From owner-freebsd-pf@FreeBSD.ORG Sun Oct 21 21:09:36 2007
Date: Sat, 20 Oct 2007 18:11:16 -0600
From: Asbjørn Clemmensen
To: Dave
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and sip

> Hello,
> I've got a FreeBSD 6.2 gateway/router/firewall providing nat services among others. I've just tried to hook up voip phone services, I did some checking and it is
> using the sip protocol. I'm not getting a dial tone and calls aren't happening. According to the digital box I have it can't contact the login server. Below are my pf
> rules. If anyone has pf and sip working I'd be interested in hearing from you.

Try looking into siproxd from the ports system. Also check their website[1] which details what ports need to be forwarded. This of course requires your phones to be able to use a proxy.

[1] http://siproxd.sourceforge.net/

> Thanks.
> Dave.
>
> ipphone1="192.168.0.9"
> sip="5060"
> sip1="5061"
> # One translation line per IP phone.
> # static-port is necessary to make pf retain the UDP ephemeral port,
> # so that the remote SIP proxy knows what session we belong to
> nat on $ext_if proto udp from $ipphone1 to any -> ($ext_if) static-port
> # experimental sip for viatalk
> pass in quick on $int_if inet proto udp from 192.168.0.9 port $sip to any keep state
> pass in quick on $int_if inet proto udp from 192.168.0.9 port $sip1 to any keep state
> pass out quick on $ext_if inet proto udp from $int_if port $sip to any keep state
> pass out quick on $ext_if inet proto udp from $int_if port $sip1 to any keep state

--
Asbjørn Clemmensen

Date: Mon, 22 Oct 2007 11:07:10 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf

4 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf         [net] [pf] pfctl -k dont works
o kern/116645  pf         pfctl -k does not work in securelevel 3

7 problems total.

Date: Mon, 22 Oct 2007 09:21:44 -0700 (PDT)
From: Abdullah Ibn Hamad Al-Marri
To: freebs-docs@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: pf.conf example in RELENG_7 is out of date

Greetings,

The example pf.conf needs to be updated since it still has "keep state" and so is man pf.conf.

For example there is

    pass in on $ext_if proto tcp to $webserver port www keep state \
        (max-src-conn-rate 100/10, overload flush global)

Could someone please take care of it?

Regards,

-Abdullah Ibn Hamad Al-Marri

Arab Portal

http://www.WeArab.Net/

Date: Wed, 24 Oct 2007 13:50:55 +0800
From: "Nex Mon"
To: freebsd-pf@freebsd.org
Subject: disabling implicit creation of state for NAT, BINAT and RDR

Hello, is there a way to disable implicit creation of states for NAT, BINAT and RDR rules? The man page of pf.conf says this:

    Note: nat, binat and rdr rules implicitly create state for connections.

I've looked at the PF implementation in OpenBSD and checked the online documentation in http://www.openbsd.org/faq/pf. I found out that you can specify "no state" to prevent the rule from creating a state.

http://www.openbsd.org/faq/pf/filter.html#state

Can someone tell if this is supported in FreeBSD or not?
Thanks a lot,
nex

Date: Wed, 24 Oct 2007 08:59:38 +0200
From: Daniel Hartmeier
To: Nex Mon
Cc: freebsd-pf@freebsd.org
Subject: Re: disabling implicit creation of state for NAT, BINAT and RDR

On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:

> hello, is there a way to disable implicit creation of states for NAT, BINAT
> and RDR rules? the man page of pf.conf says this:
>
> Note: nat, binat and rdr rules implicitly create state for connections.

Yes, translations require states.

Imagine you have a connection from

  Client          Gateway           External
  10.1.2.3   ->   62.65.145.30  ->  69.147.83.33

i.e. the client 10.1.2.3 sends a TCP SYN to external server 69.147.83.33. The NAT gateway replaces the source address with 62.65.145.30.

Now the external server sends a TCP SYN+ACK back to 62.65.145.30. How would the gateway know that this packet is for 10.1.2.3, and needs the destination address translated back to 10.1.2.3, without a state entry?

The state entry is the only part that holds this mapping information.
Daniel

Date: Wed, 24 Oct 2007 15:51:59 +0800
From: "Nex Mon"
To: "Daniel Hartmeier"
Cc: freebsd-pf@freebsd.org
Subject: Re: disabling implicit creation of state for NAT, BINAT and RDR

On 10/24/07, Daniel Hartmeier wrote:
>
> On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:
>
> > hello, is there a way to disable implicit creation of states for NAT, BINAT
> > and RDR rules? the man page of pf.conf says this:
> >
> > Note: nat, binat and rdr rules implicitly create state for connections.
>
> Yes, translations require states.
>
> Imagine you have a connection from
>
>   Client          Gateway           External
>   10.1.2.3   ->   62.65.145.30  ->  69.147.83.33
>
> i.e. the client 10.1.2.3 sends a TCP SYN to external server
> 69.147.83.33. The NAT gateway replaces the source address with
> 62.65.145.30.
>
> Now the external server sends a TCP SYN+ACK back to 62.65.145.30.
> How would the gateway know that this packet is for 10.1.2.3, and needs
> the destination address translated back to 10.1.2.3, without a state
> entry?
>
> The state entry is the only part that holds this mapping information.

Are you saying there is only one type of state for all the filter, RDR, etc. rules? I have this understanding that NAT has its own translation table where it keeps states of NAT sessions. So in the example above, the only way to apply filter rules for translated (reply) packets would be at the internal interface?
I'm curious about OpenBSD's implementation of "no state" which can be applied to NAT, RDR, etc. Is there any chance this feature will be supported in FreeBSD?
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 24 Oct 2007 10:49:01 +0200
Subject: Re: disabling implicit creation of state for NAT, BINAT and RDR

On Wednesday 24 October 2007, Nex Mon wrote:
> On 10/24/07, Daniel Hartmeier wrote:
> > On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:
> > > hello, is there a way to disable implicit creation of states for
> > > NAT, BINAT and RDR rules? the man page of pf.conf says this:
> > >
> > > Note: nat, binat and rdr rules implicitly create state for
> > > connections.
> >
> > Yes, translations require states.
> >
> > Imagine you have a connection from
> >
> >   Client          Gateway           External
> >   10.1.2.3   ->   62.65.145.30  ->  69.147.83.33
> >
> > i.e. the client 10.1.2.3 sends a TCP SYN to external server
> > 69.147.83.33. The NAT gateway replaces the source address with
> > 62.65.145.30.
> >
> > Now the external server sends a TCP SYN+ACK back to 62.65.145.30.
> > How would the gateway know that this packet is for 10.1.2.3, and
> > needs the destination address translated back to 10.1.2.3, without a
> > state entry?
> >
> > The state entry is the only part that holds this mapping information.
>
> Are you saying there is only one type of state for all the filter, RDR,
> etc rules? I have this understanding that NAT has its own translation
> table where it keeps states of NAT sessions. So in the example above,
> the only way to apply filter rules for translated (reply)packets would
> be at the internal interface?

The translation states are different from the filter states. The former just record the addresses on each side to be able to do the translation, the latter record the addresses to be able to match traffic to the state and consequently allow or deny it. Unless you use the "pass" modifier on the translation statement, a translation state does not automatically allow the matched traffic to flow. The pf.conf(5) manpage states:

    If the pass modifier is given, packets matching the translation rule
    are passed without inspecting the filter rules:

        rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \
            port 8080

Otherwise you will have to have a pass rule for that traffic as well.

> I'm curious about OpenBSD's implementation of "no state" which can be
> applied to NAT, RDR, etc. Is there any chance this feature will be
> supported in FreeBSD?

The "no state" modifier is supported in FreeBSD (7.0 and later) for pass rules only. This is the same in OpenBSD. Translation rules always have to keep state as they can otherwise not do the translation!
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
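As an added illustration of the two points made in this thread (Daniel's: a reply can only be un-translated through the state created by the outbound SYN; Max's: a translation state alone does not pass traffic unless the rule carries the "pass" modifier), here is a small Python model that is not part of the thread and not pf's own code. The Gateway class, its method names and the port numbers are constructed for the demo; the addresses are the ones from Daniel's example, and the rule semantics are simplified to the two behaviours discussed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Addresses from Daniel's example; the port numbers below are constructed.
CLIENT, GATEWAY, EXTERNAL = "10.1.2.3", "62.65.145.30", "69.147.83.33"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""


class Gateway:
    """Toy pf-like gateway (hypothetical): outbound nat, one inbound rdr, filter pass rules."""

    def __init__(self, ext_addr: str) -> None:
        self.ext_addr = ext_addr
        # Translation state: (proto, port on ext_addr) -> (client, client port).
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_port = 50000
        # Inbound rdr rule: (ext dport, target, target port, has 'pass' modifier).
        self.rdr: Optional[Tuple[int, str, int, bool]] = None
        # Filter pass rules, matched against the translated packet: (proto, dst, dport).
        self.pass_rules: List[Tuple[str, str, int]] = []

    def nat_out(self, pkt: Packet) -> Packet:
        """nat on $ext_if from $client to any -> ($ext_if): rewrite source, record state."""
        for key, mapping in self.xlate.items():
            if key[0] == pkt.proto and mapping == (pkt.src, pkt.sport):
                return replace(pkt, src=self.ext_addr, sport=key[1])
        key = (pkt.proto, self.next_port)
        self.next_port += 1
        self.xlate[key] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.ext_addr, sport=key[1])

    def nat_in(self, pkt: Packet) -> Optional[Packet]:
        """Reply to the external address: only the state entry says where it goes."""
        if pkt.dst != self.ext_addr:
            return None
        mapping = self.xlate.get((pkt.proto, pkt.dport))
        if mapping is None:
            return None  # no state, so the translation cannot be undone
        client, cport = mapping
        return replace(pkt, dst=client, dport=cport)

    def inbound(self, pkt: Packet) -> Tuple[Packet, str]:
        """rdr first, then the filter; 'rdr pass' skips the filter rules entirely."""
        if self.rdr and (pkt.dst, pkt.dport) == (self.ext_addr, self.rdr[0]):
            pkt = replace(pkt, dst=self.rdr[1], dport=self.rdr[2])
            if self.rdr[3]:
                return pkt, "pass: rdr pass, filter rules not inspected"
        if (pkt.proto, pkt.dst, pkt.dport) in self.pass_rules:
            return pkt, "pass: filter rule"
        return pkt, "block: translated but no matching pass rule"


def demo() -> dict:
    """Run the two scenarios from the thread and return the observable results."""
    gw = Gateway(GATEWAY)
    syn = Packet("tcp", CLIENT, 34567, EXTERNAL, 80, "S")
    out = gw.nat_out(syn)          # leaves as 62.65.145.30:50000 -> 69.147.83.33:80
    synack = Packet("tcp", EXTERNAL, 80, GATEWAY, out.sport, "SA")
    back = gw.nat_in(synack)       # state maps it back to 10.1.2.3:34567
    lost = Gateway(GATEWAY).nat_in(synack)   # same reply, no state: undeliverable

    # Max's point: a plain rdr translates but does not pass; 'rdr pass' does.
    web = Packet("tcp", EXTERNAL, 40000, GATEWAY, 80, "S")
    gw.rdr = (80, "127.0.0.1", 8080, False)
    _, plain_rdr = gw.inbound(web)
    gw.pass_rules.append(("tcp", "127.0.0.1", 8080))
    _, rdr_plus_pass = gw.inbound(web)
    gw.pass_rules.clear()
    gw.rdr = (80, "127.0.0.1", 8080, True)
    _, rdr_pass = gw.inbound(web)
    return {"out": out, "back": back, "lost": lost, "plain_rdr": plain_rdr,
            "rdr_plus_pass": rdr_plus_pass, "rdr_pass": rdr_pass}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```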
From: dssampson@yahoo.com
To: freebsd-pf@freebsd.org
Date: Wed, 24 Oct 2007 01:48:24 -0700 (PDT)
Subject: spamd nonfunctioning due to power outage in SD

I had a power outage to our building due to the fires in San Diego and it crashed those without UPSes. One of them is the spamd machine. I've brought it back up and ran fsck on all volumes. However, mail will not come into our mailboxes from outside but mail can be delivered to outside recipients. I can telnet into the spamd machine and send mail externally and internally. Postfix seems to be ok. When I stop pf, mail from the outside of our LAN comes pouring in. When I start up pf, inbound mail comes to a stop. In the spamd log, I see all kinds of connections being blacklisted and greylisted but still not one mail is being delivered. I am using spamd-mywhite as my whitelist and put all known GMail IP addresses on it. I then send an email from my GMail account to this machine. It gets greylisted and eventually sits in the greylist for quite a while. I also see port 25 open on both external and internal NICs and port 8025 open on the localhost interface.

I need assistance in troubleshooting this.
Running spamd 4.1.2 on FreeBSD 6.2. We average 800 valid mail per day and so far in the last 24 hours, not one mail has come through using the existing spamd configuration.

mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
ext_if = "rl0"
int_if = "xl0"
internal_net = "192.168.1.1/24"
external_addr = "216.70.250.4"
vpn_net = "10.8.0.0/24"
icmp_types = "echoreq"
NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
webserver1 = "192.168.1.4"
set skip on { lo0 }
set skip on { gif0 }
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
table persist
table persist
table persist file "/usr/local/etc/spamd/spamd-mywhite"
@4 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
@5 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
@6 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@7 rdr pass inet proto tcp from !
to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 block drop in log all
@12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@22 block drop in log quick inet from 192.168.1.25 to any
@23 pass in on xl0 inet from 192.168.1.0/24 to any
@24 pass out log on xl0 inet from any to 192.168.1.0/24
@25 pass out log quick on xl0 inet from any to 10.8.0.0/24
@26 pass out on rl0 proto tcp all flags S/SA modulate state
@27 pass out on rl0 proto udp all keep state
@28 pass out on rl0 proto icmp all keep state
@29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
@30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
warning: macro 'icmp_types' not used
mailfilter-root@/usr/ports#

What's the quickest way to recover from this? Any other troubleshooting techniques?

~Doug

From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 24 Oct 2007 11:24:08 +0200
Subject: Re: spamd nonfunctioning due to power outage in SD

On Wednesday 24 October 2007, dssampson@yahoo.com wrote:
> I had a power outage to our building due to the fires in San Diego and
> it crashed those without UPSes. One of them is the spamd machine. I've
> brought it back up and ran fsck on all volumes. However, mail will not
> come into our mailboxes from outside but mail can be delivered to
> outside recipients. I can telnet into the spamd machine and send mail
> externally and internally. Postfix seems to be ok. When I stop pf, mail
> from the outside of our LAN come pouring in. When I start up pf,
> inbound mail comes to a stop.
> In the spamd log, I see all kinds of
> connections being blacklisted and greylisted but still not one mail is
> being delivered. I am using spamd-mywhite as my whitelist and put all
> known GMail IP addresses on it. I then send an email from my GMail
> account to this machine. It gets greylisted and eventually sits in the
> greylist for quite a while. I also see ports 25 open on both external
> and internal NICs and port 8025 open on the localhost interface.
>
> I need assistance in troubleshooting this. Running spamd 4.1.2 on
> FreeBSD 6.2. We average 800 valid mail per day and so far in the last
> 24 hours, not one mail has come through using the existing spamd
> configuration.

Wild guess: Did you forget to mount fdescfs(5) by default? I know I've been bitten by this before.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 24 13:13:23 2007
From: "Leandro Malaquias"
To: freebsd-pf@freebsd.org
Date: Wed, 24 Oct 2007 10:45:04 -0200
Message-ID: <8142b02f0710240545p62916227y1781e4b720d46f80@mail.gmail.com>
Subject: Blocking MSN

I have been receiving several e-mails asking how MSN can be blocked with
PF, so I decided to post it to the list.

What I did was the following: I blocked all outbound traffic on port 443
from my network. That's right! All the https sites the users need (banks,
etc.) were put on an exception list and everything else was blocked. I
noticed that without port 443 the user cannot authenticate to MSN.

Cheers,

-- 
Linux are for those who hate Windows
BSD are for those who love Unix
# echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 24 17:20:52 2007
Date: Wed, 24 Oct 2007 10:20:23 -0700 (PDT)
From: dssampson@yahoo.com
To: Max Laier, freebsd-pf@freebsd.org
Message-ID: <569990.52359.qm@web35809.mail.mud.yahoo.com>
Subject: Re: spamd nonfunctioning due to power outage in SD

> Wild guess: Did you forget to mount fdescfs(5) by default? I know I've
> been bitten by this before.

Nope. I checked that also.

mailfilter-root@/usr/ports# df
Filesystem  1K-blocks    Used    Avail Capacity  Mounted on
/dev/ad0s1a    507630   60890   406130    13%    /
devfs               1       1        0   100%    /dev
/dev/ad0s1e    507630     592   466428     0%    /tmp
/dev/ad0s1f  22112710 1934430 18409264    10%    /usr
/dev/ad0s1d   5077038  115326  4555550     2%    /var
fdescfs             1       1        0   100%    /dev/fd

~Doug
--
Doug Sampson
dssampson (at) yahoo dot com

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 24 18:15:20 2007
Message-ID: <471F8562.9070103@gmx.de>
Date: Wed, 24 Oct 2007 19:48:18 +0200
From: Olli Hauer
To: dssampson@yahoo.com
Cc: freebsd-pf@freebsd.org
In-Reply-To: <680860.38462.qm@web35813.mail.mud.yahoo.com>
Subject: Re: spamd nonfunctioning due to power outage in SD

dssampson@yahoo.com wrote:
> I had a power outage to our building due to the fires in San Diego and
> it crashed those without UPSes. One of them is the spamd machine. I've
> brought it back up and ran fsck on all volumes. However, mail will not
> come into our mailboxes from outside but mail can be delivered to
> outside recipients. I can telnet into the spamd machine and send mail
> externally and internally. Postfix seems to be ok. When I stop pf, mail
> from the outside of our LAN come pouring in. When I start up pf,
> inbound mail comes to a stop. In the spamd log, I see all kinds of
> connections being blacklisted and greylisted but still not one mail is
> being delivered. I am using spamd-mywhite as my whitelist and put all
> known GMail IP addresses on it. I then send an email from my GMail
> account to this machine. It gets greylisted and eventually sits in the
> greylist for quite a while. I also see ports 25 open on both external
> and internal NICs and port 8025 open on the localhost interface.
>
> I need assistance in troubleshooting this. Running spamd 4.1.2 on
> FreeBSD 6.2. We average 800 valid mail per day and so far in the last
> 24 hours, not one mail has come through using the existing spamd
> configuration.
>
> mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "216.70.250.4"
> vpn_net = "10.8.0.0/24"
> icmp_types = "echoreq"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on { lo0 }
> set skip on { gif0 }
> @0 scrub in all fragment reassemble
> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> table persist
> table persist
> table persist file "/usr/local/etc/spamd/spamd-mywhite"
> @4 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> @5 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> @6 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> @7 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @11 block drop in log all
> @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> @22 block drop in log quick inet from 192.168.1.25 to any
> @23 pass in on xl0 inet from 192.168.1.0/24 to any
> @24 pass out log on xl0 inet from any to 192.168.1.0/24
> @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
> @26 pass out on rl0 proto tcp all flags S/SA modulate state
> @27 pass out on rl0 proto udp all keep state
> @28 pass out on rl0 proto icmp all keep state
> @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> warning: macro 'icmp_types' not used
> mailfilter-root@/usr/ports#
>
> What's the quickest way to recover from this? Any other troubleshooting techniques?
>
> ~Doug
>

with rule @11 (log) you can do a
tcpdump -net -i pflog0 and look at the block rule number.

also do a sockstat -4 -p 25 and look if your mailserver listens
at 127.0.0.1:25 otherwise rule @4 and @5 have no effect

olli

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 24 21:01:35 2007
Date: Wed, 24 Oct 2007 14:01:25 -0700 (PDT)
From: dssampson@yahoo.com
To: Olli Hauer
Cc: freebsd-pf@freebsd.org
Message-ID: <101025.43337.qm@web35812.mail.mud.yahoo.com>
Subject: Re: spamd nonfunctioning due to power outage in SD

> dssampson@yahoo.com wrote:
> > I had a power outage to our building due to the fires in San Diego
> > and it crashed those without UPSes. One of them is the spamd machine.
> > I've brought it back up and ran fsck on all volumes. However, mail
> > will not come into our mailboxes from outside but mail can be
> > delivered to outside recipients. I can telnet into the spamd machine
> > and send mail externally and internally. Postfix seems to be ok. When
> > I stop pf, mail from the outside of our LAN come pouring in. When I
> > start up pf, inbound mail comes to a stop. In the spamd log, I see
> > all kinds of connections being blacklisted and greylisted but still
> > not one mail is being delivered. I am using spamd-mywhite as my
> > whitelist and put all known GMail IP addresses on it. I then send an
> > email from my GMail account to this machine. It gets greylisted and
> > eventually sits in the greylist for quite a while. I also see ports
> > 25 open on both external and internal NICs and port 8025 open on the
> > localhost interface.
> >
> > I need assistance in troubleshooting this. Running spamd 4.1.2 on
> > FreeBSD 6.2. We average 800 valid mail per day and so far in the last
> > 24 hours, not one mail has come through using the existing spamd
> > configuration.
> >
> > mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
> > ext_if = "rl0"
> > int_if = "xl0"
> > internal_net = "192.168.1.1/24"
> > external_addr = "216.70.250.4"
> > vpn_net = "10.8.0.0/24"
> > icmp_types = "echoreq"
> > NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> > webserver1 = "192.168.1.4"
> > set skip on { lo0 }
> > set skip on { gif0 }
> > @0 scrub in all fragment reassemble
> > @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> > @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> > @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> > table persist
> > table persist
> > table persist file "/usr/local/etc/spamd/spamd-mywhite"
> > @4 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @5 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @6 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @7 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> > @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> > @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> > @11 block drop in log all
> > @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> > @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> > @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> > @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> > @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> > @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> > @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> > @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> > @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> > @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> > @22 block drop in log quick inet from 192.168.1.25 to any
> > @23 pass in on xl0 inet from 192.168.1.0/24 to any
> > @24 pass out log on xl0 inet from any to 192.168.1.0/24
> > @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
> > @26 pass out on rl0 proto tcp all flags S/SA modulate state
> > @27 pass out on rl0 proto udp all keep state
> > @28 pass out on rl0 proto icmp all keep state
> > @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> > @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> > warning: macro 'icmp_types' not used
> > mailfilter-root@/usr/ports#
> >
> > What's the quickest way to recover from this? Any other troubleshooting techniques?
> >
> > ~Doug
> >
>
> with rule @11 (log) you can do a
> tcpdump -net -i pflog0 and look at the block rule number.

This is what I am seeing:
303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535
1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344
157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840
1. 139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535
199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535
039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535
101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535
295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535
192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840
639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840
391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840
042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344
025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384
1. 310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535
214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535
038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w

Which of the rules above does rule 3/0(match) refer to?

Also,
mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
mailfilter-root@/usr/ports#

No forwarding to port 8025 is occurring at this point, or so it seems.

> also do a sockstat -4 -p 25 and look if your mailserver listen
> at 127.0.0.1:25 otherwise rule @4 and @5 have no effect

mailfilter-root@/usr/ports# sockstat -4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     841   11 tcp4   *:25                  *:*

I should mention that this is a relay for our internal Exchange server.
I'm going to test if Postfix is relaying correctly. From all indications
it does seem to relay correctly but I need to make sure it does!

~Doug

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 24 21:07:35 2007
Date: Wed, 24 Oct 2007 14:07:28 -0700 (PDT)
From: dssampson@yahoo.com
To: Olli Hauer
Cc: freebsd-pf@freebsd.org
Message-ID: <171080.78059.qm@web35810.mail.mud.yahoo.com>
Subject: Re: spamd nonfunctioning due to power outage in SD

This is what I am seeing in the spamd log:

Oct 24 14:01:50 mailfilter spamd[15989]: 24.141.184.194: connected (12/11)
Oct 24 14:01:55 mailfilter spamd[15989]: (BLACK) 69.51.22.81: <1-28235-dawnsign.com?ericc@vt81.visiontourgaming.com> ->
Oct 24 14:02:04 mailfilter spamd[15989]: (BLACK) 83.98.177.49: <1-83315-dawnsign.com?dougs@mx1.wheelsbusiness.com> ->
Oct 24 14:02:09 mailfilter spamd[15989]: 64.125.115.71: disconnected after 378 seconds. lists: spamd-greytrap
Oct 24 14:02:09 mailfilter last message repeated 4 times
Oct 24 14:02:09 mailfilter spamd[15989]: 64.125.115.71: connected (8/7), lists: spamd-greytrap
Oct 24 14:02:09 mailfilter spamd[15989]: 64.125.115.71: connected (9/8), lists: spamd-greytrap
Oct 24 14:02:09 mailfilter spamd[15989]: 64.125.115.71: connected (10/9), lists: spamd-greytrap
Oct 24 14:02:09 mailfilter spamd[15989]: 64.125.115.71: connected (11/10), lists: spamd-greytrap
Oct 24 14:02:11 mailfilter spamd[15989]: 85.127.216.4: connected (12/10)
Oct 24 14:02:23 mailfilter spamd[15989]: (GREY) 85.127.216.4: ->
Oct 24 14:02:23 mailfilter spamd[15989]: 85.127.216.4: disconnected after 12 seconds.
Oct 24 14:02:49 mailfilter spamd[15989]: 83.67.135.178: connected (12/10)
Oct 24 14:02:50 mailfilter spamd[15989]: 83.27.20.179: connected (13/10)
Oct 24 14:02:57 mailfilter spamd[15989]: 83.98.177.49: From: Sunroom Tree
Oct 24 14:02:57 mailfilter spamd[15989]: 83.98.177.49: To: dougs@dawnsign.com
Oct 24 14:02:57 mailfilter spamd[15989]: 83.98.177.49: Subject: Sunroom Estimates Fre e from local contractors
Oct 24 14:03:00 mailfilter spamd[15989]: (BLACK) 129.250.156.187: ->
Oct 24 14:03:00 mailfilter spamd[15989]: (GREY) 83.67.135.178: ->
Oct 24 14:03:00 mailfilter spamd[15989]: 83.67.135.178: disconnected after 11 seconds.
Oct 24 14:03:02 mailfilter spamd[15989]: (GREY) 83.27.20.179: ->
Oct 24 14:03:02 mailfilter spamd[15989]: 83.27.20.179: disconnected after 12 seconds.
Oct 24 14:03:13 mailfilter spamd[15989]: 217.173.198.237: connected (12/10)
Oct 24 14:03:25 mailfilter spamd[15989]: (GREY) 217.173.198.237: ->
Oct 24 14:03:25 mailfilter spamd[15989]: 217.173.198.237: disconnected after 12 seconds.

My pf.conf rules only deal with the spamd, spamd-white, and spamd-mywhite
tables. Why am I seeing spamd-greytrap here? Are my tables corrupted?

~Doug

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 25 05:44:23 2007
Message-ID: <47202D27.1050001@gmx.de>
Date: Thu, 25 Oct 2007 07:44:07 +0200
From: Olli Hauer User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: dssampson@yahoo.com References: <101025.43337.qm@web35812.mail.mud.yahoo.com> In-Reply-To: <101025.43337.qm@web35812.mail.mud.yahoo.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Cc: freebsd-pf@freebsd.org Subject: Re: spamd nonfunctioning due to power outage in SD X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Oct 2007 05:44:23 -0000 dssampson@yahoo.com wrote: >> dssampson@yahoo.com wrote: >>> I had a power outage to our building due to the fires in San >> Diego >> > and it crashed those without UPSes. One of them is the spamd >> machine. >> > I've brought it back up and ran fsck on all volumes. However, mail >> will >> > not come into our mailboxes from outside but mail can be delivered >> to >> > outside recipients. I can telnet into the spamd machine and send >> mail >> > externally and internally. Postfix seems to be ok. When I stop pf, >> mail >> > from the outside of our LAN come pouring in. When I start up pf, >> inbound >> > mail comes to a stop. In the spamd log, I see all kinds of >> connections >> > being blacklisted and greylisted but still not one mail is >> being >> > delivered. I am using spamd-mywhite as my whitelist and put all known GMail >> IP >> > addresses on it. I then send an email from my GMail account to >> this >> > machine. It gets greylisted and eventually sits in the greylist for >> quite >> > a while. I also see ports 25 open on both external and internal >> NICs >> > and port 8025 open on the localhost interface. >>> I need assistance in troubleshooting this. Running spamd 4.1.2 >> on >> > FreeBSD 6.2. 
We average 800 valid mail per day and so far in the last >> 24 >> > hours, not one mail has come through using the existing >> spamd >> > configuration. >>> mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf >>> ext_if = "rl0" >>> int_if = "xl0" >>> internal_net = "192.168.1.1/24" >>> external_addr = "216.70.250.4" >>> vpn_net = "10.8.0.0/24" >>> icmp_types = "echoreq" >>> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 >> 10.0.0.0/8 >> > }" >>> webserver1 = "192.168.1.4" >>> set skip on { lo0 } >>> set skip on { gif0 } >>> @0 scrub in all fragment reassemble >>> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin >>> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin >>> @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http >> -> >> > 192.168.1.4 port 80 >>> table persist >>> table persist >>> table persist >> file >> > "/usr/local/etc/spamd/spamd-mywhite" >>> @4 rdr inet proto tcp from to 216.70.250.4 port >> = >> > smtp -> 127.0.0.1 port 25 >>> @5 rdr inet proto tcp from to 216.70.250.4 port >> = >> > smtp -> 127.0.0.1 port 25 >>> @6 rdr pass inet proto tcp from to 216.70.250.4 port = >> smtp >> > -> 127.0.0.1 port 8025 >>> @7 rdr pass inet proto tcp from ! 
to >> 216.70.250.4 >> > port = smtp -> 127.0.0.1 port 8025 >>> @8 pass in log inet proto tcp from any to 216.70.250.4 port = >> smtp >> > flags S/SA synproxy state >>> @9 pass out log inet proto tcp from 216.70.250.4 to any port = >> smtp >> > flags S/SA synproxy state >>> @10 pass in log inet proto tcp from 192.168.1.0/24 to >> 192.168.1.25 >> > port = smtp flags S/SA synproxy state >>> @11 block drop in log all >>> @12 pass in log quick on xl0 inet proto tcp from any to >> 192.168.1.25 >> > port = ssh flags S/SA synproxy state >>> @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any >>> @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any >>> @15 block drop in log quick on rl0 inet >from 172.16.0.0/12 to any >>> @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any >>> @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8 >>> @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16 >>> @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12 >>> @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8 >>> @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any >>> @22 block drop in log quick inet from 192.168.1.25 to any >>> @23 pass in on xl0 inet from 192.168.1.0/24 to any >>> @24 pass out log on xl0 inet from any to 192.168.1.0/24 >>> @25 pass out log quick on xl0 inet from any to 10.8.0.0/24 >>> @26 pass out on rl0 proto tcp all flags S/SA modulate state >>> @27 pass out on rl0 proto udp all keep state >>> @28 pass out on rl0 proto icmp all keep state >>> @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = >> http >> > flags S/SA synproxy state >>> @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = >> ssh >> > keep state >>> warning: macro 'icmp_types' not used >>> mailfilter-root@/usr/ports# >>> >>> What's the quickest way to recover from this? Any >> other >> > troubleshooting techniques? 
>>> ~Doug
>>>
>> with rule @11 (log) you can do a
>> tcpdump -net -i pflog0 and look at the block rule number.
>
> This is what I am seeing:
> 303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535
> 1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344
> 157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840
> 1. 139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535
> 199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535
> 039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535
> 101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535
> 295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535
> 192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840
> 639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840
> 391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840
> 042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344
> 025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384
> 1. 310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535
> 214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535
> 038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w
>
> Which of the rules above does rule 3/0(match) refer to?

It's easier to count the rules this way

Nat/rdr rules:
# pfctl -sn

filter rules:
# pfctl -sr

=> now look at the 3'rd line

> @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @11 block drop in log all

There is no quick keyword, so please place @11 before @8, reload the pf rules and post the output of
1) pfctl -sn
2) pfctl -sr
3) now take again a look with tcpdump -i pflog0

this makes things easier to count and refer

> Also,
> mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> mailfilter-root@/usr/ports#
>
> No forwarding to port 8025 is occurring at this point, or so it seems.
>
>> also do a sockstat -4 -p 25 and look if your mailserver listens
>> at 127.0.0.1:25 otherwise rule @4 and @5 have no effect
>
>
> mailfilter-root@/usr/ports# sockstat -4 -p 25
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> root master 841 11 tcp4 *:25 *:*
>

OK, so we are sure postfix is listening

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 27 21:10:50 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sat, 27 Oct 2007 23:11:00 +0200
User-Agent: KMail/1.9.7
Subject: carpdev ...

... the neverending story continues :-\

I am making progress ... really, really slowly as I'm not at the top of my health (inflammation in my front teeth) and 7.0 got in the way, too.

Anyways, here is something for *BETA* testing. Nobody put this in production (or you deserve whatever goes wrong). But if you have spare time and lab machines, please test and report back! Details welcome ;)

IPv6 is still TBD.
-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

Content-Type: text/x-diff; name="carpdev.BETA.diff"
Content-Disposition: attachment; filename="carpdev.BETA.diff"

=2D-- //depot/vendor/freebsd/src/contrib/pf/pflogd/pidfile.c 2007/07/03 14:= 46:49 +++ //depot/user/mlaier/carp2/contrib/pf/pflogd/pidfile.c 2007/09/12 12:13:= 13 @@ -1,4 +1,4 @@ =2D/* $FreeBSD: src/contrib/pf/pflogd/pidfile.c,v 1.6 2007/07/03 14:08:49 m= laier Exp $ */ +/* $FreeBSD: src/contrib/pf/pflogd/pidfile.c,v 1.4 2005/05/03 16:55:20 mla= ier Exp $ */ /* $OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $ */ /* $NetBSD: pidfile.c,v 1.4 2001/02/19 22:43:42 cgd Exp $ */ =20 =2D-- //depot/vendor/freebsd/src/contrib/pf/pflogd/pidfile.h 2007/07/03 14:= 46:49 +++ //depot/user/mlaier/carp2/contrib/pf/pflogd/pidfile.h 2007/09/12 12:13:= 13 @@ -1,3 +1,1 @@ =2D/* $FreeBSD: src/contrib/pf/pflogd/pidfile.h,v 1.3 2007/07/03 14:08:49 m= laier Exp $ */ =2D int pidfile(const char *); =2D-- //depot/vendor/freebsd/src/sbin/ifconfig/ifcarp.c 2005/02/22 14:37:13 +++ //depot/user/mlaier/carp2/sbin/ifconfig/ifcarp.c 2007/09/12 16:12:46 @@ -52,13 +52,7 @@ =20 static const char *carp_states[] =3D { CARP_STATES }; =20 =2Dvoid carp_status(int s); =2Dvoid setcarp_advbase(const char *,int, int, const struct afswtch *rafp); =2Dvoid setcarp_advskew(const char *, int, int, const struct afswtch *rafp); =2Dvoid setcarp_passwd(const char *, int, int, const struct afswtch *rafp); =2Dvoid setcarp_vhid(const char *, int, int, const struct afswtch *rafp); =2D =2Dvoid +static void carp_status(int s) { const char *state;
@@ -76,17 +70,17 @@ else state =3D carp_states[carpr.carpr_state]; =20 =2D printf("\tcarp: %s vhid %d advbase %d advskew %d\n", =2D state, carpr.carpr_vhid, carpr.carpr_advbase, =2D carpr.carpr_advskew); + printf("\tcarp: %s carpdev %s vhid %d advbase %d advskew %d\n", + state, carpr.carpr_carpdev, carpr.carpr_vhid, + carpr.carpr_advbase, carpr.carpr_advskew); } =20 return; =20 } =20 =2Dvoid =2Dsetcarp_passwd(const char *val, int d, int s, const struct afswtch *afp) +static +DECL_CMD_FUNC(setcarp_passwd, val, d) { struct carpreq carpr; =20 @@ -105,8 +99,8 @@ return; } =20 =2Dvoid =2Dsetcarp_vhid(const char *val, int d, int s, const struct afswtch *afp) +static +DECL_CMD_FUNC(setcarp_vhid, val, d) { int vhid; struct carpreq carpr; @@ -130,8 +124,8 @@ return; } =20 =2Dvoid =2Dsetcarp_advskew(const char *val, int d, int s, const struct afswtch *afp) +static +DECL_CMD_FUNC(setcarp_advskew, val, d) { int advskew; struct carpreq carpr; @@ -152,8 +146,8 @@ return; } =20 =2Dvoid =2Dsetcarp_advbase(const char *val, int d, int s, const struct afswtch *afp) +static +DECL_CMD_FUNC(setcarp_advbase, val, d) { int advbase; struct carpreq carpr; 
@@ -174,11 +168,51 @@ return; } =20 +static +DECL_CMD_FUNC(setcarp_carpdev, val, d) +{ + struct carpreq carpr; + + memset((char *)&carpr, 0, sizeof(struct carpreq)); + ifr.ifr_data =3D (caddr_t)&carpr; + + if (ioctl(s, SIOCGVH, (caddr_t)&ifr) =3D=3D -1) + err(1, "SIOCGVH"); + + strlcpy(carpr.carpr_carpdev, val, sizeof(carpr.carpr_carpdev)); + + if (ioctl(s, SIOCSVH, (caddr_t)&ifr) =3D=3D -1) + err(1, "SIOCSVH"); + + return; +} + +static +DECL_CMD_FUNC(setcarp_unsetcarpdev, val, d) +{ + struct carpreq carpr; + + memset((char *)&carpr, 0, sizeof(struct carpreq)); + ifr.ifr_data =3D (caddr_t)&carpr; + + if (ioctl(s, SIOCGVH, (caddr_t)&ifr) =3D=3D -1) + err(1, "SIOCGVH"); + + memset(carpr.carpr_carpdev, 0, sizeof(carpr.carpr_carpdev)); + + if (ioctl(s, SIOCSVH, (caddr_t)&ifr) =3D=3D -1) + err(1, "SIOCSVH"); + + return; +} + static struct cmd carp_cmds[] =3D { DEF_CMD_ARG("advbase", setcarp_advbase), DEF_CMD_ARG("advskew", setcarp_advskew), DEF_CMD_ARG("pass", setcarp_passwd), DEF_CMD_ARG("vhid", setcarp_vhid), + DEF_CMD_ARG("carpdev", setcarp_carpdev), + DEF_CMD_OPTARG("-carpdev", setcarp_unsetcarpdev), }; static struct afswtch af_carp =3D { .af_name =3D "af_carp", =2D-- //depot/vendor/freebsd/src/sys/net/ethernet.h 2007/05/29 12:43:19 +++ //depot/user/mlaier/carp2/sys/net/ethernet.h 2007/09/19 18:47:18 @@ -380,6 +380,7 @@ extern void ether_ifattach(struct ifnet *, const u_int8_t *); extern void ether_ifdetach(struct ifnet *); extern int ether_ioctl(struct ifnet *, u_long, caddr_t); +extern void ether_input(struct ifnet *, struct mbuf *); extern int ether_output(struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *); extern int ether_output_frame(struct ifnet *, struct mbuf *); =2D-- //depot/vendor/freebsd/src/sys/net/if.c 2007/07/27 12:03:05 +++ //depot/user/mlaier/carp2/sys/net/if.c 2007/09/19 18:47:18 
@@ -1309,8 +1309,7 @@ pfctlinput(PRC_IFDOWN, ifa->ifa_addr); if_qflush(&ifp->if_snd); #ifdef DEV_CARP =2D if (ifp->if_carp) =2D carp_carpdev_state(ifp->if_carp); + carp_carpdev_state(ifp); #endif rt_ifmsg(ifp); } @@ -1333,8 +1332,7 @@ if (fam =3D=3D PF_UNSPEC || (fam =3D=3D ifa->ifa_addr->sa_family)) pfctlinput(PRC_IFUP, ifa->ifa_addr); #ifdef DEV_CARP =2D if (ifp->if_carp) =2D carp_carpdev_state(ifp->if_carp); + carp_carpdev_state(ifp); #endif rt_ifmsg(ifp); #ifdef INET6 @@ -1386,8 +1384,7 @@ IFP2AC(ifp)->ac_netgraph !=3D NULL) (*ng_ether_link_state_p)(ifp, link_state); #ifdef DEV_CARP =2D if (ifp->if_carp) =2D carp_carpdev_state(ifp->if_carp); + carp_carpdev_state(ifp); #endif if (ifp->if_bridge) { KASSERT(bstp_linkstate_p !=3D NULL,("if_bridge bstp not loaded!")); =2D-- //depot/vendor/freebsd/src/sys/net/if_ethersubr.c 2007/09/14 07:03:02 +++ //depot/user/mlaier/carp2/sys/net/if_ethersubr.c 2007/10/05 22:40:49 @@ -153,6 +153,9 @@ u_char esrc[ETHER_ADDR_LEN], edst[ETHER_ADDR_LEN]; struct ether_header *eh; struct pf_mtag *t; +#ifdef DEV_CARP + struct ifnet *ifp0 =3D ifp; +#endif int loop_copy =3D 1; int hlen; /* link layer header length */ =20 @@ -162,6 +165,19 @@ senderr(error); #endif =20 +#ifdef DEV_CARP + if (ifp->if_type =3D=3D IFT_CARP) { + struct ifaddr *ifa; + + if (dst !=3D NULL && ifp->if_link_state =3D=3D LINK_STATE_UP && + (ifa =3D ifa_ifwithaddr(dst)) !=3D NULL && + ifa->ifa_ifp =3D=3D ifp) + return (looutput(ifp, m, dst, rt0)); + + ifp =3D ifp->if_carpdev; + } +#endif + if (ifp->if_flags & IFF_MONITOR) senderr(ENETDOWN); if (!((ifp->if_flags & IFF_UP) && @@ -172,7 +188,11 @@ switch (dst->sa_family) { #ifdef INET case AF_INET: +#ifdef DEV_CARP + error =3D arpresolve(ifp0, rt0, m, dst, edst); +#else error =3D arpresolve(ifp, rt0, m, dst, edst); +#endif if (error) return (error =3D=3D EWOULDBLOCK ? 0 : error); type =3D htons(ETHERTYPE_IP); 
@@ -293,6 +313,14 @@ (void)memcpy(eh->ether_shost, IF_LLADDR(ifp), sizeof(eh->ether_shost)); =20 +#ifdef DEV_CARP + if (ifp0 !=3D ifp && ifp0->if_type =3D=3D IFT_CARP) { + /* XXX: LINK1 */ + (void)memcpy(eh->ether_shost, IF_LLADDR(ifp0), + sizeof(eh->ether_shost)); + } +#endif + /* * If a simplex interface, and the packet is being sent to our * Ethernet address or a broadcast address, loopback a copy. @@ -351,12 +379,6 @@ return (error); } =20 =2D#ifdef DEV_CARP =2D if (ifp->if_carp && =2D (error =3D carp_output(ifp, m, dst, NULL))) =2D goto bad; =2D#endif =2D /* Handle ng_ether(4) processing, if any */ if (IFP2AC(ifp)->ac_netgraph !=3D NULL) { KASSERT(ng_ether_output_p !=3D NULL, @@ -506,7 +528,7 @@ * Process a received Ethernet packet; the packet is in the * mbuf chain m with the ethernet header at the front. */ =2Dstatic void +void ether_input(struct ifnet *ifp, struct mbuf *m) { struct ether_header *eh; @@ -658,19 +680,15 @@ } =20 #ifdef DEV_CARP =2D /* =2D * Clear M_PROMISC on frame so that carp(4) will see it when the =2D * mbuf flows up to Layer 3. =2D * FreeBSD's implementation of carp(4) uses the inprotosw =2D * to dispatch IPPROTO_CARP. carp(4) also allocates its own =2D * Ethernet addresses of the form 00:00:5e:00:01:xx, which =2D * is outside the scope of the M_PROMISC test below. =2D * TODO: Maintain a hash table of ethernet addresses other than =2D * ether_dhost which may be active on this ifp. =2D */ =2D if (ifp->if_carp && carp_forus(ifp->if_carp, eh->ether_dhost)) { =2D m->m_flags &=3D ~M_PROMISC; =2D } else + if (ifp->if_carp) { + if (ifp->if_type !=3D IFT_CARP && (carp_input(m) =3D=3D 0)) + return; + else if (ifp->if_type =3D=3D IFT_CARP && + /* XXX: LINK2 */ + m->m_flags & (M_BCAST | M_MCAST) && + !bcmp(IFP2AC(ifp), eh->ether_dhost, ETHER_ADDR_LEN)) + m->m_flags &=3D ~(M_BCAST | M_MCAST); + } #endif { /* =2D-- //depot/vendor/freebsd/src/sys/net/if_loop.c 2007/02/09 00:13:58 +++ //depot/user/mlaier/carp2/sys/net/if_loop.c 2007/09/19 18:47:18 
@@ -99,8 +99,6 @@ =20 int loioctl(struct ifnet *, u_long, caddr_t); static void lortrequest(int, struct rtentry *, struct rt_addrinfo *); =2Dint looutput(struct ifnet *ifp, struct mbuf *m, =2D struct sockaddr *dst, struct rtentry *rt); static int lo_clone_create(struct if_clone *, int, caddr_t); static void lo_clone_destroy(struct ifnet *); =20 =2D-- //depot/vendor/freebsd/src/sys/net/if_var.h 2007/05/16 18:42:49 +++ //depot/user/mlaier/carp2/sys/net/if_var.h 2007/09/19 18:47:18 @@ -131,7 +131,12 @@ */ struct knlist if_klist; /* events attached to this if */ int if_pcount; /* number of promiscuous listeners */ =2D struct carp_if *if_carp; /* carp interface structure */ + union { + struct carp_if *carp_s; + struct ifnet *carp_d; + } if_carp_ptr; +#define if_carp if_carp_ptr.carp_s +#define if_carpdev if_carp_ptr.carp_d struct bpf_if *if_bpf; /* packet filter structure */ u_short if_index; /* numeric abbreviation for this if */ short if_timer; /* time 'til if_watchdog called */ @@ -691,6 +696,8 @@ struct ifaddr *ifaof_ifpforaddr(struct sockaddr *, struct ifnet *); =20 int if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen); +int looutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, + struct rtentry *rt); =20 typedef void *if_com_alloc_t(u_char type, struct ifnet *ifp); typedef void if_com_free_t(void *com, u_char type); =2D-- //depot/vendor/freebsd/src/sys/netinet/if_ether.c 2007/10/07 20:49:19 +++ //depot/user/mlaier/carp2/sys/netinet/if_ether.c 2007/10/10 00:26:22 @@ -110,7 +110,6 @@ &arp_proxyall, 0, "Enable proxy ARP for all suitable requests"); =20 static void arp_init(void); =2Dstatic void arp_rtrequest(int, struct rtentry *, struct rt_addrinfo *); static void arprequest(struct ifnet *, struct in_addr *, struct in_addr *, u_char *); static void arpintr(struct mbuf *); @@ -144,7 +143,7 @@ /* * Parallel to llc_rtrequest. */ =2Dstatic void +void arp_rtrequest(int req, struct rtentry *rt, struct rt_addrinfo *info) { struct sockaddr *gate; 
@@ -608,7 +607,8 @@ itaddr.s_addr =3D=3D ia->ia_addr.sin_addr.s_addr) goto match; #ifdef DEV_CARP =2D if (ifp->if_carp !=3D NULL && + if (ifp->if_type !=3D IFT_CARP && ifp->if_carp !=3D NULL && + ia->ia_ifp->if_type =3D=3D IFT_CARP && carp_iamatch(ifp->if_carp, ia, &isaddr, &enaddr) && itaddr.s_addr =3D=3D ia->ia_addr.sin_addr.s_addr) { carp_match =3D 1; @@ -679,6 +679,7 @@ && (ifp->if_type !=3D IFT_CARP || !carp_match) #endif ) { +// printf("arp: %s %d\n", ifp->if_xname, carp_match); if (log_arp_wrong_iface) log(LOG_ERR, "arp: %s is on %s but got reply from %*D on %s\n", inet_ntoa(isaddr), =2D-- //depot/vendor/freebsd/src/sys/netinet/if_ether.h 2005/02/22 13:06:15 +++ //depot/user/mlaier/carp2/sys/netinet/if_ether.h 2007/09/19 18:47:18 @@ -113,6 +113,7 @@ struct mbuf *m, struct sockaddr *dst, u_char *desten); void arp_ifinit(struct ifnet *, struct ifaddr *); void arp_ifinit2(struct ifnet *, struct ifaddr *, u_char *); +void arp_rtrequest(int, struct rtentry *, struct rt_addrinfo *); #endif =20 #endif =2D-- //depot/vendor/freebsd/src/sys/netinet/in_proto.c 2007/10/07 20:49:19 +++ //depot/user/mlaier/carp2/sys/netinet/in_proto.c 2007/10/10 00:26:22 @@ -318,7 +318,7 @@ .pr_domain =3D &inetdomain, .pr_protocol =3D IPPROTO_CARP, .pr_flags =3D PR_ATOMIC|PR_ADDR, =2D .pr_input =3D carp_input, + .pr_input =3D carp_proto_input, .pr_output =3D (pr_output_t*)rip_output, .pr_ctloutput =3D rip_ctloutput, .pr_usrreqs =3D &rip_usrreqs =2D-- //depot/vendor/freebsd/src/sys/netinet/ip_carp.c 2007/10/07 20:49:19 +++ //depot/user/mlaier/carp2/sys/netinet/ip_carp.c 2007/10/27 20:24:21 
@@ -92,11 +92,9 @@ =20 struct carp_softc { struct ifnet *sc_ifp; /* Interface clue */ =2D struct ifnet *sc_carpdev; /* Pointer to parent interface */ =2D struct in_ifaddr *sc_ia; /* primary iface address */ +#define sc_carpdev sc_ifp->if_carpdev struct ip_moptions sc_imo; #ifdef INET6 =2D struct in6_ifaddr *sc_ia6; /* primary iface address v6 */ struct ip6_moptions sc_im6o; #endif /* INET6 */ TAILQ_ENTRY(carp_softc) sc_list; @@ -159,7 +157,7 @@ struct mtx vhif_mtx; }; =20 =2D/* Get carp_if from softc. Valid after carp_set_addr{,6}. */ +/* Get carp_if from softc. Valid after carp_set_{addr[6],ifp}. */ #define SC2CIF(sc) ((struct carp_if *)(sc)->sc_carpdev->if_carp) =20 /* lock per carp_if queue */ @@ -190,7 +188,7 @@ static int carp_hmac_verify(struct carp_softc *, u_int32_t *, unsigned char *); static void carp_setroute(struct carp_softc *, int); =2Dstatic void carp_input_c(struct mbuf *, struct carp_header *, sa_family_= t); +static void carp_proto_input_c(struct mbuf *, struct carp_header *, sa_fam= ily_t); static int carp_clone_create(struct if_clone *, int, caddr_t); static void carp_clone_destroy(struct ifnet *); static void carpdetach(struct carp_softc *, int); @@ -203,7 +201,7 @@ static void carp_master_down(void *); static void carp_master_down_locked(struct carp_softc *); static int carp_ioctl(struct ifnet *, u_long, caddr_t); =2Dstatic int carp_looutput(struct ifnet *, struct mbuf *, struct sockaddr = *, +static int carp_output(struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *); static void carp_start(struct ifnet *); static void carp_setrun(struct carp_softc *, sa_family_t); 
@@ -212,13 +210,16 @@ enum { CARP_COUNT_MASTER, CARP_COUNT_RUNNING }; =20 static void carp_multicast_cleanup(struct carp_softc *); +static int carp_set_ifp(struct carp_softc *, struct ifnet *); static int carp_set_addr(struct carp_softc *, struct sockaddr_in *); +static int carp_join_multicast(struct carp_softc *); static int carp_del_addr(struct carp_softc *, struct sockaddr_in *); static void carp_carpdev_state_locked(struct carp_if *); static void carp_sc_state_locked(struct carp_softc *); #ifdef INET6 static void carp_send_na(struct carp_softc *); static int carp_set_addr6(struct carp_softc *, struct sockaddr_in6 *); +static int carp_join_multicast6(struct carp_softc *); static int carp_del_addr6(struct carp_softc *, struct sockaddr_in6 *); static void carp_multicast6_cleanup(struct carp_softc *); #endif @@ -247,9 +248,9 @@ #endif =20 if (sc->sc_carpdev) =2D CARP_SCLOCK(sc); + CARP_SCLOCK_ASSERT(sc); =20 =2D /* XXX: possible race here */ + /* XXX: possible race here - really? */ =20 /* compute ipad from key */ bzero(sc->sc_pad, sizeof(sc->sc_pad)); @@ -285,8 +286,6 @@ for (i =3D 0; i < sizeof(sc->sc_pad); i++) sc->sc_pad[i] ^=3D 0x36 ^ 0x5c; =20 =2D if (sc->sc_carpdev) =2D CARP_SCUNLOCK(sc); } =20 static void 
@@ -334,13 +333,106 @@ TAILQ_FOREACH(ifa, &SC2IFP(sc)->if_addrlist, ifa_list) { if (ifa->ifa_addr->sa_family =3D=3D AF_INET && sc->sc_carpdev !=3D NULL) { =2D int count =3D carp_addrcount( =2D (struct carp_if *)sc->sc_carpdev->if_carp, =2D ifatoia(ifa), CARP_COUNT_MASTER); + int count =3D 0, error; + struct sockaddr sa; + struct rtentry *rt; + struct radix_node_head *rnh; + struct radix_node *rn; + struct rt_addrinfo info; + int hr_otherif, nr_ourif; + + /* + * Avoid screwing with the routes if there are other + * carp interfaces which are master and have the same + * address. + */ + if (sc->sc_carpdev !=3D NULL && + sc->sc_carpdev->if_carp !=3D NULL) { + count =3D carp_addrcount( + (struct carp_if *)sc->sc_carpdev->if_carp, + ifatoia(ifa), CARP_COUNT_MASTER); + if ((cmd =3D=3D RTM_ADD && count !=3D 1) || + (cmd =3D=3D RTM_DELETE && count !=3D 0)) + continue; + } + + /* Remove the existing host route, if any */ + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] =3D ifa->ifa_addr; + info.rti_flags =3D RTF_HOST; + error =3D rtrequest1(RTM_DELETE, &info, NULL); + rt_missmsg(RTM_DELETE, &info, info.rti_flags, error); + + /* Check for our address on another interface */ + /* XXX cries for proper API */ + rnh =3D rt_tables[ifa->ifa_addr->sa_family]; + RADIX_NODE_HEAD_LOCK(rnh); + rn =3D rnh->rnh_matchaddr(ifa->ifa_addr, rnh); + rt =3D (struct rtentry *)rn; + hr_otherif =3D (rt && rt->rt_ifp !=3D sc->sc_ifp && + rt->rt_flags & (RTF_CLONING|RTF_WASCLONED)); + + /* Check for a network route on our interface */ + bcopy(ifa->ifa_addr, &sa, sizeof(sa)); + satosin(&sa)->sin_addr.s_addr =3D satosin(ifa->ifa_netmask + )->sin_addr.s_addr & satosin(&sa)->sin_addr.s_addr; + rn =3D rnh->rnh_lookup(&sa, ifa->ifa_netmask, rnh); + rt =3D (struct rtentry *)rn; + nr_ourif =3D (rt && rt->rt_ifp =3D=3D sc->sc_ifp); + RADIX_NODE_HEAD_UNLOCK(rnh); + + switch (cmd) { + case RTM_ADD: + if (hr_otherif) { + ifa->ifa_rtrequest =3D NULL; + ifa->ifa_flags &=3D ~RTF_CLONING; + bzero(&info, 
sizeof(info)); + info.rti_info[RTAX_DST] =3D + ifa->ifa_addr; + info.rti_info[RTAX_GATEWAY] =3D + ifa->ifa_addr; + info.rti_flags =3D RTF_UP | RTF_HOST; + error =3D rtrequest1(RTM_ADD, &info, + NULL); + rt_missmsg(RTM_ADD, &info, + info.rti_flags, error); + } + if (!hr_otherif || nr_ourif || !rt) { + if (nr_ourif && !(rt->rt_flags & + RTF_CLONING)) { + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] =3D &sa; + info.rti_info[RTAX_NETMASK] =3D + ifa->ifa_netmask; + error =3D rtrequest1(RTM_DELETE, + &info, NULL); + rt_missmsg(RTM_DELETE, &info, + info.rti_flags, error); + } + + ifa->ifa_rtrequest =3D arp_rtrequest; + ifa->ifa_flags |=3D RTF_CLONING; =20 =2D if ((cmd =3D=3D RTM_ADD && count =3D=3D 1) || =2D (cmd =3D=3D RTM_DELETE && count =3D=3D 0)) =2D rtinit(ifa, cmd, RTF_UP | RTF_HOST); + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] =3D &sa; + info.rti_info[RTAX_GATEWAY] =3D + ifa->ifa_addr; + info.rti_info[RTAX_NETMASK] =3D + ifa->ifa_netmask; + error =3D rtrequest1(RTM_ADD, &info, + NULL); + if (error =3D=3D 0) + ifa->ifa_flags |=3D IFA_ROUTE; + rt_missmsg(RTM_ADD, &info, + info.rti_flags, error); + } + break; + case RTM_DELETE: + break; + default: + break; + } + break; } #ifdef INET6 if (ifa->ifa_addr->sa_family =3D=3D AF_INET6) { @@ -360,6 +452,7 @@ =20 struct carp_softc *sc; struct ifnet *ifp; + static const u_char eaddr[ETHER_ADDR_LEN]; /* 00:00:00:00:00:00 */ =20 MALLOC(sc, struct carp_softc *, sizeof(*sc), M_CARP, M_WAITOK|M_ZERO); ifp =3D SC2IFP(sc) =3D if_alloc(IFT_ETHER); 
@@ -391,16 +484,13 @@ =09 ifp->if_softc =3D sc; if_initname(ifp, CARP_IFNAME, unit); =2D ifp->if_mtu =3D ETHERMTU; =2D ifp->if_flags =3D IFF_LOOPBACK; + ether_ifattach(ifp, eaddr); + ifp->if_flags =3D IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST; ifp->if_ioctl =3D carp_ioctl; =2D ifp->if_output =3D carp_looutput; + ifp->if_output =3D carp_output; ifp->if_start =3D carp_start; ifp->if_type =3D IFT_CARP; ifp->if_snd.ifq_maxlen =3D ifqmaxlen; =2D ifp->if_hdrlen =3D 0; =2D if_attach(ifp); =2D bpfattach(SC2IFP(sc), DLT_NULL, sizeof(u_int32_t)); mtx_lock(&carp_mtx); LIST_INSERT_HEAD(&carpif_list, sc, sc_next); mtx_unlock(&carp_mtx); @@ -503,7 +593,7 @@ * but it seems more efficient this way or not possible otherwise. */ void =2Dcarp_input(struct mbuf *m, int hlen) +carp_proto_input(struct mbuf *m, int hlen) { struct ip *ip =3D mtod(m, struct ip *); struct carp_header *ch; @@ -517,9 +607,9 @@ } =20 /* check if received on a valid carp interface */ =2D if (m->m_pkthdr.rcvif->if_carp =3D=3D NULL) { + if (m->m_pkthdr.rcvif->if_type !=3D IFT_CARP) { carpstats.carps_badif++; =2D CARP_LOG("carp_input: packet received on non-carp " + CARP_LOG("carp_proto_input: packet received on non-carp " "interface: %s\n", m->m_pkthdr.rcvif->if_xname); m_freem(m); @@ -529,7 +619,7 @@ /* verify that the IP TTL is 255. */ if (ip->ip_ttl !=3D CARP_DFLTTL) { carpstats.carps_badttl++; =2D CARP_LOG("carp_input: received ttl %d !=3D 255i on %s\n", + CARP_LOG("carp_proto_input: received ttl %d !=3D 255i on %s\n", ip->ip_ttl, m->m_pkthdr.rcvif->if_xname); m_freem(m); @@ -540,7 +630,7 @@ =20 if (m->m_pkthdr.len < iplen + sizeof(*ch)) { carpstats.carps_badlen++; =2D CARP_LOG("carp_input: received len %zd < " + CARP_LOG("carp_proto_input: received len %zd < " "sizeof(struct carp_header)\n", m->m_len - sizeof(struct ip)); m_freem(m); 
@@ -550,7 +640,7 @@ if (iplen + sizeof(*ch) < m->m_len) { if ((m =3D m_pullup(m, iplen + sizeof(*ch))) =3D=3D NULL) { carpstats.carps_hdrops++; =2D CARP_LOG("carp_input: pullup failed\n"); + CARP_LOG("carp_proto_input: pullup failed\n"); return; } ip =3D mtod(m, struct ip *); @@ -564,7 +654,7 @@ len =3D iplen + sizeof(*ch); if (len > m->m_pkthdr.len) { carpstats.carps_badlen++; =2D CARP_LOG("carp_input: packet too short %d on %s\n", + CARP_LOG("carp_proto_input: packet too short %d on %s\n", m->m_pkthdr.len, m->m_pkthdr.rcvif->if_xname); m_freem(m); @@ -582,19 +672,19 @@ m->m_data +=3D iplen; if (carp_cksum(m, len - iplen)) { carpstats.carps_badsum++; =2D CARP_LOG("carp_input: checksum failed on %s\n", + CARP_LOG("carp_proto_input: checksum failed on %s\n", m->m_pkthdr.rcvif->if_xname); m_freem(m); return; } m->m_data -=3D iplen; =20 =2D carp_input_c(m, ch, AF_INET); + carp_proto_input_c(m, ch, AF_INET); } =20 #ifdef INET6 int =2Dcarp6_input(struct mbuf **mp, int *offp, int proto) +carp6_proto_input(struct mbuf **mp, int *offp, int proto) { struct mbuf *m =3D *mp; struct ip6_hdr *ip6 =3D mtod(m, struct ip6_hdr *); @@ -609,9 +699,9 @@ } =20 /* check if received on a valid carp interface */ =2D if (m->m_pkthdr.rcvif->if_carp =3D=3D NULL) { + if (m->m_pkthdr.rcvif->if_type !=3D IFT_CARP) { carpstats.carps_badif++; =2D CARP_LOG("carp6_input: packet received on non-carp " + CARP_LOG("carp6_proto_input: packet received on non-carp " "interface: %s\n", m->m_pkthdr.rcvif->if_xname); m_freem(m); @@ -621,7 +711,7 @@ /* verify that the IP TTL is 255 */ if (ip6->ip6_hlim !=3D CARP_DFLTTL) { carpstats.carps_badttl++; =2D CARP_LOG("carp6_input: received ttl %d !=3D 255 on %s\n", + CARP_LOG("carp6_proto_input: received ttl %d !=3D 255 on %s\n", ip6->ip6_hlim, m->m_pkthdr.rcvif->if_xname); m_freem(m); 
@@ -633,7 +723,7 @@ IP6_EXTHDR_GET(ch, struct carp_header *, m, *offp, sizeof(*ch)); if (ch =3D=3D NULL) { carpstats.carps_badlen++; =2D CARP_LOG("carp6_input: packet size %u too small\n", len); + CARP_LOG("carp6_proto_input: packet size %u too small\n", len); return (IPPROTO_DONE); } =20 @@ -642,22 +732,22 @@ m->m_data +=3D *offp; if (carp_cksum(m, sizeof(*ch))) { carpstats.carps_badsum++; =2D CARP_LOG("carp6_input: checksum failed, on %s\n", + CARP_LOG("carp6_proto_input: checksum failed, on %s\n", m->m_pkthdr.rcvif->if_xname); m_freem(m); return (IPPROTO_DONE); } m->m_data -=3D *offp; =20 =2D carp_input_c(m, ch, AF_INET6); + carp_proto_input_c(m, ch, AF_INET6); return (IPPROTO_DONE); } #endif /* INET6 */ =20 static void =2Dcarp_input_c(struct mbuf *m, struct carp_header *ch, sa_family_t af) +carp_proto_input_c(struct mbuf *m, struct carp_header *ch, sa_family_t af) { =2D struct ifnet *ifp =3D m->m_pkthdr.rcvif; + struct ifnet *ifp =3D m->m_pkthdr.rcvif->if_carpdev; struct carp_softc *sc; u_int64_t tmp_counter; struct timeval sc_tv, ch_tv; @@ -793,9 +883,6 @@ static int carp_prepare_ad(struct mbuf *m, struct carp_softc *sc, struct carp_header = *ch) { =2D struct m_tag *mtag; =2D struct ifnet *ifp =3D SC2IFP(sc); =2D if (sc->sc_init_counter) { /* this could also be seconds since unix epoch */ sc->sc_counter =3D arc4random(); @@ -809,16 +896,6 @@ =20 carp_hmac_generate(sc, ch->carp_counter, ch->carp_md); =20 =2D /* Tag packet for carp_output */ =2D mtag =3D m_tag_get(PACKET_TAG_CARP, sizeof(struct ifnet *), M_NOWAIT); =2D if (mtag =3D=3D NULL) { =2D m_freem(m); =2D SC2IFP(sc)->if_oerrors++; =2D return (ENOMEM); =2D } =2D bcopy(&ifp, (caddr_t)(mtag + 1), sizeof(struct ifnet *)); =2D m_tag_prepend(m, mtag); =2D return (0); } =20 @@ -859,6 +936,8 @@ struct carp_header *ch_ptr; struct mbuf *m; int len, advbase, advskew; + struct ifaddr *ifa; + struct sockaddr sa; =20 CARP_SCLOCK_ASSERT(sc); =20 
@@ -887,7 +966,7 @@ ch.carp_cksum =3D 0; =20 #ifdef INET =2D if (sc->sc_ia) { + if (sc->sc_naddrs) { struct ip *ip; =20 MGETHDR(m, M_DONTWAIT, MT_HEADER); @@ -916,7 +995,15 @@ ip->ip_ttl =3D CARP_DFLTTL; ip->ip_p =3D IPPROTO_CARP; ip->ip_sum =3D 0; =2D ip->ip_src.s_addr =3D sc->sc_ia->ia_addr.sin_addr.s_addr; + + bzero(&sa, sizeof(sa)); + sa.sa_family =3D AF_INET; + ifa =3D ifaof_ifpforaddr(&sa, SC2IFP(sc)); + if (ifa =3D=3D NULL) + ip->ip_src.s_addr =3D 0; + else + ip->ip_src.s_addr =3D + ifatoia(ifa)->ia_addr.sin_addr.s_addr; ip->ip_dst.s_addr =3D htonl(INADDR_CARP_GROUP); =20 ch_ptr =3D (struct carp_header *)(&ip[1]); @@ -959,7 +1046,7 @@ } #endif /* INET */ #ifdef INET6 =2D if (sc->sc_ia6) { + if (sc->sc_naddrs6) { struct ip6_hdr *ip6; =20 MGETHDR(m, M_DONTWAIT, MT_HEADER); @@ -983,8 +1070,15 @@ ip6->ip6_vfc |=3D IPV6_VERSION; ip6->ip6_hlim =3D CARP_DFLTTL; ip6->ip6_nxt =3D IPPROTO_CARP; =2D bcopy(&sc->sc_ia6->ia_addr.sin6_addr, &ip6->ip6_src, =2D sizeof(struct in6_addr)); + + bzero(&sa, sizeof(sa)); + sa.sa_family =3D AF_INET6; + ifa =3D ifaof_ifpforaddr(&sa, SC2IFP(sc)); + if (ifa =3D=3D NULL) + bzero(&ip6->ip6_src, sizeof(struct in6_addr)); + else + bcopy(ifatoia6(ifa)->ia_addr.sin6_addr.s6_addr, + &ip6->ip6_src, sizeof(struct in6_addr)); /* set the multicast destination */ =20 ip6->ip6_dst.s6_addr16[0] =3D htons(0xff02); @@ -1058,7 +1152,7 @@ continue; =20 /* arprequest(sc->sc_carpdev, &in, &in, IF_LLADDR(sc->sc_ifp)); */ =2D arp_ifinit2(sc->sc_carpdev, ifa, IF_LLADDR(sc->sc_ifp)); + arp_ifinit2(SC2IFP(sc), ifa, IF_LLADDR(sc->sc_ifp)); =20 DELAY(1000); /* XXX */ } 
@@ -1119,9 +1213,17 @@ struct carp_softc *vh; int index, count =3D 0; struct ifaddr *ifa; + char iastr[INET_ADDRSTRLEN]; + char isstr[INET_ADDRSTRLEN]; + =20 CARP_LOCK(cif); =20 + inet_ntoa_r(ia->ia_addr.sin_addr, iastr); + inet_ntoa_r(*isaddr, isstr); + printf("carp_iamatch(%s, %s, %s, ...)\n", cif->vhif_ifp->if_xname, + iastr, isstr); + if (carp_opts[CARPCTL_ARPBALANCE]) { /* * XXX proof of concept implementation. @@ -1173,8 +1275,11 @@ ia->ia_ifp =3D=3D SC2IFP(vh) && vh->sc_state =3D=3D MASTER) { *enaddr =3D IF_LLADDR(vh->sc_ifp); + printf("found: %s\n", vh->sc_ifp->if_xname); CARP_UNLOCK(cif); return (1); + } else { + printf("not: %s\n", vh->sc_ifp->if_xname); } } } @@ -1211,7 +1316,6 @@ void * carp_macmatch6(void *v, struct mbuf *m, const struct in6_addr *taddr) { =2D struct m_tag *mtag; struct carp_if *cif =3D v; struct carp_softc *sc; struct ifaddr *ifa; @@ -1223,18 +1327,6 @@ &ifatoia6(ifa)->ia_addr.sin6_addr) && (SC2IFP(sc)->if_flags & IFF_UP) && (SC2IFP(sc)->if_drv_flags & IFF_DRV_RUNNING)) { =2D struct ifnet *ifp =3D SC2IFP(sc); =2D mtag =3D m_tag_get(PACKET_TAG_CARP, =2D sizeof(struct ifnet *), M_NOWAIT); =2D if (mtag =3D=3D NULL) { =2D /* better a bit than nothing */ =2D CARP_UNLOCK(cif); =2D return (IF_LLADDR(sc->sc_ifp)); =2D } =2D bcopy(&ifp, (caddr_t)(mtag + 1), =2D sizeof(struct ifnet *)); =2D m_tag_prepend(m, mtag); =2D CARP_UNLOCK(cif); return (IF_LLADDR(sc->sc_ifp)); } 
@@ -1423,15 +1515,116 @@ #endif =20 static int +carp_set_ifp(struct carp_softc *sc, struct ifnet *ifp) +{ + struct carp_if *cif =3D NULL, *ncif =3D NULL; + struct carp_softc *vr, *after =3D NULL; + int myself =3D 0, error =3D 0; + + if (ifp =3D=3D sc->sc_carpdev) + return (0); + + if (ifp !=3D NULL) { + if ((ifp->if_flags & IFF_MULTICAST) =3D=3D 0) + return (ENODEV); + if (ifp->if_type =3D=3D IFT_CARP) + return (EINVAL); + + if (ifp->if_carp =3D=3D NULL) { + MALLOC(ncif, struct carp_if *, sizeof(*ncif), M_CARP, + M_WAITOK|M_ZERO); + if (!ncif) + return (ENOBUFS); + if ((error =3D ifpromisc(ifp, 1))) { + FREE(ncif, M_CARP); + return (error); + } + } else { + cif =3D (struct carp_if *)ifp->if_carp; + CARP_LOCK(cif); + TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) + if (vr !=3D sc && vr->sc_vhid =3D=3D sc->sc_vhid) { + CARP_UNLOCK(cif); + return (EINVAL); + } + } + + /* detach from old interface */ + if (sc->sc_carpdev !=3D NULL) { + CARP_SCLOCK(sc); + carpdetach(sc, 1); + } + + if (sc->sc_naddrs !=3D 0 && + (error =3D carp_join_multicast(sc)) !=3D 0) + goto cleanup; +#ifdef INET6 + if (sc->sc_naddrs6 !=3D 0 && + (error =3D carp_join_multicast6(sc)) !=3D 0) { + carp_multicast_cleanup(sc); + goto cleanup; + } +#endif + + /* attach carp glue to physical interface */ + if (ncif !=3D NULL) { + CARP_LOCK_INIT(ncif); + CARP_LOCK(ncif); + ncif->vhif_ifp =3D ifp; + TAILQ_INIT(&ncif->vhif_vrs); + TAILQ_INSERT_HEAD(&ncif->vhif_vrs, sc, sc_list); + ncif->vhif_nvrs++; + ifp->if_carp =3D ncif; + CARP_UNLOCK(ncif); + } else { + cif =3D (struct carp_if *)ifp->if_carp; + TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) { + if (vr =3D=3D sc) + myself =3D 1; + if (vr->sc_vhid < sc->sc_vhid) + after =3D vr; + } + if (!myself) { + if (after =3D=3D NULL) { + TAILQ_INSERT_TAIL(&cif->vhif_vrs, sc, + sc_list); + } else { + TAILQ_INSERT_AFTER(&cif->vhif_vrs, + after, sc, sc_list); + } + cif->vhif_nvrs++; + } + CARP_UNLOCK(cif); + } + + sc->sc_carpdev =3D ifp; + if (sc->sc_naddrs || sc->sc_naddrs6) + 
sc->sc_ifp->if_flags |=3D IFF_UP; + carp_carpdev_state(ifp); + } else { + CARP_SCLOCK(sc); + carpdetach(sc, 1); + SC2IFP(sc)->if_flags &=3D ~IFF_UP; + SC2IFP(sc)->if_drv_flags &=3D ~IFF_DRV_RUNNING; + } + + return (0); +cleanup: + if (ncif) + FREE(ncif, M_CARP); + else + CARP_UNLOCK(cif); + + return (error); +} + +static int carp_set_addr(struct carp_softc *sc, struct sockaddr_in *sin) { =2D struct ifnet *ifp; =2D struct carp_if *cif; + struct ifnet *ifp =3D sc->sc_carpdev; struct in_ifaddr *ia, *ia_if; =2D struct ip_moptions *imo =3D &sc->sc_imo; =2D struct in_addr addr; u_long iaddr =3D htonl(sin->sin_addr.s_addr); =2D int own, error; + int error; =20 if (sin->sin_addr.s_addr =3D=3D 0) { if (!(SC2IFP(sc)->if_flags & IFF_UP)) @@ -1443,7 +1636,7 @@ } =20 /* we have to do it by hands to check we won't match on us */ =2D ia_if =3D NULL; own =3D 0; + ia_if =3D NULL; TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) { /* and, yeah, we need a multicast-capable iface too */ if (ia->ia_ifp !=3D SC2IFP(sc) && 
@@ -1451,106 +1644,65 @@ (iaddr & ia->ia_subnetmask) =3D=3D ia->ia_subnet) { if (!ia_if) ia_if =3D ia; =2D if (sin->sin_addr.s_addr =3D=3D =2D ia->ia_addr.sin_addr.s_addr) =2D own++; } } =20 =2D if (!ia_if) =2D return (EADDRNOTAVAIL); =2D =2D ia =3D ia_if; =2D ifp =3D ia->ia_ifp; =2D =2D if (ifp =3D=3D NULL || (ifp->if_flags & IFF_MULTICAST) =3D=3D 0 || =2D (imo->imo_multicast_ifp && imo->imo_multicast_ifp !=3D ifp)) =2D return (EADDRNOTAVAIL); =2D =2D if (imo->imo_num_memberships =3D=3D 0) { =2D addr.s_addr =3D htonl(INADDR_CARP_GROUP); =2D if ((imo->imo_membership[0] =3D in_addmulti(&addr, ifp)) =3D=3D NULL) =2D return (ENOBUFS); =2D imo->imo_num_memberships++; =2D imo->imo_multicast_ifp =3D ifp; =2D imo->imo_multicast_ttl =3D CARP_DFLTTL; =2D imo->imo_multicast_loop =3D 0; =2D } =2D =2D if (!ifp->if_carp) { =2D =2D MALLOC(cif, struct carp_if *, sizeof(*cif), M_CARP, =2D M_WAITOK|M_ZERO); =2D if (!cif) { =2D error =3D ENOBUFS; =2D goto cleanup; + if (ia_if) { + ia =3D ia_if; + if (ifp) { + if (ifp !=3D ia->ia_ifp) + return (EADDRNOTAVAIL); + } else { + ifp =3D ia->ia_ifp; } =2D if ((error =3D ifpromisc(ifp, 1))) { =2D FREE(cif, M_CARP); =2D goto cleanup; =2D } =2D =09 =2D CARP_LOCK_INIT(cif); =2D CARP_LOCK(cif); =2D cif->vhif_ifp =3D ifp; =2D TAILQ_INIT(&cif->vhif_vrs); =2D ifp->if_carp =3D cif; =2D =2D } else { =2D struct carp_softc *vr; =2D =2D cif =3D (struct carp_if *)ifp->if_carp; =2D CARP_LOCK(cif); =2D TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) =2D if (vr !=3D sc && vr->sc_vhid =3D=3D sc->sc_vhid) { =2D CARP_UNLOCK(cif); =2D error =3D EINVAL; =2D goto cleanup; =2D } } =2D sc->sc_ia =3D ia; =2D sc->sc_carpdev =3D ifp; =20 =2D { /* XXX prevent endless loop if already in queue */ =2D struct carp_softc *vr, *after =3D NULL; =2D int myself =3D 0; =2D cif =3D (struct carp_if *)ifp->if_carp; + if ((error =3D carp_set_ifp(sc, ifp))) + return (error); =20 =2D /* XXX: cif should not change, right? 
So we still hold the lock */ =2D CARP_LOCK_ASSERT(cif); + if (sc->sc_carpdev =3D=3D NULL) + return (EADDRNOTAVAIL); =20 =2D TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) { =2D if (vr =3D=3D sc) =2D myself =3D 1; =2D if (vr->sc_vhid < sc->sc_vhid) =2D after =3D vr; + CARP_SCLOCK(sc); + if (sc->sc_naddrs =3D=3D 0 && (error =3D carp_join_multicast(sc)) !=3D 0)= { + CARP_SCUNLOCK(sc); + return (error); } =20 =2D if (!myself) { =2D /* We're trying to keep things in order */ =2D if (after =3D=3D NULL) { =2D TAILQ_INSERT_TAIL(&cif->vhif_vrs, sc, sc_list); =2D } else { =2D TAILQ_INSERT_AFTER(&cif->vhif_vrs, after, sc, sc_list); =2D } =2D cif->vhif_nvrs++; =2D } =2D } =2D sc->sc_naddrs++; SC2IFP(sc)->if_flags |=3D IFF_UP; =2D if (own) =2D sc->sc_advskew =3D 0; carp_sc_state_locked(sc); carp_setrun(sc, 0); + CARP_SCUNLOCK(sc); + + return (0); + +/* + * XXX: cleanup multi? + * cleanup: + * return (error); + */ +} + +static int +carp_join_multicast(struct carp_softc *sc) +{ + struct ip_moptions *imo =3D &sc->sc_imo; + struct in_addr addr; + + KASSERT(imo->imo_num_memberships =3D=3D 0, + ("carp_join_multicast: leftover multicast memberships")); =20 =2D CARP_UNLOCK(cif); + addr.s_addr =3D htonl(INADDR_CARP_GROUP); + if ((imo->imo_membership[0] =3D + in_addmulti(&addr, SC2IFP(sc))) =3D=3D NULL) + return (ENOBUFS); + imo->imo_num_memberships++; + imo->imo_multicast_ifp =3D SC2IFP(sc); + imo->imo_multicast_ttl =3D CARP_DFLTTL; + imo->imo_multicast_loop =3D 0; =20 return (0); =2D =2Dcleanup: =2D in_delmulti(imo->imo_membership[--imo->imo_num_memberships]); =2D return (error); } =20 static int @@ -1587,12 +1739,8 @@ carp_set_addr6(struct carp_softc *sc, struct sockaddr_in6 *sin6) { struct ifnet *ifp; =2D struct carp_if *cif; struct in6_ifaddr *ia, *ia_if; =2D struct ip6_moptions *im6o =3D &sc->sc_im6o; =2D struct in6_multi_mship *imm; =2D struct in6_addr in6; =2D int own, error; + int own; =20 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) { if (!(SC2IFP(sc)->if_flags & IFF_UP)) 
@@ -1633,114 +1781,74 @@ ifp =3D ia->ia_ifp; =20 if (ifp =3D=3D NULL || (ifp->if_flags & IFF_MULTICAST) =3D=3D 0 || =2D (im6o->im6o_multicast_ifp && im6o->im6o_multicast_ifp !=3D ifp)) + (sc->sc_im6o.im6o_multicast_ifp && + sc->sc_im6o.im6o_multicast_ifp !=3D ifp)) return (EADDRNOTAVAIL); =20 =2D if (!sc->sc_naddrs6) { =2D im6o->im6o_multicast_ifp =3D ifp; + sc->sc_carpdev =3D ifp; =20 =2D /* join CARP multicast address */ =2D bzero(&in6, sizeof(in6)); =2D in6.s6_addr16[0] =3D htons(0xff02); =2D in6.s6_addr8[15] =3D 0x12; =2D if (in6_setscope(&in6, ifp, NULL) !=3D 0) =2D goto cleanup; =2D if ((imm =3D in6_joingroup(ifp, &in6, &error, 0)) =3D=3D NULL) =2D goto cleanup; =2D LIST_INSERT_HEAD(&im6o->im6o_memberships, imm, i6mm_chain); + sc->sc_naddrs6++; + SC2IFP(sc)->if_flags |=3D IFF_UP; + if (own) + sc->sc_advskew =3D 0; + carp_sc_state_locked(sc); + carp_setrun(sc, 0); =20 =2D /* join solicited multicast address */ =2D bzero(&in6, sizeof(in6)); =2D in6.s6_addr16[0] =3D htons(0xff02); =2D in6.s6_addr32[1] =3D 0; =2D in6.s6_addr32[2] =3D htonl(1); =2D in6.s6_addr32[3] =3D sin6->sin6_addr.s6_addr32[3]; =2D in6.s6_addr8[12] =3D 0xff; =2D if (in6_setscope(&in6, ifp, NULL) !=3D 0) =2D goto cleanup; =2D if ((imm =3D in6_joingroup(ifp, &in6, &error, 0)) =3D=3D NULL) =2D goto cleanup; =2D LIST_INSERT_HEAD(&im6o->im6o_memberships, imm, i6mm_chain); =2D } + return (0); =20 =2D if (!ifp->if_carp) { =2D MALLOC(cif, struct carp_if *, sizeof(*cif), M_CARP, =2D M_WAITOK|M_ZERO); =2D if (!cif) { =2D error =3D ENOBUFS; =2D goto cleanup; =2D } =2D if ((error =3D ifpromisc(ifp, 1))) { =2D FREE(cif, M_CARP); =2D goto cleanup; =2D } +/* XXX: + * cleanup: + * * clean up multicast memberships * + * if (!sc->sc_naddrs6) { + * while (!LIST_EMPTY(&im6o->im6o_memberships)) { + * imm =3D LIST_FIRST(&im6o->im6o_memberships); + * LIST_REMOVE(imm, i6mm_chain); + * in6_leavegroup(imm); + * } + * } + * return (error); + */ +} =20 =2D CARP_LOCK_INIT(cif); =2D CARP_LOCK(cif); =2D cif->vhif_ifp =3D 
ifp; =2D TAILQ_INIT(&cif->vhif_vrs); =2D ifp->if_carp =3D cif; +static int +carp_join_multicast6(struct carp_softc *sc) +{ + struct ip6_moptions *im6o =3D &sc->sc_im6o; + struct in6_multi_mship *imm, *imm2; + struct in6_addr in6; + int error =3D 0; =20 =2D } else { =2D struct carp_softc *vr; + /* join CARP multicast address */ + bzero(&in6, sizeof(in6)); + in6.s6_addr16[0] =3D htons(0xff02); + in6.s6_addr8[15] =3D 0x12; + if ((error =3D in6_setscope(&in6, sc->sc_carpdev, NULL)) !=3D 0) + return (error); + if ((imm =3D in6_joingroup(sc->sc_carpdev, &in6, &error, 0)) =3D=3D NULL) + return (error); =20 =2D cif =3D (struct carp_if *)ifp->if_carp; =2D CARP_LOCK(cif); =2D TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) =2D if (vr !=3D sc && vr->sc_vhid =3D=3D sc->sc_vhid) { =2D CARP_UNLOCK(cif); =2D error =3D EINVAL; =2D goto cleanup; =2D } + /* join solicited multicast address */ + bzero(&in6, sizeof(in6)); + in6.s6_addr16[0] =3D htons(0xff02); + in6.s6_addr32[1] =3D 0; + in6.s6_addr32[2] =3D htonl(1); + in6.s6_addr32[3] =3D 0; /* XXX: sin6->sin6_addr.s6_addr32[3]; */ + in6.s6_addr8[12] =3D 0xff; + if ((error =3D in6_setscope(&in6, sc->sc_carpdev, NULL)) !=3D 0) { + in6_leavegroup(imm); + return (error); } =2D sc->sc_ia6 =3D ia; =2D sc->sc_carpdev =3D ifp; =2D =2D { /* XXX prevent endless loop if already in queue */ =2D struct carp_softc *vr, *after =3D NULL; =2D int myself =3D 0; =2D cif =3D (struct carp_if *)ifp->if_carp; =2D CARP_LOCK_ASSERT(cif); =2D =2D TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) { =2D if (vr =3D=3D sc) =2D myself =3D 1; =2D if (vr->sc_vhid < sc->sc_vhid) =2D after =3D vr; + if ((imm2 =3D in6_joingroup(sc->sc_carpdev, &in6, &error, 0)) =3D=3D NULL= ) { + in6_leavegroup(imm); + return (error); } =20 =2D if (!myself) { =2D /* We're trying to keep things in order */ =2D if (after =3D=3D NULL) { =2D TAILQ_INSERT_TAIL(&cif->vhif_vrs, sc, sc_list); =2D } else { =2D TAILQ_INSERT_AFTER(&cif->vhif_vrs, after, sc, sc_list); =2D } =2D cif->vhif_nvrs++; =2D } =2D } 
+ im6o->im6o_multicast_ifp =3D sc->sc_carpdev; =20 =2D sc->sc_naddrs6++; =2D SC2IFP(sc)->if_flags |=3D IFF_UP; =2D if (own) =2D sc->sc_advskew =3D 0; =2D carp_sc_state_locked(sc); =2D carp_setrun(sc, 0); + LIST_INSERT_HEAD(&im6o->im6o_memberships, imm, i6mm_chain); + LIST_INSERT_HEAD(&im6o->im6o_memberships, imm2, i6mm_chain); =20 =2D CARP_UNLOCK(cif); =2D return (0); =2D =2Dcleanup: =2D /* clean up multicast memberships */ =2D if (!sc->sc_naddrs6) { =2D while (!LIST_EMPTY(&im6o->im6o_memberships)) { =2D imm =3D LIST_FIRST(&im6o->im6o_memberships); =2D LIST_REMOVE(imm, i6mm_chain); =2D in6_leavegroup(imm); =2D } =2D } =2D return (error); } =20 static int @@ -1786,7 +1894,8 @@ struct ifaddr *ifa; struct ifreq *ifr; struct ifaliasreq *ifra; =2D int locked =3D 0, error =3D 0; + struct ifnet *cdev =3D NULL; + int locked =3D 0, error =3D 0, changed =3D 0; =20 ifa =3D (struct ifaddr *)addr; ifra =3D (struct ifaliasreq *)addr; @@ -1794,12 +1903,12 @@ =20 switch (cmd) { case SIOCSIFADDR: + case SIOCAIFADDR: + changed++; switch (ifa->ifa_addr->sa_family) { #ifdef INET case AF_INET: SC2IFP(sc)->if_flags |=3D IFF_UP; =2D bcopy(ifa->ifa_addr, ifa->ifa_dstaddr, =2D sizeof(struct sockaddr)); error =3D carp_set_addr(sc, satosin(ifa->ifa_addr)); break; #endif /* INET */ @@ -1815,29 +1924,8 @@ } break; =20 =2D case SIOCAIFADDR: =2D switch (ifa->ifa_addr->sa_family) { =2D#ifdef INET =2D case AF_INET: =2D SC2IFP(sc)->if_flags |=3D IFF_UP; =2D bcopy(ifa->ifa_addr, ifa->ifa_dstaddr, =2D sizeof(struct sockaddr)); =2D error =3D carp_set_addr(sc, satosin(&ifra->ifra_addr)); =2D break; =2D#endif /* INET */ =2D#ifdef INET6 =2D case AF_INET6: =2D SC2IFP(sc)->if_flags |=3D IFF_UP; =2D error =3D carp_set_addr6(sc, satosin6(&ifra->ifra_addr)); =2D break; =2D#endif /* INET6 */ =2D default: =2D error =3D EAFNOSUPPORT; =2D break; =2D } =2D break; =2D case SIOCDIFADDR: + changed++; switch (ifa->ifa_addr->sa_family) { #ifdef INET case AF_INET: 
@@ -1881,6 +1969,14 @@ if ((error =3D copyin(ifr->ifr_data, &carpr, sizeof carpr))) break; error =3D 1; + changed++; + if (carpr.carpr_carpdev[0] !=3D '\0' && + (cdev =3D ifunit(carpr.carpr_carpdev)) =3D=3D NULL) { + error =3D EINVAL; + break; + } + if ((error =3D carp_set_ifp(sc, cdev))) + break; if (sc->sc_carpdev) { locked =3D 1; CARP_SCLOCK(sc); 
@@ -1959,64 +2055,37 @@ if (error =3D=3D 0) bcopy(sc->sc_key, carpr.carpr_key, sizeof(carpr.carpr_key)); + if (sc->sc_carpdev !=3D NULL) + strlcpy(carpr.carpr_carpdev, sc->sc_carpdev->if_xname, + CARPDEVNAMSIZ); error =3D copyout(&carpr, ifr->ifr_data, sizeof(carpr)); break; =20 + case SIOCADDMULTI: + case SIOCDELMULTI: + /* TODO: tell carpdev */ + break; + default: error =3D EINVAL; } =20 + if (changed) { + if (!locked && sc->sc_carpdev) { + /* XXX: This really shouldn't happen */ + CARP_SCLOCK(sc); + locked =3D 1; + } + carp_hmac_prepare(sc); + } + if (locked) CARP_SCUNLOCK(sc); =20 =2D carp_hmac_prepare(sc); =2D return (error); } =20 /* =2D * XXX: this is looutput. We should eventually use it from there. =2D */ =2Dstatic int =2Dcarp_looutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, =2D struct rtentry *rt) =2D{ =2D u_int32_t af; =2D =2D M_ASSERTPKTHDR(m); /* check if we have the packet header */ =2D =2D if (rt && rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) { =2D m_freem(m); =2D return (rt->rt_flags & RTF_BLACKHOLE ? 0 : =2D rt->rt_flags & RTF_HOST ? EHOSTUNREACH : ENETUNREACH); =2D } =2D =2D ifp->if_opackets++; =2D ifp->if_obytes +=3D m->m_pkthdr.len; =2D =2D /* BPF writes need to be handled specially. */ =2D if (dst->sa_family =3D=3D AF_UNSPEC) { =2D bcopy(dst->sa_data, &af, sizeof(af)); =2D dst->sa_family =3D af; =2D } =2D =2D#if 1 /* XXX */ =2D switch (dst->sa_family) { =2D case AF_INET: =2D case AF_INET6: =2D case AF_IPX: =2D case AF_APPLETALK: =2D break; =2D default: =2D printf("carp_looutput: af=3D%d unexpected\n", dst->sa_family); =2D m_freem(m); =2D return (EAFNOSUPPORT); =2D } =2D#endif =2D return(if_simloop(ifp, m, dst->sa_family, 0)); =2D} =2D =2D/* * Start output on carp interface. This function should never be called. */ static void 
@@ -2027,80 +2096,83 @@ #endif } =20 =2Dint +static int carp_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *sa, struct rtentry *rt) { =2D struct m_tag *mtag; =2D struct carp_softc *sc; =2D struct ifnet *carp_ifp; + struct carp_softc *sc =3D ifp->if_softc; + + if (sc->sc_carpdev !=3D NULL && sc->sc_state =3D=3D MASTER) + return (sc->sc_carpdev->if_output(ifp, m, sa, rt)); + else { + m_freem(m); + return (ENETUNREACH); + } +} + +struct ifnet * +carp_ourether(void *v, struct ether_header *eh, u_char iftype, int src) +{ + struct carp_if *cif =3D (struct carp_if *)v; + struct carp_softc *vh; + u_int8_t *ena; =20 =2D if (!sa) =2D return (0); + if (src) + ena =3D (u_int8_t *)&eh->ether_shost; + else + ena =3D (u_int8_t *)&eh->ether_dhost; =20 =2D switch (sa->sa_family) { =2D#ifdef INET =2D case AF_INET: =2D break; =2D#endif /* INET */ =2D#ifdef INET6 =2D case AF_INET6: =2D break; =2D#endif /* INET6 */ =2D default: =2D return (0); + TAILQ_FOREACH(vh, &cif->vhif_vrs, sc_list) { + if ((vh->sc_ifp->if_flags & (IFF_UP)) !=3D (IFF_UP)) + continue; + if ((vh->sc_state =3D=3D MASTER /* || vh->sc_ifp->if_flags & IFF_LINK0 *= /) + && !bcmp(ena, IF_LLADDR(vh->sc_ifp), ETHER_ADDR_LEN)) + return (vh->sc_ifp); } + return (NULL); +} =20 =2D mtag =3D m_tag_find(m, PACKET_TAG_CARP, NULL); =2D if (mtag =3D=3D NULL) =2D return (0); +int +carp_input(struct mbuf *m) +{ + struct ether_header *eh; + struct carp_if *cif =3D (struct carp_if *)m->m_pkthdr.rcvif->if_carp; + struct ifnet *ifp; =20 =2D bcopy(mtag + 1, &carp_ifp, sizeof(struct ifnet *)); =2D sc =3D carp_ifp->if_softc; + eh =3D mtod(m, struct ether_header *); =20 =2D /* Set the source MAC address to Virtual Router MAC Address */ =2D switch (ifp->if_type) { =2D case IFT_ETHER: =2D case IFT_L2VLAN: { =2D struct ether_header *eh; + if ((ifp =3D carp_ourether(cif, eh, m->m_pkthdr.rcvif->if_type, 0))) + ; + else if (m->m_flags & (M_BCAST|M_MCAST)) { + struct carp_softc *vh; + struct mbuf *m0; =20 =2D eh =3D mtod(m, struct 
ether_header *); =2D eh->ether_shost[0] =3D 0; =2D eh->ether_shost[1] =3D 0; =2D eh->ether_shost[2] =3D 0x5e; =2D eh->ether_shost[3] =3D 0; =2D eh->ether_shost[4] =3D 1; =2D eh->ether_shost[5] =3D sc->sc_vhid; + /* + * XXX Should really check the list of multicast addresses + * for each CARP interface _before_ copying. + */ + TAILQ_FOREACH(vh, &cif->vhif_vrs, sc_list) { + m0 =3D m_dup(m, M_DONTWAIT); + if (m0 =3D=3D NULL) + continue; + m0->m_pkthdr.rcvif =3D vh->sc_ifp; + ether_input(vh->sc_ifp, m0); } =2D break; =2D case IFT_FDDI: { =2D struct fddi_header *fh; + return (1); + } + + if (ifp =3D=3D NULL) + return (1); + + m->m_pkthdr.rcvif =3D ifp; =20 =2D fh =3D mtod(m, struct fddi_header *); =2D fh->fddi_shost[0] =3D 0; =2D fh->fddi_shost[1] =3D 0; =2D fh->fddi_shost[2] =3D 0x5e; =2D fh->fddi_shost[3] =3D 0; =2D fh->fddi_shost[4] =3D 1; =2D fh->fddi_shost[5] =3D sc->sc_vhid; =2D } =2D break; =2D case IFT_ISO88025: { =2D struct iso88025_header *th; =2D th =3D mtod(m, struct iso88025_header *); =2D th->iso88025_shost[0] =3D 3; =2D th->iso88025_shost[1] =3D 0; =2D th->iso88025_shost[2] =3D 0x40 >> (sc->sc_vhid - 1); =2D th->iso88025_shost[3] =3D 0x40000 >> (sc->sc_vhid - 1); =2D th->iso88025_shost[4] =3D 0; =2D th->iso88025_shost[5] =3D 0; =2D } =2D break; =2D default: =2D printf("%s: carp is not supported for this interface type\n", =2D ifp->if_xname); =2D return (EOPNOTSUPP); =2D } +#if 0 /* XXX: BPF */ + if (ifp->if_bpf) + bpf_mtap_hdr(ifp->if_bpf, (char *)&eh, ETHER_HDR_LEN, m, + BPF_DIRECTION_IN); +#endif + ifp->if_ipackets++; + ether_input(ifp, m); =20 return (0); } 
@@ -2131,9 +2203,14 @@ } =20 void =2Dcarp_carpdev_state(void *v) +carp_carpdev_state(struct ifnet *ifp) { =2D struct carp_if *cif =3D v; + struct carp_if *cif; + + if (ifp->if_type =3D=3D IFT_CARP || ifp->if_carp =3D=3D NULL) + return; + + cif =3D ifp->if_carp; =20 CARP_LOCK(cif); carp_carpdev_state_locked(cif); =2D-- //depot/vendor/freebsd/src/sys/netinet/ip_carp.h 2006/12/01 18:41:18 +++ //depot/user/mlaier/carp2/sys/netinet/ip_carp.h 2007/09/19 18:47:18 @@ -117,6 +117,13 @@ uint64_t carps_preempt; /* if enabled, preemptions */ }; =20 +#define CARPDEVNAMSIZ 16 +#ifdef IFNAMSIZ +#if CARPDEVNAMSIZ !=3D IFNAMSIZ +#error +#endif +#endif + /* * Configuration structure for SIOCSVH SIOCGVH */ @@ -128,6 +135,7 @@ int carpr_advskew; int carpr_advbase; unsigned char carpr_key[CARP_KEY_LEN]; + char carpr_carpdev[CARPDEVNAMSIZ]; }; #define SIOCSVH _IOWR('i', 245, struct ifreq) #define SIOCGVH _IOWR('i', 246, struct ifreq) @@ -152,15 +160,15 @@ } =20 #ifdef _KERNEL =2Dvoid carp_carpdev_state(void *); =2Dvoid carp_input (struct mbuf *, int); =2Dint carp6_input (struct mbuf **, int *, int); =2Dint carp_output (struct ifnet *, struct mbuf *, struct sockaddr *, =2D struct rtentry *); =2Dint carp_iamatch (void *, struct in_ifaddr *, struct in_addr *, +void carp_carpdev_state(struct ifnet *); +void carp_proto_input(struct mbuf *, int); +int carp6_proto_input(struct mbuf **, int *, int); +int carp_iamatch(void *, struct in_ifaddr *, struct in_addr *, u_int8_t **); struct ifaddr *carp_iamatch6(void *, struct in6_addr *); void *carp_macmatch6(void *, struct mbuf *, const struct in6_addr *); =2Dstruct ifnet *carp_forus (void *, void *); +struct ifnet *carp_forus(void *, void *); +struct ifnet *carp_ourether(void *, struct ether_header *, u_char, int); +int carp_input(struct mbuf *); #endif #endif /* _IP_CARP_H */ =2D-- //depot/vendor/freebsd/src/sys/netinet6/in6_proto.c 2007/07/05 16:32:= 05 +++ //depot/user/mlaier/carp2/sys/netinet6/in6_proto.c 2007/09/19 18:47:18 
@@ -319,7 +319,7 @@ .pr_domain =3D &inet6domain, .pr_protocol =3D IPPROTO_CARP, .pr_flags =3D PR_ATOMIC|PR_ADDR, =2D .pr_input =3D carp6_input, + .pr_input =3D carp6_proto_input, .pr_output =3D rip6_output, .pr_ctloutput =3D rip6_ctloutput, .pr_usrreqs =3D &rip6_usrreqs
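Review bot: the three printf() calls added to carp_iamatch() in the @@ -1119,9 +1213,17 @@ hunk (the "carp_iamatch(%s, %s, %s, ...)", "found:" and "not:" lines) run on every ARP lookup that reaches the function, so any host on the link can drive the console log at line rate; they read like leftover debugging and should be removed, or gated on the existing log sysctl (the carp_opts[] array is already consulted two lines below for CARPCTL_ARPBALANCE), before this is committed.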
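Review bot: in the @@ -1223,18 +1327,6 @@ hunk the CARP_UNLOCK(cif) that sat immediately before `return (IF_LLADDR(sc->sc_ifp));` in carp_macmatch6() is deleted together with the m_tag code, but the return itself is kept and no unlock replaces it; unless CARP_LOCK(cif) was also dropped earlier in the function (not visible in this hunk), the match path now returns with cif still locked. Keep a `CARP_UNLOCK(cif);` ahead of that return.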
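Review bot: in the @@ -1423,15 +1515,116 @@ hunk carp_set_ifp() calls carp_join_multicast(sc) and carp_join_multicast6(sc) before `sc->sc_carpdev = ifp;` is assigned, yet carp_join_multicast6() (later in the patch) joins on sc->sc_carpdev while carp_join_multicast() joins on SC2IFP(sc); after the preceding `carpdetach(sc, 1)` the IPv6 join therefore acts on the old (possibly cleared) device and the IPv4 join on the carp pseudo-interface rather than on the physical interface the removed code used (`in_addmulti(&addr, ifp)` with ifp = ia->ia_ifp). Move the `sc->sc_carpdev = ifp;` assignment ahead of the joins and have both helpers use sc->sc_carpdev. Two smaller points in the same function: the `cleanup:` label frees ncif but never undoes the `ifpromisc(ifp, 1)` done when ncif was allocated, so a failed join leaves the physical interface promiscuous; and `if (!ncif) return (ENOBUFS);` after a MALLOC with M_WAITOK is dead code.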
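Review bot: in the @@ -1451,106 +1644,65 @@ hunk carp_set_addr() stops recording the matched address (`sc->sc_ia = ia;` is removed with no replacement) and drops the `own` bookkeeping, while carp_set_addr6() in the next hunk still does `if (own) sc->sc_advskew = 0;`, so the two address families now treat an address the host itself owns differently; either remove own from both or keep it in both, and confirm nothing else still reads sc->sc_ia. The commented-out `/* XXX: cleanup multi? cleanup: return (error); */` block should be resolved rather than left as dead text: if carp_join_multicast() fails after carp_set_ifp() succeeded, the softc stays attached to the device with sc_naddrs still 0.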
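Review bot: in the @@ -1633,114 +1781,74 @@ hunk carp_set_addr6() assigns `sc->sc_carpdev = ifp;` directly instead of going through carp_set_ifp(), so as far as this hunk shows the IPv6 path skips the vhid collision check, the cif attachment, ifpromisc() and the multicast joins that carp_set_ifp() performs; the old in6_joingroup() calls are removed here and their replacement, carp_join_multicast6(), is only reached from carp_set_ifp(), which this function never calls. Route it through `carp_set_ifp(sc, ifp)` as carp_set_addr() does, and either restore the commented-out cleanup block as real code or delete it. In carp_join_multicast6() itself the solicited-node group is built with `in6.s6_addr32[3] = 0; /* XXX: sin6->sin6_addr.s6_addr32[3]; */`, so the interface joins ff02::1:ff00:0 rather than the solicited-node group of the configured address and will not see Neighbor Solicitations for it unless the link is promiscuous; pass the address in, and since a softc can carry several addresses, join one solicited-node group per address rather than one per interface.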
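Review bot: in the @@ -1794,12 +1903,12 @@ hunk the merged SIOCAIFADDR case now reads the address through `satosin(ifa->ifa_addr)`, whereas the removed SIOCAIFADDR branch read `satosin(&ifra->ifra_addr)` (and `satosin6(&ifra->ifra_addr)` for INET6); `ifa` and `ifra` are two overlays of the same `addr` pointer, so if the ioctl layer still hands SIOCAIFADDR a struct ifaliasreq the new code reads the wrong offset. Confirm what `addr` points to for SIOCAIFADDR before merging the cases, or keep the ifra path for that command.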
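Review bot: in the @@ -1881,6 +1969,14 @@ hunk, when carpr.carpr_carpdev[0] == '\0' cdev stays NULL and `carp_set_ifp(sc, cdev)` detaches the interface from its current device, so a SIOCSVH that only updates advskew, advbase or the key from a caller that does not fill in the new field silently tears down an active VRRP member; treat an empty name as "leave carpdev unchanged". The name also goes from copyin() straight into ifunit() without a forced terminator; add `carpr.carpr_carpdev[CARPDEVNAMSIZ - 1] = '\0';` before the ifunit() call.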
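Review bot: in the @@ -2027,80 +2096,83 @@ hunk carp_output() passes the carp interface itself as the first argument in `sc->sc_carpdev->if_output(ifp, m, sa, rt)`; if the device's if_output is ether_output() it builds the frame for, and enqueues it on, the ifp it was given, i.e. the carp pseudo-interface whose start routine the comment a few hunks above says "should never be called". Either pass sc->sc_carpdev there or make carp's if_start hand packets to the device. Also in this hunk: carp_ourether() and carp_input() walk cif->vhif_vrs with no CARP_LOCK(cif) while carp_set_ifp() inserts into that list under the lock; the broadcast/multicast branch m_dup()s every such frame once per CARP interface before any membership check (as the XXX comment admits), which on a busy link is a per-frame amplification any sender on the segment can trigger, so check the destination against the interface's multicast list before copying; and the disabled BPF block passes `(char *)&eh`, the address of the pointer variable, where the header itself is meant.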
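Review bot: in the @@ -128,6 +135,7 @@ hunk of ip_carp.h, appending `char carpr_carpdev[CARPDEVNAMSIZ];` to struct carpreq changes the size of the structure exchanged through SIOCSVH/SIOCGVH while the ioctl numbers stay the same, so a caller built against the old header hands the kernel a buffer that is 16 bytes short: `copyin(ifr->ifr_data, &carpr, sizeof carpr)` reads past it and the SIOCGVH `copyout(&carpr, ifr->ifr_data, sizeof(carpr))` writes 16 bytes past it into the caller's memory. Bump the ioctl numbers or version the structure. In the preceding @@ -117,6 +117,13 @@ hunk the bare `#error` in the CARPDEVNAMSIZ/IFNAMSIZ guard should carry a message saying which constant disagrees.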