From owner-freebsd-pf@FreeBSD.ORG Mon Jul 23 11:08:30 2007
Return-Path:
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 195F216A480 for ; Mon, 23 Jul 2007 11:08:30 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id F043B13C45A for ; Mon, 23 Jul 2007 11:08:29 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l6NB8TrV045404 for ; Mon, 23 Jul 2007 11:08:29 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l6NB8SOq045400 for freebsd-pf@FreeBSD.org; Mon, 23 Jul 2007 11:08:28 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 23 Jul 2007 11:08:28 GMT
Message-Id: <200707231108.l6NB8SOq045400@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 23 Jul 2007 11:08:30 -0000

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c

7 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 23 22:47:33 2007
Delivered-To: freebsd-pf@freebsd.org
Message-ID: <000901c7cd74$ddb0cb40$0200a8c0@satellite>
From: "Dave"
Date: Mon, 23 Jul 2007 18:00:21 -0400
Reply-To: Dave
Subject: FreeBSD 6.2 pf and bittorrent

Hello,

I'm running pf on a 6.2 router. I've got one client, a Linux box, that I'd like to be able to use BitTorrent. I'm getting an error about being unable to connect to a trackerless client, I believe it's called. I am behind an authenticating HTTP proxy if that matters. On the Linux box I'm using BitTorrent v4.1 and the bittorrent-console command. The options I used are:

    bittorrent-console --minport 6881 --maxport 6999 --tracker_proxy http://username:password@machine.domain.com:880/ torrentfile

The error is "Error: problem connecting to tracker - nonnumeric port: '80/'".
My pf rules look like this:

    bittorrent = "192.168.0.4/32"
    bittorrent_port = "6881:6999"

    # bittorrent
    rdr on $ext_if inet proto tcp from any to any port $bittorrent_port -> $bittorrent port $bittorrent_port
    rdr on $ext_if inet proto udp from any to any port $bittorrent_port -> $bittorrent port $bittorrent_port

    # bittorrent
    pass in quick on $ext_if inet proto tcp from any to $bittorrent port $bittorrent_port $tcp_state
    pass in quick on $ext_if inet proto udp from any to $bittorrent port $bittorrent_port keep state

    # bittorrent
    pass out quick on $int_if inet proto tcp from any to $bittorrent port $bittorrent_port $tcp_state
    pass out quick on $int_if inet proto udp from any to $bittorrent port $bittorrent_port keep state

The tcp_state option is "flags S/SA modulate state".

Any help appreciated.
Thanks.
Dave.

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 24 23:35:47 2007
Delivered-To: freebsd-pf@freebsd.org
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Date: Wed, 25 Jul 2007 01:35:39 +0200
References: <200706160347.33331.max@love2party.net> <20070710131224.GC64775@tirith.brixandersen.dk> <200707101520.12272.max@love2party.net>
In-Reply-To: <200707101520.12272.max@love2party.net>
Message-Id: <200707250135.44846.max@love2party.net>
Subject: RELENG_6 patch [Re: pf 4.1 Update available for testing]

Now available at: http://people.freebsd.org/~mlaier/PF41/ with instructions on how to build. Please test if possible and provide me with feedback.

Again, this work can't be MFC'ed, but I'll try to keep up-to-date patches available for RELENG_6 and release branches.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 25 11:38:42 2007
Delivered-To: freebsd-pf@freebsd.org
Date: Wed, 25 Jul 2007 13:38:24 +0200
From: Gergely CZUCZY
To: freebsd-pf@freebsd.org
Message-ID: <20070725113824.GB26977@harmless.hu>
Subject: connection refused on heavy usage

Good morning,

I've got a problem that disappeared by disabling pf.

From the beginning. I'm testing an HTTP reverse proxy [pound] at the moment. I've got two gateways in a pfsync+carp+pound configuration and two web backends. I'm doing performance testing on the proxy with Apache benchmarks; this involves hordes of simultaneous connections in and out. Connections are received by pound on the gateway and it connects to a given web backend to make the actual request.

The problem is that periodically it's unable to connect to some backends, or just to one of them, and renders it DEAD. When this happens there's a "connect: operation not permitted" message in the syslog. Nor am I able to connect to the backends directly with elinks from the gateway; it also says "operation not permitted". After waiting a few seconds it works again.

So, the proxy can accept clients' connections but it's unable to connect forward to the actual web backends. When I disabled pf with pfctl -d these symptoms stopped immediately.

I tried playing around with different tcp timeout values, but that failed to help.
My pf.conf is the following:
--- chop with axe here ---
if_ext="em0"
if_vvv="fxp0"
if_sync="em1"

ip_pub="192.168.4.55"
ip_vvv="10.0.0.254"

ip_vvv1="10.0.0.1"
ip_vvv2="10.0.0.2"
ip_vvv3="10.0.0.3"

table {$ip_vvv1, $ip_vvv2, $ip_vvv3}

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 5, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 30, tcp.closed 60 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 70000, adaptive.end 120000 }
set limit { states 100000, frags 2000 }
#set loginterface none
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set debug misc

set skip on lo0

#scrub in all

rdr on $if_ext proto tcp from any to $ip_pub port 10001 -> $ip_vvv1 port 22
rdr on $if_ext proto tcp from any to $ip_pub port 10002 -> $ip_vvv2 port 22
rdr on $if_ext proto tcp from any to $ip_pub port 10003 -> $ip_vvv3 port 22

block in log on $if_ext all

pass in quick on {$if_ext,$if_vvv} proto vrrp
pass out quick on {$if_ext,$if_vvv} proto vrrp

pass out quick on $if_ext proto udp from any to 192.168.4.200 port 123 keep state

pass in quick on $if_ext proto tcp from any to $if_ext:0 port 22 flags S/SA synproxy state (no-sync)
pass in quick on $if_ext proto tcp from any to $ip_pub port 80 flags S/SA modulate state (no-sync) label "2"

pass out quick on $if_ext proto udp from $if_ext:0 to port 53 keep state (no-sync)
pass out quick on $if_ext proto udp from any to port 53 keep state

pass out quick on $if_ext proto tcp from $if_ext:0 to port 80 flags S/SA keep state (no-sync)
pass out quick on $if_ext proto tcp from any to port 80 flags S/SA keep state

pass in quick on $if_ext proto tcp from any to port 22 flags S/SA synproxy state

pass out quick on $if_vvv proto tcp from ($if_vvv) to port 80 flags S/SA keep state (no-sync)
--- chop with axe here ---

FreeBSD lvs1.in.publishing.hu 6.2-RELEASE-p6 FreeBSD 6.2-RELEASE-p6 #1: Tue Jul 24 08:07:07 UTC 2007 toor@pointyhat.office:/usr/obj/usr/src/sys/LVS i386

I've played with the following without any success:
set timeout { tcp.closing 900, tcp.finwait 30, tcp.closed 60 }
set timeout { adaptive.start 70000, adaptive.end 120000 }

What can cause this issue?
How could this be fixed?

[pound] http://www.apsis.ch/pound/

Sincerely,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 25 11:49:23 2007
Delivered-To: freebsd-pf@freebsd.org
Date: Wed, 25 Jul 2007 13:49:05 +0200
From: Gergely CZUCZY
To: freebsd-pf@freebsd.org
Message-ID: <20070725114905.GA27660@harmless.hu>
References: <20070725113824.GB26977@harmless.hu>
In-Reply-To: <20070725113824.GB26977@harmless.hu>
Subject: Re: connection refused on heavy usage

Just caught something in the syslog:

Jul 25 13:46:14 lvs1 kernel: pf: BAD state: TCP 10.0.0.251:53051 10.0.0.251:53051 10.0.0.1:80 [lo=2626749835 high=2626816443 win=33304 modulator=0 wscale=1] [lo=2986152604 high=2986219211 win=33304 modulator=0 wscale=1] 9:9 S seq=2736349746 ack=2986152604 len=0 ackskew=0 pkts=23:26 dir=out,fwd
Jul 25 13:46:14 lvs1 kernel: pf: State failure on: 1 | 5
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 kernel: pf: BAD state: TCP 10.0.0.251:53052 10.0.0.251:53052 10.0.0.1:80 [lo=368073977 high=368140585 win=33304 modulator=0 wscale=1] [lo=530543602 high=530610209 win=33304 modulator=0 wscale=1] 9:9 S seq=477665814 ack=530543602 len=0 ackskew=0 pkts=24:26 dir=out,fwd
Jul 25 13:46:14 lvs1 kernel: pf: State failure on: 1 | 5
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 kernel: pf: BAD state: TCP 10.0.0.251:53053 10.0.0.251:53053 10.0.0.1:80 [lo=3069306042 high=3069372650 win=33304 modulator=0 wscale=1] [lo=1682247531 high=1682314138 win=33304 modulator=0 wscale=1] 9:9 S seq=3178900053 ack=1682247531 len=0 ackskew=0 pkts=23:26 dir=out,fwd
Jul 25 13:46:14 lvs1 kernel: pf: State failure on: 1 | 5
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 last message repeated 40 times
Jul 25 13:46:14 lvs1 pound: no back-end "GET /phpinfo-lycos.html HTTP/1.0" from 192.168.4.21
Jul 25 13:46:14 lvs1 pound: no back-end "GET /phpinfo-lycos.html HTTP/1.0" from 192.168.4.21
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 pound: no back-end "GET /phpinfo-lycos.html HTTP/1.0" from 192.168.4.21
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 pound: no back-end "GET /phpinfo-lycos.html HTTP/1.0" from 192.168.4.21
Jul 25 13:46:17 lvs1 last message repeated 681 times
Jul 25 13:46:17 lvs1 pound: BackEnd 10.0.0.1:80 resurrect

As I see it, these tend to happen from time to time.

On Wed, Jul 25, 2007 at 01:38:24PM +0200, Gergely CZUCZY wrote:
> Good morning,
> 
> I've got a problem that disappeared by disabling pf.
> [...]

Sincerely,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
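The kernel lines in this message carry enough to classify each failure mechanically. The Python below is an added example written for this page; it is not code from the thread, from pound or from pf. It parses pf's "BAD state" / "State failure on:" debug output, attaches the failure codes to the event they belong to, and expands syslog's "last message repeated N times" when counting pound's connect errors, using the log excerpt above as its embedded sample input. The classification is this example's reading of pf.c, not something the thread states: the two bracketed windows are the state's source and destination sides, 9:9 is FIN_WAIT_2 on both sides (the phase pf's tcp.closed timeout governs, set to 60 seconds in the pf.conf above), and a bare S whose sequence number lies outside the source window is a new SYN landing on a lingering state for the same four-tuple; codes 1 and 5 are pf's checks that the segment ends beyond the state's expected upper edge (and beyond it plus the maximum ACK window).

```python
import re
from collections import Counter

# Sample input: the syslog excerpt quoted in the thread, quoted-printable
# decoded and embedded here so the example runs offline.
SAMPLE_LOG = """\
Jul 25 13:46:14 lvs1 kernel: pf: BAD state: TCP 10.0.0.251:53051 10.0.0.251:53051 10.0.0.1:80 [lo=2626749835 high=2626816443 win=33304 modulator=0 wscale=1] [lo=2986152604 high=2986219211 win=33304 modulator=0 wscale=1] 9:9 S seq=2736349746 ack=2986152604 len=0 ackskew=0 pkts=23:26 dir=out,fwd
Jul 25 13:46:14 lvs1 kernel: pf: State failure on: 1 | 5
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 kernel: pf: BAD state: TCP 10.0.0.251:53052 10.0.0.251:53052 10.0.0.1:80 [lo=368073977 high=368140585 win=33304 modulator=0 wscale=1] [lo=530543602 high=530610209 win=33304 modulator=0 wscale=1] 9:9 S seq=477665814 ack=530543602 len=0 ackskew=0 pkts=24:26 dir=out,fwd
Jul 25 13:46:14 lvs1 kernel: pf: State failure on: 1 | 5
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 kernel: pf: BAD state: TCP 10.0.0.251:53053 10.0.0.251:53053 10.0.0.1:80 [lo=3069306042 high=3069372650 win=33304 modulator=0 wscale=1] [lo=1682247531 high=1682314138 win=33304 modulator=0 wscale=1] 9:9 S seq=3178900053 ack=1682247531 len=0 ackskew=0 pkts=23:26 dir=out,fwd
Jul 25 13:46:14 lvs1 kernel: pf: State failure on: 1 | 5
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 last message repeated 40 times
Jul 25 13:46:14 lvs1 pound: no back-end "GET /phpinfo-lycos.html HTTP/1.0" from 192.168.4.21
Jul 25 13:46:14 lvs1 pound: no back-end "GET /phpinfo-lycos.html HTTP/1.0" from 192.168.4.21
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 pound: no back-end "GET /phpinfo-lycos.html HTTP/1.0" from 192.168.4.21
Jul 25 13:46:14 lvs1 pound: backend 10.0.0.1:80 connect: Operation not permitted
Jul 25 13:46:14 lvs1 pound: no back-end "GET /phpinfo-lycos.html HTTP/1.0" from 192.168.4.21
Jul 25 13:46:17 lvs1 last message repeated 681 times
Jul 25 13:46:17 lvs1 pound: BackEnd 10.0.0.1:80 resurrect
"""

# pf_print_state() layout: proto, src, gw, dst, [src window] [dst window],
# src_state:dst_state, flags, then the offending segment's numbers.
BAD_STATE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<src>\S+) (?P<gw>\S+) (?P<dst>\S+) "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=\d+ modulator=\d+(?: wscale=\d+)?\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=\d+ modulator=\d+(?: wscale=\d+)?\] "
    r"(?P<sstate>\d+):(?P<dstate>\d+) (?P<flags>[FSRPAUEW]+) seq=(?P<seq>\d+)"
)
FAILURE = re.compile(r"pf: State failure on: (?P<codes>.+)$")
EPERM = re.compile(r"pound: backend (?P<backend>\S+) connect: Operation not permitted")
NO_BACKEND = re.compile(r"pound: no back-end ")
REPEAT = re.compile(r"last message repeated (?P<n>\d+) times")

TCPS_ESTABLISHED = 4   # pf keeps TCP states in <netinet/tcp_fsm.h> numbering
SEQ_MASK = 0xFFFFFFFF


def seq_in_window(seq, lo, hi):
    """lo <= seq <= hi in 32-bit sequence space, tolerating wrap-around."""
    return ((seq - lo) & SEQ_MASK) <= ((hi - lo) & SEQ_MASK)


def analyze(log_text):
    """Return (events, counters).

    events: one dict per BAD state line, with the failure codes of the
    following 'State failure on:' line attached.
    counters: ('eperm', backend) and ('no_backend', '') occurrences, with
    syslog's 'last message repeated N times' folded into the previous key.
    """
    events, counters = [], Counter()
    pending = None     # BAD state event still waiting for its failure codes
    last_key = None    # counter key of the previous line, for repeat lines
    for line in log_text.splitlines():
        key = None
        if (m := BAD_STATE.search(line)):
            d = m.groupdict()
            pending = {
                "src": d["src"], "dst": d["dst"],
                "state": (int(d["sstate"]), int(d["dstate"])),
                "flags": d["flags"],
                "syn_only": "S" in d["flags"] and "A" not in d["flags"],
                "seq_in_window": seq_in_window(int(d["seq"]), int(d["slo"]), int(d["shi"])),
                "failure_codes": [],
            }
            events.append(pending)
        elif (m := FAILURE.search(line)) and pending is not None:
            pending["failure_codes"] = m.group("codes").replace("|", " ").split()
            pending = None
        elif (m := EPERM.search(line)):
            key = ("eperm", m.group("backend"))
            counters[key] += 1
        elif NO_BACKEND.search(line):
            key = ("no_backend", "")
            counters[key] += 1
        elif (m := REPEAT.search(line)) and last_key is not None:
            counters[last_key] += int(m.group("n"))
            key = last_key
        last_key = key
    return events, counters


def port_reuse_suspects(events):
    """Events that look like a fresh SYN colliding with a state that has not
    expired: SYN without ACK, both sides at ESTABLISHED or later, and a
    sequence number outside the state's source window."""
    return [e for e in events
            if e["syn_only"] and min(e["state"]) >= TCPS_ESTABLISHED
            and not e["seq_in_window"]]


def report(log_text):
    events, counters = analyze(log_text)
    suspects = port_reuse_suspects(events)
    lines = ["%d BAD state events, %d look like port reuse on a lingering state"
             % (len(events), len(suspects))]
    for e in suspects:
        lines.append("  %s -> %s state %d:%d codes %s" % (
            e["src"], e["dst"], e["state"][0], e["state"][1],
            " ".join(e["failure_codes"])))
    for (kind, backend), n in sorted(counters.items()):
        lines.append("  %s %s: %d" % (kind, backend, n))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the excerpt, all three events come out as a SYN on a 9:9 state with codes 1 and 5, and the 45 pound connect errors (3 logged, 40 folded from the repeat line, 2 more after it) line up with them; the "no back-end" count is dominated by the 681-times repeat, which a naive grep would miss.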
From owner-freebsd-pf@FreeBSD.ORG Wed Jul 25 13:37:00 2007
Delivered-To: pf@freebsd.org
Message-Id: <40DDA695-6A41-46EF-872A-37EC6B48CEBE@epita.info>
To: pf@freebsd.org
From: Matthieu Michaud
Date: Wed, 25 Jul 2007 15:10:35 +0200
Subject: (no subject)

Dear pf hackers,

I have a simple question about pf's behavior. There is something I don't understand in this piece of code:

http://fxr.watson.org/fxr/source/contrib/pf/net/pf.c#L2971

    2971         inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
    2972             dport, 0, NULL);
    2973         if (inp == NULL) {
    2974                 inp = in_pcblookup_hash(pi, saddr->v4, sport,
    2975                     daddr->v4, dport, INPLOOKUP_WILDCARD, NULL);
    2976                 if (inp == NULL) {
    2977                         INP_INFO_RUNLOCK(pi);
    2978                         return (-1);
    2979                 }
    2980         }

There are two pcb lookups which only differ in their sixth argument. As far as I understand, this is because pf would prefer a result on a non-wildcard socket to a wildcard one. But, if I'm still correct, a single in_pcblookup_hash call already does that:

http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L1010

    1010         /*
    1011          * First look for an exact match.
    1012          */
    1013         head = &pcbinfo->ipi_hashbase[INP_PCBHASH(faddr.s_addr, lport, fport,
    1014             pcbinfo->ipi_hashmask)];
    1015         LIST_FOREACH(inp, head, inp_hash) {
    1016 #ifdef INET6
    1017                 if ((inp->inp_vflag & INP_IPV4) == 0)
    1018                         continue;
    1019 #endif
    1020                 if (inp->inp_faddr.s_addr == faddr.s_addr &&
    1021                     inp->inp_laddr.s_addr == laddr.s_addr &&
    1022                     inp->inp_fport == fport &&
    1023                     inp->inp_lport == lport)
    1024                         return (inp);
    1025         }
    1026
    1027         /*
    1028          * Then look for a wildcard match, if requested.
    1029          */
    1030         if (wildcard) {

So why have two calls? Sorry for the noise if I'm wrong and misunderstanding this piece of code. In any case, thanks in advance for your answer.
From owner-freebsd-pf@FreeBSD.ORG Wed Jul 25 18:56:10 2007
Delivered-To: freebsd-pf@freebsd.org
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Jordan Gordeev, freebsd-questions@freebsd.org, jbronson@wixb.com
Date: Wed, 25 Jul 2007 20:55:40 +0200
Message-Id: <200707252055.50780.max@love2party.net>
In-Reply-To: <46A1EA91.5000306@dir.bg>
Subject: Re: pf and keep/modulate state on 6.2

On Saturday 21 July 2007, Jordan Gordeev wrote:
> J.D. Bronson wrote:
> > At 02:52 AM 02/26/2007, you wrote:
> >> Wow, this fixed my FTP-over-DSL-to-6.2 problem too. With modulate
> >> state, I was getting ~30K/sec.
> >> With just keep state, I'm now getting more like what my connection is
> >> capable of. This is between two 6.2 hosts on opposite sides of the
> >> Atlantic.
> >>
> >> Ted, I use pf because I like the format of the configuration file, I
> >> like the logging and pftop, and like how it's harder to lock
> >> yourself out of a remote machine by accident :)
> >>
> >> /JMS
> >
> > I use pf since it's newer (I think?) and I came from openbsd..pf just
> > works and the config file is nice and sweet.
> >
> > I had thought that modulate state would put a load on my proc, but
> > sheesh, it's a p4-3.06 - that's more than robust for a router.
> >
> > I wonder if we should file a bug on this?
> >
> > I am glad my post helped here. I still use modulate state for any
> > INCOMING connections though (www/smtp/etc).
>
> I'm replying to an old and long-forgotten thread to report my recent
> findings.
> There's a bug in PF with modulate/synproxy state. Modulate/synproxy
> state modulate sequence numbers, but don't modulate sequence numbers in
> TCP SACK options. Some firewalls block TCP segments with sequence
> numbers in the SACK option pointing outside the window, which causes
> connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
> src/sys/net/pf.c about a year and a half ago. The bug is present in
> FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
> the big import of PF from OpenBSD 4.1.
> I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
> him to deal with the issue by either porting the fix from OpenBSD, or
> by documenting that modulate/synproxy state is broken.

Good catch - sorry for the delay. Here is the diff (almost verbatim from
OPENBSD_3_8). Please test and report back. I plan to commit this to
RELENG_6 in a bit.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="sack-mod.diff"

Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.34.2.4
diff -u -r1.34.2.4 pf.c
--- pf.c	19 Sep 2006 15:45:20 -0000	1.34.2.4
+++ pf.c	25 Jul 2007 18:51:35 -0000
@@ -1,5 +1,5 @@ /* $FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.34.2.4 2006/09/19 15:45:20 cs= jp Exp $ */ =2D/* $OpenBSD: pf.c,v 1.483 2005/03/15 17:38:43 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.502.2.1 2006/05/02 22:55:52 brad Exp $ */ =20 /* * Copyright (c) 2001 Daniel Hartmeier @@ -170,6 +170,8 @@ void pf_change_ap(struct pf_addr *, u_int16_t *, u_int16_t *, u_int16_t *, struct pf_addr *, u_int16_t, u_int8_t, sa_family_t); +int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *, + struct tcphdr *, struct pf_state_peer *); #ifdef INET6 void pf_change_a6(struct pf_addr *, u_int16_t *, struct pf_addr *, u_int8_t);
@@ -1483,6 +1485,63 @@ } #endif /* INET6 */ =20 + +/* + * Need to modulate the sequence numbers in the TCP SACK option + */ +int +pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd, + struct tcphdr *th, struct pf_state_peer *dst) +{ + int hlen =3D (th->th_off << 2) - sizeof(*th), thoptlen =3D hlen; + u_int8_t opts[MAX_TCPOPTLEN], *opt =3D opts; + int copyback =3D 0, i, olen; + struct sackblk sack; + +#define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) + if (hlen < TCPOLEN_SACKLEN || + !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) + return 0; + + while (hlen >=3D TCPOLEN_SACKLEN) { + olen =3D opt[1]; + switch (*opt) { + case TCPOPT_EOL: /* FALLTHROUGH */ + case TCPOPT_NOP: + opt++; + hlen--; + break; + case TCPOPT_SACK: + if (olen > hlen) + olen =3D hlen; + if (olen >=3D TCPOLEN_SACKLEN) { + for (i =3D 2; i + TCPOLEN_SACK <=3D olen; + i +=3D TCPOLEN_SACK) { + memcpy(&sack, &opt[i], sizeof(sack)); + pf_change_a(&sack.start, &th->th_sum, + htonl(ntohl(sack.start) - + dst->seqdiff), 0); + pf_change_a(&sack.end, &th->th_sum, + htonl(ntohl(sack.end) - + dst->seqdiff), 0); + memcpy(&opt[i], &sack, sizeof(sack)); + } + copyback =3D 1; + } + /* FALLTHROUGH */ + default: + if (olen < 2) + olen =3D 2; + hlen -=3D olen; + opt +=3D olen; + } + } + + if (copyback) + m_copyback(m, off + sizeof(*th), thoptlen, opts); + return (copyback); +} + void pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, 
@@ -4577,6 +4636,25 @@ =20 ackskew =3D dst->seqlo - ack; =20 + + /* + * Need to demodulate the sequence numbers in any TCP SACK options + * (Selective ACK). We could optionally validate the SACK values + * against the current ACK window, either forwards or backwards, but + * I'm not confident that SACK has been implemented properly + * everywhere. It wouldn't surprise me if several stacks accidently + * SACK too far backwards of previously ACKed data. There really aren't + * any security implications of bad SACKing unless the target stack + * doesn't validate the option length correctly. Someone trying to + * spoof into a TCP connection won't bother blindly sending SACK + * options anyway. + */ + if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) { + if (pf_modulate_sack(m, off, pd, th, dst)) + copyback =3D 1; + } + + #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor = */ if (SEQ_GEQ(src->seqhi, end) && /* Last octet inside other's window space */
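Review bot: the first hunk rewrites the $OpenBSD$ id to pf.c,v 1.502.2.1 (the 3.8-stable branch), while the report this answers names revision 1.509 of src/sys/net/pf.c as the upstream fix; later merges use that id as their sync point, so the commit message should say which upstream revision pf_modulate_sack was taken from rather than letting the id read as a full sync to 1.502.2.1.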
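Review bot: in pf_modulate_sack (hunk @@ -1483), TCPOPT_EOL falls through to the TCPOPT_NOP case, so the while loop keeps walking the bytes after an end-of-options marker, and a stray 0x05 in the padding would be rewritten as a SACK option with the checksum patched to match; make EOL stop the walk, for example `case TCPOPT_EOL: hlen = 0; break;`. The length handling itself is sound: `if (olen > hlen) olen = hlen;` and the `olen < 2` clamp in the default case keep the walk inside hlen, and opts[MAX_TCPOPTLEN] holds the largest hlen a 4-bit th_off can express. Minor: the TCPOLEN_SACKLEN define inside the function body stays visible for the rest of the file; #undef it after the function or hoist it next to the other TCPOLEN_ constants.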
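Review bot: the call in hunk @@ -4577 sits after ackskew is computed but before the SEQ_GEQ window checks that follow it, so pf_modulate_sack writes the rewritten options back into the mbuf (its own m_copyback) even for a segment those checks then drop as BAD state; that is harmless but deserves a one-line comment. The long comment explains why the SACK values are not validated against the window, but not what happens with a malformed option length: add that pf_modulate_sack clamps olen to the remaining header length and carries on rather than rejecting the segment, so the "unless the target stack doesn't validate the option length" remark is not mistaken for something this code enforces.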
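Jordan's report above describes the bug in prose; what follows is an added Python model (not code from this thread, from pf or from OpenBSD) of why a SACK option has to be rewritten along with the sequence numbers: it builds a SACK block in the peer's wire-side sequence space, tests it against the modulated host's real send window before and after subtracting seqdiff, and patches the TCP checksum incrementally the way pf_change_a() does. The seqdiff value, the window numbers and the option bytes are constructed for the example.

```python
"""Model of why 'modulate state' must also rewrite TCP SACK blocks.

Added example, not code from this thread, pf or OpenBSD.  SACK edges live in
the peer's view of the modulated host's sequence space, so pf must shift them
by the seqdiff it subtracts from th_ack; seqdiff, windows and bytes are made up.
"""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_SACK = 0, 1, 5
TCPOLEN_SACK = 8          # one SACK block: two 32-bit sequence numbers
M32 = 0xffffffff

def seq_geq(a, b):
    """TCP SEQ_GEQ(): modulo-2^32 'a >= b'."""
    return ((a - b) & M32) < 0x80000000

def internet_checksum(data):
    """RFC 1071 one's-complement checksum of a byte string."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return (~s) & 0xffff

def checksum_adjust32(csum, old, new):
    """RFC 1624 incremental update of one 32-bit word at an even offset, as
    pf_change_a() does for th_sum instead of recomputing the checksum."""
    c = (~csum) & 0xffff
    c += (~(old >> 16) & 0xffff) + (new >> 16)
    c += (~(old & 0xffff) & 0xffff) + (new & 0xffff)
    while c >> 16:
        c = (c & 0xffff) + (c >> 16)
    return (~c) & 0xffff

def build_sack_option(blocks):
    """NOP NOP SACK len <start,end>*: the aligned form stacks emit."""
    body = b"".join(struct.pack("!II", s, e) for s, e in blocks)
    return bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 2 + len(body)]) + body

def walk_options(opts):
    """Yield (offset, kind, length) per option.  EOL ends the walk and the
    length byte is clamped so a malformed option cannot run past the end."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return
        olen = max(2, min(opts[i + 1], len(opts) - i))
        yield i, kind, olen
        i += olen

def sack_blocks(opts):
    """Decode the (start, end) pairs carried in the option bytes."""
    res = []
    for off, kind, olen in walk_options(opts):
        if kind == TCPOPT_SACK:
            for i in range(off + 2, off + olen - TCPOLEN_SACK + 1, TCPOLEN_SACK):
                res.append(struct.unpack_from("!II", opts, i))
    return res

def modulate_sack(opts, csum, seqdiff):
    """Shift every SACK edge by -seqdiff and fix the TCP checksum for each
    rewritten word.  Returns (new_opts, new_csum, blocks_rewritten)."""
    out = bytearray(opts)
    blocks = 0
    for off, kind, olen in walk_options(opts):
        if kind != TCPOPT_SACK:
            continue
        for i in range(off + 2, off + olen - TCPOLEN_SACK + 1, TCPOLEN_SACK):
            for j in (i, i + 4):
                old = struct.unpack_from("!I", out, j)[0]
                new = (old - seqdiff) & M32
                struct.pack_into("!I", out, j, new)
                csum = checksum_adjust32(csum, old, new)
            blocks += 1
    return bytes(out), csum, blocks

def block_in_window(block, snd_una, snd_nxt):
    """True if the block covers data the host has sent but not had acked."""
    s, e = block
    return seq_geq(s, snd_una) and seq_geq(snd_nxt, e) and seq_geq(e - 1, s)

def demo(seqdiff=0x10000000):
    """Host A sent real bytes 1000..4000, pf added seqdiff on the wire; peer B
    lost 2000..3000 and SACKs 3000..4000.  Returns (valid w/o fix, valid w/ fix)."""
    snd_una, snd_nxt = 1000, 4000
    wire = build_sack_option([(3000 + seqdiff, 4000 + seqdiff)])
    csum = internet_checksum(wire)
    before = all(block_in_window(b, snd_una, snd_nxt) for b in sack_blocks(wire))
    fixed, new_csum, n = modulate_sack(wire, csum, seqdiff)
    assert n == 1 and new_csum == internet_checksum(fixed)
    after = all(block_in_window(b, snd_una, snd_nxt) for b in sack_blocks(fixed))
    return before, after
```

demo() returns (False, True): the un-rewritten block lies 0x10000000 bytes past A's send window, which is exactly what a window-validating firewall in the path rejects, while the shifted block is inside it and the incrementally adjusted checksum equals a fresh one.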
Date: Thu, 26 Jul 2007 11:16:00 +0200
From: Gergely CZUCZY
To: freebsd-pf@freebsd.org, max@love2party.net
Message-ID: <20070726091600.GA79956@harmless.hu>
Subject: connect: not permitted by pf state lookup failures on heavier load

Hello,

Recently I've been playing around with a carp+pfsync+pound applevel proxy. On a high connection rate I've noticed some failed connections and the applevel proxy rendered the backend web servers DEAD, that means unreachable. Pound sits on the gateway, accepts connections from the outside world and makes connections to the backend servers. The state table grew up to 32K states in total.

On a very high rate when pound tried to reach a backend server with connect(2) it received an "operation not permitted" response, that was quite strange. Sometimes there are "broken pipes", sometimes also around those state lookup failures. On further digging I've set pf's loglevel to misc and I've noticed state table lookup failures before pound's connect(2) error messages.
It looks like this:

Jul 26 10:46:54 lvs1 kernel: pf: BAD state: TCP 192.168.4.55:80 192.168.4.55:80 192.168.4.251:42688 [lo=3773866253 high=3773932711 win=2003 modulator=155307840 wscale=5] [lo=9137549 high=9201645 win=33304 modulator=2788154389 wscale=1] 9:9 S seq=3822349776 ack=9137549 len=0 ackskew=0 pkts=35:42 dir=in,fwd
Jul 26 10:46:54 lvs1 kernel: pf: State failure on: 1 | 5

Also there are lots of operation timeouts and connection reset by peers. When I disable pf there's a lot less of them.

The pf.conf is the following:

--- BEGIN pf.conf ---
if_ext="em0"
if_vvv="fxp0"
if_sync="em1"
ip_pub="192.168.4.55"
ip_vvv="10.0.0.254"
ip_vvv1="10.0.0.1"
ip_vvv2="10.0.0.2"
ip_vvv3="10.0.0.3"
table {$ip_vvv1, $ip_vvv2, $ip_vvv3}

# Options: tune the behavior of pf, default values are given.
set timeout { interval 5, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 30, tcp.closed 60 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 30000, adaptive.end 90000 }
set limit { states 100000, frags 2000 }
#set loginterface none
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set debug misc
set skip on lo0
#scrub in all

rdr on $if_ext proto tcp from any to $ip_pub port 10001 -> $ip_vvv1 port 22
rdr on $if_ext proto tcp from any to $ip_pub port 10002 -> $ip_vvv2 port 22
rdr on $if_ext proto tcp from any to $ip_pub port 10003 -> $ip_vvv3 port 22

block in log on $if_ext all
pass in quick on {$if_ext,$if_vvv} proto vrrp
pass out quick on {$if_ext,$if_vvv} proto vrrp
pass out quick on $if_ext proto udp from any to 192.168.4.200 port 123 keep state
pass in quick on $if_ext proto tcp from any to $if_ext:0 port 22 flags S/SA synproxy state (no-sync)
pass in quick on $if_ext \
    proto tcp from any to $ip_pub port 80 flags S/SA modulate state (no-sync)
pass out quick on $if_ext proto udp from $if_ext:0 to port 53 keep state (no-sync)
pass out quick on $if_ext proto udp from any to port 53 keep state
pass out quick on $if_ext proto tcp from $if_ext:0 to port 80 flags S/SA keep state (no-sync)
pass out quick on $if_ext proto tcp from any to port 80 flags S/SA keep state
pass in quick on $if_ext proto tcp from any to port 22 flags S/SA synproxy state
#pass out quick on $if_vvv proto tcp from ($if_vvv) to port 80 flags S/SA keep state (no-sync)
pass out quick on $if_vvv proto tcp from ($if_vvv) to {$ip_vvv1,$ip_vvv2,$ip_vvv3} port 80 flags S/SA keep state (no-sync)
--- END pf.conf ---

Here, I've played around with the tcp timeouts, scrubbing, adaptive settings and swapped the last two rules (table vs individual rules), but they lead to nowhere, nothing changed.

I'm testing this proxy with around 10-15 ab's (apache benchmark, part of the port), with 8 or 16 connections per instance and 500 requests/instance in an infinite loop.

Here's an hour's messages log. pf wasn't enabled for the whole hour, but accordingly more than half an hour: http://phoemix.harmless.hu/messages-pffail.0.bz2

The question is, what can cause this high rate of connection failures? What have I done wrong? What's happening, I've never seen such a thing from pf? How could it be repaired to make pf behave stable on a heavier load?

Sincerely,
Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
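As an added example (not from the thread), the following Python script takes the "pf: BAD state" line quoted above, re-evaluates the sequence and ack window checks the kernel applied to that segment, and reproduces the "State failure on: 1 | 5" line together with how far the segment's sequence number lies beyond the state's window. The check numbering and the MAXACKWINDOW value follow pf_test_state_tcp() in pf.c as I remember it, which is an assumption; the sample line is the one posted above.

```python
"""Re-run pf's TCP window checks on a "pf: BAD state" debug line.

Added example, not from the thread.  "State failure on: N | M" names the
checks in pf_test_state_tcp() that rejected the segment: 1-4 are the
window/ack checks against the peer's advertised window, 5-8 the same
checks with a fixed MAXACKWINDOW slack.  The numbering is my recollection
of that printf in pf.c, so treat the mapping as an assumption.
"""
import re
from dataclasses import dataclass

M32 = 0xffffffff
MAXACKWINDOW = 0xffff + 1500       # as #defined in pf.c

# The line Gergely posted, used as the sample input.
SAMPLE_LINE = (
    "Jul 26 10:46:54 lvs1 kernel: pf: BAD state: TCP 192.168.4.55:80 "
    "192.168.4.55:80 192.168.4.251:42688 [lo=3773866253 high=3773932711 "
    "win=2003 modulator=155307840 wscale=5] [lo=9137549 high=9201645 "
    "win=33304 modulator=2788154389 wscale=1] 9:9 S seq=3822349776 "
    "ack=9137549 len=0 ackskew=0 pkts=35:42 dir=in,fwd"
)

def seq_geq(a, b):
    """TCP SEQ_GEQ(a, b): (int32_t)(a - b) >= 0."""
    return ((a - b) & M32) < 0x80000000

@dataclass
class Peer:
    lo: int         # seqlo: next sequence number expected from this peer
    high: int       # seqhi: highest sequence number allowed right now
    win: int        # max_win: largest window this peer has advertised
    modulator: int  # seqdiff: modulate-state offset (not needed here)
    wscale: int     # window scale factor

_PEER = r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+) wscale=(\d+)\]"
_BAD = re.compile(
    r"pf: BAD state: TCP \S+ \S+ \S+ " + _PEER + " " + _PEER +
    r" \d+:\d+ (\S*) seq=(\d+) ack=(\d+) len=(\d+) ackskew=(-?\d+)"
    r" pkts=\S+ dir=(\w+),(\w+)")

def parse_bad_state(line):
    """Return (src, dst, flags, seq, ack, len, ackskew), src being the peer
    that sent this segment, as pf_test_state_tcp() arranges them."""
    m = _BAD.search(line)
    if not m:
        raise ValueError("not a pf BAD state line")
    f = m.groups()
    src, dst = Peer(*map(int, f[0:5])), Peer(*map(int, f[5:10]))
    if f[16] != "fwd":          # "rev": segment runs against the state
        src, dst = dst, src
    return src, dst, f[10], int(f[11]), int(f[12]), int(f[13]), int(f[14])

def failed_checks(src, dst, flags, seq, length, ackskew):
    """Failing check numbers in the form pf prints them, e.g. "1 | 5"."""
    end = (seq + length + ("S" in flags) + ("F" in flags)) & M32
    sws, dws = src.wscale, dst.wscale
    strict = [
        seq_geq(src.high, end),                           # 1 last octet in window
        seq_geq(seq, (src.lo - (dst.win << dws)) & M32),  # 2 retransmit in window
        ackskew >= -MAXACKWINDOW,                         # 3 ack not too old
        ackskew <= (MAXACKWINDOW << sws),                 # 4 ack not too far ahead
    ]
    loose = [
        seq_geq((src.high + MAXACKWINDOW) & M32, end),    # 5
        seq_geq(seq, (src.lo - MAXACKWINDOW) & M32),      # 6
        ackskew >= -(MAXACKWINDOW << sws),                # 7
        ackskew <= MAXACKWINDOW,                          # 8
    ]
    left = " ".join(str(i + 1) for i, ok in enumerate(strict) if not ok)
    right = " ".join(str(i + 5) for i, ok in enumerate(loose) if not ok)
    return f"{left} | {right}"

def diagnose(line):
    """Failing checks plus how far the sequence number lies past the window
    end, which separates 'slightly out of window' from 'a new connection
    hitting a state that is still in the table for the same 4-tuple'."""
    src, dst, flags, seq, ack, length, ackskew = parse_bad_state(line)
    return {
        "failed": failed_checks(src, dst, flags, seq, length, ackskew),
        "flags": flags,
        "seq_past_high": (seq - src.high) & M32,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LINE))
```

For the posted line the result is failed "1 | 5" with seq_past_high 48417065: a SYN whose sequence number is about 48 million past the window of a state that already counts 35:42 packets on the same 4-tuple, which is what a new connection reusing a source port of a state still held in the table looks like.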
From: "Brian A. Seklecki"
To: Lars Thegler
Cc: kuriyama@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 26 Jul 2007 09:37:51 -0400
Message-Id: <1185457071.50472.23.camel@soundwave.pitbpa0.priv.collaborativefusion.com>
In-Reply-To: <4693DCEC.3050500@FreeBSD.org>
Subject: Re: HEADSUP: pf 4.1 import

Right -- all of the BSDs that import pf(4) should have these patches to their net-snmp port. I can beta-test patches if you want to fwd them my way. I'll have to check to see when NetBSD plans to pull in the 4.1 pf(4).

~BAS

On Tue, 2007-07-10 at 21:24 +0200, Lars Thegler wrote:
> On 10-07-2007 15:02, Max Laier wrote:
> > On Tuesday 10 July 2007, Brian A. Seklecki wrote:
> >> On Tue, 2007-07-03 at 12:26 +0200, Max Laier wrote:
> >>> All,
> >>>
> >>> in the course of this afternoon (CEST) I'll import the OpenBSD 4.1
> >>> version
> >> We'll also have to see if Joel Knight's Net-SNMP patches work with our
> >> 5.3 in ports/net-mgmnt.
> >
> > not 100% sure what you are talking about, but I'll CC the p5-Net-SNMP
> > maintainer - maybe Lars has an idea. Note that the changes for the base
> > system SNMP module were rather painless.
>
> I believe you are talking about net-mgmt/net-snmp, of which kuriyama@ is
> the maintainer?
>
> /Lars

-- 
Brian A. Seklecki
Collaborative Fusion, Inc.
From: Max Laier
To: Gergely CZUCZY
Cc: freebsd-pf@freebsd.org
Date: Thu, 26 Jul 2007 19:06:26 +0200
Message-Id: <200707261906.32174.max@love2party.net>
In-Reply-To: <20070726091600.GA79956@harmless.hu>
Subject: Re: connect: not permitted by pf state lookup failures on heavier load

On Thursday 26 July 2007, Gergely CZUCZY wrote:
> Recently I've been playing around with a carp+pfsync+pound applevel
> proxy. On a high connection rate I've noticed some failed connections
> and the applevel proxy rendered the backend web servers DEAD, that
> means unreachable.
See http://lists.freebsd.org/pipermail/freebsd-pf/2007-July/003563.html

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
Message-ID: <8e10486b0707261149k5e2304b7p52841e459de36632@mail.gmail.com>
Date: Thu, 26 Jul 2007 15:49:28 -0300
From: "Alexandre Biancalana"
To: freebsd-pf@freebsd.org
In-Reply-To: <200707202207.20859.max@love2party.net>
Subject: Re: Single IP failover without carpdev

On 7/20/07, Max Laier wrote:
>
> I am working on a patch to bring over carpdev functionality sponsored by
> pil.sk This will, however, take a bit longer than I initially thought it
> would.

Any news about it?

Message-ID: <46A90266.5050204@dir.bg>
Date: Thu, 26 Jul 2007 23:21:58 +0300
From: Jordan Gordeev
To: freebsd-pf@freebsd.org
Cc: freebsd-questions@freebsd.org
In-Reply-To: <200707252055.50780.max@love2party.net>
Subject: Re: pf and keep/modulate state on 6.2

Max Laier wrote:
>On Saturday 21 July 2007, Jordan Gordeev wrote:
>
>>I'm replying to an old and long-forgotten thread to report my recent
>>findings.
>>There's a bug in PF with modulate/synproxy state. Modulate/synproxy
>>state modulate sequence numbers, but don't modulate sequence numbers in
>>TCP SACK options. Some firewalls block TCP segments with sequence
>>numbers in the SACK option pointing outside the window, which causes
>>connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
>>src/sys/net/pf.c about a year and a half ago. The bug is present in
>>FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
>>the big import of PF from OpenBSD 4.1.
>>I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
>>him to deal with the issue by either porting the fix from OpenBSD, or
>>by documenting that modulate/synproxy state is broken.
>>
>>
>
>Good catch - sorry for the delay. Here is the diff (almost verbatim from
>OPENBSD_3_8). Please test and report back. I plan to commit this to
>RELENG_6 in a bit.
>
>
>
The patch fixed the problem I was having with modulate state and SACK on
my lightly loaded personal NAT box.

Date: Thu, 26 Jul 2007 22:41:07 -0400
From: Kris Kennaway
To: Julian Elischer
Cc: freebsd-net@freebsd.org, freebsd-arch@freebsd.org, freebsd-current@freebsd.org, Robert Watson, freebsd-pf@freebsd.org
Message-ID: <20070727024107.GA69300@rot26.obsecurity.org>
In-Reply-To: <46A100C2.1030606@elischer.org>
Subject: Re: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)

On Fri, Jul 20, 2007 at 11:36:50AM -0700, Julian Elischer wrote:
> Robert Watson wrote:
> >
> >On Tue, 17 Jul 2007, Max Laier wrote:
> >
> >So far I have had 0 (zero) reports of problems since this thread began.
> >Could people using uid/gid/jail rules with ipfw or pf on 7.x *please*
> >try running their firewalls without debug.mpsafenet -- ignore the
> >witness warnings and/or disable witness, and let us know if you
> >experience deadlocks. We're reaching the very end of the merge cycle
> >for 7.0, and I would really like to remove the Giant crutches (now
> >effectively unused) from the network stack so it's not part of the
> >ABI/API, the code is simplified and cleaned up, etc.
> >
>
> does "problem" include a LOR message, or only a deadlock?
> I've seen plenty of the first, but not the second.

Various users have reported definite deadlocks relating to uid/gid
firewall rules in the past.
Kris

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 28 22:13:23 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Kip Macy
Date: Sun, 29 Jul 2007 00:13:10 +0200
Subject: Fwd: call for ALTQ users

Here should be most of them ... help Kip testing.

---------- Forwarded message ----------
From: Kip Macy
Date: Jul 28, 2007 2:03 PM
Subject: call for ALTQ users
To: freebsd-net

I'm looking at extending ifnet to support multiple tx queues. It appears
that this will inevitably interact with ALTQ. I don't know anyone using
ALTQ so I need users to raise their hands to eventually test prospective
changes.

Thanks.
-Kip

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQBGq79/XyyEoT62BG0RAlk3AJ40OYbXtiE0g6kPloZTrz0kA8nVtQCfV1xv
MOX/wB5PvhxRl6JGk6oQDCo=
=sovz
-----END PGP SIGNATURE-----
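Added example, not part of the thread or of FreeBSD itself: Robert Watson's request (quoted in Kris Kennaway's message above) is aimed only at people whose rulesets match on socket credentials, which in pf.conf means the "user" and "group" options and in ipfw the "uid", "gid" and "jail" options. The script below counts such rules in a pf or ipfw ruleset, ignoring commented-out rules, and prints the two knobs the thread talks about (the debug.mpsafenet tunable and debug.witness.watch). It assumes a FreeBSD host where pfctl -sr, ipfw list and sysctl are available; on any other system those parts are skipped. The sample pf.conf and ipfw rule lists are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.
# Counts credential-matching firewall rules (pf: user/group,
# ipfw: uid/gid/jail) and reports the debug.mpsafenet and witness
# settings so a tester knows whether their box is one Robert Watson
# asked to hear from. Sample rulesets below are constructed.

# Number of pf rules that match on socket owner ("user"/"group").
# Comments are stripped first so a commented-out rule does not count.
# "|| true" keeps grep's exit status 1 (no match) from aborting under set -e.
pf_cred_rule_count() {
    sed -e 's/#.*$//' "$1" \
        | grep -Ec '(^|[[:space:]])(user|group)[[:space:]]' || true
}

# Number of ipfw rules carrying uid/gid/jail options. Input is a saved
# rules file or the output of "ipfw list".
ipfw_cred_rule_count() {
    sed -e 's/#.*$//' "$1" \
        | grep -Ec '(^|[[:space:]])(uid|gid|jail)[[:space:]]' || true
}

# Print a sysctl's value, or "n/a" when this kernel does not have it
# (or sysctl is missing altogether).
sysctl_or_na() {
    sysctl -n "$1" 2>/dev/null || echo n/a
}

# Summarise the live system: loaded pf ruleset, ipfw list, and the two knobs.
# Each tool is used only if present, so the script is harmless elsewhere.
report_live() {
    if command -v pfctl >/dev/null 2>&1; then
        pf_tmp=$(mktemp "${TMPDIR:-/tmp}/pfrules.XXXXXX")
        pfctl -sr > "$pf_tmp" 2>/dev/null || true
        echo "loaded pf rules matching user/group: $(pf_cred_rule_count "$pf_tmp")"
        rm -f "$pf_tmp"
    fi
    if command -v ipfw >/dev/null 2>&1; then
        ipfw_tmp=$(mktemp "${TMPDIR:-/tmp}/ipfwrules.XXXXXX")
        ipfw list > "$ipfw_tmp" 2>/dev/null || true
        echo "loaded ipfw rules matching uid/gid/jail: $(ipfw_cred_rule_count "$ipfw_tmp")"
        rm -f "$ipfw_tmp"
    fi
    echo "debug.mpsafenet:     $(sysctl_or_na debug.mpsafenet)"
    echo "debug.witness.watch: $(sysctl_or_na debug.witness.watch)"
}

# Constructed sample rulesets so the counting can be exercised offline.
SAMPLE_PF=$(mktemp "${TMPDIR:-/tmp}/pfsample.XXXXXX")
SAMPLE_IPFW=$(mktemp "${TMPDIR:-/tmp}/ipfwsample.XXXXXX")
trap 'rm -f "$SAMPLE_PF" "$SAMPLE_IPFW"' EXIT

cat > "$SAMPLE_PF" <<'EOF'
# constructed pf.conf fragment (not from the thread)
ext_if = "em0"
block in log all
pass out on $ext_if proto tcp from any to any user root keep state
pass out on $ext_if proto tcp from any to any port 22 group wheel
# pass out proto udp all user nobody   <- commented out, must not count
pass in on $ext_if proto tcp from any to any port 80 keep state
EOF

cat > "$SAMPLE_IPFW" <<'EOF'
00100 allow ip from any to any via lo0
00200 allow tcp from any to any out uid www
00300 deny tcp from any to any out gid nogroup
00400 allow ip from any to any jail 1
65535 deny ip from any to any
EOF

echo "sample pf rules with user/group:      $(pf_cred_rule_count "$SAMPLE_PF")"
echo "sample ipfw rules with uid/gid/jail:  $(ipfw_cred_rule_count "$SAMPLE_IPFW")"
report_live
```

The keyword match deliberately requires whitespace on both sides, so "user" inside an interface name or a table name is not counted; the price is that a rule written without a space after the option (which pf's grammar does not allow anyway) would be missed. A box that reports zero rules of either kind is not in the population the thread is asking about, and a non-zero count with debug.mpsafenet set is exactly the configuration Robert asked people to run.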
