirus: avast! (VPS 000754-1, 04/07/2007), Outbound message X-Antivirus-Status: Clean Cc: Subject: RE: Losing connections/performance with PF turned on X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2007 10:16:46 -0000 > > We're doing some stress testing on our server, CPU ? Memory ? > and noticed that when > we turn PF on, we lose connections and have a drastic reduction in > performance. > > We used SIEGE for 120 seconds, 50 connections, on req/conn > [snip] > # --- DEFAULT POLICY > block log all > What drops are you seeing in the firewall logs for the missing connections ? Are you monitoring the number of entries in the state table with pfctl -si ? The default is iirc 10k, a benchmarking tool can easily chew through this. 
Greg From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 13:12:03 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id EF03C16A469 for ; Thu, 5 Jul 2007 13:12:02 +0000 (UTC) (envelope-from linux@giboia.org) Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.190]) by mx1.freebsd.org (Postfix) with ESMTP id 7526913C48C for ; Thu, 5 Jul 2007 13:11:59 +0000 (UTC) (envelope-from linux@giboia.org) Received: by mu-out-0910.google.com with SMTP id w9so2733500mue for ; Thu, 05 Jul 2007 06:11:58 -0700 (PDT) Received: by 10.82.174.20 with SMTP id w20mr20163401bue.1183641118400; Thu, 05 Jul 2007 06:11:58 -0700 (PDT) Received: by 10.82.134.16 with HTTP; Thu, 5 Jul 2007 06:11:58 -0700 (PDT) Message-ID: <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com> Date: Thu, 5 Jul 2007 10:11:58 -0300 
From: "Gilberto Villani Brito" To: "FreeBSD (PF)" In-Reply-To: <20070705062546.BF688267E13@mx.levier.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20070705062546.BF688267E13@mx.levier.org> Subject: Re: Issue with PF on FreeBSD 6.2.5? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2007 13:12:03 -0000 On 05/07/07, Laurent LEVIER wrote: > Hi All, > > I am currently setting up a ChilliSpot server using the conup/condown command. > Since the LAN will also be publicly available, I am using Chilli as UAM. > > These con* scripts are launched with additional arguments (IP > address, device) when a user is authenticated ont he HotSpot > This way, I can update firewall rules dynamically to allow the > authenticated user to pass...or to no longer pass when session is over. > > Apparently, best way to solve this with pf is to use tables, since an > anchor permits to add a rule, but not to delete the added rule (at > least I did not find how to). > > But it seems it does not fully work for me. > If you read at my pf.conf file at the end of this email, you will see > I created a table "public_granted" that is associated with 2 rules: > 1) a rdr to redirect to Squid transparently (rule is before the one > redirecting transparently to Chilli authentication server) > 2) a pass in quick rule to allow new user to pass through. > > The problem I have is: > - When the public_granted table is updated with a new IP address, pf > let the user pass through. > - But when I delete this @IP from the table, pf keeps allowing the > user to pass through. > > I appreciate all advices to help me solving this weird situation. 
> > Thanks in advance > > My pf.conf: > ### Options > # pf configuration > set block-policy return > set state-policy if-bound > > # localhost > set skip on lo0 > > ### Declarations > # Interface declaration > if_ext="nve0" # Internet Interface > if_int="bge0" # Public access Interface > if_wifi="tun0" # WiFi Hotspot Interface > > # Subnets declaration > net_public= "192.168.254.0/24" > net_wifi_admin="192.168.253.252/30" > > # IP declaration > ip_ext_me="192.168.0.100" > ip_wifi_me="192.168.254.1" > ip_wifi_admin_me="192.168.253.253" > ip_hotspot="192.168.253.254" > > ### Tables! > table > > ### Redirections > # Squid redirection for authenticated users on Public > rdr on $if_int proto tcp from to 0.0.0.0/0 port 80 > -> localhost port 8080 > rdr on $if_wifi proto tcp from to 0.0.0.0/0 port 80 > -> localhost port 8080 > # Authentication portal for Public > rdr on $if_int proto tcp from $net_public to any port 80 -> > $ip_wifi_me port 3990 > rdr on $if_wifi proto tcp from $net_public to any port 80 -> > $ip_wifi_me port 3990 > > ### NAT > # Public to me on Internet side > nat on $if_ext from $net_public to any -> $ip_ext_me > > ### Filtering > # Hotspot is a typical network client > pass out quick from any to any keep state > > # Who can admin me? 
> pass in log quick on $if_ext proto tcp from any to $ip_ext_me port = 22 > > ## Logs from Public access side > # Syslog from access point sent to me > pass in log quick on $if_int proto udp from $ip_hotspot to > $ip_wifi_admin_me port = 514 > > # DHCP > pass in log quick on $if_int proto udp from $net_public to > $ip_wifi_me port = 67 > pass in log quick on $if_int proto udp from $net_public to > $ip_wifi_me port = 68 > > # DNS for Public > pass in log quick on $if_int proto tcp from $net_public to > $ip_wifi_me port = 53 > pass in log quick on $if_int proto udp from $net_public to > $ip_wifi_me port = 53 > # DNS for WiFi > pass in log quick on $if_wifi proto tcp from $net_public to > $ip_wifi_me port = 53 > pass in log quick on $if_wifi proto udp from $net_public to > $ip_wifi_me port = 53 > > # Authentication portal for Public > pass in log quick on $if_int proto tcp from $net_public to > $ip_wifi_me port = 3990 > pass in log quick on $if_int proto tcp from $net_public to > $ip_wifi_me port = 443 > # Authentication portal for Wifi > pass in log quick on $if_wifi proto tcp from $net_public to > $ip_wifi_me port = 3990 > pass in log quick on $if_wifi proto tcp from $net_public to > $ip_wifi_me port = 443 > > # Ping is granted to authenticated users (public_granted table) > pass in log quick on $if_wifi proto icmp from to > $ip_wifi_me keep state > > # Closing rule for Public & WiFi > block in log quick from any to $ip_wifi_me > block in log quick from any to $ip_wifi_admin_me > > ## HotSpot LAN configuration > # Table public_granted: contains granted users on Radius > pass in log quick on $if_int from to any keep state > pass in log quick on $if_wifi from to any keep state > > # Finally block & log everything > block in log from any to any > > Laurent LEVIER > Systems & Networks Senior Security Expert, CISSP CISM > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To 
unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > Hi Laurent, I have the same problem, but this is because PF works with sessions, on end of a session it will block the next session. -- Gilberto Villani Brito System Administrator Londrina - PR Brazil gilbertovb(a)gmail.com From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 14:41:57 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8E58816A41F for ; Thu, 5 Jul 2007 14:41:57 +0000 (UTC) (envelope-from fox@verio.net) Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net [129.250.36.42]) by mx1.freebsd.org (Postfix) with ESMTP id 6497713C44B for ; Thu, 5 Jul 2007 14:41:57 +0000 (UTC) (envelope-from fox@verio.net) Received: from [129.250.36.64] (helo=dfw-mmp4.email.verio.net) by dfw-smtpout2.email.verio.net with esmtp id 1I6SWq-00012u-H4 for freebsd-pf@freebsd.org; Thu, 05 Jul 2007 14:41:56 +0000 Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp4.email.verio.net with esmtp id 1I6SWq-00057S-Ds for freebsd-pf@freebsd.org; Thu, 05 Jul 2007 14:41:56 +0000 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id AFE338E296; Thu, 5 Jul 2007 09:41:55 -0500 (CDT) Date: Thu, 5 Jul 2007 09:41:55 -0500 
From: David DeSimone To: freebsd-pf@freebsd.org Message-ID: <20070705144155.GA3490@verio.net> References: <20070705062546.BF688267E13@mx.levier.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed Content-Disposition: inline In-Reply-To: <20070705062546.BF688267E13@mx.levier.org> User-Agent: Mutt/1.5.9i Subject: Re: Issue with PF on FreeBSD 6.2.5? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2007 14:41:57 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Laurent LEVIER wrote: > > The problem I have is: > - When the public_granted table is updated with a new IP address, pf > let the user pass through. > - But when I delete this @IP from the table, pf keeps allowing the > user to pass through. PF always examines its state table before evaluating rules, so once a state entry is created you must clear it in order to stop communications on that open connection. See pfctl(1) specifically -k option: -k host Kill all of the state entries originating from the specified host. A second -k host option may be specified, which will kill all the state entries from the first host to the second host. For example, to kill all of the state entries originating from host: # pfctl -k To kill all of the state entries from host1 to host2: # pfctl -k -k - -- David DeSimone == Network Admin == fox@verio.net "It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous. 
-- Robert Benchley -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFGjQMzFSrKRjX5eCoRArigAJ9dstUkt5Ycb6qGA/SvTMhfloPAIQCfUScp NQ7qEjoSmwK/Zehm+Ltiv58= =5j5D -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 15:06:28 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D60BE16A400 for ; Thu, 5 Jul 2007 15:06:28 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.freebsd.org (Postfix) with ESMTP id 6C01713C43E for ; Thu, 5 Jul 2007 15:06:28 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.38.139] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis), id 0MKwtQ-1I6SuJ3HeA-0003OP; Thu, 05 Jul 2007 17:06:25 +0200 
From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Thu, 5 Jul 2007 17:08:17 +0200 User-Agent: KMail/1.9.7 References: <810a540e0707050222s55a62641je0138e931832e86@mail.gmail.com> In-Reply-To: <810a540e0707050222s55a62641je0138e931832e86@mail.gmail.com> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1387552.7bBZdNJTva"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200707051708.24137.max@love2party.net> X-Provags-ID: V01U2FsdGVkX191pwevU/AJiXSjCpMgWOaltDgKkGv4FA8OOwJ flugpZA16Tp6tv7OPGNMe7jxJFL6xtoF6aXMugeF5UvvFa+hwJ v4xf7LX1rwQSC74xrjqgydbR4XKVz2u3szhK8aMDgU= Cc: Subject: Re: Losing connections/performance with PF turned on X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2007 15:06:28 -0000 --nextPart1387552.7bBZdNJTva Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thursday 05 July 2007, Pat Maddox wrote: > We're doing some stress testing on our server, and noticed that when > we turn PF on, we lose connections and have a drastic reduction in > performance. My guess would be that you are exhausting the ephemeral port range of the=20 querying box. pf has quite strict (maybe too strict) enforcement of the=20 TIME_WAIT silence periode. There are several ways to work around this=20 (which only is a problem while benchmarking): - use shorter state timeouts. 
"tcp.closed" in particular - increase the ephemeral port range on the query node net.inet.ip.portrange.[hi]{last,first} see ip(4) for details. - Use a more realistic benchmark (i.e. coming from more than one IP) In order to verify that this is indeed the problem look for state-mismatch= =20 counter increases in the "pfctl -si" output or debug messages on the=20 console while running with "pfctl -xm". > We used SIEGE for 120 seconds, 50 connections, on req/conn > > Firewall On: > > Num Users: 50 > Availability: 97.23 % > Transaction rate: 58.02 trans/sec > Concurrency: 3.80 > Successful: 6994 > Failed: 198 > Longest Req: 9.06s > > Firewall Off: > > Num Users: 50 > Availability: 100 % > Transaction rate: 94.62 trans/sec > Concurrency: 1.76 > Successful: 11342 > Failed: 0 > Longest Req: 0.51s =2E.. =2D-=20 =46reeBSD Status reports due: 07/07/07 :-) /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1387552.7bBZdNJTva Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. 
From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 17:23:34 2007
Date: Thu, 05 Jul 2007 18:43:40 +0200
From: Laurent LEVIER
To: "Gilberto Villani Brito"
Cc: "FreeBSD (PF)"
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-Id: <20070705164343.3F2E7267F61@mx.levier.org>
In-Reply-To: <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com>
References: <20070705062546.BF688267E13@mx.levier.org> <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com>

At 15:11 05/07/2007, Gilberto Villani Brito wrote:
>Hi Laurent,

Hi Gilberto,

>I have the same problem, but this is because PF works with sessions,
>on end of a session it will block the next session.

Agree, but it is not acceptable. Can you imagine a tunnel set up on the access? The user could remain connected for years. When I pfctl -k the host, it does not help.

Brgrds

Laurent LEVIER
Systems & Networks Senior Security Expert, CISSP CISM

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 18:10:17 2007
Date: Thu, 5 Jul 2007 17:17:45 +0200 (CEST)
From: "Laurent LEVIER"
To: "David DeSimone"
Cc: freebsd-pf@freebsd.org
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-ID: <46706.57.250.229.136.1183648665.squirrel@wm.argosnet.com>
In-Reply-To: <20070705144155.GA3490@verio.net>
References: <20070705062546.BF688267E13@mx.levier.org> <20070705144155.GA3490@verio.net>

> PF always examines its state table before evaluating rules, so once a
> state entry is created you must clear it in order to stop communications
> on that open connection.
>
> See pfctl(1) specifically -k option:
>
>     -k host
>
>             Kill all of the state entries originating from the specified
>             host. A second -k host option may be specified, which will kill
>             all the state entries from the first host to the second host.
>             For example, to kill all of the state entries originating from
>             host:
>
>                   # pfctl -k
>
>             To kill all of the state entries from host1 to host2:
>
>                   # pfctl -k -k

Hi David,

Thanks for your input. However, I tested this and it did not help :-(

Brgrds

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 19:55:26 2007
Date: Thu, 5 Jul 2007 13:55:24 -0600
From: "Pat Maddox"
To: "Greg Hennessy"
Cc: freebsd-pf@freebsd.org
Subject: Re: Losing connections/performance with PF turned on
Message-ID: <810a540e0707051255w269b7362g576bce5695ba76ab@mail.gmail.com>
In-Reply-To: <-7932512891363606358@unknownmsgid>
References: <810a540e0707050222s55a62641je0138e931832e86@mail.gmail.com> <-7932512891363606358@unknownmsgid>

On 7/5/07, Greg Hennessy wrote:
> > We're doing some stress testing on our server,
>
> CPU ? Memory ?

Xeon 3060 (dual core @ 2.4 Ghz)
2 gigs of ram

> > and noticed that when
> > we turn PF on, we lose connections and have a drastic reduction in
> > performance.
> >
> > We used SIEGE for 120 seconds, 50 connections, on req/conn
> >
> > [snip]
>
> > # --- DEFAULT POLICY
> > block log all
> >
>
> What drops are you seeing in the firewall logs for the missing connections ?

I'm not very familiar with pf at this point. Here's a snippet of the log:

pat@~: sudo tcpdump -n -e -ttt -r /var/log/pflog | grep CLIENT
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
281. 491774 rule 2/0(match): block in on em0: CLIENT.56441 > SERVER.80: . ack 3842266997 win 5080
000117 rule 2/0(match): block in on em0: CLIENT.56456 > SERVER.80: P 3759758688:3759758883(195) ack 769179073 win 1460
000007 rule 2/0(match): block in on em0: CLIENT.56442 > SERVER.80: . ack 2278771587 win 5804
000005 rule 2/0(match): block in on em0: CLIENT.56442 > SERVER.80: F 0:0(0) ack 628 win 5804
000111 rule 2/0(match): block in on em0: CLIENT.56437 > SERVER.80: . ack 21684384 win 2184

> Are you monitoring the number of entries in the state table with pfctl -si ?
> The default is iirc 10k, a benchmarking tool can easily chew through this.
>
> Greg

I reran the benchmarks and monitored the # of entries, we hit 10k pretty quickly. Kept upping it until we got to 35k which is where we stopped seeing any returns. We still dropped some connections (99.6% of requests came back successfully), and the throughput was 3.4 Mbps as opposed to the 9.8 Mbps we get with the firewall off.

I'll be doing a lot more testing over the next few days, so I'll have better info in a couple days...but if you can shed any light on this I'd really appreciate it.

Pat

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 6 00:30:52 2007
Date: Thu, 5 Jul 2007 19:30:51 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-ID: <20070706003051.GC3557@verio.net>
In-Reply-To: <20070705164343.3F2E7267F61@mx.levier.org>
References: <20070705062546.BF688267E13@mx.levier.org> <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com> <20070705164343.3F2E7267F61@mx.levier.org>

Laurent LEVIER wrote:
>
> When I pfctl -k the host, it does not help.

Do you mean that you checked the session table (pfctl -ss) before and after running the pfctl -k command, and you find that the session is not removed?

--
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was
   too famous."  -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 6 04:29:43 2007
Date: Fri, 06 Jul 2007 06:28:56 +0200
To: David DeSimone
From: Laurent LEVIER
Cc: freebsd-pf@freebsd.org
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-Id: <20070706042859.C3808267E14@mx.levier.org>
In-Reply-To: <20070706003051.GC3557@verio.net>
References: <20070705062546.BF688267E13@mx.levier.org> <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com> <20070705164343.3F2E7267F61@mx.levier.org> <20070706003051.GC3557@verio.net>

At 02:30 06/07/2007, David DeSimone wrote:
>Do you mean that you checked the session table (pfctl -ss) before and
>after running the pfctl -k command, and you find that the session is not
>removed?

Nope, I did not check that one. I'll test with this additional test.

Still wondering what to do if the host keeps being in the list. I can't endlessly do a -k while the host does not disappear...

Thanks for this one!!

Brgrds

Laurent LEVIER
Systems & Networks Senior Security Expert, CISSP CISM

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 6 06:50:44 2007
Date: Fri, 6 Jul 2007 01:50:36 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-ID: <20070706065036.GA3771@verio.net>
In-Reply-To: <20070706042859.C3808267E14@mx.levier.org>
References: <20070705062546.BF688267E13@mx.levier.org> <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com> <20070705164343.3F2E7267F61@mx.levier.org> <20070706003051.GC3557@verio.net> <20070706042859.C3808267E14@mx.levier.org>

Laurent LEVIER wrote:
>
> Still wondering what to do if the host keeps being in the list.
> I can't endlessly do a -k while the host does not disappear...

What might be happening is that the initial packet passing through PF is going in the opposite direction than expected. This establishes the state with the source/destination reversed.

pfctl -k removes state entries by destination IP. If the state entry has your target IP as the source, you have to use the "-k -k" option, where you specify both source and destination IP's to be removed.

There is probably a good way to integrate this into your scripts so that you don't have to perform the state removal manually; it can be done by the same script that is removing anchors from PF policy and such.

--
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was
   too famous."  -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 6 19:15:56 2007
Date: Fri, 06 Jul 2007 21:15:16 +0200
To: David DeSimone, "Scott Ullrich"
From: Laurent LEVIER
Cc: freebsd-pf@freebsd.org
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-Id: <20070706191519.6118A267E18@mx.levier.org>
In-Reply-To: <20070706003051.GC3557@verio.net>
References: <20070705062546.BF688267E13@mx.levier.org> <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com> <20070705164343.3F2E7267F61@mx.levier.org> <20070706003051.GC3557@verio.net>

Hi All,

At 02:30 06/07/2007, David DeSimone wrote:
>Do you mean that you checked the session table (pfctl -ss) before and
>after running the pfctl -k command, and you find that the session is not
>removed?

First, thanks for your help.

I finally found the issue... I was pinging a host indefinitely to check barring. Apparently, UDP & TCP are really blocked right after the pfctl -k, but ICMP ping (a ping -t from Windoze) keeps working.

Whatever I attempted to do, I did not succeed in setting up a real barring on all ports & protocols. I must now check some other weird protocols such as AH/ESP to ensure the HotSpot really bars traffic properly.

Brgrds

Laurent LEVIER
Systems & Networks Senior Security Expert, CISSP CISM

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 6 20:40:20 2007
From: "Greg Hennessy"
To: "'Pat Maddox'"
Cc: freebsd-pf@freebsd.org
Subject: RE: Losing connections/performance with PF turned on
Date: Fri, 6 Jul 2007 21:40:17 +0100
Message-ID: <000d01c7c00d$dcb6e4f0$9624aed0$@Hennessy@nviz.net>
In-Reply-To: <810a540e0707051255w269b7362g576bce5695ba76ab@mail.gmail.com>
References: <810a540e0707050222s55a62641je0138e931832e86@mail.gmail.com> <-7932512891363606358@unknownmsgid> <810a540e0707051255w269b7362g576bce5695ba76ab@mail.gmail.com>

> > > We're doing some stress testing on our server,
> >
> > CPU ? Memory ?
>
> Xeon 3060 (dual core @ 2.4 Ghz)
> 2 gigs of ram

That's got more than enough grunt, intel gig-e nics, a good recipe for PF success.

> I'm not very familiar with pf at this point.

It won't take you long, it's very intuitive and more importantly easy to work on after spending time away from a policy.

> Here's a snippet of the log:
>
> pat@~: sudo tcpdump -n -e -ttt -r /var/log/pflog | grep CLIENT
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 281. 491774 rule 2/0(match): block in on em0: CLIENT.56441 > SERVER.80: . ack 3842266997 win 5080
> 000117 rule 2/0(match): block in on em0: CLIENT.56456 > SERVER.80: P 3759758688:3759758883(195) ack 769179073 win 1460
> 000007 rule 2/0(match): block in on em0: CLIENT.56442 > SERVER.80: . ack 2278771587 win 5804
> 000005 rule 2/0(match): block in on em0: CLIENT.56442 > SERVER.80: F 0:0(0) ack 628 win 5804
> 000111 rule 2/0(match): block in on em0: CLIENT.56437 > SERVER.80: . ack 21684384 win 2184

Hmmm, rule number two, it's not the default block which is catching these. The default block would match as rule 0/0.

What's rule 2 as outputted by pfctl -vvsr ?

If I am reading your policy correctly, that's the bruteforce block. Which should only match against SSH not 80/tcp traffic.

I would also replace

# --- LOOPBACK
pass quick on lo0 all

with

set skip on lo0

> I reran the benchmarks and monitored the # of entries, we hit 10k
> pretty quickly. Kept upping it until we got to 35k which is where we
> stopped seeing any returns. We still dropped some connections (99.6%
> of requests came back successfully), and the throughput was 3.4 Mbps as
> opposed to the 9.8 Mbps we get with the firewall off.

Can you repeat the test with scrub commented out ?

I've seen scrub cause about a 10-15% hit on throughput, but that was ~800meg/sec versus > 900 meg/sec through multiple em using iperf on a single 2.4 ghz opteron running 6.0.

> I'll be doing a lot more testing over the next few days, so I'll have
> better info in a couple days...but if you can shed any light on this
> I'd really appreciate it.

Are the drop logs still matching the same entry after increasing the size of the state table ?

As Max has said previously, you could well be hitting a 2MSL issue with the benchmark hardware.

Greg

> Pat
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
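Greg's triage of Pat's pflog snippet (which rule is matching, and whether the blocked packets are fresh connection attempts or mid-stream packets pf has lost state for) can be scripted. The following shell function is an added example, not code from the thread: it reads the text produced by `tcpdump -n -e -ttt -r /var/log/pflog` on stdin and tallies block entries by rule number, direction and TCP-flag class; the sample lines are constructed with RFC 5737 documentation addresses in place of CLIENT/SERVER, and the function also accepts the newer `Flags [P.]` tcpdump syntax, which the thread's snippet does not use.

```shell
#!/bin/sh
# Added example (not from the thread): triage pflog block entries.
# Input: `tcpdump -n -e -ttt -r /var/log/pflog` text, one packet per line.
# Output: one line per (rule, direction, class) with a count, where
#   new-conn   = TCP SYN seen, so the rule rejected a fresh connection
#                (a policy decision)
#   mid-stream = ACK/PSH/FIN without SYN, i.e. a packet for a connection
#                pf has no state for (state table full, state expired,
#                or an asymmetric path)
#   non-tcp    = anything else (udp, icmp, ...)
pflog_summary() {
    awk '
        /rule [0-9]+\/[0-9]+\(match\): block/ {
            rule = ""; dir = ""; flags = ""
            for (i = 1; i <= NF; i++) {
                # "rule 2/0(match):" -> rule number is the part before "/"
                if ($i == "rule") { split($(i + 1), r, "/"); rule = r[1] }
                # "block in on em0:" -> direction follows "block"
                if ($i == "block") dir = $(i + 1)
                # "CLIENT.56441 > SERVER.80: . ack ..." -> the token after
                # the destination is the flag field ("." means none);
                # newer tcpdump prints "Flags [P.]," instead
                if ($i == ">") {
                    flags = $(i + 2)
                    if (flags == "Flags") {
                        flags = $(i + 3); gsub(/\[|\]|,/, "", flags)
                    }
                }
            }
            if (flags ~ /^[SFRPUEWC.]+$/)
                cls = (index(flags, "S") > 0) ? "new-conn" : "mid-stream"
            else
                cls = "non-tcp"
            n[rule " " dir " " cls]++
        }
        END {
            for (k in n) {
                split(k, f, " ")
                print "rule=" f[1] " dir=" f[2] " class=" f[3] " count=" n[k]
            }
        }' | sort
}

# Constructed sample in the layout of the thread's snippet (not real
# traffic): three mid-stream packets hitting rule 2, one SYN and one UDP
# datagram hitting the default rule 0.
PFLOG_SAMPLE='reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
000117 rule 2/0(match): block in on em0: 198.51.100.7.56456 > 192.0.2.10.80: P 3759758688:3759758883(195) ack 769179073 win 1460
000007 rule 2/0(match): block in on em0: 198.51.100.7.56442 > 192.0.2.10.80: . ack 2278771587 win 5804
000005 rule 2/0(match): block in on em0: 198.51.100.7.56442 > 192.0.2.10.80: F 0:0(0) ack 628 win 5804
000111 rule 0/0(match): block in on em0: 198.51.100.9.40001 > 192.0.2.10.22: S 1000:1000(0) win 65535
000042 rule 0/0(match): block in on em0: 198.51.100.9.514 > 192.0.2.10.514: udp 33'

# Demonstration on the sample; on a live box use:
#   tcpdump -n -e -ttt -r /var/log/pflog | pflog_summary
printf '%s\n' "$PFLOG_SAMPLE" | pflog_summary
```

A high mid-stream count on a non-default rule, as in Pat's log, points at lost or never-created state rather than at the policy itself, so the next checks are the state-table limit in `pfctl -si` and the rule text from `pfctl -vvsr`.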
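David DeSimone's advice in the "Issue with PF on FreeBSD 6.2.5?" thread above (check `pfctl -ss` before and after, clear state in both directions, and script it instead of running `pfctl -k` by hand) as an added shell example, not code from the thread or from FreeBSD. It assumes IPv4 addresses, that `pfctl` is in PATH or named by `$PFCTL`, and it uses `0.0.0.0/0` as the "from anywhere" source in the two-host form of `-k` to reach the states where the barred host is the destination; the `pfctl -ss` parsing runs on a constructed sample so the check can be exercised without a live pf.

```shell
#!/bin/sh
# Added example (not from the thread): bar a host by clearing its pf
# state entries in BOTH directions, then verify with pfctl -ss.
# Assumptions: IPv4 addresses; pfctl in PATH (override with $PFCTL).
PFCTL="${PFCTL:-pfctl}"

# Filter `pfctl -ss` text (stdin) down to the entries that involve $1,
# whether it appears as source or destination. Handles the layouts
# "src -> dst", "dst <- src" and NAT "src (orig) -> dst" by stripping
# ":port" and parentheses from every token before comparing.
states_for_host() {
    awk -v h="$1" '
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                gsub(/[()]/, "", tok)
                sub(/:[0-9]+$/, "", tok)
                if (tok == h) { print; next }
            }
        }'
}

# Count what states_for_host prints; always emits a number, so it is
# safe to use under `set -e`.
count_states_for_host() {
    states_for_host "$1" | awk 'END { print NR }'
}

# pfctl(8): "-k host" kills states originating from host; "-k h1 -k h2"
# kills states from h1 to h2. The reversed-direction case David describes
# (barred host is the destination) needs the second form, with 0.0.0.0/0
# standing in for "any source".
kill_host_states() {
    "$PFCTL" -k "$1" && "$PFCTL" -k 0.0.0.0/0 -k "$1"
}

# Return 0 when no state involving the host remains after the kill.
verify_no_states() {
    left=$("$PFCTL" -ss 2>/dev/null | count_states_for_host "$1")
    [ "$left" -eq 0 ]
}

# Constructed sample of `pfctl -ss` output (not from a real system):
# two states originated by 10.1.1.5, one where 10.1.1.5 is the
# destination (the "<-" layout that plain "-k 10.1.1.5" would miss), and
# one unrelated host.
PFSS_SAMPLE='all tcp 10.1.1.5:54321 -> 192.0.2.10:80       ESTABLISHED:ESTABLISHED
all icmp 10.1.1.5:1 -> 192.0.2.10:1       0:0
all tcp 10.1.1.5:22 <- 192.0.2.44:40000       ESTABLISHED:ESTABLISHED
all udp 10.1.1.7:5353 -> 224.0.0.251:5353       SINGLE:NO_TRAFFIC'

# Dry run on the sample: every entry that must be gone after barring.
printf '%s\n' "$PFSS_SAMPLE" | states_for_host 10.1.1.5
# Live use (root, pf enabled):
#   kill_host_states 10.1.1.5 && verify_no_states 10.1.1.5
```

Killing states only stops the connections that already exist; if the ruleset still passes the host (Laurent's surviving ICMP echo is the symptom), new states are created on the next packet, so the block rule or table entry has to be in place before the kill.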