From owner-freebsd-pf@FreeBSD.ORG Mon Jul 16 11:08:27 2007
Date: Mon, 16 Jul 2007 11:08:26 GMT
Message-Id: <200707161108.l6GB8QTa018084@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker     Resp. Description
--------------------------------------------------------------------------------
o kern/111220 pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker     Resp. Description
--------------------------------------------------------------------------------
o kern/82271  pf    [pf] cbq scheduler cause bad latency
o kern/92949  pf    [pf] PF + ALTQ problems with latency
o kern/110698 pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker     Resp. Description
--------------------------------------------------------------------------------
o sparc/93530 pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825  pf    [pf] pf reply-to doesn't work
o kern/103304 pf    [pf] pf accepts nonexistent queue in rules
o kern/106400 pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174 pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838 pf    tagged parameter on nat not working on FreeBSD 5.2

6 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 17 21:42:52 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-arch@freebsd.org
Date: Tue, 17 Jul 2007 23:42:14 +0200
References: <20070717131518.G1177@fledge.watson.org>
In-Reply-To: <20070717131518.G1177@fledge.watson.org>
Message-Id: <200707172342.39082.max@love2party.net>
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Robert Watson, freebsd-pf@freebsd.org
Subject: Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0

[ Excess CC-list ... testers needed!!! ]

On Tuesday 17 July 2007, Robert Watson wrote:
> Dear all:
>
> This is a reminder e-mail that, in the very near future, Giant
> compatibility shims for network protocols will be removed.

<...>

> The *only* remaining case I am aware of where removing debug.mpsafenet
> presents an issue is credential-related firewall rules (uid, gid,
> jail). I am currently in an active e-mail discussion with the
> various firewall maintainers about how to address this issue; as the
> implementations of these rules violate the global lock order, deadlocks
> occur if debug.mpsafenet isn't set to 1, which causes Giant to act as a
> guard lock preventing parallel lock acquisition in the firewall.
> Hopefully we will have this resolved, in some form, soon.

What we really need right now is a real understanding of the problem (if
there even is any). So we would like to ask everybody who is able to
stress test user/group rules (in pf) or uid/gid/jail rules (in ipfw)
with debug.mpsafenet=1. It is normal that (in a WITNESS enabled kernel)
you get a LOR similar to 14-17 and 32 from [1]. Everything different to
those should be reported.

If you indeed get a deadlock, please let us know and provide as much
debugging information as you can. DDB's "ps", "show locks", "show
alllocks" would be perfect, but detailed information on how to repeat
would be a good start already.

Thanks a lot! If you are unable to provoke a deadlock, please let us know
as well. Include a few setup details (ruleset, SMP, special sysctl
settings ...) so we can look for patterns.

[1] http://sources.zabbadoz.net/freebsd/lor.html

-- 
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 17 22:04:44 2007
Message-ID: <469D3A23.5000809@elischer.org>
Date: Tue, 17 Jul 2007 14:52:35 -0700
From: Julian Elischer
To: Max Laier
References: <20070717131518.G1177@fledge.watson.org> <200707172342.39082.max@love2party.net>
In-Reply-To: <200707172342.39082.max@love2party.net>
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Robert Watson, freebsd-pf@freebsd.org, freebsd-arch@freebsd.org
Subject: Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0
Max Laier wrote:
> [ Excess CC-list ... testers needed!!! ]
>
> On Tuesday 17 July 2007, Robert Watson wrote:
>> Dear all:
>>
>> This is a reminder e-mail that, in the very near future, Giant
>> compatibility shims for network protocols will be removed.
>
> <...>
>
>> The *only* remaining case I am aware of where removing debug.mpsafenet
>> presents an issue is credential-related firewall rules (uid, gid,
>> jail). I am currently in an active e-mail discussion with the
>> various firewall maintainers about how to address this issue; as the
>> implementations of these rules violate the global lock order, deadlocks
>> occur if debug.mpsafenet isn't set to 1, which causes Giant to act as a
>> guard lock preventing parallel lock acquisition in the firewall.
>> Hopefully we will have this resolved, in some form, soon.
>
> What we really need right now is a real understanding of the problem (if
> there even is any). So we would like to ask everybody who is able to
> stress test user/group rules (in pf) or uid/gid/jail rules (in ipfw)
> with debug.mpsafenet=1. It is normal that (in a WITNESS enabled kernel)
> you get a LOR similar to 14-17 and 32 from [1]. Everything different to
> those should be reported.
>
> If you indeed get a deadlock, please let us know and provide as much
> debugging information as you can. DDB's "ps", "show locks", "show
> alllocks" would be perfect, but detailed information on how to repeat
> would be a good start already.
>
> Thanks a lot! If you are unable to provoke a deadlock, please let us know
> as well. Include a few setup details (ruleset, SMP, special sysctl
> settings ...) so we can look for patterns.

I've not seen a deadlock, only LOR warnings.

>
> [1] http://sources.zabbadoz.net/freebsd/lor.html
>

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 18 13:47:02 2007
Message-ID: <8e10486b0707180621q6a38d018u206ce9ee4fbbe10c@mail.gmail.com>
Date: Wed, 18 Jul 2007 10:21:14 -0300
From: "Alexandre Biancalana"
To: freebsd-pf@freebsd.org
Subject: Single IP failover without carpdev

Hi list,

I'm using 6-STABLE and need to do failover between 2 firewall machines,
but my Internet connection has just one valid IP address.

The CARP documentation describes that a carp interface is associated with
physical interfaces via IP address configuration. How can I associate a carp
interface with a physical interface without carpdev? Is there some patch that
ports this functionality from OpenBSD to 6-STABLE? When will it be available?

Thanks for any hints

Alexandre

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 18 21:42:57 2007
Message-ID: <469E8445.6080201@uffner.com>
Date: Wed, 18 Jul 2007 17:21:09 -0400
From: Tom Uffner
To: freebsd-pf@freebsd.org
Subject: pf and proxy arp

If I deploy a pf firewall on a network where the attached routers or hosts
can not or will not route the appropriate traffic to the firewall, then the
firewall must direct that traffic to itself by either binding the addresses
of devices behind it or by publishing proxy-arp for them. For various
reasons, binding the addresses either doesn't work or is very inconvenient.
That leaves me with proxy arp.

I have written rc.d scripts to publish proxy arp for all my non-NATed
addresses behind the firewall, and/or to read my pf.conf and proxy for all
the addresses that are the object of one or more translation rules at
startup. But two cases where this static approach becomes problematic are:
translation rules that are dynamically added & removed inside anchors, and
redundant CARP firewalls, where it is not obvious how the shell can
determine the shared MAC address of carpN, and presumably only the box with
the fastest heartbeat should be proxying unless it goes down.

I think the first case can be handled by adding an option to pfctl to add
(or delete) an appropriate pub entry in the arp cache any time it is called
to add/delete a translation rule, but I am at a bit of a loss for how to
handle the 2nd case cleanly. Would it cause contention if all the hosts
sharing an address via CARP were doing proxy arp for one or more other
addresses?

Comments? suggestions?

thanks,
tom

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 18 21:53:42 2007
Date: Wed, 18 Jul 2007 21:53:42 GMT
Message-Id: <200707182153.l6ILrglM084971@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/114567: [pf] LOR pf_ioctl.c + if.c

Old Synopsis: LOR pf_ioctl.c + if.c
New Synopsis: [pf] LOR pf_ioctl.c + if.c

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Jul 18 21:53:20 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=114567

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 19 08:18:11 2007
To: "Alexandre Biancalana"
In-Reply-To: <8e10486b0707180621q6a38d018u206ce9ee4fbbe10c@mail.gmail.com> (Alexandre Biancalana's message of "Wed, 18 Jul 2007 10:21:14 -0300")
References: <8e10486b0707180621q6a38d018u206ce9ee4fbbe10c@mail.gmail.com>
Organization: *BSD Users - Fanatics Dept.
From: Marko Lerota
Date: Thu, 19 Jul 2007 09:51:23 +0200
Message-ID: <867iow7rwk.fsf@zid.claresco.hr>
Cc: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev

"Alexandre Biancalana" writes:

> Hi list,
>
> I'm using 6-STABLE and need to do failover between 2 firewall machines,
> but my Internet connection has just one valid IP address.

And? This is the most usual config in almost any network :)
You can easily implement CARP on this.

> The CARP documentation describes that a carp interface is associated with
> physical interfaces via IP address configuration. How can I associate a carp
> interface with a physical interface without carpdev? Is there some patch that
> ports this functionality from OpenBSD to 6-STABLE? When will it be available?
-- 
One cannot sell the earth upon which the people walk
Tacunka Witco

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 19 13:48:47 2007
Date: Thu, 19 Jul 2007 06:22:05 -0700 (PDT)
From: Lorenz Helleis
To: freebsd-pf@freebsd.org
Message-ID: <957126.71438.qm@web53701.mail.re2.yahoo.com>
Subject: Session Limit

Hi...

I'm using PF and I would like to know how I can implement PF on a big
network, with more than 100.000 connections? I read that the limit of PF
is 100.000 sessions.. :(

Some idea??

Thank you

God bless you.

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 19 13:57:34 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 19 Jul 2007 15:56:58 +0200
References: <957126.71438.qm@web53701.mail.re2.yahoo.com>
In-Reply-To: <957126.71438.qm@web53701.mail.re2.yahoo.com>
Message-Id: <200707191557.07893.max@love2party.net>
Subject: Re: Session Limit

On Thursday 19 July 2007, Lorenz Helleis wrote:
> I'm using PF and I would like to know how I can implement PF on a big
> network, with more than 100.000 connections? I read that the limit
> of PF is 100.000 sessions.. :(

There is no limit on the number of sessions. The only limit is (kernel)
memory. In order to not panic there is an upper limit on states, but
that can be adjusted with "set limit states". Read pf.conf(5)

-- 
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News
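As an added example (not from the list thread, and not pf project code), the POSIX shell check below compares the "current entries" counter that pfctl -si reports with the "states hard limit" that pfctl -sm reports, which is the value "set limit states" controls. The pfctl output embedded in the script is constructed so it runs offline; on a live firewall the functions would be fed the real output of those two commands, and the 80% threshold is an assumed default.

```shell
#!/bin/sh
# Added example: how full is pf's state table relative to "set limit states"?
# SAMPLE_SI / SAMPLE_SM are constructed stand-ins for `pfctl -si` and
# `pfctl -sm` output so the script runs without pf present.

SAMPLE_SI='Status: Enabled for 12 days 03:11:42          Debug: Urgent

State Table                          Total             Rate
  current entries                    87321
  searches                       983212345          931.0/s
  inserts                          8712345            8.3/s
  removals                         8625024            8.2/s'

SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Number of states currently in the table (third field of "current entries").
state_count() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Hard limit on states, i.e. the effective "set limit states" value.
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Integer percentage of the state limit in use; 0 and failure if no limit found.
state_pct() {
    _cur=$(state_count "$1")
    _lim=$(state_limit "$2")
    [ "$_lim" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( _cur * 100 / _lim ))
}

# One-line verdict; exit status 1 above the threshold so a cron job or
# monitoring probe can act on it. Threshold defaults to 80 (assumed).
check_states() {
    _pct=$(state_pct "$1" "$2")
    _thresh=${3:-80}
    if [ "$_pct" -ge "$_thresh" ]; then
        echo "WARNING: pf state table at ${_pct}% of hard limit; raise 'set limit states' in pf.conf"
        return 1
    fi
    echo "OK: pf state table at ${_pct}% of hard limit"
    return 0
}

# Stand-alone run against the constructed samples (87% of 100000 -> WARNING).
check_states "$SAMPLE_SI" "$SAMPLE_SM" 80
echo "exit status: $?"
```

Raising "set limit states" only moves the ceiling; as Max says, kernel memory is the real bound, so the point of the check is to warn before the table fills and pf starts refusing new states.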
From owner-freebsd-pf@FreeBSD.ORG Thu Jul 19 20:05:24 2007
Date: Thu, 19 Jul 2007 15:05:16 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20070719200515.GA12028@verio.net>
References: <469E8445.6080201@uffner.com>
In-Reply-To: <469E8445.6080201@uffner.com>
Subject: Re: pf and proxy arp

Tom Uffner wrote:
>
> on redundant CARP firewalls where it is not obvious how the shell can
> determine the shared MAC address of carpN and presumably only the
> box with the fastest heartbeat should be proxying unless it goes down.

The MAC used for CARP interfaces is 00:00:5e:00:01:<vhid>, where the last
octet is the vhid for the interface. You should be able to simply configure
both firewalls to respond with the virtual MAC for any CARP interfaces. Any
ARP clients which ask will receive the same answer.

It should not be a problem that both firewalls respond to any arp request
since they are serving the same information.

-- 
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was too
   famous.  -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 02:50:02 2007
Message-ID: <8e10486b0707191950s2ffd4e89q7484181acba745be@mail.gmail.com>
Date: Thu, 19 Jul 2007 23:50:00 -0300
From: "Alexandre Biancalana"
To: freebsd-pf@freebsd.org
In-Reply-To: <867iow7rwk.fsf@zid.claresco.hr>
References: <8e10486b0707180621q6a38d018u206ce9ee4fbbe10c@mail.gmail.com> <867iow7rwk.fsf@zid.claresco.hr>
Subject: Re: Single IP failover without carpdev

On 7/19/07, Marko Lerota wrote:
>
> And? This is the most usual config in almost any network :)
> You can easily implement CARP on this.

Right! I think so too... let me show one example to clarify my doubt.

External IP: 192.168.1.2 netmask 255.255.255.252
Default Router: 192.168.1.1

How can I associate a carp interface with a physical interface without the
ifconfig carpdev option and without having more IPs available in the same
network as the carp interface?
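Tom Uffner's proxy-arp thread above (read pf.conf, publish a proxy ARP entry for every translated address) and David DeSimone's answer (the CARP virtual MAC is 00:00:5e:00:01:<vhid>) can be put together in one script. The following is an added example and is not code from either poster: the pf.conf text is constructed, it handles binat as well as rdr rules (more than the thread spells out), and it only prints the arp -s ... pub commands rather than running them.

```shell
#!/bin/sh
# Added example: derive the CARP virtual MAC for a vhid and generate
# "arp -s <addr> <mac> pub" commands for every public address that is the
# target of a translation rule. The pf.conf below is constructed.

SAMPLE_PFCONF='ext_if = "em0"
set skip on lo0
rdr on $ext_if proto tcp from any to 203.0.113.10 port 80 -> 10.0.0.10 port 80
rdr on $ext_if proto tcp from any to 203.0.113.11 -> 10.0.0.11
# binat on $ext_if from 10.0.0.12 to any -> 203.0.113.12
binat on $ext_if from 10.0.0.13 to any -> 203.0.113.13
pass in all'

# Virtual MAC of a CARP interface: 00:00:5e:00:01:<vhid>, vhid in 1..255.
carp_mac() {
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 255 ] || return 1
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# Public IPv4 addresses that translation rules answer for:
#   rdr   ... to <public> -> <internal>   (public address is the "to" operand)
#   binat ... from <internal> to any -> <public>  (public address follows "->")
# Comment lines are skipped; non-literal operands (any, $macro) are dropped.
proxy_targets() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "rdr" {
            for (i = 1; i < NF; i++) if ($i == "to") { print $(i+1); break }
            next
        }
        $1 == "binat" {
            for (i = 1; i < NF; i++) if ($i == "->") { print $(i+1); break }
        }' | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# Emit one published ARP entry per target, using the shared CARP MAC so both
# CARP peers give ARP clients the same answer.
proxy_arp_commands() {
    _mac=$(carp_mac "$2") || return 1
    proxy_targets "$1" | while read -r _ip; do
        printf 'arp -s %s %s pub\n' "$_ip" "$_mac"
    done
}

# Stand-alone run: vhid 5 is an assumed value for the example.
proxy_arp_commands "$SAMPLE_PFCONF" 5
```

Because both CARP peers answer with the same virtual MAC, running this on each box gives every ARP client the same answer, which is David's point about both firewalls responding. The dynamic-anchor case Tom raises is not covered: rules added inside anchors at run time never pass through this static pf.conf scan.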
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 10:40:02 2007
Date: Fri, 20 Jul 2007 11:17:39 +0100 (BST)
From: Robert Watson
To: Max Laier
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org, freebsd-arch@freebsd.org
Subject: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)

On Tue, 17 Jul 2007, Max Laier wrote:

> [ Excess CC-list ... testers needed!!! ]
>
> On Tuesday 17 July 2007, Robert Watson wrote:
>> Dear all:
>>
>> This is a reminder e-mail that, in the very near future, Giant
>> compatibility shims for network protocols will be removed.
>
> <...>
>
>> The *only* remaining case I am aware of where removing debug.mpsafenet
>> presents an issue is credential-related firewall rules (uid, gid, jail).
>> I am currently in an active e-mail discussion with the various firewall
>> maintainers about how to address this issue; as the implementations of
>> these rules violate the global lock order, deadlocks occur if
>> debug.mpsafenet isn't set to 1, which causes Giant to act as a guard lock
>> preventing parallel lock acquisition in the firewall. Hopefully we will
>> have this resolved, in some form, soon.
>
> What we really need right now is real understanding of the problem (if
> there even is any). So we would like to ask everybody who is able to
> stress test user/group rules (in pf) or uid/gid/jail rules (in ipfw) with
> debug.mpsafenet=1. It is normal that (in a WITNESS-enabled kernel) you get
> a LOR similar to 14-17 and 32 from [1]. Everything different to those
> should be reported.

So far I have had 0 (zero) reports of problems since this thread began.
Could people using uid/gid/jail rules with ipfw or pf on 7.x *please* try
running their firewalls without debug.mpsafenet -- ignore the witness
warnings and/or disable witness, and let us know if you experience
deadlocks. We're reaching the very end of the merge cycle for 7.0, and I
would really like to remove the Giant crutches (now effectively unused)
from the network stack so it's not part of the ABI/API, the code is
simplified and cleaned up, etc. We'll need to figure out the best way to
suppress these witness warnings without suppressing too many other things
still.
Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 15:13:31 2007
Date: Fri, 20 Jul 2007 17:13:30 +0200
From: "Dalibor Gudzic"
To: "Alexandre Biancalana"
Cc: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev

On 7/20/07, Alexandre Biancalana wrote:
>
> On 7/19/07, Marko Lerota wrote:
>
>> How can I associate a carp interface with a physical interface without
>> the ifconfig carpdev option and without having more IPs available in
>> the same network as the carp interface?

I'm not sure I understand you, but have you read the CARP section in the
pf FAQ? It says:

"CARP is the Common Address Redundancy Protocol. Its primary purpose is to
allow multiple hosts on the same network segment to share an IP address."
http://www.openbsd.org/faq/pf/carp.html

I think you think that one must have two IP addresses to get redundant
failover firewalls with Carp?
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 17:37:30 2007
Date: Fri, 20 Jul 2007 12:37:22 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev
Dalibor Gudzic wrote:
>
> http://www.openbsd.org/faq/pf/carp.html
>
> I think You think that one must have two IP addresses to get redundant
> failover firewalls with Carp?

That is OpenBSD's documentation you are referring to, but this is FreeBSD
we are talking about. The implementation is not the same.

In order for CARP to be effective, it must send out hello packets on a
particular interface. Under OpenBSD, I believe there is a "carpdev" option
for ifconfig, which allows you to set the interface explicitly. However,
FreeBSD's implementation (at least in 6.x where I'm familiar with it) is
missing that option. Instead, the interface is chosen by matching the IP
address of the carp interface to the same subnet as the physical interface.

In a case where your ISP has only assigned a single IP address to you, you
cannot (legally) assign a pair of addresses to your firewalls and then
assign a third IP to CARP in order to have it bind correctly to the
external interface. Under OpenBSD, you could assign private RFC1918
addresses to the external interfaces, and use "carpdev" to assign a virtual
public IP, but it seems that is not possible with FreeBSD.

If I am wrong, I hope that someone will correct my understanding.

--
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous.
   -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 18:10:51 2007
Date: Fri, 20 Jul 2007 20:10:48 +0200
From: "Dalibor Gudzic"
To: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev

Ah, sorry, got lost in tons of messages, didn't see where I was replying
to. My apology.

On 7/20/07, David DeSimone wrote:
>
> Dalibor Gudzic wrote:
>>
>> http://www.openbsd.org/faq/pf/carp.html
>>
>> I think You think that one must have two IP addresses to get redundant
>> failover firewalls with Carp?
>
> That is OpenBSD's documentation you are referring to, but this is
> FreeBSD we are talking about. The implementation is not the same.
>
> In order for CARP to be effective, it must send out hello packets on a
> particular interface. Under OpenBSD, I believe there is a "carpdev"
> option for ifconfig, which allows you to set the interface explicitly.
> However, FreeBSD's implementation (at least in 6.x where I'm familiar
> with it) is missing that option. Instead, the interface is chosen by
> matching the IP address of the carp interface to the same subnet as the
> physical interface.
>
> In a case where your ISP has only assigned a single IP address to you,
> you cannot (legally) assign a pair of addresses to your firewalls and
> then assign a third IP to CARP in order to have it bind correctly to
> the external interface.
> Under OpenBSD, you could assign private RFC1918
> addresses to the external interfaces, and use "carpdev" to assign a
> virtual public IP, but it seems that is not possible with FreeBSD.
>
> If I am wrong, I hope that someone will correct my understanding.
>
> --
> David DeSimone == Network Admin == fox@verio.net
>   "It took me fifteen years to discover that I had no
>    talent for writing, but I couldn't give it up because
>    by that time I was too famous. -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 18:36:18 2007
Date: Fri, 20 Jul 2007 11:36:50 -0700
From: Julian Elischer
To: Robert Watson
Cc: freebsd-arch@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)

Robert Watson wrote:
>
> On Tue, 17 Jul 2007, Max Laier wrote:
>
> So far I have had 0 (zero) reports of problems since this thread began.
> Could people using uid/gid/jail rules with ipfw or pf on 7.x *please*
> try running their firewalls without debug.mpsafenet -- ignore the
> witness warnings and/or disable witness, and let us know if you
> experience deadlocks. We're reaching the very end of the merge cycle
> for 7.0, and I would really like to remove the Giant crutches (now
> effectively unused) from the network stack so it's not part of the
> ABI/API, the code is simplified and cleaned up, etc.
>

does "problem" include a LOR message, or only a deadlock? I've seen plenty
of the first, but not the second.
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 19:35:05 2007
Date: Fri, 20 Jul 2007 12:12:01 -0700
From: Paul Allen
To: Julian Elischer
Cc: freebsd-net@freebsd.org, freebsd-arch@freebsd.org, freebsd-current@freebsd.org, Robert Watson, freebsd-pf@freebsd.org
Subject: Re: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)

From Julian Elischer, Fri, Jul 20, 2007 at 11:36:50AM -0700:
> Robert Watson wrote:
>>
>> On Tue, 17 Jul 2007, Max Laier wrote:
>>
>> So far I have had 0 (zero) reports of problems since this thread began.
>> Could people using uid/gid/jail rules with ipfw or pf on 7.x *please*
>> try running their firewalls without debug.mpsafenet -- ignore the
>> witness warnings and/or disable witness, and let us know if you
>> experience deadlocks. We're reaching the very end of the merge cycle
>> for 7.0, and I would really like to remove the Giant crutches (now
>> effectively unused) from the network stack so it's not part of the
>> ABI/API, the code is simplified and cleaned up, etc.

Wasn't there a clear solution to the uid/gid problem involving flip-pages:
eliminate the pf lock by forcing reconfigurations to build a parallel
data-structure and then perform an atomic operation to exchange the
pointers.

AFAIK, Max's patch was just an ugly hack and it isn't really suitable for
performance reasons.

What's the state of MAC for the networking stack? Are we able to restrict
particular uid's to listening only on particular ports?

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 19:55:00 2007
Date: Fri, 20 Jul 2007 16:54:58 -0300
From: "Alexandre Biancalana"
To: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev

On 7/20/07, David DeSimone wrote:
>
> That is OpenBSD's documentation you are referring to, but this is
> FreeBSD we are talking about. The implementation is not the same.
>
> In order for CARP to be effective, it must send out hello packets on a
> particular interface. Under OpenBSD, I believe there is a "carpdev"
> option for ifconfig, which allows you to set the interface explicitly.
> However, FreeBSD's implementation (at least in 6.x where I'm familiar
> with it) is missing that option.
> Instead, the interface is chosen by
> matching the IP address of the carp interface to the same subnet as the
> physical interface.
>
> In a case where your ISP has only assigned a single IP address to you,
> you cannot (legally) assign a pair of addresses to your firewalls and
> then assign a third IP to CARP in order to have it bind correctly to
> the external interface. Under OpenBSD, you could assign private RFC1918
> addresses to the external interfaces, and use "carpdev" to assign a
> virtual public IP, but it seems that is not possible with FreeBSD.
>
> If I am wrong, I hope that someone will correct my understanding.

Exactly this! What I want to know is whether there is some alternative way
to configure this....

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 20:07:24 2007
Date: Fri, 20 Jul 2007 22:07:14 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev

I am working on a patch to bring over carpdev functionality sponsored by
pil.sk. This will, however, take a bit longer than I initially thought it
would.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 20:29:24 2007
Date: Fri, 20 Jul 2007 21:29:22 +0100 (BST)
From: Robert Watson
To: Paul Allen
Cc: freebsd-net@freebsd.org, freebsd-arch@freebsd.org, freebsd-current@freebsd.org, Julian Elischer, freebsd-pf@freebsd.org
Subject: Re: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)

On Fri, 20 Jul 2007, Paul Allen wrote:

> From Julian Elischer, Fri, Jul 20, 2007 at 11:36:50AM -0700:
>> Robert Watson wrote:
>>> On Tue, 17 Jul 2007, Max Laier wrote:
>>>
>>> So far I have had 0 (zero) reports of problems since this thread began.
>>> Could people using uid/gid/jail rules with ipfw or pf on 7.x *please* try
>>> running their firewalls without debug.mpsafenet -- ignore the witness
>>> warnings and/or disable witness, and let us know if you experience
>>> deadlocks. We're reaching the very end of the merge cycle for 7.0, and I
>>> would really like to remove the Giant crutches (now effectively unused)
>>> from the network stack so it's not part of the ABI/API, the code is
>>> simplified and cleaned up, etc.
>
> Wasn't there a clear solution to the uid/gid problem involving flip-pages:
> eliminate the pf lock by forcing reconfigurations to build a parallel
> data-structure and then perform an atomic operation to exchange the
> pointers.

I think there are a few potential solutions and areas for work here, the
trick is figuring out the best approach to get 7.0 out the door. I think
any long term structural changes to the firewalls should be avoided at this
point, and targeted at 7.1 or 8.0.

FYI, my feeling is that the current approach taken, using a pcb lookup in
the firewall, is not really an appropriate solution to the problem. Among
other things, there are (small) race conditions such that the lookup could
return one pcb in the input path and use that for the check, but another
pcb during TCP-layer delivery. The lock order reversal warning is a symptom
of reaching across layers in fairly ugly (and atomicity-unsafe) ways. One
idea that I'd been pondering was having the inpcb code in the
TCP/UDP/SCTP/etc layers invoke event handlers as bindings/connections are
made, making credentials and other information available to firewall
packages, which could then cache information under their own locks.
> AFAIK, Max's patch was just an ugly hack and it isn't really suitable for
> performance reasons.
>
> What's the state of MAC for the networking stack? Are we able to restrict
> particular uid's to listening only on particular ports?

See mac_portacl(4), which is a functional but not particularly elegant
implementation of this idea. In Mac OS X Leopard, many of the traditional
"firewall" sorts of checks are now performed at the socket layer using this
sort of approach -- this provides greater application context, allows
control of things like binding/listening, not just packet transmission and
receipt, and provides access to the data as received at the application
layer rather than at the datagram layer, avoiding the need for
normalization.

The MAC Framework will not be enabled by default in 7.0, but one of my
goals for 8.0 is to ship the framework enabled in GENERIC by default. This
will require a significant amount of performance optimization to do.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 20:33:42 2007
Date: Fri, 20 Jul 2007 21:33:40 +0100 (BST)
From: Robert Watson
To: Julian Elischer
Cc: freebsd-arch@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)

On Fri, 20 Jul 2007, Julian Elischer wrote:

> Robert Watson wrote:
>>
>> On Tue, 17 Jul 2007, Max Laier wrote:
>>
>> So far I have had 0 (zero) reports of problems since this thread began.
>> Could people using uid/gid/jail rules with ipfw or pf on 7.x *please* try
>> running their firewalls without debug.mpsafenet -- ignore the witness
>> warnings and/or disable witness, and let us know if you experience
>> deadlocks. We're reaching the very end of the merge cycle for 7.0, and I
>> would really like to remove the Giant crutches (now effectively unused)
>> from the network stack so it's not part of the ABI/API, the code is
>> simplified and cleaned up, etc.
>
> does "problem" include a LOR message, or only a deadlock? I've seen plenty
> of the first, but not the second.

Deadlocks. The LOR is expected, but actually a false positive with respect to deadlock potential, we now believe. To be specific: there is a cycle, but since the cycling conditions always involve read acquisition, they shouldn't lead to a wait cycle. So what we're looking for here is evidence of something more than the WITNESS warning.
Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 21:36:33 2007
Message-ID: <46A132F9.9020208@tomjudge.com>
Date: Fri, 20 Jul 2007 23:11:05 +0100
From: Tom Judge
To: Alexandre Biancalana
In-Reply-To: <8e10486b0707201254j4eece5dq55c1afa838a3092@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev

Alexandre Biancalana wrote:
> On 7/20/07, David DeSimone
wrote:
>>
>> That is OpenBSD's documentation you are referring to, but this is
>> FreeBSD we are talking about. The implementation is not the same.
>>
>> In order for CARP to be effective, it must send out hello packets on a
>> particular interface. Under OpenBSD, I believe there is a "carpdev"
>> option for ifconfig, which allows you to set the interface explicitly.
>> However, FreeBSD's implementation (at least in 6.x where I'm familiar
>> with it) is missing that option. Instead, the interface is chosen by
>> matching the IP address of the carp interface to the same subnet as the
>> physical interface.
>>
>> In a case where your ISP has only assigned a single IP address to you,
>> you cannot (legally) assign a pair of addresses to your firewalls and
>> then assign a third IP to CARP in order to have it bind correctly to
>> the external interface. Under OpenBSD, you could assign private RFC1918
>> addresses to the external interfaces, and use "carpdev" to assign a
>> virtual public IP, but it seems that is not possible with FreeBSD.
>>
>> If I am wrong, I hope that someone will correct my understanding.
>
> Exactly this! What I want to know is if there exists some alternative way to
> configure this....

Well, after reading [RELENG_6_2]sys/netinet/ip_carp.c (carp_set_addr) I have found the code that is used to look up the interface; the key part is this block:

        ia_if = NULL;
        own = 0;
        TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) {
                /* and, yeah, we need a multicast-capable iface too */
                if (ia->ia_ifp != SC2IFP(sc) &&
                    (ia->ia_ifp->if_flags & IFF_MULTICAST) &&
                    (iaddr & ia->ia_subnetmask) == ia->ia_subnet) {
                        if (!ia_if)
                                ia_if = ia;
                        if (sin->sin_addr.s_addr ==
                            ia->ia_addr.sin_addr.s_addr)
                                own++;
                }
        }

This is the first stage of finding the carp_softc->sc_carpdev device. It doesn't look like it would take too much to add a carpdev option to ifconfig and fall back to the existing code if no carpdev is specified.
I may try and have a look at this over the weekend; it looks like an interesting first challenge.

Tom

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 22:41:33 2007
Message-ID: <8e10486b0707201541q78ec9469lf22dd26da4e694c4@mail.gmail.com>
Date: Fri, 20 Jul 2007 19:41:32 -0300
From: "Alexandre Biancalana"
To: "Max Laier"
In-Reply-To: <200707202207.20859.max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev

On 7/20/07, Max Laier wrote:
>
> I am working on a patch to bring over carpdev functionality sponsored by
> pil.sk. This will, however, take a bit longer than I initially thought it
> would.

Great !!
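The parent-interface selection that Tom Judge quotes from carp_set_addr() above, rewritten as an added user-space C model (not FreeBSD's ip_carp.c) with the explicit carpdev override he proposes bolted on in front of the subnet heuristic. The in_ifaddr_model struct, the interface list and all addresses are constructed stand-ins; only IFF_MULTICAST's value is taken from FreeBSD's net/if.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IFF_MULTICAST 0x8000 /* value from FreeBSD <net/if.h> */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed stand-in for struct in_ifaddr (host byte order): only what the lookup reads. */
struct in_ifaddr_model {
    const char *ifname;     /* ia->ia_ifp */
    int         if_flags;   /* ia->ia_ifp->if_flags */
    uint32_t    addr;       /* ia->ia_addr; ia_subnet is addr & subnetmask */
    uint32_t    subnetmask; /* ia->ia_subnetmask */
};

/* Constructed list for the thread's case: em0 holds an RFC 1918 address, carp0 a public one. */
static const struct in_ifaddr_model sample_ifaddrs[] = {
    { "gif0",  0,             IP4(203, 0, 113, 1), IP4(255, 255, 255, 248) }, /* no IFF_MULTICAST */
    { "em0",   IFF_MULTICAST, IP4(192, 168, 1, 2), IP4(255, 255, 255, 0) },
    { "em1",   IFF_MULTICAST, IP4(10, 0, 0, 2),    IP4(255, 255, 255, 0) },
    { "carp0", IFF_MULTICAST, IP4(203, 0, 113, 5), IP4(255, 255, 255, 255) }, /* the carp iface itself */
};
#define SAMPLE_N ((int)(sizeof(sample_ifaddrs) / sizeof(sample_ifaddrs[0])))

/* Model of the TAILQ_FOREACH block in carp_set_addr(): index of the first address on another
 * multicast-capable interface whose subnet contains iaddr (the would-be sc_carpdev), or -1;
 * *own counts exact address matches. A non-NULL carpdev bypasses the heuristic (Tom's proposal). */
static int carp_pick_dev(const struct in_ifaddr_model *ia, int n, const char *carp_ifname,
                         uint32_t iaddr, const char *carpdev, int *own)
{
    int ia_if = -1;
    *own = 0;
    for (int i = 0; carpdev != NULL && i < n; i++)      /* explicit parent: name match only */
        if (strcmp(ia[i].ifname, carpdev) == 0 && (ia[i].if_flags & IFF_MULTICAST))
            return i;
    for (int i = 0; carpdev == NULL && i < n; i++) {
        if (strcmp(ia[i].ifname, carp_ifname) != 0 &&   /* ia->ia_ifp != SC2IFP(sc) */
            (ia[i].if_flags & IFF_MULTICAST) &&
            (iaddr & ia[i].subnetmask) == (ia[i].addr & ia[i].subnetmask)) {
            if (ia_if < 0)
                ia_if = i;
            if (iaddr == ia[i].addr)
                (*own)++;
        }
    }
    return ia_if;   /* -1 when carpdev was named but not found, or no subnet matched */
}

int main(void)
{
    int own, dev = carp_pick_dev(sample_ifaddrs, SAMPLE_N, "carp0", IP4(203, 0, 113, 5), NULL, &own);
    printf("subnet heuristic picks: %s (own=%d)\n", dev < 0 ? "nothing" : sample_ifaddrs[dev].ifname, own);
    return 0;
}
```

With a private address on em0 the heuristic finds no parent for a public carp address, which is exactly the single-IP failure David describes; naming em0 as carpdev resolves it.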