From owner-freebsd-pf@FreeBSD.ORG Mon Sep 3 06:01:49 2012
Delivered-To: freebsd-pf@freebsd.org
From: Nicolene Fourie
To: freebsd-pf@freebsd.org
Date: Mon, 3 Sep 2012 08:01:47 +0200
Message-ID: <2055ed07fd973a0758f53ab3e9952e25@mail.gmail.com>
Subject: Drive A New Car from R499 P/M
X-Mailer: Microsoft Office Outlook 12.0
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 03 Sep 2012 06:01:49 -0000

Hi

Do you still have cars available?

[image: cid:image001.png@01CD22C1.D6F315E0]
Nicolene Fourie
Sales Assistant / PA to Ray Fernandez
Tel: (+27) 011-467 4972, or (+27) 0860 solahart (7652 4278)
Fax: (+27) 0866 572 025, Cell: (+27) 083 388 9003
Physical: 23 Fountain Road, Beverley AH, Sandton
Coordinates: S26˚00’14.3” E028˚00’56.9”
Web: www.selectedenergy.co.za
Mail: sales@selectedenergy.co.za
[image: cid:image005.png@01CCAECE.5FCE3FB0]
World leaders in Solar Water Heating, installed over a million systems world wide
Established in South Africa since 1982
Please consider the environment before printing this email.

Confidentiality notice: This e-mail may contain confidential information and is intended only for the use of the recipient named above. Should you receive this e-mail in error, please forward it to sales@selectedenergy.co.za and delete from your inbox. Any disclosure, copying, distribution or action on the contents of this e-mail is strictly prohibited.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 3 11:09:50 2012
Delivered-To: freebsd-pf@FreeBSD.org
Date: Mon, 3 Sep 2012 11:09:48 GMT
Message-Id: <201209031109.q83B9m25049163@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf         [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

53 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 11:26:57 2012
Delivered-To: freebsd-pf@freebsd.org
From: "Warren Couchman"
Date: Wed, 5 Sep 2012 12:34:05 +0200
Message-Id: <20120905103123.22EF437B@wblv-ip-mesg-1-1.saix.net>
Subject: Drive A New Car from R499 P/M
X-Content-Filtered-By: Mailman/MimeDel 2.1.5

Warren Couchman
Draughtsman
GEDORE TOOLS SA (PTY) LTD
Physical: 103 Shepstone Road, New Germany 3610, South Africa
Postal: PO Box 68, New Germany 3620, South Africa
Phone: +27 (31) 705 3587
Fax: +27 (31) 705 4735
Email: wcouchman@gedore.co.za
Internet: www.gedore.co.za
[image: cid:image001.png@01CBD81F.69FFAAE0]

#####################################################################################
This transmission is intended only for the person or entity to which it is addressed and may contain information that is confidential and/or restricted. If you receive this in error, you are hereby notified that any replicating, distribution or dissemination of this email is strictly prohibited. Please contact the sender and delete the material from any computer. Opinions, assumptions, conclusions and other information in this message that do not relate to the official business of Gedore Tools SA (Pty) Ltd shall be understood as neither given nor endorsed by it.
#####################################################################################

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 11:51:52 2012
Delivered-To: pf@FreeBSD.org
Date: Wed, 5 Sep 2012 15:51:40 +0400
From: Gleb Smirnoff
To: net@FreeBSD.org, pf@FreeBSD.org
Message-ID: <20120905115140.GF15915@FreeBSD.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [HEADS UP] merging projects/pf into head

Hi!

[announce goes both to net@ and pf@, but any discussion should go on pf@FreeBSD.org only, please]

As you may already know, for the last half a year I've been working on making pf SMP-scalable and faster in general. More info can be found here:

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html
http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006662.html

Since that announcement in June, I've been running the experimental code for more than 2 months in production on several routers. Also, some brave people volunteered to be beta-testers and have also run the experimental branch in the last couple of months. The code proved to be stable enough.

The new code performs better in production: less CPU load, less jitter, a more responsive system under high load. It performs better under synthetic benchmarks like randomly generated UDP flood. It performs much better when a DoS comes in.

Thus, I plan to merge projects/pf/head to head this weekend, and this is a HEADS UP email! You have been warned. :)

What I'd like to do next:

1) Move pf out of contrib.
2) Refactor the pfvar.h into pf.h and pf_var.h. Provide stable kernel<->pfctl ABI. And probably other clean up tasks.
...
3) ... too far to build any plans, yet. :)

-- 
Totus tuus, Glebius.
From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 14:28:26 2012
Delivered-To: pf@FreeBSD.org
Message-ID: <50476187.8000303@gibfest.dk>
Date: Wed, 05 Sep 2012 16:28:23 +0200
From: Thomas Steen Rasmussen
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120824 Thunderbird/15.0
To: Gleb Smirnoff
Cc: pf@FreeBSD.org
References: <20120905115140.GF15915@FreeBSD.org>
In-Reply-To: <20120905115140.GF15915@FreeBSD.org>
Subject: Re: [HEADS UP] merging projects/pf into head

On 05-09-2012 13:51, Gleb Smirnoff wrote:
> Hi!
>
> [announce goes both to net@ and pf@, but any discussion should
> go on pf@FreeBSD.org only, please]
>
> As you may already know, for the last half a year I've been working on
> making pf SMP-scalable and faster in general. More info can be
> found here:
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html
> http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006662.html

Hello Gleb (and list),

Your work seems very exciting from a performance standpoint, and it is certainly something I am looking forward to. Please don't take the following as a critique of your important work :)

In your original announcement you confirmed my fears that this work will make our pf divert a lot from OpenBSD's pf, making bulk code-imports impossible in the future. As you know we are stuck on the old pf-syntax; how will we ever get to the new pf-syntax if your work goes into HEAD?

Currently the common "pf-ecosystem" that we've always more-or-less shared with OpenBSD seems to be crumbling. If we are going to continue along our own "branch" of pf, with old syntax and SMP support, and who knows what else in the future, should we consider renaming it to avoid having two similar-but-not-identical firewalls with the same name?

Best regards,

Thomas Steen Rasmussen

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 17:16:37 2012
Delivered-To: pf@FreeBSD.org
To: Gleb Smirnoff
From: Ian FREISLICH
Cc: pf@FreeBSD.org
In-Reply-To: <20120905115140.GF15915@FreeBSD.org>
References: <20120905115140.GF15915@FreeBSD.org>
X-Attribution: BOFH
Date: Wed, 05 Sep 2012 19:11:07 +0200
Subject: Re: [HEADS UP] merging projects/pf into head

Gleb Smirnoff wrote:
> As you may already know, for the last half a year I've been working on
> making pf SMP-scalable and faster in general.
> More info can be
> found here:

Very good news. I'm in the process of staging for deployment to our production system for testing under significant load.

Ian

-- 
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 18:36:10 2012
Delivered-To: pf@FreeBSD.org
Date: Wed, 5 Sep 2012 22:36:07 +0400
From: Gleb Smirnoff
To: Thomas Steen Rasmussen
Cc: pf@FreeBSD.org
Message-ID: <20120905183607.GI15915@glebius.int.ru>
References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk>
In-Reply-To: <50476187.8000303@gibfest.dk>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [HEADS UP] merging projects/pf into head

Thomas,

On Wed, Sep 05, 2012 at 04:28:23PM +0200, Thomas Steen Rasmussen wrote:
T> Your work seems very exciting from a performance standpoint, and it
T> is certainly something I am looking forward to. Please don't take the
T> following as a critique of your important work :)
T>
T> In your original announcement you confirmed my fears that this work
T> will make our pf divert a lot from OpenBSD's pf, making bulk code-imports
T> impossible in the future. As you know we are stuck on the old pf-syntax;
T> how will we ever get to the new pf-syntax if your work goes into HEAD?

What's bad with "getting stuck" with the old syntax? I personally don't have any problems with it. I have had problems with performance, however.

Here you are advocating a thesis that new => good, older => bad. If we believe this thesis, and focus on keeping up to date with OpenBSD, then we will spend zillions of man-hours porting newer and newer and newer pf to FreeBSD, but we will always get the old one, because OpenBSD will be at least one minor revision ahead of us. This race can never be won. Samba will never become Windows :)

However, if someone is eager to see the new syntax in FreeBSD, I have nothing against this. Just sit down and port it. Yes, porting will require some time to understand the code and quality-port it to FreeBSD.

Bulk imports are no longer possible (unless one wants to ruin all my work). We have had some pain with bulk imports. The last one, for example, has broken pfsync completely.

First, imports were made with a focus on minimizing the diff to OpenBSD. Code was made compilable on FreeBSD and somehow working. But the operating systems have diverged very much over the last 15 years, and thus quality porting requires more than just making it compile. For example, OpenBSD runs the network stack under splnet(9). They can run ip_output() anywhere in the network stack (except in ip_output() itself, heh). We can't, since that would make lock order reversals. This was just one example, but believe me, there are many more. All these peculiarities were worked out correctly in my branch. So, this branch is not about SMP scalability only; this is a better port of pf to FreeBSD.

Second, the imported code (what we have now in head) is polluted with zillions of ifdefs and is difficult to read even by the person who wrote it. Any other developer runs away in fear when he faces that. This ends up with no one willing to fix open problem reports. We have now 53 PRs assigned to freebsd-pf@. They are rotting and no one takes them. Most of these PRs can't be forwarded to OpenBSD, since they are specific to our port (yep, the port has problems - see above paragraph).

From my point of view the state of pf in FreeBSD is (was) a dead end. We don't modify it, since it isn't ours, but we hope that a new bulk import would fix problems.

I hope that the new state of pf in FreeBSD would attract more developers to it. I have nothing against cherry-picking new features from OpenBSD (but taking into account the new multithreaded design). I have nothing against completely new features. I'd appreciate any attempt to reduce the number of PRs assigned to freebsd-pf@.

T> Currently the common "pf-ecosystem" that we've always more-or-less
T> shared with OpenBSD seems to be crumbling. If we are going to continue
T> along our own "branch" of pf, with old syntax and SMP support, and who
T> knows what else in the future, should we consider renaming it to avoid
T> having two similar-but-not-identical firewalls with the same name?

Maybe it is worth renaming; I have nothing against this. But I don't think it is already time to rename right now. Now the only rewritten part is keys/states storage; all other code is shared with OpenBSD, however touched a lot.

-- 
Totus tuus, Glebius.
From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 20:02:18 2012
Delivered-To: pf@freebsd.org
Date: Wed, 5 Sep 2012 22:02:17 +0200
From: Ermal Luçi
To: Gleb Smirnoff
Cc: pf@freebsd.org
In-Reply-To: <20120905183607.GI15915@glebius.int.ru>
References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru>
Subject: Re: [HEADS UP] merging projects/pf into head

Hi Gleb,

On Wed, Sep 5, 2012 at 8:36 PM, Gleb Smirnoff wrote:
> Thomas,
>
> On Wed, Sep 05, 2012 at 04:28:23PM +0200, Thomas Steen Rasmussen wrote:
> T> Your work seems very exciting from a performance standpoint, and it
> T> is certainly something I am looking forward to. Please don't take the
> T> following as a critique of your important work :)
> T>
> T> In your original announcement you confirmed my fears that this work
> T> will make our pf divert a lot from OpenBSD's pf, making bulk code-imports
> T> impossible in the future. As you know we are stuck on the old pf-syntax;
> T> how will we ever get to the new pf-syntax if your work goes into HEAD?
>
> What's bad with "getting stuck" with the old syntax? I personally don't have
> any problems with it. I have had problems with performance, however.
>
> Here you are advocating a thesis that new => good, older => bad. If
> we believe this thesis, and focus on keeping up to date with OpenBSD,
> then we will spend zillions of man-hours porting newer and newer and
> newer pf to FreeBSD, but we will always get the old one, because OpenBSD
> will be at least one minor revision ahead of us. This race can never
> be won. Samba will never become Windows :)
>
> However, if someone is eager to see the new syntax in FreeBSD, I have nothing
> against this. Just sit down and port it. Yes, porting will require some
> time to understand the code and quality-port it to FreeBSD.
>

As already shared with you, my opinion is that the new 're-arrangement' of data structures together with the new syntax is more helpful to SMP in general, so complementary to this work. As the person who has done most of the work on the last import of pf from OpenBSD, so you can say knowledgeable about the internals of it, I will still recommend the new syntax.
- No more multiple rulesets is the single biggest reason.

But you did not listen then, and I do not expect you to listen now. I do not even expect you to change your standpoint after your work.

> Bulk imports are no longer possible (unless one wants to ruin all my work).
> We have had some pain with bulk imports. The last one, for example, has
> broken pfsync completely.
>
> First, imports were made with a focus on minimizing the diff to OpenBSD. Code was
> made compilable on FreeBSD and somehow working. But the operating systems have
> diverged very much over the last 15 years, and thus quality porting requires more
> than just making it compile. For example, OpenBSD runs the network stack under splnet(9).
> They can run ip_output() anywhere in the network stack (except in ip_output()
> itself, heh). We can't, since that would make lock order reversals. This was just
> one example, but believe me, there are many more. All these peculiarities were worked
> out correctly in my branch. So, this branch is not about SMP scalability only;
> this is a better port of pf to FreeBSD.
>

This is more an issue of FreeBSD rather than OpenBSD per se. pf(4) has survived with code sharing so far quite well and I have seen nothing in your project branch that does a better job at this.

> Second, the imported code (what we have now in head) is polluted with zillions of
> ifdefs and is difficult to read even by the person who wrote it. Any other
> developer runs away in fear when he faces that. This ends up with no one willing
> to fix open problem reports. We have now 53 PRs assigned to freebsd-pf@. They are
> rotting and no one takes them. Most of these PRs can't be forwarded to OpenBSD,
> since they are specific to our port (yep, the port has problems - see above paragraph).
>

This is not an argument but just whining. Too much code in FreeBSD has that.

> From my point of view the state of pf in FreeBSD is (was) a dead end. We don't
> modify it, since it isn't ours, but we hope that a new bulk import would fix problems.
>
> I hope that the new state of pf in FreeBSD would attract more developers to it. I
> have nothing against cherry-picking new features from OpenBSD (but
> taking into account the new multithreaded design). I have nothing against completely
> new features. I'd appreciate any attempt to reduce the number of PRs assigned to
> freebsd-pf@.
>
> T> Currently the common "pf-ecosystem" that we've always more-or-less
> T> shared with OpenBSD seems to be crumbling. If we are going to continue
> T> along our own "branch" of pf, with old syntax and SMP support, and who
> T> knows what else in the future, should we consider renaming it to avoid
> T> having two similar-but-not-identical firewalls with the same name?
>
> Maybe it is worth renaming; I have nothing against this. But I don't
> think it is already time to rename right now. Now the only rewritten part
> is keys/states storage; all other code is shared with OpenBSD, however
> touched a lot.
>

I would suggest this, and always would be for this, since too much expected internal behavior has changed internally with what I have seen on your project branch. People can test the renamed version and have an option to roll back to the previous one. After all you are saying that it's not pf yourself.

> --
> Totus tuus, Glebius.
> _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" -- Ermal From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 20:09:24 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E344B1065670; Wed, 5 Sep 2012 20:09:24 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-ie0-f182.google.com (mail-ie0-f182.google.com [209.85.223.182]) by mx1.freebsd.org (Postfix) with ESMTP id 8E6828FC1E; Wed, 5 Sep 2012 20:09:24 +0000 (UTC) Received: by iebc12 with SMTP id c12so2290708ieb.13 for ; Wed, 05 Sep 2012 13:09:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=BAaa1Wv/Bf5vA5OAKsyEV1J0V65x/iRPY6CQ24BrjaE=; b=YMTeteWrlxchI7sKHswQV5FYW6pTQmNM4wl9QOpxRMSOxnzAVE9q/aqHQvdhr3aY/t uTJBkaMM/iOkRJyxpr5ZNwPtBzFBaP/VXuhzcc6PUQc9BK4WqJuS6+LELuFBM7lqqDDC pkW1BMQ2aWNOWAyFdL+sCILteRWq4bABiuT45D+qNDJfvhk9tiVmGTU6m1pbmEw+bxdd x9WFbtcDjes3EOSyf1tHQjuAeDs1NNgc+We00tkT9xdr5CO/cz3t76G4fmyB91mPlLWL TE+gbZ6ua2w8W1yzCptirgYT36KaFtLz/a5MxVFfj+IWKaI6rS/8e4ZL2WY7yYJEedaJ IaKQ== MIME-Version: 1.0 Received: by 10.42.155.135 with SMTP id u7mr22127547icw.25.1346875764014; Wed, 05 Sep 2012 13:09:24 -0700 (PDT) Sender: ermal.luci@gmail.com Received: by 10.231.47.73 with HTTP; Wed, 5 Sep 2012 13:09:23 -0700 (PDT) In-Reply-To: <20120905115140.GF15915@FreeBSD.org> References: <20120905115140.GF15915@FreeBSD.org> Date: Wed, 5 Sep 2012 22:09:23 +0200 X-Google-Sender-Auth: KpA_Ufil8V4wmk4YQRXcnRAJ6hs Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Gleb Smirnoff Content-Type: text/plain; charset=ISO-8859-1 Cc: pf@freebsd.org, net@freebsd.org Subject: Re: [HEADS UP] merging projects/pf 
into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 20:09:25 -0000 Hi Gleb, On Wed, Sep 5, 2012 at 1:51 PM, Gleb Smirnoff wrote: > Hi! > > [announce goes both to net@ and pf@, but any discussion should > go on on pf@FreeBSD.org only, please] > > As you already may now, last half a year I've been working on > making pf SMP-scalable and faster in general. More info can be > found here: > > http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html > http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006662.html > > Since that announce in June, I've been running experimental code for > more than 2 months in production on several routers. Also, some brave > people volunteered to be beta-testers and also run the experimental > branch in last couple of months. Code proved to be stable enough. > > The new code performs better in production: less CPU load, less > jitter, more responsive system under high load. It performs better > under synthetic benchmarks like random generated UDP flood. It > performs much better when DoS comes in. > Its good to see results on your work and is good moving forward. Claiming better behavior, under DoS or other comparison without showing any data or technical reason is a bit over this RFC. > Thus, I plan to merge projects/pf/head to head this weekend, and > this is a HEADS UP email! You have been warned. :) > > What I'd like to do next: > > 1) Move pf out of contrib. I do not see a reason behind this, any particular reason? > 2) Refactor the pfvar.h into pf.h and pf_var.h. Provide stable > kernel<->pfctl ABI. And probably other clean up tasks. Just this reason is a bit contradictory with 1) above! Let alone what does this mean to the user?! Nothing? 
They are after syntax stability, not breaking their machines on upgrade, ABI is nothing to them. Please reconsider the option of renaming the import and allowing both ports to coexist. Than you can have your changes going through. Regards, Ermal From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 23:13:18 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 469CC106564A for ; Wed, 5 Sep 2012 23:13:18 +0000 (UTC) (envelope-from kpaasial@gmail.com) Received: from mail-vc0-f182.google.com (mail-vc0-f182.google.com [209.85.220.182]) by mx1.freebsd.org (Postfix) with ESMTP id EFF5E8FC0C for ; Wed, 5 Sep 2012 23:13:17 +0000 (UTC) Received: by vcbgb30 with SMTP id gb30so2070981vcb.13 for ; Wed, 05 Sep 2012 16:13:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=HWS18vQq7C5RsE1HGHAHFMIQo0LGs7dQJ8FEEe8jWL8=; b=nNFMuEh/UXxHwVCnORh/PyIKHtwiEFDfWHRbI8+g63kKJmUQPnwZVKgH5SwHkYUq9u I8j6HTKL4xk2S9Kr0qWwMZ0EU4OjQWD03kck6VQC9yeF9v7O4N35zTto7r+t+QLAQjOL GPit0oB084rR/XYd3r5lNoY93MQsZ5MLGDDxoOqRE04J8FF3wRDSk1ijzBfiW3s0Bl/F 70wvNtkv5ldaDmZN6DWCo6GWaG0cMKtApWn8kwYyEnQNPcsIPeC3xQBZo05OGCZSdIxv tJ5+pxfdtpxYgPLe8x2/DCgekoufzdOuYFTwgga3viIR9bYePQObeZkZfpEjxnWBQsGb yOSQ== MIME-Version: 1.0 Received: by 10.220.142.79 with SMTP id p15mr135963vcu.24.1346886790940; Wed, 05 Sep 2012 16:13:10 -0700 (PDT) Received: by 10.58.230.134 with HTTP; Wed, 5 Sep 2012 16:13:10 -0700 (PDT) Date: Thu, 6 Sep 2012 02:13:10 +0300 Message-ID: From: Kimmo Paasiala To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=UTF-8 Subject: PF: matching gif(4) encapsulated IPv6 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
Hello,

I'd like to prioritize gif(4) encapsulated IPv6 over other IPv4
traffic on an interface. I have queues set up and the shaping works
for other types of IPv4 traffic but for some reason I can't find a way
to match outgoing protocol 41 (ipv6) on the interface. My rule is
simply:

pass out log quick on $WAN proto ipv6 from to queue(qWAN_proto41)

The rule should match but gets no hits. What is really puzzling is
that pfctl -v -ss shows a state:

all ipv6 -> MULTIPLE:MULTIPLE
   age 28:01:28, expires in 00:00:59, 198282:210890 pkts, 31007357:140434503 bytes

What creates this state if it's not my rule?

System details: 9-STABLE r239722 amd64. pf(4) compiled with altq(4)
and loaded as modules.

ifconfig gif0 shows:

gif0: flags=8051 metric 0 mtu 1280
        tunnel inet -->
        inet6 fe80::6ef0:49ff:fed3:b400%gif0 prefixlen 64 scopeid 0x6
        inet6 --> prefixlen 128
        nd6 options=21
        options=1

ifconfig em0 (WAN):

em0: flags=8943 metric 0 mtu 1500
        options=209b
        ether 00:1b:21:14:ca:5e
        inet6 fe80::21b:21ff:fe14:ca5e%em0 prefixlen 64 scopeid 0x2
        inet netmask 0xfffff000 broadcast aa.bb.cc.dd
        nd6 options=21
        media: Ethernet autoselect (1000baseT )
        status: active

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 01:17:26 2012
From: Kimmo Paasiala
To: freebsd-pf@freebsd.org
Date: Thu, 6 Sep 2012 04:17:24 +0300
Subject: Re: PF: matching gif(4) encapsulated IPv6

On Thu, Sep 6, 2012 at 2:13 AM, Kimmo Paasiala wrote:
> Hello,
>
> I'd like to prioritize gif(4) encapsulated IPv6 over other IPv4
> traffic on an interface. I have queues set up and the shaping works
> for other types of IPv4 traffic but for some reason I can't find a way
> to match outgoing protocol 41 (ipv6) on the interface. My rule is
> simply:
>
> pass out log quick on $WAN proto ipv6 from to
> queue(qWAN_proto41)
>
> The rule should match but gets no hits. What is really puzzling is
> that pfctl -v -ss shows a state:
>
> all ipv6 -> MULTIPLE:MULTIPLE
>    age 28:01:28, expires in 00:00:59, 198282:210890 pkts,
> 31007357:140434503 bytes
>
> What creates this state if it's not my rule?
>
> System details: 9-STABLE r239722 amd64. pf(4) compiled with altq(4)
> and loaded as modules.
>
> ifconfig gif0 shows:
>
> gif0: flags=8051 metric 0 mtu 1280
>         tunnel inet -->
>         inet6 fe80::6ef0:49ff:fed3:b400%gif0 prefixlen 64 scopeid 0x6
>         inet6 --> prefixlen 128
>         nd6 options=21
>         options=1
>
> ifconfig em0 (WAN):
>
> em0: flags=8943 metric 0 mtu 1500
>         options=209b
>         ether 00:1b:21:14:ca:5e
>         inet6 fe80::21b:21ff:fe14:ca5e%em0 prefixlen 64 scopeid 0x2
>         inet netmask 0xfffff000 broadcast aa.bb.cc.dd
>         nd6 options=21
>         media: Ethernet autoselect (1000baseT )
>         status: active

This was probably a failure to properly reset states after changing
configuration. After a 'service pf restart' the rule works. Sorry for
the noise.

-Kimmo

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 06:46:43 2012
From: Gleb Smirnoff
To: Ermal Luçi
Cc: pf@FreeBSD.org
Date: Thu, 6 Sep 2012 10:46:40 +0400
Message-ID: <20120906064640.GL15915@glebius.int.ru>
References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru>
Subject: Re: [HEADS UP] merging projects/pf into head

Ermal,

On Wed, Sep 05, 2012 at 10:02:17PM +0200, Ermal Luçi wrote:
E> as already shared with you the opinion the new 're-arrangement' of
E> data structure together with new syntax
E> is more helpful to SMP in general, so complementary to this work.
E> As the person who has done most of the work on the last import of pf from
E> OpenBSD, so you
E> can say knowledgeable about the internals of it, I will still recommend
E> the new syntax.
E> - No more multiple rulesets is the single biggest reason.

The new or old syntax is completely orthogonal to SMP. The SMP scalability
is all about the storage, not about rulesets.

I have looked into newer OpenBSD and their new pf modifies rulesets from
the forwarding path more than pf-4.5 did, thus it is not "more helpful
to SMP in general", but the opposite.

E> > Bulk imports are no longer possible (unless one wants to ruin all my work).
E> > We have had some pain with bulk imports. The last one, for example, has
E> > broken pfsync completely.
E> >
E> > First, imports were made with focus on minimizing diff to OpenBSD. Code was
E> > made compilable on FreeBSD and somehow working. But the operating systems have
E> > diverged very much since the last 15 years, and thus quality porting requires more
E> > than just making it compile. For example, OpenBSD runs the network stack under splnet(9).
E> > They can run ip_output() anywhere in the network stack (except for ip_output()
E> > itself, heh). We can't, since that would make lock order reversals. This was just
E> > one example, but believe me, there are many more. All these peculiarities were worked
E> > out correctly in my branch. So, this branch is not about SMP scalability only,
E> > this is a better port of pf to FreeBSD.
E> >
E>
E> This is more an issue of FreeBSD rather than OpenBSD per se.
E> pf(4) has survived with code sharing so far quite well and I have seen
E> nothing in your project branch that does a better job at this.

I'd prefer not survival for the pf, but robustness and performance :)

Let me number the most important things in my project branch that do a better job:

- safely decoupled stack when sending generated packets: pf_send_tcp(), pf_send_icmp()
- safely decoupled stack when sending pfsync(4) deferrals
- safely removed the "pfugidhack"
- provided correct locking in pf_route(), pf_route6()
- offloaded the "flush" functionality to a taskqueue
- removed unsafe lock dropping before malloc(9), or unsafe entering malloc(M_WAITOK)
  with locks held
- removed unsafe lock dropping before copyin(9)/copyout(9)

E> > Second, the imported code (what we have now in head) is polluted with zillions of
E> > ifdefs and is difficult to read even by the person who wrote it. Any other
E> > developer runs away in fear when he faces that. This ends up with no one willing
E> > to fix open problem reports. We have now 53 PRs assigned to freebsd-pf@. They are
E> > rotting and no one takes them. Most of these PRs can't be forwarded to OpenBSD,
E> > since they are specific to our port (yep, the port has problems - see above paragraph).
E> >
E> This is not an argument but just whining.
E> Too much code in FreeBSD has that.

"Too much code in FreeBSD has that" is neither an excuse nor an argument.

E> > From my point of view the state of pf in FreeBSD is (was) a dead end. We don't
E> > modify it, since it isn't ours, but we hope that a new bulk import would fix problems.
E> >
E> > I hope that the new state of pf in FreeBSD would attract more developers to it. I
E> > have nothing against cherry-picking new features from OpenBSD (but
E> > taking into account the new multithreaded design). I have nothing against completely
E> > new features. I'd appreciate any attempt to reduce the number of PRs assigned to
E> > freebsd-pf@.
E> >
E> > T> Currently the common "pf-ecosystem" that we've always more-or-less
E> > T> shared with OpenBSD seems to be crumbling. If we are going to continue
E> > T> along our own "branch" of pf, with old syntax and SMP support, and who
E> > T> knows what else in the future, should we consider renaming it to avoid
E> > T> having two similar-but-not-identical firewalls with the same name ?
E> >
E> > Maybe it is worth renaming, I have nothing against this. But I don't
E> > think it is already time to rename right now. Now the only rewritten part
E> > is keys/states storage, all other code is shared with OpenBSD, however
E> > touched a lot.
E>
E> I would suggest this, and always would be for this,
E> since too much expected internal behavior has changed internally with
E> what I have seen on your project branch.
E>
E> People can test the renamed version and have an option to roll back to
E> the previous one.
E> After all you are saying that it's not pf yourself.

I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The OpenBSD-pf
port has proved to be poorly maintained. After the last import that was made by
you, at least the following regressions were introduced:

- enabling pfsync immediately panics
- kldunload pf.ko immediately panics

Hey, these aren't difficult-to-catch bugs that require a special setup or weeks
of catching a race condition. This is basic functionality, and panics are
evidence that the code wasn't tested properly.

Okay, we all ain't saints, and people make errors. But why weren't you promptly
fixing these errors? You just dropped many Kb of code into SVN (via bz@) and
then disappeared. Have you closed at least one PR in GNATS?

If you (or anyone else) really loves vanilla pf from OpenBSD, and if for you
the word "new" implies "better", then you should just install OpenBSD and enjoy
the newest pf available in the world.
--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 07:08:08 2012
From: Gleb Smirnoff
To: Ermal Luçi
Cc: pf@FreeBSD.org, net@FreeBSD.org
Date: Thu, 6 Sep 2012 11:08:06 +0400
Message-ID: <20120906070806.GM15915@glebius.int.ru>
References: <20120905115140.GF15915@FreeBSD.org>
Subject: Re: [HEADS UP] merging projects/pf into head

Ermal,

On Wed, Sep 05, 2012 at 10:09:23PM +0200, Ermal Luçi wrote:
E> It's good to see results on your work and it is good moving forward.
E> Claiming better behavior, under DoS or other comparison, without showing any data
E> or technical reason is a bit over this RFC.

Benchmarks by authors are always biased, thus I didn't boast about results.
Much better if benchmarking is performed by someone else. If you insist,
here is some data:

1) Casting UDP flood of 400k states in this simple setup:

   [box A] -> [pf] -> [blackhole]

On my particular box, head pf can forward 520 kpps and anything above
is lost. SMP-pf can do 980 kpps.

If we increase the number of states, results would be more dramatic. If we
make the load bidirectional (which is the case in 99%) results would be more
dramatic. Increasing the number of rx/tx threads (more NICs, or smarter NICs)
as well as increasing the number of CPUs would make results even more dramatic.

2) DoSes

Results are just empirical. At my job, when running old pf and
encountering a DoS attack, we usually notice that by bad web sites'
responsiveness, customers complaining, etc. The box under attack is
very unresponsive via ssh.

With new SMP-pf a DoS may come in and if it doesn't consume the entire
bandwidth it can be noticed only post-factum when looking at monitoring plots.

I'd appreciate if you perform benchmarking and testing. As said above,
results from the author are usually biased, but results from opponents
are more interesting.

E> > 1) Move pf out of contrib.
E> I do not see a reason behind this, any particular reason?

It is no longer contributed source, but source developed by the FreeBSD project.

E> > 2) Refactor the pfvar.h into pf.h and pf_var.h. Provide stable
E> > kernel<->pfctl ABI. And probably other clean up tasks.
E> Just this reason is a bit contradictory with 1) above!
E> Let alone what does this mean to the user?! Nothing?
E> They are after syntax stability, not breaking their machines on
E> upgrade, ABI is nothing to them.

Do you understand that "absence of stable ABI" == "breaking machines after
upgrade"? Right now, the structures supplied via ioctl() include many fields
that aren't related to the API, but are internal to the kernel. Any internal
kernel change breaks the ABI.
If new API structures are introduced, then we can do a lot of hacking on pf
in 11.0-CURRENT with the ability to safely merge changes to 10.0-STABLE.

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 10:40:53 2012
From: Damien Fleuriot
To: freebsd-pf@freebsd.org
Date: Thu, 6 Sep 2012 12:40:52 +0200
Subject: Including files in pf.conf
Hello list,

Is there any interest regarding the support of includes in PF's configuration ?

As in:
include /etc/pf/interfaces
include /etc/pf/timers
include /etc/pf/tables
...

I for one would dearly love such functionality.

In the meantime, I have taken to splitting our rulesets at work into
anchors, to have pseudo include files.

The sad part is, every time I want to change an option (for example the
TCP flags to match a rule) I have to do it in every anchor, like:
flags="flags S/SAFR"

Would this be of interest to anyone besides me ?

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 11:54:29 2012
Message-ID: <50488EE7.9020308@gibfest.dk>
Date: Thu, 06 Sep 2012 13:54:15 +0200
From: Thomas Steen Rasmussen
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Subject: Re: Including files in pf.conf

On 06-09-2012 12:40, Damien Fleuriot wrote:
> Would this be of interest to anyone besides me ?

Hello,

Yes, I would be interested. Sounds very nice for large
rulesets that can get a bit unmanageable in one file.

If possible, please support wildcard inclusion like:
"include /etc/pf/customers/*.conf"
- or something like that :)

Best regards,

Thomas Steen Rasmussen

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 12:14:12 2012
Message-ID: <504891FD.4040208@interazioni.it>
Date: Thu, 06 Sep 2012 14:07:25 +0200
From: "Tonix (Antonio Nati)"
To: freebsd-pf@freebsd.org
In-Reply-To: <50488EE7.9020308@gibfest.dk>
Subject: Re: Including files in pf.conf

On 06/09/2012 13:54, Thomas Steen Rasmussen wrote:
> On 06-09-2012 12:40, Damien Fleuriot wrote:
>> Would this be of interest to anyone besides me ?
> Hello,
>
> Yes, I would be interested. Sounds very nice for large
> rulesets that can get a bit unmanageable in one file.
>
> If possible, please support wildcard inclusion like:
> "include /etc/pf/customers/*.conf"
> - or something like that :)

It would be great to manage the order of inclusion...
00100_stop_hackers.conf before 00200_dns.conf.
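An added example, not code from this thread nor a pfctl feature: a hypothetical POSIX sh preprocessor that emulates the requested include directive, expanding a glob in the shell's sorted order (so 00100_stop_hackers.conf lands before 00200_dns.conf), following nested includes, and refusing to continue when a pattern matches nothing, since a silently dropped fragment would leave the ruleset more permissive than intended. The sample files in the demo are constructed.

```shell
#!/bin/sh
# pf_expand_includes: hypothetical "include" preprocessor for pf.conf,
# written for this thread; pfctl itself knows nothing about it.
# Each line of the form   include <path-or-glob>   (quotes optional) is
# replaced by the contents of the matching files in the shell's sorted
# glob order, so 00100_stop_hackers.conf is emitted before 00200_dns.conf.
# Nested includes are expanded recursively. A pattern matching no file
# is an error: dropping a fragment silently could lose a "block" rule.
pf_expand_includes() {
    local main pat f found line
    main=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
        "include "*)
            pat=${line#include }
            pat=${pat#\"}; pat=${pat%\"}    # strip optional double quotes
            found=0
            for f in $pat; do               # unquoted on purpose: glob expansion
                [ -f "$f" ] || continue
                found=1
                printf '# --- begin include %s ---\n' "$f"
                pf_expand_includes "$f" || return 1
                printf '# --- end include %s ---\n' "$f"
            done
            if [ "$found" -eq 0 ]; then
                printf 'pf_expand_includes: nothing matches "%s"\n' "$pat" >&2
                return 1
            fi
            ;;
        *)
            printf '%s\n' "$line"
            ;;
        esac
    done < "$main"
}

# Demo: constructed layout under a temp dir, expanded and then handed to
# pfctl -n (parse only, never loaded) when pfctl is available on this host.
pf_include_demo() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/customers"
    printf 'table <hackers> persist\nblock in quick from <hackers>\n' \
        > "$t/customers/00100_stop_hackers.conf"
    printf 'pass in proto { tcp udp } to port 53\n' > "$t/customers/00200_dns.conf"
    printf 'ext_if="em0"\ninclude "%s/customers/*.conf"\npass out on $ext_if\n' "$t" \
        > "$t/pf.conf"
    pf_expand_includes "$t/pf.conf" > "$t/expanded.conf" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$t/expanded.conf"
    fi
    cat "$t/expanded.conf"
    rm -rf "$t"
}
```

Run `pf_include_demo` to see the begin/end markers, which also tell you which fragment a later pfctl parse error came from.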
Regards,

Tonino

> Best regards,
>
> Thomas Steen Rasmussen

--
------------------------------------------------------------
        Inter@zioni            Interazioni di Antonio Nati
   http://www.interazioni.it      tonix@interazioni.it
------------------------------------------------------------

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 08:02:49 2012
In-Reply-To: <20120906064640.GL15915@glebius.int.ru>
References: <20120905115140.GF15915@FreeBSD.org>
<50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> Date: Fri, 7 Sep 2012 10:02:47 +0200 X-Google-Sender-Auth: NvZPFMKP7SUuloSX92B9yl48Gm4 Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Gleb Smirnoff Content-Type: text/plain; charset=ISO-8859-1 Cc: pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 08:02:49 -0000 On Thu, Sep 6, 2012 at 8:46 AM, Gleb Smirnoff wrote: > Ermal, > > On Wed, Sep 05, 2012 at 10:02:17PM +0200, Ermal Lu?i wrote: > E> as already shared with you the opinion the new 're-arrangement' of > E> data structure together with new syntax > E> is more helpful to SMP in general, so complementary to this work. > E> As the person who has done most of the work on last import of pf form > E> OpenBSD, so you > E> can say knowledgeable about the internals of it, will still recommend > E> the new syntax. > E> - No more multiple rulesets is the single biggest reason. > > The new or old syntax is completely orthogonal to SMP. The SMP scalability > is all about the storage, not about rulesets. > > I have looked into newer OpenBSD and their new pf modifies rulesets from > the forwarding path more then pf-4.5 did, thus it is not "more helpful > to SMP in general", but the opposite. > > E> > Bulk imports are no longer possible (unless one wants to ruin all my work). > E> > We have had some pain with bulk imports. The last one, for example, have > E> > broken pfsync completely. > E> > > E> > First, imports were made with focus on minimizing diff to OpenBSD. Code was > E> > made compilable on FreeBSD and somehow working. 
But the operating systems have > E> > diverged very much in the last 15 years, and thus quality porting requires more > E> > than just making it compile. For example, OpenBSD runs network stack under splnet(9). > E> > They can run ip_output() anywhere in the network stack (except ip_output() > E> > itself, heh). We can't since that would make lock order reversals. This was just > E> > one example, but believe me, there are many more. All these peculiarities were worked > E> > out correctly in my branch. So, this branch is not about SMP scalability only, > E> > this is a better port of pf to FreeBSD. > E> > > E> > E> This is more an issue of FreeBSD rather than OpenBSD per se. > E> pf(4) has survived with code sharing so far quite well and I have seen > E> nothing in your project branch that does a better job at this. > > I'd prefer not survival for the pf, but robustness and performance :) > > Let me number the most important things in my project branch that do a better job: > > - safely decoupled stack when sending generated packets: pf_send_tcp(), pf_send_icmp() > - safely decoupled stack when sending pfsync(4) deferrals > - safely removed the "pfugidhack" > - provided correct locking in pf_route(), pf_route6() > - offloaded the "flush" functionality to a taskqueue > - removed unsafe lock dropping before malloc(9), or unsafe entering malloc(M_WAITOK) > with locks held > - removed unsafe lock dropping before copyin(9)/copyout(9) > > E> > Second, the imported code (what we have now in head) is polluted with zillions of > E> > ifdefs and is difficult to read even by the person who wrote it. Any other > E> > developer runs away in fear when he faces that. This ends up with no one willing > E> > to fix open problem reports. We have now 53 PRs assigned to freebsd-pf@. They are > E> > rotting and no one takes them. Most of these PRs can't be forwarded to OpenBSD, > E> > since they are specific to our port (yep, port has problems - see above paragraph). 
> E> > > E> This is not an argument but just whining. > E> Too much code in FreeBSD has that. > > "Too much code in FreeBSD has that" is neither an excuse nor an argument. > > E> > From my point of view the state of pf in FreeBSD is (was) a dead end. We don't > E> > modify it, since it isn't ours, but we hope that new bulk import would fix problems. > E> > > E> > I hope that new state of pf in FreeBSD would attract more developers to it. I > E> > have nothing against cherry-picking new features from OpenBSD (but > E> > taking into account new multithreaded design). I have nothing against completely > E> > new features. I'd appreciate any attempt to reduce the number of PRs assigned to > E> > freebsd-pf@. > E> > > E> > T> Currently the common "pf-ecosystem" that we've always more-or-less > E> > T> shared with OpenBSD seems to be crumbling. If we are going to continue > E> > T> along our own "branch" of pf, with old syntax and SMP support, and who > E> > T> knows what else in the future, should we consider renaming it to avoid > E> > T> having two similar-but-not-identical firewalls with the same name? > E> > > E> > Maybe it is worth renaming, I have nothing against this. But I don't > E> > think it is already time to rename right now. Now the only rewritten part > E> > is keys/states storage, all other code is shared with OpenBSD, however > E> > touched a lot. > E> > E> I would suggest this, and always would be for this, > E> since too much expected internal behavior has changed internally with > E> what I have seen on your project branch. > E> > E> People can test the renamed version and have an option to roll back to > E> the previous one. > E> After all you are saying that it's not pf yourself. > > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The OpenBSD-pf > port has proved to be poorly maintained. 
After the last import that was made > by you, at least the following regressions were introduced: > > - enabling pfsync immediately panics > - kldunload pf.ko immediately panics > Going to personal attacks shows your willingness to discuss as a civilized person. Though that does not mean anything in the sense that bugs are there to be found by testers. If you have not found out yet, testers for something that people take for granted as firewalls are scarce in general. Something that has been learnt from history is that people want software X to be compatible with software Y from where it came from. They are not interested in X to use the same rules but hey, it's different from Y because of Z. > Hey, these aren't difficult-to-catch bugs, that require special setup > or weeks of catching a race condition. This is basic functionality, and panics > are evidence that code wasn't tested properly. Okay, we all ain't saints, and > people make errors. But why weren't you promptly fixing these errors? You just > dropped many Kb of code into SVN (via bz@) and then disappeared. Have you closed > at least one PR in GNATS? > AFAIK I fixed any reported panics on freebsd-pf list. I did not even go the PR route because I had other plans which $DAYLIFE/WORK still have not allowed to pursue. Furthermore, there is nothing guaranteeing that you will not do the same, or have the same bugs in a different fashion, i.e. VIMAGE/VNET?!. Just because you are doing work right now and are the only one behind these changes, AFAIK, does not mean it's a long-term partnership or that you will provide a better SLA on this part. As a last comment on this: Keeping your patched pf, which is still contrib software btw, under a new name for one RELEASE cycle makes sure that nothing breaks during this period. You and I will never be able to run all the tests needed for such a critical subsystem because we cannot have all those environments in one place. 
This is just to avoid having to deal with critical bugs as you have pointed out before just after a RELEASE. > If you (or anyone else) really loves vanilla pf from OpenBSD, and if for you > word "new" implies "better" then you should just install OpenBSD and enjoy > the newest pf available in the world. > There is only one reply to this but I will spare the public list, sorry. -- Ermal From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 08:53:22 2012 Return-Path: Delivered-To: pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B4D31065670; Fri, 7 Sep 2012 08:53:22 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.64.117]) by mx1.freebsd.org (Postfix) with ESMTP id 863498FC0C; Fri, 7 Sep 2012 08:53:21 +0000 (UTC) Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.5/8.14.5) with ESMTP id q878rE9T046045; Fri, 7 Sep 2012 12:53:14 +0400 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.5/8.14.5/Submit) id q878rEbv046044; Fri, 7 Sep 2012 12:53:14 +0400 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Fri, 7 Sep 2012 12:53:14 +0400 From: Gleb Smirnoff To: Ermal Luçi Message-ID: <20120907085314.GC44854@glebius.int.ru> References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Cc: pf@FreeBSD.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 08:53:22 -0000 Ermal, On Fri, Sep 07, 2012 at 10:02:47AM +0200, Ermal Luçi wrote: E> > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The OpenBSD-pf E> > port has proved to be poorly maintained. After the last import that was made E> > by you, at least the following regressions were introduced: E> > E> > - enabling pfsync immediately panics E> > - kldunload pf.ko immediately panics E> > E> Going to personal attacks shows your willingness to discuss as a civilized person. E> Though that does not mean anything in the sense that bugs are there to E> be found by testers. Subtle and difficult to catch bugs are to be found by testers. Bugs that show up immediately after a subsystem has been started shouldn't make their way to SVN. Even if I agree with you that an immediate crash on enabling pfsync should have been found not by you, but by a random FreeBSD-CURRENT user, then the next question would be: who is responsible to fix it? Let's look... A random user hits the panic and submits kern/159029. Who fixed that? Why not you? And here I am not picking at a certain exclusive bug that you missed. The bulk import of pf-4.5 was followed by dozens of bug fixes, most of which were done by bz@, pluknet@ and me. E> If you have not found out yet, testers for something that people take E> for granted as firewalls are scarce in general. Mistake. There are some people who run my branch prior to its merge to head. More people than I expected. E> Something that has been learnt from history is that people want E> software X to be compatible with software Y from where it came from. E> They are not interested in X to use the same rules but hey, it's E> different from Y because of Z. From what I see, there is another rule in FreeBSD. FreeBSD-N should be compatible not with OpenBSD-M, but with FreeBSD-(N-1). And the idea to bring new syntax is breaking this rule. 
Hasn't this been discussed before importing pf-4.5? E> > Hey, these aren't difficult-to-catch bugs, that require special setup E> > or weeks of catching a race condition. This is basic functionality, and panics E> > are evidence that code wasn't tested properly. Okay, we all ain't saints, and E> > people make errors. But why weren't you promptly fixing these errors? You just E> > dropped many Kb of code into SVN (via bz@) and then disappeared. Have you closed E> > at least one PR in GNATS? E> E> AFAIK I fixed any reported panics on freebsd-pf list. False. During the 9.0-RELEASE release cycle, linimon@ had thoroughly assigned all new pf bugs to freebsd-pf@ list. You took none of them. E> I did not even go the PR route because I had other plans which E> $DAYLIFE/WORK still have not allowed to pursue. E> Furthermore, there is nothing guaranteeing that you will not do the E> same, or have the same bugs in a different fashion, i.e. VIMAGE/VNET?!. E> Just because you are doing work right now and are the only one behind E> these changes, AFAIK, does not mean it's a long-term partnership E> or that you will provide a better SLA on this part. Agreed. I may go away from pf in the future. But in this case I won't pretend that I'm still its maintainer and block other people willing to work. -- Totus tuus, Glebius. 
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 09:34:53 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BFB741065672; Fri, 7 Sep 2012 09:34:53 +0000 (UTC) (envelope-from ianf@clue.co.za) Received: from zcs04.jnb1.cloudseed.co.za (zcs04.jnb1.cloudseed.co.za [41.154.0.161]) by mx1.freebsd.org (Postfix) with ESMTP id 48BC58FC12; Fri, 7 Sep 2012 09:34:53 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zcs04.jnb1.cloudseed.co.za (Postfix) with ESMTP id D5CCB2A82A76; Fri, 7 Sep 2012 11:26:24 +0200 (SAST) X-Virus-Scanned: amavisd-new at zcs04.jnb1.cloudseed.co.za Received: from zcs04.jnb1.cloudseed.co.za ([127.0.0.1]) by localhost (zcs04.jnb1.cloudseed.co.za [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0xi8-TfXzFx; Fri, 7 Sep 2012 11:26:24 +0200 (SAST) Received: from clue.co.za (l2tp.clue.co.za [41.154.88.20]) by zcs04.jnb1.cloudseed.co.za (Postfix) with ESMTPSA id CEF972A829F8; Fri, 7 Sep 2012 11:26:23 +0200 (SAST) Received: from localhost ([127.0.0.1] helo=clue.co.za) by clue.co.za with esmtp (Exim 4.80 (FreeBSD)) (envelope-from ) id 1T9upR-0000bK-SI; Fri, 07 Sep 2012 11:26:21 +0200 To: =?ISO-8859-1?Q?Ermal_Lu=E7i?= From: Ian FREISLICH In-Reply-To: References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> X-Attribution: BOFH Date: Fri, 07 Sep 2012 11:26:21 +0200 Message-Id: Cc: pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 09:34:53 -0000 > > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. 
The > > OpenBSD-pf port has proved to be poorly maintained. After the last > > import that was made by you, at least the following regressions were > > introduced: > > > > - enabling pfsync immediately panics > > - kldunload pf.ko immediately panics > > Going to personal attacks shows your willingness to discuss as a civilized > person. Though that does not mean anything in the sense that bugs are > there to be found by testers. I don't think Gleb is being personal about this. Facts are facts and pf is currently unusable for me, even at home because of spuriously dropped packets. From my point of view as a user, the FreeBSD pf port is unmaintained. I'm sorry if you find this observation offensive. It seems like the only fixes available are to import a new pf from OpenBSD. There are structural issues that need to be addressed to make it work properly on FreeBSD and Gleb has done that. We're struggling with an issue that appears to be a "forever problem" - the "pf: state key linking mismatch" which affects pf as far back as we've been prepared to test (FreeBSD-8.0). Although it only became visible in the logs in -CURRENT before 9-RELEASE with the pf import then. It manifests as connections stalling randomly. There's not been a fix since it was first reported. We're seeing 0.08% of our connections dropped on the floor or about 4 per second. As a result, we've been seriously considering replacing our FreeBSD routers. > If you have not found out yet, testers for something that people take > for granted as firewalls are scarce in general. Testing this stuff is hard because it's very difficult to simulate a production environment outside of the production environment. People generally don't want production to break. 
Ian -- Ian Freislich From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 11:02:42 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 11E4C106564A; Fri, 7 Sep 2012 11:02:42 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-bk0-f54.google.com (mail-bk0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 58E7D8FC0A; Fri, 7 Sep 2012 11:02:40 +0000 (UTC) Received: by bkcje9 with SMTP id je9so1425035bkc.13 for ; Fri, 07 Sep 2012 04:02:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=zKH0iecPgfuMiDnd5rczohO4TqY9KlAk/YeND6/DawA=; b=0nIvL6747SZSyuwuQWKCVDRTOlvGYecAJkM7iihbGnF8RvyJBuwkv0KbxdAfzHoYM1 bQHeamrKndF7AL35JDvMXXWDmz7d3c+4hHBWrrbL1ArXFBUrS7J2S4HHDhYyVDj//jM6 nndCBIFVldBO8RExLc9+ELtjC+EFAxCO6ITF/0zmq84UbpO52K8d8HXFVu51LVuTJl5q +5sW7tI9vyuAARbx509qrDNvG80/HYu3Z1KysJi/0sMwa+QRoZFzuVH1gHl4oyNisyLN i4q4vZosghGROaHGh7ux5jXY960J0ayU+uASzgBs7yIfmWdr7nvoZ6nCMa4fXK3pGh0G CNmA== MIME-Version: 1.0 Received: by 10.205.126.15 with SMTP id gu15mr2380254bkc.134.1347015759204; Fri, 07 Sep 2012 04:02:39 -0700 (PDT) Sender: ermal.luci@gmail.com Received: by 10.204.48.194 with HTTP; Fri, 7 Sep 2012 04:02:39 -0700 (PDT) In-Reply-To: References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> Date: Fri, 7 Sep 2012 13:02:39 +0200 X-Google-Sender-Auth: OytfGPVJVoeOkldooxNkmriA25k Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Ian FREISLICH Content-Type: text/plain; charset=ISO-8859-1 Cc: pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general 
questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 11:02:42 -0000 Hello Ian, On Fri, Sep 7, 2012 at 11:26 AM, Ian FREISLICH wrote: >> > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The >> > OpenBSD-pf port have proved to be poorly maintained. After last >> > import that was made by you, at least the following regressions were >> > introduced: >> > >> > - enabling pfsync immediately panics >> > - kldunload pf.ko immediately panics >> >> Going to personal attacks shows your willing to discuss as civilized >> person. Though that does not mean anything in the sense that bugs are >> there to be found by testers. > > I don't think Gleb is is being personal about this. Facts are > facts and pf is currently unusable for me, even at home because > of spuriously dropped packets. > I have missed this in the freebsd-pf lists! I know of many things to be fixed in general in pf(4), since i mostly fixed them already for pfSense. Pushing some of those fixes in FreeBSD has mostly been delayed from $WORK or workflow to follow for putting those fixes in FreeBSD. FYI, i still have maintainer approval to go through. > From my point of view as a user, the FreeBSD pf port is unmaintained. > I'm sorry if you find this observation offensive. It seems like > only fixes available are to import a new pf from OpenBSD. There > are structural issues that need to be addressed to make it work > properly on FreeBSD and Gleb has done that. > This problem is not very related to this since there is no improvement in this regard from what Gleb proposes. > We're stuggling with an issue that appears to be a "forever problem" > - the "pf: state key linking mismatch" which affects pf as far back > as we've been prepared to test (FreeBSD-8.0). Although it only > became visible in the logs in -CURRENT before 9-RELEASE with the > pf import then. It manifests as connections stalling randomly. 
> This has been an issue since the new pf(4) import. It mostly comes from mbuf reuse and improper cleanup of mbuf tags. Some fixes were done already in FreeBSD, some come from Gleb's commit making pf(4) tags persistent, some have yet to be found. > There's not been a fix since it was first reported. We're seeing > 0.08% of our connections dropped on the floor or about 4 per second. > As a result, we've been seriously considering replacing our FreeBSD > routers. I have missed the report of this, can you point to details? > >> If you have not found out yet, testers for something that people take >> for granted as firewalls are scarce in general. > > Testing this stuff is hard because it's very difficult to simulate > a production environment outside of the production environment. > People generally don't want production to break. > > Ian > > -- > Ian Freislich -- Ermal From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 12:05:18 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EA3621065689; Fri, 7 Sep 2012 12:05:17 +0000 (UTC) (envelope-from ianf@clue.co.za) Received: from zcs04.jnb1.cloudseed.co.za (zcs04.jnb1.cloudseed.co.za [41.154.0.161]) by mx1.freebsd.org (Postfix) with ESMTP id 06C358FC15; Fri, 7 Sep 2012 12:05:16 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zcs04.jnb1.cloudseed.co.za (Postfix) with ESMTP id 688822A82A8B; Fri, 7 Sep 2012 14:05:14 +0200 (SAST) X-Virus-Scanned: amavisd-new at zcs04.jnb1.cloudseed.co.za Received: from zcs04.jnb1.cloudseed.co.za ([127.0.0.1]) by localhost (zcs04.jnb1.cloudseed.co.za [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0taU1UGM5gGR; Fri, 7 Sep 2012 14:05:13 +0200 (SAST) Received: from clue.co.za (l2tp.clue.co.za [41.154.88.20]) by zcs04.jnb1.cloudseed.co.za (Postfix) with ESMTPSA id 4D64D2A829F8; Fri, 7 Sep 2012 14:05:13 +0200 (SAST) Received: from localhost ([127.0.0.1] helo=clue.co.za) by 
clue.co.za with esmtp (Exim 4.80 (FreeBSD)) (envelope-from ) id 1T9xJ9-0000pZ-Mg; Fri, 07 Sep 2012 14:05:11 +0200 To: =?ISO-8859-1?Q?Ermal_Lu=E7i?= From: Ian FREISLICH In-Reply-To: References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> X-Attribution: BOFH Date: Fri, 07 Sep 2012 14:05:11 +0200 Message-Id: Cc: pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 12:05:18 -0000 Ermal Luçi wrote: > > - the "pf: state key linking mismatch" which affects pf as far back > > as we've been prepared to test (FreeBSD-8.0). Although it only > > became visible in the logs in -CURRENT before 9-RELEASE with the > > pf import then. It manifests as connections stalling randomly. > > > This has been an issue since the new pf(4) import. My contention is that this issue is also present in earlier pf. 
It's just not logged verbosely:

[firewall1.jnb1] ~ # uname -a
FreeBSD firewall1.jnb1.gp-online.net 8.1-RELEASE FreeBSD 8.1-RELEASE #23: Tue Aug 7 20:21:54 SAST 2012 ianf@firewall1.jnb1.gp-online.net:/usr/obj/usr/src/sys/FIREWALL amd64
[firewall1.jnb1] ~ # pfctl -s info
Status: Enabled for 30 days 16:27:26              Debug: Urgent

State Table                          Total             Rate
  current entries                   377102
  searches                    126189706387        47596.4/s
  inserts                       6358571792         2398.3/s
  removals                      6358194690         2398.2/s
Counters
  match                        23798723897         8976.4/s
  bad-offset                             0            0.0/s
  fragment                           29807            0.0/s
  short                              76362            0.0/s
  normalize                            234            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                          78290            0.0/s
  proto-cksum                     11023818            4.2/s
  state-mismatch                   4799367            1.8/s
  state-insert                       75295            0.0/s
  state-limit                           22            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Every time the state-mismatch counter increments, the connection stalls. This manifests as web pages needing to be reloaded sometimes in order to complete downloading, or ssh connections being reset. While 4799367 is a small fraction of the total searches, the chance of your flow being bitten is multiplied by each hop through a FreeBSD router running pf. While composing this email, the state-mismatch counter increased by 11589. We don't see this issue at all with Gleb's patches applied and forwarding performance is greatly improved. Whatever happens I'd like a way forward to be found because pf deployed at the scale we're using it is unusable post 2011-06-28 (and not ideal before). > > There's not been a fix since it was first reported. We're seeing > > 0.08% of our connections dropped on the floor or about 4 per second. > > As a result, we've been seriously considering replacing our FreeBSD > > routers. > > I have missed the report of this, can you point to details? http://www.freebsd.org/cgi/query-pr.cgi?pr=163208 Comes to mind. I'm sure there were some earlier reports, but I can't find them in a hurry. I'm also pretty sure there have been reports on current@. 
I posted to current@ http://www.freebsd.org/cgi/getmsg.cgi?fetch=164206+169604+/usr/local/www/db/text/2012/freebsd-current/20120812.freebsd-current Which is how I came to this list on mail from Gleb. I can tell you that this is not peculiar to 9 and later. pf pre-9 was just silent about dropping the flows although the problem occurs less frequently. Ian -- Ian Freislich From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 13:40:26 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3DC2D106564A for ; Fri, 7 Sep 2012 13:40:26 +0000 (UTC) (envelope-from tom@claimlynx.com) Received: from na3sys009aog133.obsmtp.com (na3sys009aog133.obsmtp.com [74.125.149.82]) by mx1.freebsd.org (Postfix) with ESMTP id BBFF68FC08 for ; Fri, 7 Sep 2012 13:40:25 +0000 (UTC) Received: from mail-yx0-f182.google.com ([209.85.213.182]) (using TLSv1) by na3sys009aob133.postini.com ([74.125.148.12]) with SMTP ID DSNKUEn5Q7cyf+kJ5DHQtQBwFtpMDlWvQjkF@postini.com; Fri, 07 Sep 2012 06:40:25 PDT Received: by yenl7 with SMTP id l7so551727yen.13 for ; Fri, 07 Sep 2012 06:40:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:x-gm-message-state; bh=0V/IlIcO8t5qFAxQz4KqRBAsCaKfnjEEla8UxlSIfoQ=; b=akeOPtPTS15yDo5sQUWeFIUVNvN28jAibvvnAM8iQU+Naytxv2wuXn3jH8BMitg/iQ 7abVGVjN/gNDQBRC922B5GOGYhXYmEA5YBxoxkc8dBqKyud3rAZomBBDlA+W3H1IJmWw 2fC1r+ixLq7XtUkeB1etqTLlyMsMMM/+a42+uUnIyjKOWs0UZOmsAXAaYhJSLnevtBdR 5ycqhTWWxewk92+TdkkrQSt1vDDRZR11DG+t2jzBFGDXs+hy0Ge7pLorcU2plzfwB2vi 3Uh/hOazp/axYWX1DarqdWmQ6GUN/KJM9R0SlrLDJj4lxAZ/hL0lOu77/9uAGd2yapQw eKdA== MIME-Version: 1.0 Received: by 10.58.106.4 with SMTP id gq4mr7880809veb.35.1347025218962; Fri, 07 Sep 2012 06:40:18 -0700 (PDT) Received: by 10.58.14.133 with HTTP; Fri, 7 Sep 2012 06:40:18 -0700 (PDT) In-Reply-To: 
References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> Date: Fri, 7 Sep 2012 08:40:18 -0500 Message-ID: From: Thomas Johnson To: freebsd-pf@freebsd.org X-Gm-Message-State: ALoCoQl6paZxSMITa76KanqGNU84Z0ZAIcZ1eR2w5FhLP48PVLaFiELIB3bEwo7vgZ5GqqOqTaJB Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 13:40:26 -0000 From a strictly end-user perspective, I can say that we have been eagerly awaiting a new port of the OpenBSD/pf code. We have immediate applications for a number of the newish features, 'match' support in particular. We have investigated switching to OpenBSD, but we really like our homogeneous FreeBSD environment. That being said, Gleb's performance changes are intriguing. The fact of the matter is that we are getting along alright without the new goodies, and we would like to get some more mileage out of our existing routing gear. My pf-envy really only gets really bad for the month surrounding BSDCan :-) On Wed, Sep 5, 2012 at 1:36 PM, Gleb Smirnoff wrote: > > > What's bad with "getting stuck" with old syntax? I personally don't have > any problems with it. I have had problems with performance, however. > -- Thomas Johnson ClaimLynx, Inc. 
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 14:48:09 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 09F2E1065676 for ; Fri, 7 Sep 2012 14:48:08 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from rush.bluerosetech.com (rush.bluerosetech.com [199.48.134.58]) by mx1.freebsd.org (Postfix) with ESMTP id 9AF208FC1B for ; Fri, 7 Sep 2012 14:48:08 +0000 (UTC) Received: from vivi.cat.pdx.edu (vivi.cat.pdx.edu [IPv6:2610:10:20:214::6]) by rush.bluerosetech.com (Postfix) with ESMTPSA id AFECC1141D; Fri, 7 Sep 2012 07:48:02 -0700 (PDT) Received: from [127.0.0.1] (remote230.cecs.pdx.edu [131.252.222.230]) by vivi.cat.pdx.edu (Postfix) with ESMTPSA id CBF3C24CDB; Fri, 7 Sep 2012 07:48:01 -0700 (PDT) Message-ID: <504A0927.4060805@bluerosetech.com> Date: Fri, 07 Sep 2012 07:48:07 -0700 From: Darren Pilgrim User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.6esrpre) Gecko/20120713 Thunderbird/10.0.6 MIME-Version: 1.0 To: Damien Fleuriot References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: Including files in pf.conf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 14:48:09 -0000 On 2012-09-06 03:40, Damien Fleuriot wrote: > Is there any interest regarding the support of includes in PF's configuration? Pf already supports loading tables and anchors from file. Can you expand a bit on what you want to do? 
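As an added illustration of the two mechanisms Darren refers to (this is example configuration written for this archive, not part of his reply or of the pf project's documentation), the fragment below keeps a table's contents and an anchor's rules in separate files. The interface name, the table and anchor names, and the file paths are assumptions chosen for the example.

```pf
# /etc/pf.conf  (added example; interface, names and paths are assumptions)
ext_if = "em0"

# Table whose members come from a file of addresses or CIDR blocks, one
# per line.  'persist' keeps the table defined even when no rule
# currently references it, so it can be refreshed independently.
table <blocklist> persist file "/etc/pf/blocklist.txt"

# Evaluate the blocklist before the anchor: anchors are evaluated in
# place, and the 'quick' pass rules inside the anchor below would
# otherwise short-circuit this block for a listed source.
block in quick on $ext_if from <blocklist>

# Rules kept in a separate file: declare the anchor, then have pfctl
# load that file into it whenever pf.conf itself is loaded.
anchor "services"
load anchor "services" from "/etc/pf/services.conf"

# ----- /etc/pf/services.conf (contents, loaded into the anchor) -----
# Macros from the main file are not visible here, hence the literal
# interface name.
#
# pass in quick on em0 inet proto tcp to port 22 keep state
# pass in quick on em0 inet proto tcp to port { 80 443 } keep state
```

`pfctl -nf /etc/pf.conf` parses the main file and the anchor file without loading anything, which is the check to run before a reload. Once loaded, the table and the anchor can each be replaced without touching the main ruleset: `pfctl -t blocklist -T replace -f /etc/pf/blocklist.txt` and `pfctl -a services -f /etc/pf/services.conf`.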
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 16:32:39 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 22420106564A for ; Fri, 7 Sep 2012 16:32:39 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) by mx1.freebsd.org (Postfix) with ESMTP id CF4978FC0A for ; Fri, 7 Sep 2012 16:32:38 +0000 (UTC) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1TA1Tz-0006EJ-AE for freebsd-pf@freebsd.org; Fri, 07 Sep 2012 18:32:39 +0200 Received: from 208.85.208.53 ([208.85.208.53]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 07 Sep 2012 18:32:39 +0200 Received: from atkin901 by 208.85.208.53 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 07 Sep 2012 18:32:39 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-pf@freebsd.org From: Mark Atkinson Date: Fri, 07 Sep 2012 09:32:25 -0700 Lines: 12 Message-ID: References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: 208.85.208.53 User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:15.0) Gecko/20120904 Thunderbird/15.0 In-Reply-To: <20120905183607.GI15915@glebius.int.ru> X-Enigmail-Version: 1.4.3 Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 16:32:39 -0000 On 09/05/2012 11:36, Gleb Smirnoff wrote: > What's bad with "getting stuck" with old syntax? 
I personally don't > have any problems with it. I have had problems with performance, > however. Just as an aside, is there a decent set of stable web docs for FreeBSD's current syntax? I'm constantly burned when I try to look something up (because it isn't working like I expect) and all I find is the new, sexy syntax with all its quick 'match' operators and their ilk. From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 17:44:04 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1BBAF106564A for ; Fri, 7 Sep 2012 17:44:04 +0000 (UTC) (envelope-from tom@claimlynx.com) Received: from na3sys009aog123.obsmtp.com (na3sys009aog123.obsmtp.com [74.125.149.149]) by mx1.freebsd.org (Postfix) with ESMTP id 968CB8FC0A for ; Fri, 7 Sep 2012 17:44:03 +0000 (UTC) Received: from mail-gg0-f182.google.com ([209.85.161.182]) (using TLSv1) by na3sys009aob123.postini.com ([74.125.148.12]) with SMTP ID DSNKUEoyYvrs2QIAfNxYN6oeOh2ikI/sad2Z@postini.com; Fri, 07 Sep 2012 10:44:03 PDT Received: by ggnk4 with SMTP id k4so671890ggn.13 for ; Fri, 07 Sep 2012 10:44:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=MeGut7zoP4HMd9+ZPX9EwnlRjuzGXVYC3OeVIXe+sb8=; b=MTuPPgiiIqwhU8+FX/VU2Ch0/1R5sQNImgY9cAI7JVhrU+b44CCEvXUQyKkTr5FyQE cbvDS28o3Lb8X6oqexlMZv7hSEMxsZfAPwb+5uJ+zfJc+eeH8is5NOt5UZcuMGE21ofB hvnBgJGhxB7KwROYgTe4vIEkD1xG8dHnb3iWfKgbQq0hRgHvhTHLo7SU14wAUzGYGl2s 00cVajLaeP8eNmm51No63wEKLMnz8rbd7K3am4HpTXFs/4ly6kkLVXrjxMR3V0UnJBGI Phcd1j77zGVSRtJF2lDyFtKU4Dtly6dnlfHLUzVUKS+Vw8NfTizDH1E+1R3oyu+4ENYO LmrQ== MIME-Version: 1.0 Received: by 10.221.10.81 with SMTP id oz17mr7041603vcb.67.1347024535261; Fri, 07 Sep 2012 06:28:55 -0700 (PDT) Received: by 10.58.14.133 with HTTP; Fri, 7 Sep 2012 06:28:55 -0700 (PDT) In-Reply-To: 
<20120905183607.GI15915@glebius.int.ru> References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> Date: Fri, 7 Sep 2012 08:28:55 -0500 Message-ID: From: Thomas Johnson To: Gleb Smirnoff X-Gm-Message-State: ALoCoQmE9Ur0aRhtsRxooADQGKXRC/oR3B39CgDsyPGPxKiy8ShWjO9pI/LLZukDY3lpUOhRFpqw Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: pf@freebsd.org, Cron Daemon Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 17:44:04 -0000 >From a strictly end-user perspective, I can say that we have been eagerly awaiting a new port of the OpenBSD/pf code. We have immediate applications for a number of the newish features, 'match' support in particular. We have investigated switching to OpenBSD, but we really like our homogenous FreeBSD environment. That being said, Gleb's performance changes are intriguing. The fact of the matter is that we are getting along alright without the new goodies, and we would like to get some more mileage out of our existing routing gear. My pf-envy really only gets really bad for the month surrounding BSDCan :-) On Wed, Sep 5, 2012 at 1:36 PM, Gleb Smirnoff wrote: > > > What's bad with "getting stuck" with old syntax? I personally don't have > any problems with it. I have had problems with performance, however. > -- Thomas Johnson ClaimLynx, Inc. 
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 18:15:56 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6F6F3106564A; Fri, 7 Sep 2012 18:15:56 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by mx1.freebsd.org (Postfix) with ESMTP id C03768FC0A; Fri, 7 Sep 2012 18:15:55 +0000 (UTC) Received: by eeke52 with SMTP id e52so1514548eek.13 for ; Fri, 07 Sep 2012 11:15:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=FAKiOZce5SrraQfG34RrYnhVHo5WRGjfLg0ZcFGCpcQ=; b=tsLbQoFyFQicWyB2N1YhjhUdPvsZDseN7Wp3sThGvdB2aKoBrP5J5oAhMbEdB8+LSX cCCJtBgWuUoM9C8egdqYAzJsOtQxhoiKxIYq21Qe9s/g5FT1cEKsy31BXMvb5cQSxM5r ZxLhi2B6Cd3gO9rTUXvrZwG/rZG6rl1MGFaIwSAl2Vi0s14cOFfPPxosDDb5jGWERjUW bGY7TiVwlTMIhoZRUPLbB/DLUeHjmRLoAHKZu3AkKA06g63oW9+DzbI6BSsoxcryvtkn V30bkfMXcmbFPv+o8ZmyYhHIGNnNgjSwgt9a00b7Pb2syDxyFuzmAY2MvLmKN4kNBOez ZPTg== MIME-Version: 1.0 Received: by 10.205.139.6 with SMTP id iu6mr3086132bkc.20.1347041754430; Fri, 07 Sep 2012 11:15:54 -0700 (PDT) Sender: ermal.luci@gmail.com Received: by 10.204.48.194 with HTTP; Fri, 7 Sep 2012 11:15:54 -0700 (PDT) In-Reply-To: References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> Date: Fri, 7 Sep 2012 20:15:54 +0200 X-Google-Sender-Auth: Wx3FYmsIHLWp0RLK8tmNO4UMg7k Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Ian FREISLICH Content-Type: text/plain; charset=ISO-8859-1 Cc: pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter 
\(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 18:15:56 -0000 On Fri, Sep 7, 2012 at 2:05 PM, Ian FREISLICH wrote: > =?ISO-8859-1?Q?Ermal_Lu=E7i?= wrote: >> > - the "pf: state key linking mismatch" which affects pf as far back >> > as we've been prepared to test (FreeBSD-8.0). Although it only >> > became visible in the logs in -CURRENT before 9-RELEASE with the >> > pf import then. It manifests as connections stalling randomly. >> > >> This has been an issue since new pf(4) import. > > My contention is that this issue is also present in earlier pf. > It's just not logged verbosely: > > [firewall1.jnb1] ~ # uname -a > FreeBSD firewall1.jnb1.gp-online.net 8.1-RELEASE FreeBSD 8.1-RELEASE #23: Tue Aug 7 20:21:54 SAST 2012 ianf@firewall1.jnb1.gp-online.net:/usr/obj/usr/src/sys/FIREWALL amd64 > [firewall1.jnb1] ~ # pfctl -s inf > Status: Enabled for 30 days 16:27:26 Debug: Urgent > > State Table Total Rate > current entries 377102 > searches 126189706387 47596.4/s > inserts 6358571792 2398.3/s > removals 6358194690 2398.2/s > Counters > match 23798723897 8976.4/s > bad-offset 0 0.0/s > fragment 29807 0.0/s > short 76362 0.0/s > normalize 234 0.0/s > memory 0 0.0/s > bad-timestamp 0 0.0/s > congestion 0 0.0/s > ip-option 78290 0.0/s > proto-cksum 11023818 4.2/s > state-mismatch 4799367 1.8/s > state-insert 75295 0.0/s > state-limit 22 0.0/s > src-limit 0 0.0/s > synproxy 0 0.0/s > > Every time the state-mismatch counter increments, the connection > stalls. This manifests as as web pages needing to be reloaded > sometimes in order to complete downloading, or ssh connections being > reset. While 4799367 is a small fraction of the total searches, > the chance of your flow being bitten is multiplied by each hop > through a FreeBSD router running pf. While composing this email, > the state-mismatch counter increased by 11589. > This is not enough information to debug anything. 
- Please post your ruleset - A dump of your state table at the time - Describe your environment to allow understanding - Any kind of routing related - Tcpdump would be helpful as well Normally this issue, should exist in Gleb repo even though you are not facing it loudly. Nothing has changed in Gleb's repo related to this behaviour apart not having the linked state functionality(right?), which as you say does not seem the source of this since happens even before 9.0 anyway. I have not seen this reported in pfSense side of things either. If you can try a quick test with pfSense, either just copying the kernel and pfctl binary, and see if you have same behavior would be helpful. > We don't see this issue at all with Gleb's patches applied and > forwarding performance is greatly improved. > That's a good thing in general and is good to have improvements just i am a bit sceptic about its changes in some areas. > Whatever happens I'd like a way forward to be found because pf > deployed at the scale we're using it is unuseable post 2011-06-28 > (and not ideal before). > >> > There's not been a fix since it was first reported. We're seeing >> > 0.08% of our connections dropped on the floor or about 4 per second. >> > As a result, we've been seriously considering replacing our FreeBSD >> > routers. >> >> I have missed the report of this, can you point to details? > > http://www.freebsd.org/cgi/query-pr.cgi?pr=163208 > > Comes to mind. I'm sure there were some earlier reports, but I > can't find them in a hurry. I'm also pretty sure there have been > reports on current@. > > I posted to current@ > http://www.freebsd.org/cgi/getmsg.cgi?fetch=164206+169604+/usr/local/www/db/text/2012/freebsd-current/20120812.freebsd-current > > Which is how I came to this list on mail from Gleb. > > I can tell you that this is not peculiar to 9 and later. pf pre-9 > was just silent about dropping the flows although the problem occurs > less frequently. > > Ian > > -- > Ian Freislich -- Ermal
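The state-mismatch counter Ian reads off `pfctl -s info` is the symptom the thread is chasing, and he is effectively diffing it by hand between two readings. As an added example (not code from the thread, from pf or from pfSense), this POSIX shell snippet parses that output and flags growth in the counter between two samples; the sample snapshots are constructed from the numbers quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from pf itself: read counters
# out of `pfctl -s info` output and flag growth in state-mismatch, the
# counter Ian correlates with stalled connections.

# Constructed samples, modelled on the output quoted in the thread
# (indentation as pfctl prints it; awk ignores it).
SNAP_A='Status: Enabled for 30 days 16:27:26          Debug: Urgent

State Table                        Total             Rate
  current entries                 377102
  searches                  126189706387        47596.4/s
  inserts                     6358571792         2398.3/s
  removals                    6358194690         2398.2/s
Counters
  match                      23798723897         8976.4/s
  state-mismatch                 4799367            1.8/s
  state-insert                     75295            0.0/s'

# A later, constructed sample: state-mismatch has grown by 11589.
SNAP_B='Counters
  match                      23798900000         8976.4/s
  state-mismatch                 4810956            1.8/s
  state-insert                     75300            0.0/s'

# pf_counter SNAPSHOT NAME -> total column of the named counter
pf_counter() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2; exit }'
}

# pf_counter_delta SNAP_OLD SNAP_NEW NAME -> new total minus old total
pf_counter_delta() {
    old=$(pf_counter "$1" "$3")
    new=$(pf_counter "$2" "$3")
    echo $((new - old))
}

# pf_mismatch_check SNAP_OLD SNAP_NEW THRESHOLD -> return 1 with a warning
# on stderr when state-mismatch grew by THRESHOLD or more, else return 0.
pf_mismatch_check() {
    d=$(pf_counter_delta "$1" "$2" state-mismatch)
    if [ "$d" -ge "$3" ]; then
        echo "WARNING: state-mismatch grew by $d (threshold $3)" >&2
        return 1
    fi
    return 0
}
```

On a live FreeBSD router the two snapshots come from successive `pfctl -s info` runs as root (for example from cron), and the threshold is whatever rate of stalled flows you are willing to tolerate.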