From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 01:14:37 2007
From: "Ronnel P. Maglasang"
Date: Mon, 12 Nov 2007 08:58:20 +0800
To: Nickola Kolev
Cc: Balgansuren Batsukh, freebsd-pf@freebsd.org
Subject: Re: Bandwidth manager solution

I believe you can modify the default limit of classes. Using ALTQ's HFSC
scheduler, just set HFSC_MAX_CLASSES to a desired limit and rebuild the
kernel.

Nickola Kolev wrote:
> Hello,
>
> On Thu, 08 Nov 2007 18:19:25 +0200
> Gregory Edigarov wrote:
>
>> Balgansuren Batsukh wrote:
>>
>>> Hello All,
>>>
>>> Is there any hardware vendor suggestion for me?
>>>
>>> I need to manage bandwidth management on a 1xSTM-1/OC3-2xSTM-1 optical
>>> IP bandwidth circuit.
>>>
>>> Anyone has experience with the www.etinc.com bandwidth manager?
>>>
>>> I saw others like Allot, Packeteer, Cisco SCE2000 only doing
>>> protocol, service based bandwidth management using TCP rate limit,
>>> fair queueing.
>>>
>>> I am looking for a high performance bandwidth manager, traffic shaper for
>>> an IP core network to configure leased line, xDSL, Ethernet,
>>> GPON/EPON, wireless subscribers.
>>>
>>> Is there any FreeBSD based solution?
>>>
>> Uhmmm. Well. Isn't 'ipfw pipe' or pf altq enough of a FreeBSD based
>> solution? ;-)
>
> IPFW is a mere traffic shaper, and not a traffic control solution. Will
> pf/altq be flexible enough with its limit of 64 classes?
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 07:51:09 2007
From: Nickola Kolev
Date: Mon, 12 Nov 2007 09:50:50 +0200
To: "Ronnel P. Maglasang"
Cc: Balgansuren Batsukh, freebsd-pf@freebsd.org
Subject: Re: Bandwidth manager solution

Hello,

On Mon, 12 Nov 2007 08:58:20 +0800 "Ronnel P. Maglasang" wrote:

> I believe you can modify the default limit of classes. Using ALTQ's
> HFSC scheduler, just set HFSC_MAX_CLASSES to a desired limit
> and rebuild the kernel.

Yes, I'm aware of that, but have you tried this on a production system?
Or at least on a system with a high enough number of classes, let's say
1K, 2K or more? How stable would that system be? Just curious...

--
Regards,
Nickola Kolev

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 09:11:50 2007
From: Jeremy
Date: Mon, 12 Nov 2007 10:45:57 +0200
To: freebsd-pf@freebsd.org
Subject: Giving all hosts on network same bandwidth

Hi all,

Is it possible to describe a queue for all hosts on a network? For example
my network address is 10.0.0.0/16 and I want to limit HTTP traffic for each
host, and I don't want to write all of my hosts' IP addresses in pf.conf. I
just want to write the network address and have all of the hosts on the
network get the same bandwidth value.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 11:07:02 2007
From: FreeBSD bugmaster
Date: Mon, 12 Nov 2007 11:07:01 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf    [pf] kernel panic with pf and ng

5 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf    [net] [pf] pfctl -k dont works
o kern/116645  pf    pfctl -k does not work in securelevel 3

7 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 13:11:33 2007
From: Sh4d03
Date: Mon, 12 Nov 2007 20:47:37 +1100
To: Jeremy
Cc: freebsd-pf@freebsd.org
Subject: Re: Giving all hosts on network same bandwidth

Jeremy wrote:
> Hi all
>
> Is it possible to describe a queue for all hosts on a network? For example my
> network address is 10.0.0.0/16 and I want to limit HTTP traffic for each
> host, and I don't want to write all of my hosts' IP addresses in pf.conf,
> I just want to write the network address and have all of the hosts on the
> network get the same bandwidth value.

I must admit I've not dealt with QoS much yet - it's a project for the near
future. That said, judging by your question, is the use of tables/macros
something you've considered?

Regards,
Sh4d03

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 14:33:45 2007
From: Jeremy
Date: Mon, 12 Nov 2007 16:33:30 +0200
To: "Rob Shepherd"
Cc: freebsd-pf@freebsd.org
Subject: Re: Giving all hosts on network same bandwidth

On Nov 12, 2007 12:01 PM, Rob Shepherd wrote:
>
> If the question is: "Can I assign all hosts on a network to a single queue?",
> then YES.

No, I don't want to assign each address to a single queue, or every address
to more queues one by one. Is there a solution in network address rules just
like this:

  pass out on dc0 inet proto tcp from $employeehosts to any port 80 keep state queue employees

  altq on dc0 scheduler cbq bandwidth 10Mb queue { std, http, mail, ssh }
  queue std bandwidth 10% cbq(default)
  queue http bandwidth 60% priority 2 cbq(borrow red) { employees, developers }
    queue developers bandwidth 75% cbq(borrow)
    queue employees bandwidth 15%
  queue mail bandwidth 10% priority 0 cbq(borrow ecn)
  queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
    queue ssh_interactive bandwidth 100% priority 7
    queue ssh_bulk bandwidth 100% priority 0

  pass out on dc0 inet proto tcp from $employeehosts to any port 80 keep state queue employees

This example gives employeehosts 15% of the total bandwidth, but I want to
give each host the same bandwidth (for example I have 10Mb bandwidth and 20
hosts and I want to give each of the hosts 512K. If I use 10M in the altq
rules some hosts have 9M bandwidth and some have 1M). Is that possible
without writing all of the IP addresses in rules:

  pass out on dc0 inet proto tcp from $employee1 to any port 80 keep state queue employees
  pass out on dc0 inet proto tcp from $employee2 to any port 80 keep state queue employees
  pass out on dc0 inet proto tcp from $employee3 to any port 80 keep state queue employees
  pass out on dc0 inet proto tcp from $employee4 to any port 80 keep state queue employees
  pass out on dc0 inet proto tcp from $employee5 to any port 80 keep state queue employees
  pass out on dc0 inet proto tcp from $employee6 to any port 80 keep state queue employees
  .......
  pass out on dc0 inet proto tcp from $employee20 to any port 80 keep state queue employees

This is silly.

> queue assignment is by pf rules; whatever you can match you can assign to a queue.
>
> There is an example of matching whole networks and assigning to queues at the
> bottom of http://www.openbsd.org/faq/pf/queueing.html
>
> Rob
>
> --
> Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
> Technium CAST | LL57 4HJ | http://www.techniumcast.com

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 15:18:34 2007
From: Daniel Hartmeier
Date: Mon, 12 Nov 2007 16:18:33 +0100
To: Jeremy
Cc: freebsd-pf@freebsd.org
Subject: Re: Giving all hosts on network same bandwidth

On Mon, Nov 12, 2007 at 10:45:57AM +0200, Jeremy wrote:

> is it possible to describe queue all hosts on network.

No.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 15:26:24 2007
From: Ermal Luçi
Date: Mon, 12 Nov 2007 16:26:09 +0100
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org, Jeremy
Subject: Re: Giving all hosts on network same bandwidth

Hello Daniel,

Can I ask why ALTQ_WFQ is not integrated into PF?! Is it just about
ENOTIME, or did you find some other issues with those schedulers? Because
I am interested in integrating these schedulers into PF and want to ask
first if there is any issue other than the time one?!

On Nov 12, 2007 4:18 PM, Daniel Hartmeier wrote:
> On Mon, Nov 12, 2007 at 10:45:57AM +0200, Jeremy wrote:
>
> > is it possible to describe queue all hosts on network.
>
> No.
> > Daniel > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 15:47:49 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B238716A417 for ; Mon, 12 Nov 2007 15:47:49 +0000 (UTC) (envelope-from jon.otterholm@ide.resurscentrum.se) Received: from mail1.cil.se (mail1.cil.se [217.197.56.125]) by mx1.freebsd.org (Postfix) with ESMTP id 4159013C4AA for ; Mon, 12 Nov 2007 15:47:48 +0000 (UTC) (envelope-from jon.otterholm@ide.resurscentrum.se) Received: from [192.168.2.10] ([192.168.2.10]) by mail1.cil.se with Microsoft SMTPSVC(6.0.3790.1830); Mon, 12 Nov 2007 15:58:32 +0100 Message-ID: <47386A17.3010400@ide.resurscentrum.se> Date: Mon, 12 Nov 2007 15:58:31 +0100 From: Jon Otterholm User-Agent: Thunderbird 2.0.0.6 (X11/20070804) MIME-Version: 1.0 To: Jeremy References: <47382493.9040202@techniumcast.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 12 Nov 2007 14:58:32.0978 (UTC) FILETIME=[7E72D720:01C8253C] Cc: freebsd-pf@freebsd.org Subject: Re: Giving all hosts on network same bandwidth X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Nov 2007 15:47:49 -0000 Jeremy wrote: > On Nov 12, 2007 12:01 PM, Rob Shepherd wrote: > >> If the question is: "Can I assign all hosts on a network to a single queue?", >> then YES. 
> > no, i dont want to assign each addresses to single queue or every > addresses to more queues one by one, is there solution in network > address rules just like that > > pass out on dc0 inet proto tcp from $employeehosts to any port 80 keep > state queue employees > > altq on dc0 scheduler cbq bandwidth 10Mb queue { std, http, mail, ssh } > queue std bandwidth 10% cbq(default) > queue http bandwidth 60% priority 2 cbq(borrow red) { employees, developers } > queue developers bandwidth 75% cbq(borrow) > queue employees bandwidth 15% > queue mail bandwidth 10% priority 0 cbq(borrow ecn) > queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk } > queue ssh_interactive bandwidth 100% priority 7 > queue ssh_bulk bandwidth 100% priority 0 > > pass out on dc0 inet proto tcp from $employeehosts to any port 80 keep > state queue employees > > this example qives employeehosts 15% of total bandwidth but i want > to give each hosts to same bandwidth ( for example i have 10Mb > bandwidth and 20 hosts iwant to give each of hosts to 512 K .if i use > 10M in altq rules some hosts' have 9M bandwitdh and some have 1M ) . > is that possible writing without all of ip addresses in rules > > pass out on dc0 inet proto tcp from $employee1 to any port 80 keep > state queue employees > pass out on dc0 inet proto tcp from $employee2 to any port 80 keep > state queue employees > pass out on dc0 inet proto tcp from $employee3 to any port 80 keep > state queue employees > pass out on dc0 inet proto tcp from $employee4 to any port 80 keep > state queue employees > pass out on dc0 inet proto tcp from $employee5 to any port 80 keep > state queue employees > pass out on dc0 inet proto tcp from $employee6 to any port 80 keep > state queue employees > ....... > pass out on dc0 inet proto tcp from $employee20 to any port 80 keep > state queue employees > > this is silly > >> queue assignment is by pf rules; whatever you can match you can assign to a queue. 
>>
>> There is an example of matching whole networks and assigning to queues at the
>> bottom of http://www.openbsd.org/faq/pf/queueing.html
>>
>> Rob
>>
>> --
>> Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
>> Technium CAST | LL57 4HJ | http://www.techniumcast.com
>>

The easiest way to do this is to use IPFW+DUMMYNET. DUMMYNET has the
ability to dynamically create child-queues based on src-/dst-ip. You can
still use PF for all other filtering if you want to, just compile IPFW
with "default to accept" and add "option DUMMYNET".

To do this add this to your kernel config:

    options IPFIREWALL
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options DUMMYNET
    options HZ=1000

A pipe config would look like this:

    ipfw pipe 100 config bw 1Mbit/s mask dst-ip 0xffffffff

and the rule would look like:

    ipfw add 00100 pipe 100 ip from any to 1.1.1.1/24

This would give any host on the 1.1.1.1/24-network a limit of 1Mbit/s
when downloading.
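The pipe above only shapes downloads. As an added example (not part of Jon's reply, and not FreeBSD's own code), the sh function below prints the ipfw(8)/dummynet(4) commands for shaping both directions, one dynamic queue per host address. The interface, network and rate are arguments; the pipe numbers, rule numbers and the 512Kbit/s figure used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from Jon's reply: per-host shaping with ipfw(8) and
# dummynet(4) in both directions. Interface, network and rate are
# arguments; pipe and rule numbers are assumptions. The function only
# prints the commands, so they can be reviewed before being run as root:
#   perhost_shape em0 192.168.1.0/24 512Kbit/s | sh

perhost_shape() {
    iface=$1
    net=$2
    rate=$3

    # Pipe 100 carries traffic towards the LAN (downloads). "mask dst-ip
    # 0xffffffff" makes dummynet open one dynamic queue per distinct
    # destination address, each with its own $rate, instead of one shared
    # queue for the whole network.
    echo "ipfw pipe 100 config bw $rate mask dst-ip 0xffffffff"

    # Pipe 200 carries traffic from the LAN (uploads); key on the source
    # address instead, otherwise all uploads share one queue.
    echo "ipfw pipe 200 config bw $rate mask src-ip 0xffffffff"

    # Attach the pipes only on the LAN interface, in the direction the
    # packet crosses it, so the firewall's other interfaces and its own
    # traffic are not shaped.
    echo "ipfw add 100 pipe 100 ip from any to $net out via $iface"
    echo "ipfw add 110 pipe 200 ip from $net to any in via $iface"
}

# Number of commands the generator emits (two pipes, two rules).
perhost_shape_count() {
    perhost_shape "$@" | wc -l | tr -d ' '
}
```

After loading the rules, `ipfw pipe show` lists the dynamic queues; one entry per active host address confirms the mask is doing its job, while a single queue means the mask was left off or put on the wrong address field. Keep IPFIREWALL_DEFAULT_TO_ACCEPT so ipfw only shapes and pf remains the policy point, and note that the upload queues are keyed on the source address as seen by the firewall, so a LAN host spoofing several source addresses would get several queues; pf's antispoof on the LAN interface closes that gap.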
//Jon

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 12 23:51:14 2007
From: Johan Ström <johan@stromnet.se>
Date: Tue, 13 Nov 2007 00:50:57 +0100
To: freebsd-pf@freebsd.org
Subject: Re: Jails and PF states on localhost
Message-Id: <77880EC4-3D50-4202-B456-A4C48696BC97@stromnet.se>
In-Reply-To: <74777995-192A-4058-ABE5-8BA1676B0654@stromnet.se>

No-one with any clues or recommendations? :/ CCing to -stable too..
Thanks

--
Johan Ström
Stromnet
johan@stromnet.se
http://www.stromnet.se/

On Oct 29, 2007, at 09:37 , Johan Ström wrote:

> Hello
>
> I got a FreeBSD 6.2 box running a few jails, with a pretty strict
> PF ruleset. I got a problem with traffic between two of the jails.
> Both have public IPs (one of them has two using the
> jail-multiple-ip-patch). The problem I have is when they are to talk
> with each other. First let me describe the PF ruleset (somewhat
> stripped down but this should be the relevant stuff)
>
> jail1=xx.xx.xx.131
> jail2a=xx.xx.xx.133
> jail2b=xx.xx.xx.134
> scrub in all
> block drop in log
> # base system talk to itself
> pass in on lo0 inet from 127.0.0.1 to 127.0.0.1
>
> # all can talk out
> pass out on em0 proto tcp flags S/SA modulate state
> pass out on em0 proto udp keep state
>
> # jails talk to themselves
> pass in on lo0 inet from $jail1 to $jail1
> pass in on lo0 inet from {$jail2a $jail2b} to {$jail2a $jail2b}
>
> # let smtp in on jail1
> pass in on {lo0 em0} inet proto tcp from any to $jail1 port smtp flags S/SA modulate state
>
> Okay, so the problem occurs when jail2 shall talk to jail1 on port
> 25 (smtp). From the above rules, when the traffic leaves jail2
> (traffic comes from $jail2b it seems) it should match the last rule
> and create a state. And so it does!
>
> self tcp xx.xx.xx:25 <- xx.xx.xx.134:57557 SYN_SENT:ESTABLISHED
> [3014249759 + 65536](+2074393365) wscale 1 [4121000179 + 65536] (+541973245) wscale 1
> age 00:01:03, expires in 00:00:01, 7:10 pkts, 384:640 bytes
>
> So the SYN arrives at $jail1, but the SYNACK fails to go back to
> $jail2b (where the state should let the packet back in?), which is
> also seen in the following row from pflog0:
>
> 09:30:34.370402 rule 1/0(match): block in on lo0: (tos 0x0, ttl 64, id 35618, offset 0, flags [DF], proto: TCP (6), length: 64) xx.xx.xx.131.25 > xx.xx.xx.134.57557: S 793675827:793675827(0) ack 4121000179 win 65535
>
> So.. What have I missed? The state is created but it doesn't seem to
> match enough bytes or something? 384:640 matched packets, so it
> matches in both directions?
>
> Any clues are welcome! Thanks
>
> --
> Johan Ström
> Stromnet
> johan@stromnet.se
> http://www.stromnet.se/

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 13 18:06:42 2007
From: Marcelo Celleri <marceloc@espoltel.net>
Date: Tue, 13 Nov 2007 12:37:57 -0500
To: Umar
Cc: freebsd-pf@freebsd.org
Subject: Re: VPN Routing
Message-Id: <1194975478.5295.7.camel@localhost.localdomain>
In-Reply-To: <13673552.post@talk.nabble.com>

I assume that the configuration is for a tunnel between 2 servers. First
you have to add the routes on both sides, and then allow the traffic from
UDP port 1194:

    pass in on $ext_if proto udp from x.x.x.x/x port 1194 to y.y.y.y/y

On Fri, 09-11-2007 at 11:30 -0800, Umar wrote:
> Dear All!
>
> I have installed openvpn on FreeBSD 6.2.
>
> My Localnetwork is 192.168.1.0/24
> My VPN Network is 10.0.0.0/24
>
> Now I want my VPN Network also access my Local Network so please tell me how
> i can do it with pf.
>
> Regards,
>
> Umar Draz

--
----------------------------------
Marcelo Célleri M.
Jefe IP
ESPOLTEL S.A.
PBX 593 04 2514477 Ext.
114
----------------------------------

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 13 18:43:32 2007
From: "Mars G Miro" <spry@anarchy.in.the.ph>
Date: Wed, 14 Nov 2007 02:16:00 +0800
To: freebsd-pf@freebsd.org
Subject: pf+ipv6 bug?

Hiya,

I've encountered this bug for a few weeks now. With the attached kernel
config and the minimalist ruleset (I have a much more complicated
ruleset), when pf is enabled and you have ipv6, sending ipv6 packets
(in this case icmp6) to, say, your ipv6 default gw will crash your box,
always at this spot:

++++++++++++++++++++++
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x1e8
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc094a726
stack pointer           = 0x28:0xe606dbc0
frame pointer           = 0x28:0xe606dc6c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 17 (swi1: net)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 1h35m21s
Physical memory: 3955 MB
Dumping 122 MB: 107 91 75 59 43 27 11

#0  doadump () at pcpu.h:195
195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc094a726
0xc094a726 is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:265).
260                     ip6stat.ip6s_m1++;
261     #undef M2MMAX
262             }
263
264             /* drop the packet if IPv6 operation is disabled on the IF */
265             if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) {
266                     m_freem(m);
267                     return;
268             }
269
++++++++++++++++++

Adding in ipv6 neighb* rules (comment out lines 47,48 in the attached
ruleset) seems to not crash your box. This is on 7.0-BETA2 (i386, amd64)
and from my own tests this has been on 7.X since around August back
then. This does not seem to exist on 6.X.

Thanks.
cheers
mars

[Attachment CRASHPFIPV6, sent as base64 in the original: a FreeBSD 7
i386 kernel config based on GENERIC (src/sys/i386/conf/GENERIC rev
1.473) with ident CRASHPFIPV6 and makeoptions DEBUG=-g. The GENERIC
part is omitted here; the custom section appended to it follows,
decoded:]

## start of custom config, ripped from all over ;-p ##

# IPSEC filtering interface
device		enc

device		wlan_xauth
device		wlan_acl

options         UNIONFS                 # Union filesystem

device          bktr

device          carp
device          pf
device          pflog
device          pfsync
device          vlan
device          gre

options         IPSTEALTH

options         GEOM_UZIP

options         INCLUDE_CONFIG_FILE

options         NETGRAPH                #netgraph(4) system
options         NETGRAPH_ASYNC
options         NETGRAPH_BPF
options         NETGRAPH_BRIDGE
options         NETGRAPH_CISCO
options         NETGRAPH_ECHO
options         NETGRAPH_ETHER
options         NETGRAPH_FRAME_RELAY
options         NETGRAPH_HOLE
options         NETGRAPH_IFACE
options         NETGRAPH_KSOCKET

options         NETGRAPH_LMI
options         NETGRAPH_MPPC_ENCRYPTION
options         NETGRAPH_ONE2MANY
options         NETGRAPH_PPP
options         NETGRAPH_PPPOE
options         NETGRAPH_PPTPGRE
options         NETGRAPH_RFC1490
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE
options         NETGRAPH_TTY
options         NETGRAPH_UI
options         NETGRAPH_VJC

# 3G devices
device		ubsa
device		ucom
device		uplcom

options         IPSEC

device          crypto          # core crypto support
device          cryptodev       # /dev/crypto for access to h/w
device          rndtest         # FIPS 140-2 entropy tester
device          hifn            # Hifn 7951, 7781, etc.
options         HIFN_DEBUG      # enable debugging support: hw.hifn.debug
options         HIFN_RNDTEST    # enable rndtest support
device          ubsec           # Broadcom 5501, 5601, 58xx

options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ
options         ALTQ_NOPCC      # Required for SMP builds !!

# bridge
device          if_bridge

options         MSGMNB=8192     # max # of bytes in a queue
options         MSGMNI=40       # number of message queue identifiers
options         MSGSEG=512      # number of message segments per queue
options         MSGSSZ=32       # size of a message segment
options         MSGTQL=2048     # max messages in system

device          tap
device          hme

#
options         NULLFS

device          speaker

options         DEVICE_POLLING

options         ZERO_COPY_SOCKETS

options		TCP_SIGNATURE

options         GEOM_MIRROR

device          lagg

[Attachment pf.rules.crash, decoded from the base64 in the original;
the neighb* rules referred to above are lines 47 and 48:]

# pf.rules.crash. minimalist ruleset that w/o the neighb* rules at lines 47,48,
# sending ipcmp6 (e.g. ping6) to your ipv6 default gw will crash your box.
# hats off to hansik for dis ;-)
# System Aliases
loopback = "lo0"
lan = "em2"             # replace for appropriate lan interface
wan = "em1"             # replace for appropriate wan interface

rfc1918_addrs = "{ 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

net4 = "XX.XX.XX.XX./26"
net6 = "2001:XXX:XXXX::/48"

set loginterface $lan
set loginterface $wan
set optimization normal
set limit states 396000
set block-policy drop
set skip on $loopback

#scrub all no-df random-id fragment reassemble

# Handling FTP clients behind NAT
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Outbound NAT rules
nat on $wan from ($lan:network) to any -> ($wan)

# We use the mighty pf, can we still be fooled?
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# block RFC1918 addresses on WAN interface
block in log quick on $wan from $rfc1918_addrs to any

# blocking spoofed packets
antispoof for $wan
antispoof for $lan

# kamikazee - let out anything from the firewall host itself
pass out quick on $wan proto { tcp, udp, icmp } keep state
pass out quick on $wan inet6 proto icmp6 all keep state
#
# Uncomment the ff rulesets to not crash your box.
#pass in quick on $wan inet6 proto icmp6 icmp6-type neighbradv keep state
#pass in quick on $wan inet6 proto icmp6 icmp6-type neighbrsol keep state
#
pass out quick on $lan from any to 10.0.0.0/12 keep state

# Services-defined rules
pass in quick on $wan proto icmp from $net4 to any keep state
pass in quick on $wan proto tcp from any to any port 22 flags S/SA keep state

#----------------------------------
# paranoid android - implicit deny rules
#----------------------------------
block in log quick all
block out log quick all

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 14 11:11:55 2007
[IPv6:::1]) by mail.ki.iif.hu (Postfix) with ESMTP id C15968498F; Wed, 14 Nov 2007 11:56:19 +0100 (CET) X-Virus-Scanned: by amavisd-new at mignon.ki.iif.hu Received: from mail.ki.iif.hu ([127.0.0.1]) by localhost (mignon.ki.iif.hu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id IksJH02U78GJ; Wed, 14 Nov 2007 11:56:16 +0100 (CET) Received: by mail.ki.iif.hu (Postfix, from userid 9002) id A02AA846EB; Wed, 14 Nov 2007 11:56:16 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by mail.ki.iif.hu (Postfix) with ESMTP id 9E9BA8468A; Wed, 14 Nov 2007 11:56:16 +0100 (CET) Date: Wed, 14 Nov 2007 11:56:16 +0100 (CET) From: Mohacsi Janos X-X-Sender: mohacsi@mignon.ki.iif.hu To: Mars G Miro In-Reply-To: Message-ID: <20071114114701.W57083@mignon.ki.iif.hu> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-pf@freebsd.org Subject: Re: pf+ipv6 bug? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Nov 2007 11:11:55 -0000

Hi,

You should consider adding rules to allow ICMPv6 neighbor solicitation and neighbor advertisement anyway, for proper IPv6 operation. ICMPv6 filtering recommendations are documented in RFC 4890, since ICMPv6 is not as auxiliary in IPv6 as it is in IPv4. The problem is that this is not documented in the pf manual or examples. I submitted a PR a while ago: http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/112579 but it seems nobody is taking care of it....

The crash seems to be very serious - I think it is a bug in the kernel.
Best Regards,
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

On Wed, 14 Nov 2007, Mars G Miro wrote:
> Hiya,
>
> I've encountered this bug for about a few weeks now. The attached
> kernel config and the minimalist ruleset (I have a much more
> complicated ruleset), when pf is enabled and you have ipv6, when
> sending ipv6 packets (in this case icmp6) to, say, your ipv6 default
> gw, will crash your box always at this spot:
>
> ++++++++++++++++++++++
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address = 0x1e8
> fault code = supervisor read, page not present
> instruction pointer = 0x20:0xc094a726
> stack pointer = 0x28:0xe606dbc0
> frame pointer = 0x28:0xe606dc6c
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 17 (swi1: net)
> trap number = 12
> panic: page fault
> cpuid = 0
> Uptime: 1h35m21s
> Physical memory: 3955 MB
> Dumping 122 MB: 107 91 75 59 43 27 11
>
> #0 doadump () at pcpu.h:195
> 195 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) list *0xc094a726
> 0xc094a726 is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:265).
> 260 ip6stat.ip6s_m1++;
> 261 #undef M2MMAX
> 262 }
> 263
> 264 /* drop the packet if IPv6 operation is disabled on the IF */
> 265 if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) {
> 266 m_freem(m);
> 267 return;
> 268 }
> 269
> ++++++++++++++++++
>
> Adding in ipv6 neighb* rules (comment out lines 47,48 in the attached
> ruleset) seem to not crash your box.
> This is on 7.0-BETA2 (i386,amd64) and from my own tests, this has
> been on 7.X, since around August back then. This does not seem to
> exist on 6.X.
>
> Thanks.
> > > cheers > mars > From owner-freebsd-pf@FreeBSD.ORG Wed Nov 14 12:18:42 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9CE8B16A420 for ; Wed, 14 Nov 2007 12:18:42 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.freebsd.org (Postfix) with ESMTP id 2E21813C45B for ; Wed, 14 Nov 2007 12:18:41 +0000 (UTC) (envelope-from max@love2party.net) Received: from amd64.laiers.local (dslb-088-066-048-197.pools.arcor-ip.net [88.66.48.197]) by mrelayeu.kundenserver.de (node=mrelayeu1) with ESMTP (Nemesis) id 0MKwpI-1IsHCY1U85-0008Ls; Wed, 14 Nov 2007 13:18:39 +0100 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Wed, 14 Nov 2007 13:18:23 +0100 User-Agent: KMail/1.9.7 References: In-Reply-To: X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1728626.ofe6tvXGRH"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200711141318.36664.max@love2party.net> X-Provags-ID: V01U2FsdGVkX19dvXlsiKRrorSKPigDfP2EpnwfuoOlAh/sOqD x8n641VkAh1BYeLVmaanLcrUOUW0nEZH+M6MsDStVflBJ8C7sT uOkY5ZgBjBJKwz81+lwPX07PjY+tYcVnkO2lP0ByJg= Cc: Mars G Miro Subject: Re: pf+ipv6 bug? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Nov 2007 12:18:42 -0000 --nextPart1728626.ofe6tvXGRH Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

On Tuesday 13 November 2007, Mars G Miro wrote:
> Hiya,
>
> I've encountered this bug for about a few weeks now. The attached
> kernel config and the minimalist ruleset (I have a much more
> complicated ruleset), when pf is enabled and you have ipv6, when
> sending ipv6 packets (in this case icmp6) to, say, your ipv6 default
> gw, will crash your box always at this spot:
>
> ++++++++++++++++++++++
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address = 0x1e8
> fault code = supervisor read, page not present
> instruction pointer = 0x20:0xc094a726
> stack pointer = 0x28:0xe606dbc0
> frame pointer = 0x28:0xe606dc6c
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 17 (swi1: net)
> trap number = 12
> panic: page fault
> cpuid = 0
> Uptime: 1h35m21s
> Physical memory: 3955 MB
> Dumping 122 MB: 107 91 75 59 43 27 11
>
> #0 doadump () at pcpu.h:195
> 195 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) list *0xc094a726
> 0xc094a726 is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:265).
> 260 ip6stat.ip6s_m1++;
> 261 #undef M2MMAX
> 262 }
> 263
> 264 /* drop the packet if IPv6 operation is disabled on the IF */
> 265 if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) {
> 266 m_freem(m);
> 267 return;
> 268 }
> 269
> ++++++++++++++++++
>
> Adding in ipv6 neighb* rules (comment out lines 47,48 in the attached
> ruleset) seem to not crash your box.
> This is on 7.0-BETA2 (i386,amd64) and from my own tests, this has
> been on 7.X, since around August back then. This does not seem to
> exist on 6.X.

Can you please get a complete trace and print the mbuf in the ip6_input frame?

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

--nextPart1728626.ofe6tvXGRH Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) iD8DBQBHOuecXyyEoT62BG0RAu66AJ0ZyuSI945fvsxSGsv7eijzkYUJcwCfcmN8 j9rD6EnADWKzPy5hay/z+k0= =8B18 -----END PGP SIGNATURE----- --nextPart1728626.ofe6tvXGRH--

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 14 16:38:13 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5086616A419 for ; Wed, 14 Nov 2007 16:38:13 +0000 (UTC) (envelope-from tobi@casino.uni-stuttgart.de) Received: from hydra.rus.uni-stuttgart.de (hydra.rus.uni-stuttgart.de [129.69.1.55]) by mx1.freebsd.org (Postfix) with ESMTP id 07DC513C465 for ; Wed, 14 Nov 2007 16:38:12 +0000 (UTC) (envelope-from tobi@casino.uni-stuttgart.de) Received: from localhost (localhost [127.0.0.1]) by hydra.rus.uni-stuttgart.de (Postfix) with ESMTP id DABD2351B3 for ; Wed, 14 Nov 2007 17:20:16 +0100 (CET) X-Virus-Scanned: by amavisd-new at hydra.rus.uni-stuttgart.de X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from hydra.rus.uni-stuttgart.de ([127.0.0.1]) by localhost (hydra.rus.uni-stuttgart.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 19WROo0QNoc5 for ; Wed, 14 Nov 2007 17:19:43 +0100 (CET) Received: from mail.casino.uni-stuttgart.de (dame.casino.uni-stuttgart.de [141.58.158.2]) by hydra.rus.uni-stuttgart.de (Postfix) with ESMTP id 5C179366A4 for ; Wed, 14 Nov 2007 17:19:36 +0100 (CET) Received: from [127.0.0.1] (herr.casino.uni-stuttgart.de [141.58.158.1]) by mail.casino.uni-stuttgart.de (Postfix) with ESMTP id E2436340520 for ; Wed, 14 Nov 2007 17:19:35 +0100 (CET) Message-ID: <473B2006.8050000@casino.uni-stuttgart.de> Date: Wed, 14 Nov 2007 18:19:18 +0200 From: Tobias Ernst User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 8bit Subject: How to prevent FS overflow due to excessive logging? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Nov 2007 16:38:13 -0000 Hi all, we have a default policy that logs all dropped packets. Accordingly, I have carefully adjusted my newsyslogd configuration and made sure there is plenty of space in /var/log. Today, one of our computers started sending out UDP packets to a certain (seemingly unknown) IP address, port 7800. And it sent many of them - about 2 million within one hour. This led to a 3 GIG pflog file and of course made our file system overflow. We are currently figuring out what that was, but there is another question that boggles me: how do I prevent such file system overflows in the future? 
With conventional syslogd logging, syslogd will not print out lines that are excessive repetitions of previous lines. Is there a way to make PF not log excessive repetitions? I do not want to disable UDP logging generally - after all I want to be told when things like this happen. Regards Tobias -- Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT 70174 Stuttgart Geschwister-Scholl-Straße 24D T +49 (0)711 121-4228 F +49 (0)711 121-4276 E office@casino.uni-stuttgart.de I http://www.casino.uni-stuttgart.de From owner-freebsd-pf@FreeBSD.ORG Wed Nov 14 19:27:13 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6096C16A46C for ; Wed, 14 Nov 2007 19:27:13 +0000 (UTC) (envelope-from fox@verio.net) Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net [129.250.36.42]) by mx1.freebsd.org (Postfix) with ESMTP id 336BA13C481 for ; Wed, 14 Nov 2007 19:27:13 +0000 (UTC) (envelope-from fox@verio.net) Received: from [129.250.36.64] (helo=dfw-mmp4.email.verio.net) by dfw-smtpout2.email.verio.net with esmtp id 1IsM7o-0006Qo-6I for freebsd-pf@freebsd.org; Wed, 14 Nov 2007 17:34:04 +0000 Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp4.email.verio.net with esmtp id 1IsM7o-0006vc-2v for freebsd-pf@freebsd.org; Wed, 14 Nov 2007 17:34:04 +0000 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id 6CB458E296; Wed, 14 Nov 2007 11:34:00 -0600 (CST) Date: Wed, 14 Nov 2007 11:34:00 -0600 From: David DeSimone To: freebsd-pf@freebsd.org Message-ID: <20071114173359.GO6168@verio.net> Mail-Followup-To: freebsd-pf@freebsd.org References: <473B2006.8050000@casino.uni-stuttgart.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed Content-Disposition: inline In-Reply-To: <473B2006.8050000@casino.uni-stuttgart.de> Precedence: bulk User-Agent: 
Mutt/1.5.9i Subject: Re: How to prevent FS overflow due to excessive logging? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Nov 2007 19:27:13 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tobias Ernst wrote: > > I do not want to disable UDP logging generally - after all I want to be > told when things like this happen. If you put "keep state" on your drop+log rule, PF will only log the first packet that gets dropped, which reduces logging considerably. However, you will not be alerted to the fact that millions of packets are being sent, in this scenario, so you would have to detect that via other means. - -- David DeSimone == Network Admin == fox@verio.net "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, dis- tribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you." 
--Lawyer Bot 6000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFHOzGHFSrKRjX5eCoRAlASAJ4sIqjHk1bZ01XuEL/BFS77kby5lwCcCouy 2KjtMZFaXm0OMr38Skxmk3w= =p2SR -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Wed Nov 14 19:38:36 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4256B16A41A for ; Wed, 14 Nov 2007 19:38:36 +0000 (UTC) (envelope-from tobi@casino.uni-stuttgart.de) Received: from charybdis.rus.uni-stuttgart.de (charybdis.rus.uni-stuttgart.de [129.69.1.58]) by mx1.freebsd.org (Postfix) with ESMTP id C23E613C481 for ; Wed, 14 Nov 2007 19:38:35 +0000 (UTC) (envelope-from tobi@casino.uni-stuttgart.de) Received: from localhost (localhost [127.0.0.1]) by charybdis.rus.uni-stuttgart.de (Postfix) with ESMTP id 0634336371A for ; Wed, 14 Nov 2007 20:38:33 +0100 (CET) X-Virus-Scanned: by amavisd-new at charybdis.rus.uni-stuttgart.de X-Spam-Flag: NO X-Spam-Score: -2.284 X-Spam-Level: X-Spam-Status: No, score=-2.284 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_MILLIONSOF=0.315] Received: from charybdis.rus.uni-stuttgart.de ([127.0.0.1]) by localhost (charybdis.rus.uni-stuttgart.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id t-fwOWBrgL4r for ; Wed, 14 Nov 2007 20:38:31 +0100 (CET) Received: from mail.casino.uni-stuttgart.de (dame.casino.uni-stuttgart.de [141.58.158.2]) by charybdis.rus.uni-stuttgart.de (Postfix) with ESMTP id 4DD87362B2C for ; Wed, 14 Nov 2007 20:38:24 +0100 (CET) Received: from [127.0.0.1] (herr.casino.uni-stuttgart.de [141.58.158.1]) by mail.casino.uni-stuttgart.de (Postfix) with ESMTP id E0438340F65 for ; Wed, 14 Nov 2007 20:38:23 +0100 (CET) Message-ID: <473B4E9E.2040004@casino.uni-stuttgart.de> Date: Wed, 14 Nov 2007 21:38:06 +0200 From: Tobias Ernst User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4 MIME-Version: 1.0 To: 
freebsd-pf@freebsd.org References: <473B2006.8050000@casino.uni-stuttgart.de> <20071114173359.GO6168@verio.net> In-Reply-To: <20071114173359.GO6168@verio.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: How to prevent FS overflow due to excessive logging? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Nov 2007 19:38:36 -0000

David DeSimone wrote:
>> I do not want to disable UDP logging generally - after all I want to be
>> told when things like this happen.
> If you put "keep state" on your drop+log rule, PF will only log the
> first packet that gets dropped, which reduces logging considerably.

I thought about this, but

block in log from any to any keep state

gives me

pf.conf:266: keep state on block rules doesn't make sense

and the rule is skipped (6.2, maybe this has changed in 7?).

> However, you will not be alerted to the fact that millions of packets
> are being sent, in this scenario, so you would have to detect that via
> other means.

That's not a problem. By the way, these turned out to be harmless multicast packets from a remote software installation process that should have been silently dropped, but I had the wrong netmask (/24 instead of /4) in my "multicast silent drop" rule.
Regards Tobias -- Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT 70174 Stuttgart Geschwister-Scholl-Straße 24D T +49 (0)711 121-4228 F +49 (0)711 121-4276 E office@casino.uni-stuttgart.de I http://www.casino.uni-stuttgart.de From owner-freebsd-pf@FreeBSD.ORG Thu Nov 15 22:57:39 2007 Return-Path: Delivered-To: pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3C9BC16A418; Thu, 15 Nov 2007 22:57:39 +0000 (UTC) (envelope-from kmacy@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 159DB13C502; Thu, 15 Nov 2007 22:57:39 +0000 (UTC) (envelope-from kmacy@FreeBSD.org) Received: from freefall.freebsd.org (kmacy@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id lAFMvcA1042748; Thu, 15 Nov 2007 22:57:38 GMT (envelope-from kmacy@freefall.freebsd.org) Received: (from kmacy@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id lAFMvcrB042744; Thu, 15 Nov 2007 22:57:38 GMT (envelope-from kmacy) Date: Thu, 15 Nov 2007 22:57:38 GMT Message-Id: <200711152257.lAFMvcrB042744@freefall.freebsd.org> To: kmacy@FreeBSD.org, freebsd-net@FreeBSD.org, pf@FreeBSD.org From: kmacy@FreeBSD.org Cc: Subject: Re: kern/114095: [carp] carp+pf delay with high state limit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Nov 2007 22:57:39 -0000 Synopsis: [carp] carp+pf delay with high state limit Responsible-Changed-From-To: freebsd-net->pf Responsible-Changed-By: kmacy Responsible-Changed-When: Thu Nov 15 22:56:24 UTC 2007 Responsible-Changed-Why: not clear that this is actually a bug with the state limit set that high 
http://www.freebsd.org/cgi/query-pr.cgi?pr=114095

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 07:13:41 2007 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AA22816A420; Fri, 16 Nov 2007 07:13:41 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 8A61D13C45A; Fri, 16 Nov 2007 07:13:41 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (remko@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id lAG7DfuS089141; Fri, 16 Nov 2007 07:13:41 GMT (envelope-from remko@freefall.freebsd.org) Received: (from remko@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id lAG7DfQ8089137; Fri, 16 Nov 2007 07:13:41 GMT (envelope-from remko) Date: Fri, 16 Nov 2007 07:13:41 GMT Message-Id: <200711160713.lAG7DfQ8089137@freefall.freebsd.org> To: remko@FreeBSD.org, pf@FreeBSD.org, freebsd-pf@FreeBSD.org From: remko@FreeBSD.org Cc: Subject: Re: kern/114095: [carp] carp+pf delay with high state limit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Nov 2007 07:13:41 -0000

Synopsis: [carp] carp+pf delay with high state limit
Responsible-Changed-From-To: pf->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Fri Nov 16 07:13:21 UTC 2007
Responsible-Changed-Why: reassign to "standard" group

http://www.freebsd.org/cgi/query-pr.cgi?pr=114095

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 13:48:24 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 20E9C16A417 for ; Fri, 16 Nov 2007 13:48:24 +0000 (UTC) (envelope-from siseci@gmail.com) Received: from fk-out-0910.google.com (fk-out-0910.google.com [209.85.128.188]) by mx1.freebsd.org (Postfix) with ESMTP id 9DA3513C45B for ; Fri, 16 Nov 2007 13:48:23 +0000 (UTC) (envelope-from
siseci@gmail.com) Received: by fk-out-0910.google.com with SMTP id b27so1111970fka for ; Fri, 16 Nov 2007 05:48:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding; bh=08usaUsg953fB4pu74Z5SwUZI40m3gBVpMm9wuWD7nk=; b=LxhG7HEKF1YgYehGym8Wd08Dm8HTNxWF79K9Ofhz6cbnPj/8gWzae+Uj3V9nymxgjWEudZKP1SdXH9Iw7fL7orx2L4J1cniKwhQtgydAwtISeSMHcAmu0kxQkDc1fYwWMYCGQCY5fuFGUrv/hCt8I3ykF8hmWZl31WNw0MT3lvs= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding; b=P/eA6WzXccn09HEQpzyZ8C/4SJ8ztpQPzo6idlJEMrMkiQCwCM2SiiRPgL7RQl+45WGb+GF/HNynKMn+tLBOQmi/f2QzS8p8zPSR2+2bfSnAK7IIag162QAiJn7LtxvJrlGAtzm5a6gBlWCut4VFv062CPfp5+4ZXQEo4z3LVY4= Received: by 10.82.174.20 with SMTP id w20mr4105067bue.1195219286775; Fri, 16 Nov 2007 05:21:26 -0800 (PST) Received: from ?192.168.4.36? ( [193.140.74.2]) by mx.google.com with ESMTPS id b30sm3567211ika.2007.11.16.05.21.25 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 16 Nov 2007 05:21:26 -0800 (PST) Message-ID: <473D9922.4010207@gmail.com> Date: Fri, 16 Nov 2007 15:20:34 +0200 From: "N. Ersen SISECI" User-Agent: Thunderbird 2.0.0.9 (Windows/20071031) MIME-Version: 1.0 To: freebsd-pf@FreeBSD.org Content-Type: text/plain; charset=ISO-8859-9 Content-Transfer-Encoding: 7bit Cc: Subject: Nat Pass and PF Default Rule X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Nov 2007 13:48:24 -0000

Hi,

I changed PF's default rule in the kernel (pf_ioctl.h). And then I restarted my server. After that the server started successfully, and then the internal network (behind the NAT) couldn't access the external network.

Rules:

pass in log quick all
pass out log quick all

Nat rule is:

nat pass on em0 inet all -> 192.168.1.1

I changed the filtering and NAT rules like these. But it's not working. And then I added a log line for the default rule in pf_ioctl.h

pf_default_rule.log = PF_LOG;

And then I saw the blocking logs on pflog0 with the same rule set.

2007-11-16 15:03:19.291742 rule 4294967295/0(match): block out on em0: .... ICMP ... 192.168.1.1 > 192.168.1.36: ICMP echo request

So, I removed the pass option in the nat rule and suddenly it started working.

From the man page of pf.conf:

Packets that match a translation rule are only automatically passed if the /pass/ modifier is given, otherwise they are still subject to /block/ and /pass/ rules.

But I think it's not working as described above. Nat's pass option depends on PF's default rule in the kernel. Is there anything I missed or got wrong?

Thanks.
N.
Ersen SISECI http://www.enderunix.org EnderUNIX SDT @ Turkey From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 14:16:35 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D2DBD16A417 for ; Fri, 16 Nov 2007 14:16:35 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [IPv6:2001:6f8:1098::2]) by mx1.freebsd.org (Postfix) with ESMTP id 79CE313C45D for ; Fri, 16 Nov 2007 14:16:35 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id lAGEGZv0027727 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Fri, 16 Nov 2007 15:16:35 +0100 (MET) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id lAGEGZnK000154; Fri, 16 Nov 2007 15:16:35 +0100 (MET) Date: Fri, 16 Nov 2007 15:16:35 +0100 From: Daniel Hartmeier To: "N. Ersen SISECI" Message-ID: <20071116141635.GE29432@insomnia.benzedrine.cx> References: <473D9922.4010207@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <473D9922.4010207@gmail.com> User-Agent: Mutt/1.5.12-2006-07-14 Cc: freebsd-pf@freebsd.org Subject: Re: Nat Pass and PF Default Rule X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Nov 2007 14:16:35 -0000 On Fri, Nov 16, 2007 at 03:20:34PM +0200, N. Ersen SISECI wrote: > I changed PF's default rule in kernel (pf_ioctl.h). And than i restarted > my server. Uh, if you do that you deal with the fallout yourself ;) Seriously, there is no reason to do that. 
Adding a block rule to your ruleset does the trick of defaulting to blocking.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 14:31:02 2007
From: "N. Ersen SISECI"
To: freebsd-pf@FreeBSD.org
Date: Fri, 16 Nov 2007 16:30:17 +0200
Subject: Re: Nat Pass and PF Default Rule
Message-ID: <473DA979.1080708@gmail.com>
In-Reply-To: <20071116141635.GE29432@insomnia.benzedrine.cx>

Hi,

I wrote some scripts for adding or removing rules to the current ruleset.
If there is a syntax error or something is wrong in the new rule set, pf will
not load the rules and the default rule will affect new connections. The
default pass rule will pass everything. And sometimes I cannot notice this.
If the default rule is block, I will notice this situation.

Ersen.

Daniel Hartmeier wrote:

> On Fri, Nov 16, 2007 at 03:20:34PM +0200, N. Ersen SISECI wrote:
>
>> I changed PF's default rule in kernel (pf_ioctl.h). And then I restarted
>> my server.
>
> Uh, if you do that you deal with the fallout yourself ;)
>
> Seriously, there is no reason to do that. Adding a block rule to your
> ruleset does the trick of defaulting to blocking.
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 14:49:38 2007
From: Daniel Hartmeier
To: "N. Ersen SISECI"
Cc: freebsd-pf@freebsd.org
Date: Fri, 16 Nov 2007 15:49:38 +0100
Subject: Re: Nat Pass and PF Default Rule
Message-ID: <20071116144938.GF29432@insomnia.benzedrine.cx>
In-Reply-To: <473DA979.1080708@gmail.com>

On Fri, Nov 16, 2007 at 04:30:17PM +0200, N. Ersen SISECI wrote:

> I wrote some scripts for adding or removing rules to the current ruleset.
> If there is a syntax error or something is wrong in the new rule set, pf
> will not load the rules and the default rule will affect new connections.
> The default pass rule will pass everything. And sometimes I cannot notice
> this. If the default rule is block, I will notice this situation.

No, if loading the ruleset fails, the previous ruleset will remain active.
It won't fall back to the empty ruleset. That is, unless you superfluously
use -F, too (don't!).

Changing the default rule breaks more things than you imagine. It's used for
various things (like assignment of pfsync'd states). The breakage will be
broad and subtle, I'd advise against it ;)

Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 17:53:09 2007
From: kmacy@FreeBSD.org
To: james@jlauser.net, kmacy@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Fri, 16 Nov 2007 17:53:09 GMT
Subject: Re: kern/116645: pfctl -k does not work in securelevel 3
Message-Id: <200711161753.lAGHr9OA025080@freefall.freebsd.org>
Synopsis: pfctl -k does not work in securelevel 3

State-Changed-From-To: open->closed
State-Changed-By: kmacy
State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
State-Changed-Why:
From the securelevel man page:

    3  Network secure mode - same as highly secure mode, plus IP packet
       filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
       changed and dummynet(4) or pf(4) configuration cannot be adjusted.

You are seeing the defined behavior.

http://www.freebsd.org/cgi/query-pr.cgi?pr=116645

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 18:01:00 2007
From: James Lauser
To: kmacy@FreeBSD.org
Cc: freebsd-pf@FreeBSD.org
Date: Fri, 16 Nov 2007 13:00:57 -0500
Subject: Re: kern/116645: pfctl -k does not work in securelevel 3
Message-Id: <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
In-Reply-To: <200711161753.lAGHr9OA025080@freefall.freebsd.org>

I understand that this is defined behavior, which is why I filed the PR as a
change-request. I believe it would be useful to modify the state table as a
means of preventing an ongoing attack, even if the kernel is in securelevel 3.
Changes to the state table are not technically changes to the firewall rules.
It is currently possible, however, to make changes to pf tables through
pfctl -T, even in securelevel 3, and this feature _is_ actually changing the
firewall rules (though this may be an unintended feature).

--
James L. Lauser
james@jlauser.net
Owner, jlauser.net Hosting Services
http://jlauser.net/

On Nov 16, 2007, at 12:53 , kmacy@FreeBSD.org wrote:

> Synopsis: pfctl -k does not work in securelevel 3
>
> State-Changed-From-To: open->closed
> State-Changed-By: kmacy
> State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> State-Changed-Why:
>
> From the securelevel man page:
> 3 Network secure mode - same as highly secure mode, plus IP packet
> filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
> changed and dummynet(4) or pf(4) configuration cannot be adjusted.
>
> You are seeing the defined behavior.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=116645

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 18:05:28 2007
From: kmacy@FreeBSD.org
To: james@jlauser.net, kmacy@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Fri, 16 Nov 2007 18:05:27 GMT
Subject: Re: kern/116645: [RFE] pfctl -k does not work in securelevel 3
Message-Id: <200711161805.lAGI5RZs025512@freefall.freebsd.org>

Old Synopsis: pfctl -k does not work in securelevel 3
New Synopsis: [RFE] pfctl -k does not work in securelevel 3

State-Changed-From-To: closed->feedback
State-Changed-By: kmacy
State-Changed-When: Fri Nov 16 18:04:43 UTC 2007
State-Changed-Why:
Awaiting the opinions of others on what securelevel 3 should mean.
http://www.freebsd.org/cgi/query-pr.cgi?pr=116645

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 18:33:11 2007
From: "Kip Macy"
To: "James Lauser"
Cc: Robert Watson, freebsd-pf@freebsd.org
Date: Fri, 16 Nov 2007 10:04:19 -0800
Subject: Re: kern/116645: pfctl -k does not work in securelevel 3
In-Reply-To: <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
References: <200711161753.lAGHr9OA025080@freefall.freebsd.org> <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>

On Nov 16, 2007 10:00 AM, James Lauser wrote:

> I understand that this is defined behavior, which is why I filed the
> PR as a change-request. I believe it would be useful to modify the
> state table as a means of preventing an ongoing attack, even if the
> kernel is in securelevel 3. Changes to the state table are not
> technically changes to the firewall rules. It is currently possible,
> however, to make changes to pf tables through pfctl -T, even in
> securelevel 3, and this feature _is_ actually changing the firewall
> rules (though this may be an unintended feature).
>
> --
> James L. Lauser
> james@jlauser.net
> Owner, jlauser.net Hosting Services
> http://jlauser.net/

Ok, I don't have strong enough feelings on the matter. I'm putting Robert and
Max on the CC to get their thoughts.

-Kip

> On Nov 16, 2007, at 12:53 , kmacy@FreeBSD.org wrote:
>
>> Synopsis: pfctl -k does not work in securelevel 3
>>
>> State-Changed-From-To: open->closed
>> State-Changed-By: kmacy
>> State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
>> State-Changed-Why:
>>
>> From the securelevel man page:
>> 3 Network secure mode - same as highly secure mode, plus IP packet
>> filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
>> changed and dummynet(4) or pf(4) configuration cannot be adjusted.
>>
>> You are seeing the defined behavior.
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
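What Daniel's reload advice (explicit block rule, validate first, never flush with -F) and the securelevel discussion in the PR amount to in practice, as an added example that is not code from the thread or from FreeBSD: a small sh helper that parses a candidate ruleset with "pfctl -n" before loading it, loads without any -F so a rejected file leaves the previous ruleset active, writes a constructed sample ruleset whose first rule is an explicit "block", and reads kern.securelevel so that at level 3 it reports that rules cannot be changed instead of trying. The function names, the PFCTL/SYSCTL override variables and the em0 interface are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a pf reload helper
# following the advice given in the thread. It validates a candidate ruleset
# with "pfctl -n" first, never uses "pfctl -F" (so a bad file leaves the
# previous ruleset active instead of exposing the kernel default rule), and
# refuses to run at kern.securelevel 3, where pfctl(8) cannot change rules.
#
# PFCTL and SYSCTL are overridable only so the helper can be exercised on a
# machine without pf (an assumption of this example); on FreeBSD leave them unset.
PFCTL="${PFCTL:-pfctl}"
SYSCTL="${SYSCTL:-sysctl}"

# pf_rules_changeable: succeeds when the running securelevel is below 3.
# If the sysctl cannot be read (for example on a non-FreeBSD host) the level
# is treated as unknown (-1) and the reload is allowed to proceed.
pf_rules_changeable() {
    level=$("$SYSCTL" -n kern.securelevel 2>/dev/null) || level=-1
    case $level in
        ''|*[!0-9-]*) level=-1 ;;
    esac
    [ "$level" -lt 3 ]
}

# pf_safe_reload FILE: syntax-check FILE, then load it.
# Returns 0 on success, 1 if "pfctl -n" rejects the file, 2 at securelevel >= 3.
pf_safe_reload() {
    file="$1"
    if ! pf_rules_changeable; then
        echo "pf_safe_reload: kern.securelevel >= 3, rules cannot be changed" >&2
        return 2
    fi
    # Parse only; on error nothing is loaded and the current ruleset stays active.
    if ! "$PFCTL" -n -f "$file"; then
        echo "pf_safe_reload: $file rejected by 'pfctl -n', keeping current ruleset" >&2
        return 1
    fi
    # No "-F all" here: flushing before loading would leave only the kernel
    # default rule active in the window between the flush and the load.
    "$PFCTL" -f "$file"
}

# write_sample_ruleset FILE: constructed sample pf.conf whose first rule is an
# explicit "block", so policy never depends on the kernel's default rule.
# The interface name em0 is an assumption for the example.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
ext_if = "em0"
# Explicit default deny: anything no later pass rule matches is dropped and logged.
block log all
pass out quick on $ext_if inet keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state
EOF
}

# Usage: sh pf_safe_reload.sh /etc/pf.conf
if [ $# -eq 1 ]; then
    pf_safe_reload "$1"
fi
```

The override variables exist only so the helper can be tested without pf; on a FreeBSD host run it as root with the real pfctl and sysctl. Note that it does nothing for James's case: at securelevel 3 neither the rules nor, per the PR, the state table via "pfctl -k" can be changed, and the helper simply reports that instead of attempting a load.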