From owner-freebsd-pf@FreeBSD.ORG Sun Apr 11 04:32:55 2010
Message-ID: <751667.28807.qm@web29018.mail.ird.yahoo.com>
Date: Sun, 11 Apr 2010 04:06:13 +0000 (GMT)
From: Z Wing
To: freebsd-pf@freebsd.org
Subject: (no subject)

Hiya all,

Could someone clarify for me the purpose of the bandwidth parameter when
used with hfsc? Please consider my queue (512Kb max upload through the
ADSL line):

 altq on em1 bandwidth 500Kb hfsc queue { ack, dns, ssh, other }
  queue ack        bandwidth 95% priority 8 qlimit 500 hfsc (realtime   20%)
  queue dns        bandwidth 95% priority 7 qlimit 500 hfsc (realtime    5%)
  queue ssh        bandwidth 95% priority 6 qlimit 500 hfsc (realtime   20%) {ssh_login, ssh_bulk}
   queue ssh_login bandwidth 95% priority 6 qlimit 500 hfsc
   queue ssh_bulk  bandwidth 95% priority 5 qlimit 500 hfsc
  queue other      bandwidth 95% priority 5 qlimit 500 hfsc (realtime   20% default)

My understanding was that "bandwidth xx%" tells pf that the queue can only
use xx% of the total parent queue bandwidth and the various guides on the
Internet say that it cannot go above 100% which sort of makes sense.
However what I want, for example, is the 'other' queue to get all the
upload bandwidth as long as there is no acks or ssh traffic in the queue.
If I set bandwidth 20% for other, won't that mean that no matter what, the
'other' queue will only get a maximum of 20% of the bandwidth (even if
there is no ssh traffic waiting?)

I think I haven't quite understood this properly but perhaps someone could
clarify it. I found a lot out from calomel.org's excellent page but that's
the only bit that confused me.

Thanks

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 11 04:39:24 2010
Message-ID: <996868.85026.qm@web29002.mail.ird.yahoo.com>
Date: Sun, 11 Apr 2010 04:39:21 +0000 (GMT)
From: Z Wing
To: freebsd-pf@freebsd.org
Subject: (no subject)

Hiya all,

Could someone clarify for me the purpose of the bandwidth parameter when
used with hfsc? Please consider my queue (512Kb max upload through the
ADSL line):

 altq on em1 bandwidth 500Kb hfsc queue { ack, dns, ssh, other }
  queue ack        bandwidth 95% priority 8 qlimit 500 hfsc (realtime   20%)
  queue dns        bandwidth 95% priority 7 qlimit 500 hfsc (realtime    5%)
  queue ssh        bandwidth 95% priority 6 qlimit 500 hfsc (realtime   20%) {ssh_login, ssh_bulk}
   queue ssh_login bandwidth 95% priority 6 qlimit 500 hfsc
   queue ssh_bulk  bandwidth 95% priority 5 qlimit 500 hfsc
  queue other      bandwidth 95% priority 5 qlimit 500 hfsc (realtime   20% default)

My understanding was that "bandwidth 20%" tells pf that the queue can only
use 20% of the total parent queue bandwidth and the various guides on the
Internet say that it cannot go above 100% which sort of makes sense.
However what I want, for example, is the 'other' queue to get all the
upload bandwidth as long as there is no acks or ssh traffic in the queue.
If I set bandwidth 20% for other, won't that mean that no matter what, the
'other' queue will only get a maximum of 20% of the bandwidth (even if
there is no ssh traffic waiting?)

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 11 06:55:12 2010
Message-ID: <7860e51d2b17e3643d8f6c4f1aa81ef6.squirrel@pop.pknet.net>
In-Reply-To: <996868.85026.qm@web29002.mail.ird.yahoo.com>
Date: Sun, 11 Apr 2010 00:55:11 -0600
From: "Peter"
To: "Z Wing"
Cc: freebsd-pf@freebsd.org
Subject: Re: (no subject)

> Hiya all,
>
> Could someone clarify for me the purpose of the bandwidth parameter when
> used with hfsc? Please consider my queue (512Kb max upload through the
> ADSL line):
>
>  altq on em1 bandwidth 500Kb hfsc queue { ack, dns, ssh, other }
>   queue ack        bandwidth 95% priority 8 qlimit 500 hfsc (realtime   20%)
>   queue dns        bandwidth 95% priority 7 qlimit 500 hfsc (realtime    5%)
>   queue ssh        bandwidth 95% priority 6 qlimit 500 hfsc (realtime   20%) {ssh_login, ssh_bulk}
>    queue ssh_login bandwidth 95% priority 6 qlimit 500 hfsc
>    queue ssh_bulk  bandwidth 95% priority 5 qlimit 500 hfsc
>   queue other      bandwidth 95% priority 5 qlimit 500 hfsc (realtime   20% default)
>
> My understanding was that "bandwidth 20%" tells pf that the queue can only
> use 20% of the total parent queue bandwidth and the various guides on the
> Internet say that it cannot go above 100% which sort of makes sense.
> However what I want, for example, is the 'other' queue to get all the
> upload bandwidth as long as there is no acks or ssh traffic in the queue.
> If I set bandwidth 20% for other, won't that mean that no matter what, the
> 'other' queue will only get a maximum of 20% of the bandwidth (even if
> there is no ssh traffic waiting?)

As I remember and how I've got it setup:
[http://lists.freebsd.org/pipermail/freebsd-pf/2009-March/005061.html]

hfsc by default borrows from parent [up to 100% or 'upperlimit' you set] -
So if your other queues are not being used, it will borrow from parents
unless you have an upperlimit set.

That link has more info/explanation on how it worked for me.

]Peter[

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 11 11:17:23 2010
Message-ID: <520101.10970.qm@web29018.mail.ird.yahoo.com>
Date: Sun, 11 Apr 2010 11:17:21 +0000 (GMT)
From: Z Wing
To: freebsd-pf@freebsd.org
Subject: hsfc & pf

hi Peter,

That link seems to 404, could you recheck it? If hfsc borrows 100% and you
control it with upperlimit, what's the point of the bandwidth parameter for
anything other than the first altq line specifying your total bw?

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 11 12:35:04 2010
Date: Sun, 11 Apr 2010 14:03:21 +0200
From: Jille Timmermans
Message-ID: <8d194046e93da0b44295f29a75a5775f@imap.hexon.cx>
Subject: Panic with VIMAGE and pf

Hello,

I was trying to enable VIMAGE (for use with jails) but stumbled upon the
following panic:

Fatal trap 12: page fault while in kernel mode
fault virtual address: 0x28
current proceess = 38 (pfctl)

db> bt
pfil_head_get() at +0x41
pfioctl() at +0x11f2
devfs_ioctl_f() at +0x77
kern_ioctl() at +0xf6
ioctl() at +0xf0
syscall() +0x137

I can easily reproduce this in single user mode using:
# kldload pf
# pfctl -f /etc/pf.conf

I disabled VIMAGE and the panic didn't occur anymore.

I'm running amd64 stable/8; r206458. (I also tried this 3 weeks ago; but
had the same problem)

I'm not able to get a dump; the memory dump-thing stalls after printing
the first mark.

-- Jille

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 11 12:45:08 2010
Date: Sun, 11 Apr 2010 12:43:42 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Jille Timmermans
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <8d194046e93da0b44295f29a75a5775f@imap.hexon.cx>
Message-ID: <20100411124229.Q40281@maildrop.int.zabbadoz.net>
Subject: Re: Panic with VIMAGE and pf

On Sun, 11 Apr 2010, Jille Timmermans wrote:

Hi,

> I was trying to enable VIMAGE (for use with jails) but stumbled upon the
> following panic:
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address: 0x28
> current proceess = 38 (pfctl)
>
> db> bt
> pfil_head_get() at +0x41
> pfioctl() at +0x11f2
> devfs_ioctl_f() at +0x77
> kern_ioctl() at +0xf6
> ioctl() at +0xf0
> syscall() +0x137
>
> I can easily reproduce this in single user mode using:
> # kldload pf
> # pfctl -f /etc/pf.conf
>
> I disabled VIMAGE and the panic didn't occur anymore.
>
> I'm running amd64 stable/8; r206458. (I also tried this 3 weeks ago; but
> had the same problem)
>
> I'm not able to get a dump; the memory dump-thing stalls after printing
> the first mark.

This is a FAQ. pf hasn't been virtualized (in-tree) yet. See
http://lists.freebsd.org/pipermail/freebsd-virtualization/2010-February/000449.html
for how far it is and how to get it. That might, btw., be the better
list to ask VIMAGE questions;)

/bz

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 12 02:23:29 2010
Message-ID: <4BC28390.3010808@infoweapons.com>
Date: Mon, 12 Apr 2010 10:21:04 +0800
From: Sho
To: Z Wing
Cc: "freebsd-pf@freebsd.org"
In-Reply-To: <520101.10970.qm@web29018.mail.ird.yahoo.com>
Subject: Re: hsfc & pf

Z Wing wrote:
> hi Peter,
>
> That link seems to 404, could you recheck it? If hfsc borrows 100% and you
> control it with upperlimit, what's the point of the bandwidth parameter for
> anything other than the first altq line specifying your total bw?

You can think of it as the initial bandwidth allocation for the queue.
Would save a few computations if you have it specified.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 12 11:07:07 2010
Date: Mon, 12 Apr 2010 11:07:05 GMT
Message-Id: <201004121107.o3CB75e2042512@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/144311  pf     [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
f kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

43 problems total.
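
For the hfsc question earlier in this archive: the borrowing behaviour Peter and Sho describe, written out as a pf.conf fragment. This is an added example, not a configuration posted by anyone in the thread; the share percentages and the 100Kb cap on ssh_bulk are constructed values, priority is left out, and it assumes pfctl uses "bandwidth" as the hfsc linkshare when no linkshare is given.

```conf
# Constructed pf.conf fragment for the 500Kb uplink on em1 from the thread.
# "bandwidth" is a queue's share while its siblings are busy; it is not a cap.
# Sibling shares add up to 100% of their parent.
altq on em1 bandwidth 500Kb hfsc queue { ack, dns, ssh, other }

  # realtime: the minimum a queue is guaranteed under contention.
  # The realtime values below total 65% of the link.
  queue ack    bandwidth 20% qlimit 500 hfsc (realtime 20%)
  queue dns    bandwidth  5% qlimit 500 hfsc (realtime  5%)
  queue ssh    bandwidth 25% qlimit 500 hfsc (realtime 20%) { ssh_login, ssh_bulk }
    queue ssh_login bandwidth 60% qlimit 500 hfsc
    # upperlimit: the only setting here that stops a queue from borrowing.
    # ssh_bulk never exceeds 100Kb, even on an otherwise idle link.
    queue ssh_bulk  bandwidth 40% qlimit 500 hfsc (upperlimit 100Kb)

  # No upperlimit: "other" can use the whole link while ack, dns and ssh
  # are idle. Under contention it gets its 50% share, with realtime 20%
  # as the guaranteed floor.
  queue other  bandwidth 50% qlimit 500 hfsc (realtime 20% default)
```

Running pfctl -nf on the file parses it without loading it, and pfctl -vsq shows the queue parameters pf actually computed.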

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 12 13:18:59 2010
Message-ID: <803125.29540.qm@web29004.mail.ird.yahoo.com>
Date: Mon, 12 Apr 2010 13:18:57 +0000 (GMT)
From: Z Wing
To: Sho
Cc: "freebsd-pf@freebsd.org"
In-Reply-To: <4BC28390.3010808@infoweapons.com>
Subject: Re: hsfc & pf

Oh I see, so you set that initially but each queue will definitely borrow
from the parent queue (up to upperlimit)? With cbq you have to specify
"borrow" don't you, but is my understanding right that borrow is implied
with hfsc?

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 15 14:36:26 2010
(ldg@tls.net@208.70.40.225) by ssl-smtp2.tls.net with ESMTPA; 15 Apr 2010 14:36:24 -0000 Message-ID: <4BC72457.1000202@pixelhammer.com> Date: Thu, 15 Apr 2010 10:36:07 -0400 From: DAve User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <4BBF59E2.80303@pixelhammer.com> <4BBF8629.1090109@pixelhammer.com> In-Reply-To: X-Enigmail-Version: 0.96.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: Fwd: Issues with pf and snmp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Apr 2010 14:36:27 -0000 Peter Maxwell wrote: > > Can't see anything obvious but have you tried these things in the event > something strange is going on: > > - removing the scrub rule; > > - removing the antispoof rule; > > - add 'log' to the the pass rules and then check to see if there are any > other snmp udp packets getting passed/dropped in the wrong place. A good idea. I will try to get that done this evening, though I am running 100% until Monday. Thanks, DAve -- "Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." 
John Adams http://appleseedinfo.org From owner-freebsd-pf@FreeBSD.ORG Fri Apr 16 04:11:23 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7BF51106564A for ; Fri, 16 Apr 2010 04:11:23 +0000 (UTC) (envelope-from dave.list@pixelhammer.com) Received: from smtp2.tls.net (smtp2.tls.net [65.124.104.105]) by mx1.freebsd.org (Postfix) with ESMTP id 241E48FC12 for ; Fri, 16 Apr 2010 04:11:22 +0000 (UTC) Received: (qmail 43803 invoked from network); 16 Apr 2010 04:11:21 -0000 Received: by simscan 1.4.0 ppid: 43766, pid: 43799, t: 0.1428s scanners: attach: 1.4.0 clamav: 0.95.3/m:52/d:10744 spam: 3.2.1 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on smtp-2.tls.net X-Spam-Level: * X-Spam-Status: No, score=1.6 required=7.0 tests=ALL_TRUSTED,TVD_RCVD_IP autolearn=disabled version=3.2.1 Received: from 208-70-40-225.bb.hrtc.net (HELO ?192.168.1.46?) (ldg@tls.net@208.70.40.225) by ssl-smtp2.tls.net with ESMTPA; 16 Apr 2010 04:11:21 -0000 Message-ID: <4BC7E357.2070203@pixelhammer.com> Date: Fri, 16 Apr 2010 00:11:03 -0400 From: DAve User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <4BBF59E2.80303@pixelhammer.com> <4BBF8629.1090109@pixelhammer.com> <4BC72457.1000202@pixelhammer.com> In-Reply-To: <4BC72457.1000202@pixelhammer.com> X-Enigmail-Version: 0.96.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: Fwd: Issues with pf and snmp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Apr 2010 04:11:23 -0000 DAve wrote: > Peter Maxwell wrote: >> Can't see anything obvious but have you tried these things in the event >> something strange is going on: >> 
>> - removing the scrub rule;
>>
>> - removing the antispoof rule;
>>
>> - add 'log' to the pass rules and then check to see if there are any
>> other snmp udp packets getting passed/dropped in the wrong place.
>
> A good idea. I will try to get that done this evening, though I am
> running 100% until Monday.
>

Nope, no scrubbing no antispoof, same result exactly. I did check
snmpget and it seemed to work. I will check which oid is next in line
and see if I can get that value next.

It appears some restriction on the snmpwalk, possibly a limit on how
many results are being returned? (Shooting in the dark now).

I use Cacti everywhere within our networks, no snmpwalk is a show
stopper for me here...

DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom. I hope you will make good use of it. If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Adams

http://appleseedinfo.org

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 16 05:13:47 2010
Date: Fri, 16 Apr 2010 06:13:46 +0100
From: Peter Maxwell
To: DAve
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4BC7E357.2070203@pixelhammer.com>
Subject: Re: Fwd: Issues with pf and snmp

On 16 April 2010 05:11, DAve wrote:

> DAve wrote:
> > Peter Maxwell wrote:
> >> Can't see anything obvious but have you tried these things in the event
> >> something strange is going on:
> >>
> >> - removing the scrub rule;
> >>
> >> - removing the antispoof rule;
> >>
> >> - add 'log' to the pass rules and then check to see if there are any
> >> other snmp udp packets getting passed/dropped in the wrong place.
> >
> > A good idea. I will try to get that done this evening, though I am
> > running 100% until Monday.
> >
>
> Nope, no scrubbing no antispoof, same result exactly.
> I did check
> snmpget and it seemed to work. I will check which oid is next in line
> and see if I can get that value next.
>

If snmpget is working, pf is passing packets and there is something
unexpected happening. I'd start opening up your ruleset until it works or
you reach a 'pass all' ruleset (with the former you've found the problem, in
the latter you know for certain pf is the problem).

- add an equivalent 'pass out' rule for the network;
- change the pass rule to be 'from to any';
- comment out the three unnecessary block rules (3 through 5);
- remove *all* instances of the 'quick' keyword;
- move the snmp rules to immediately underneath the first block rules;
- remove all the pass rules and replace with pass in from any to $ext_if &
  pass out from $ext_if to any.

If you've reached this far and it still doesn't work then, erm, we'll deal
with that if it happens.

> It appears some restriction on the snmpwalk, possibly a limit on how
> many results are being returned? (Shooting in the dark now).
>

No, that would be on the application layer, the tcpdump output showed an
inbound udp packet getting blocked. The only difference I can imagine
between snmpget and snmpwalk would be the size of the packets, number of
packets, or source port numbers.

I'd try doing a tcpdump on the dc0 interface of the snmpwalk session when pf
isn't loaded then load pf and collect a tcpdump from both the dc0 and pflog0
interfaces. There should be enough information in those three datasets to
discover what on earth is going on.

>
> I use Cacti everywhere within our networks, no snmpwalk is a show
> stopper for me here...
>
> DAve
>
>
> --
> "Posterity, you will know how much it cost the present generation to
> preserve your freedom. I hope you will make good use of it. If you
> do not, I shall repent in heaven that ever I took half the pains to
> preserve it."
> John Adams
>
> http://appleseedinfo.org
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 16 11:50:29 2010
Message-ID: <4BC84F00.1060700@subisu.net.np>
Date: Fri, 16 Apr 2010 17:35:24 +0545
From: Gaurav Ghimire
To: freebsd-pf@freebsd.org
Subject: ping sendto: operation not permitted.

Dear all,

I am lately having problems with my firewall. There had not been any
changes to the configuration and it had been working very fine. Out of
nowhere I believe that pf is now acting abnormal and is blocking outgoing
packets at random. It doesn't occur regularly but I am getting the ping
sendto: operation not permitted error and also it's delaying udp queries to
by dns servers that it generally protects. If I disable pf using 'pfctl -d'
things go to normal and there isn't any issue. I also see connection breaks
when the pf itself tries to contact my ldap server for information.
Disabling pf makes everything go back to normal. Any hint as where I should
be looking would be highly appreciated. I have been pulling my hairs
literally lately.

Regards,

-- Gaurav

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 16 12:33:23 2010
Message-ID: <9E8D76EC267C9444AC737F649CBBAD902767E3BEDD@PEMEXMBXVS02.jellyfishnet.co.uk.local>
Date: Fri, 16 Apr 2010 13:32:57 +0100
From: Greg Hennessy
To: Gaurav Ghimire, "freebsd-pf@freebsd.org"
In-Reply-To: <4BC84F00.1060700@subisu.net.np>
Subject: RE: ping sendto: operation not permitted.

Running out of state table entries?

________________________________________
From: owner-freebsd-pf@freebsd.org [owner-freebsd-pf@freebsd.org] On Behalf Of Gaurav Ghimire [gaurav@subisu.net.np]
Sent: 16 April 2010 12:50
To: freebsd-pf@freebsd.org
Subject: ping sendto: operation not permitted.

Dear all,

I am lately having problems with my firewall. There had not been any
changes to the configuration and it had been working very fine. Out of
nowhere I believe that pf is now acting abnormal and is blocking outgoing
packets at random. It doesn't occur regularly but I am getting the ping
sendto: operation not permitted error and also it's delaying udp queries to
by dns servers that it generally protects. If I disable pf using 'pfctl -d'
things go to normal and there isn't any issue. I also see connection breaks
when the pf itself tries to contact my ldap server for information.
Disabling pf makes everything go back to normal. Any hint as where I should
be looking would be highly appreciated. I have been pulling my hairs
literally lately.

Regards,

-- Gaurav

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 16 14:24:11 2010
Message-ID: <85262.45908.qm@web38005.mail.mud.yahoo.com>
Date: Fri, 16 Apr 2010 06:57:29 -0700 (PDT)
From: jose ycogo
To: Gaurav Ghimire, freebsd-pf@freebsd.org
In-Reply-To: <4BC84F00.1060700@subisu.net.np>
Subject: Re: ping sendto: operation not permitted.

I think it's best if you post your pf.conf

cheers...

________________________________
From: Gaurav Ghimire
To: freebsd-pf@freebsd.org
Sent: Friday, April 16, 2010 19:50:24
Subject: ping sendto: operation not permitted.

Dear all,

I am lately having problems with my firewall. There had not been any
changes to the configuration and it had been working very fine. Out of
nowhere I believe that pf is now acting abnormal and is blocking outgoing
packets at random. It doesn't occur regularly but I am getting the ping
sendto: operation not permitted error and also it's delaying udp queries to
by dns servers that it generally protects. If I disable pf using 'pfctl -d'
things go to normal and there isn't any issue. I also see connection breaks
when the pf itself tries to contact my ldap server for information.
Disabling pf makes everything go back to normal. Any hint as where I should
be looking would be highly appreciated.
I have been pulling my hairs literally lately.

Regards,

-- Gaurav

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 16 14:31:06 2010
In-Reply-To: <85262.45908.qm@web38005.mail.mud.yahoo.com>
Date: Fri, 16 Apr 2010 15:31:04 +0100
From: Peter Maxwell
To: freebsd-pf@freebsd.org
Subject: Re: ping sendto: operation not permitted.

Checking whether there is anything unexpected in the dmesg output and
posting the output of pfctl -v -s a wouldn't hurt either.

On 16 April 2010 14:57, jose ycogo wrote:

>
>
> I think it's best if you post your pf.conf
>
> cheers...
>
>
>
>
> ________________________________
> From: Gaurav Ghimire
> To: freebsd-pf@freebsd.org
> Sent: Friday, April 16, 2010 19:50:24
> Subject: ping sendto: operation not permitted.
>
> Dear all,
>
> I am lately having problems with my firewall. There had not been any
> changes to the configuration and it had been working very fine. Out of
> nowhere I believe that pf is now acting abnormal and is blocking outgoing
> packets at random. It doesn't occur regularly but I am getting the ping
> sendto: operation not permitted error and also it's delaying udp queries to
> by dns servers that it generally protects. If I disable pf using 'pfctl -d'
> things go to normal and there isn't any issue. I also see connection breaks
> when the pf itself tries to contact my ldap server for information.
> Disabling pf makes everything go back to normal. Any hint as where I should
> be looking would be highly appreciated.
> I have been pulling my hairs
> literally lately.
>
> Regards,
>
> -- Gaurav
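
Greg's state-table question and Peter's request for the `pfctl -v -s a` output can be checked mechanically. The script below is an added example and is not part of any message in this thread: it reads the text of `pfctl -s info` and `pfctl -s memory` and reports how full the state table is and whether the `memory` drop counter has moved. The function names, the sample outputs (constructed) and the 90% warning threshold are assumptions.

```shell
#!/bin/sh
# Added example: triage pf state-table exhaustion from pfctl output.
# On a live host the inputs are `pfctl -s info` and `pfctl -s memory` (as root).
# Both samples below are constructed; they are not output from the thread.

SAMPLE_INFO='Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9987
  searches                       184467440          175.9/s
  inserts                          6120034            5.8/s
  removals                         6110047            5.8/s
Counters
  match                            7433210            7.1/s
  memory                             48211            0.0/s
  state-limit                            0            0.0/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Print the "current entries" value from `pfctl -s info` text on stdin.
pf_current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Print a named counter (memory, state-limit, ...) from the Counters section.
pf_counter() {
    awk -v name="$1" '$1 == "Counters" { in_c = 1; next }
         in_c && $1 == name { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Print the hard limit on states from `pfctl -s memory` text on stdin.
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; found = 1; exit }
         END { if (!found) exit 1 }'
}

# pf_state_verdict INFO_TEXT MEMORY_TEXT [WARN_PERCENT]
# Prints OK, WARN or EXHAUSTED with the numbers behind the verdict.
# The memory counter is cumulative since pf was enabled, so any non-zero
# value means packets were dropped for lack of memory at some point.
pf_state_verdict() {
    cur=$(printf '%s\n' "$1" | pf_current_states) || { echo "UNKNOWN no state count"; return 2; }
    lim=$(printf '%s\n' "$2" | pf_state_limit)    || { echo "UNKNOWN no state limit"; return 2; }
    mem=$(printf '%s\n' "$1" | pf_counter memory) || mem=0
    warn=${3:-90}
    [ "$lim" -gt 0 ] || { echo "UNKNOWN zero state limit"; return 2; }
    pct=$(( cur * 100 / lim ))
    if [ "$cur" -ge "$lim" ]; then
        verdict=EXHAUSTED
    elif [ "$pct" -ge "$warn" ] || [ "$mem" -gt 0 ]; then
        verdict=WARN
    else
        verdict=OK
    fi
    echo "$verdict states=$cur/$lim (${pct}%) memory_drops=$mem"
}

pf_state_verdict "$SAMPLE_INFO" "$SAMPLE_MEMORY"
```

On a live firewall the call is `pf_state_verdict "$(pfctl -s info)" "$(pfctl -s memory)"`; running it twice a few minutes apart shows whether `memory_drops` is still climbing.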