From owner-freebsd-pf@FreeBSD.ORG Sun Dec 7 09:46:34 2014
From: Michele Mazzucchi
Date: Sun, 7 Dec 2014 10:39:41 +0100
To: freebsd-pf@freebsd.org
Subject: TCP retransmission on rdr pass or nat pass
Message-Id: <632B9CC6-AF5D-45A2-A26F-C50220F36A56@keencons.com>

Hello folks,

A few weeks ago I noticed random resets in ssh connections. Commands
generating short response sequences were unaffected, while those
producing much output (e.g. scp or cat) would reset the ssh connection.
Log messages going "pf: BAD state: TCP in wire" helped track the issue
down to PF.

I broke down a "rdr" rule from

rdr pass proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip

to

rdr proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip
[... ; block in log ; pass out quick]
pass in quick proto tcp from any to $jail2_privip port $jail2_tcpports

This surprisingly solved the issue. I'm not clear here: "pass" rules now
default to "keep state", but this seems to only apply when they belong
to the "Filtering" region. What's their behavior when they decorate RDR
rules? Also, why does the lack of a state produce such unpredictable
resets?

cheers
-m
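The two rule layouts described in the message above, written out as a minimal pf.conf fragment. This is an added example, not the poster's own ruleset: the macro values are assumptions for illustration, and the `pfctl` invocations at the end are the checks a practitioner would run to see whether a state actually exists for the redirected connection and which rule is matching.

```conf
# Added example (not from the original post): the two rule layouts from
# the message above, spelled out in a minimal pf.conf. All macro values
# are assumptions for illustration; substitute your own.
jail2_pubip    = "203.0.113.10"   # assumed public address of the jail
jail2_privip   = "10.0.0.10"      # assumed private address the jail binds to
jail2_tcpports = "{ 22, 80 }"     # assumed list of redirected TCP ports

# Layout 1: translation and pass combined in a single "rdr pass" rule.
# Commented out here because layout 2 is the one being tested.
# rdr pass proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip

# Layout 2: translation only in the rdr rule ...
rdr proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip

# ... and the pass/block decision in the filter section. Filter rules see
# the packet after translation, so the destination here is $jail2_privip.
# "flags S/SA keep state" is the default for a TCP pass rule in FreeBSD's
# pf and is written out only to make the intent explicit.
block in log
pass out quick keep state
pass in quick proto tcp from any to $jail2_privip port $jail2_tcpports flags S/SA keep state

# Checks (run as root):
#   pfctl -nf /etc/pf.conf        syntax-check the file without loading it
#   pfctl -f  /etc/pf.conf        load it
#   pfctl -vsr                    list rules with evaluation/packet/state counters
#   pfctl -ss | grep 10.0.0.10    confirm a state exists for a redirected connection
#   pfctl -x misc                 debug level at which "pf: BAD state" lines are logged
```

Loading layout 1 and layout 2 in turn and comparing the `pfctl -vsr` counters and the `pfctl -ss` output for one scp transfer shows directly whether the "rdr pass" form is creating a state for the connection or whether only the explicit "pass in quick ... keep state" rule does.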
sB7Au1g7078415 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 7 Dec 2014 21:56:04 +1100 (EST) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Message-ID: <54843241.1070908@heuristicsystems.com.au> Date: Sun, 07 Dec 2014 21:56:01 +1100 From: Dewayne Geraghty User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 MIME-Version: 1.0 To: Martin Hanson , freebsd-pf@freebsd.org Subject: Re: FOLLOW-UP References: <363021417833295@web21g.yandex.ru> In-Reply-To: <363021417833295@web21g.yandex.ru> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2014 10:56:59 -0000 On 6/12/2014 1:34 PM, Martin Hanson wrote: > Okay, this part "Has any important bugs been fixed in PF on OpenBSD > since the current port in FreeBSD that actually makes the current PF in > FreeBSD "dangerous" to run with?" was actually a really stupid question! > > The.. > > http://svnweb.freebsd.org/base/vendor-sys/pf/4.5.002/?view=log > > .. shows that the last import was for tag 4.5.002 5 years and 3 month > ago! > > Going back to that time in the OpenBSD CVS log and then scrolling up > until present day shows quite a bunch of REALLY important fixes! I am > NOT talking about the changes made by the OpenBSD guys, just bug and > error fixes! > > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c > > Problems that can cause kernel crashes, fixes for PF crashing faults, > out-of-memory errors, leak of states, and a whole lot of other > important stuff. > > Nobody in their right mind would run the current version of PF on > FreeBSD! 
> > I am sorry, but how can someone be so stupid as to get a whole bunch of > new features into a product that seriously needs upgrading first!? > > Whats going on FreeBSD? You used to be all about quality, now you're > all about "bleeding edge features" and don't give a s*** about the rest? > > Linux can get away with that crap ONLY because such a huge bunch of > people and organisations are running and supporting it, they have a LOT > of people developing stuff and fixing stuff really quick, FreeBSD > haven't got that user base! > > It needs to be about quality over features! Like in the good old 4.x > and 5.x days! > > Martin > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > Martin, I'm new to the pf list, as I'm looking to transition from ipfw to pf. I wonder if your comparison might be better placed between http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c and the goodies under https://svnweb.freebsd.org/base/head/sys/netpfil/pf/ rather than https://svnweb.freebsd.org/base/vendor-sys/pf/ I don't know if the latter has any relevance? 
Regards, Dewayne -- For the talkers: “The superior man acts before he speaks, and afterwards speaks according to his action.” For everyone else: “Life is really simple, but we insist on making it complicated.” From owner-freebsd-pf@FreeBSD.ORG Sun Dec 7 10:57:20 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C59473C5 for ; Sun, 7 Dec 2014 10:57:20 +0000 (UTC) Received: from home.opsec.eu (home.opsec.eu [IPv6:2001:14f8:200::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 806F7130 for ; Sun, 7 Dec 2014 10:57:20 +0000 (UTC) Received: from pi by home.opsec.eu with local (Exim 4.82 (FreeBSD)) (envelope-from ) id 1XxZWf-0004sP-KX; Sun, 07 Dec 2014 11:57:17 +0100 Date: Sun, 7 Dec 2014 11:57:17 +0100 From: Kurt Jaeger To: freebsd-pf@freebsd.org Subject: Re: Get RID of the multi threading patch in FreeBSDs version of PF Message-ID: <20141207105717.GP44537@home.opsec.eu> References: <136621417831771@web24j.yandex.ru> <5483605C.4070400@bluerosetech.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5483605C.4070400@bluerosetech.com> Cc: Martin Hanson X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2014 10:57:20 -0000 Hi! > On 12/5/2014 6:09 PM, Martin Hanson wrote: > > Has any important bugs been fixed in PF on OpenBSD since the current > > port in FreeBSD that actually makes the current PF in FreeBSD > > "dangerous" to run with? > > FreeBSD's pf is broken for IPv6. 
Its lack of fragment support means a > FreeBSD breaks EDNS0 and other large-packet protocols that rely on > fragment headers. This was fixed recently as far as I understand. Have a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392 and https://svnweb.freebsd.org/changeset/base/274709 -- pi@opsec.eu +49 171 3101372 6 years to go ! From owner-freebsd-pf@FreeBSD.ORG Sun Dec 7 11:12:34 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B390E6C0 for ; Sun, 7 Dec 2014 11:12:34 +0000 (UTC) Received: from home.opsec.eu (home.opsec.eu [IPv6:2001:14f8:200::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6F32F2E4 for ; Sun, 7 Dec 2014 11:12:34 +0000 (UTC) Received: from pi by home.opsec.eu with local (Exim 4.82 (FreeBSD)) (envelope-from ) id 1XxZlR-0004ti-6B; Sun, 07 Dec 2014 12:12:33 +0100 Date: Sun, 7 Dec 2014 12:12:33 +0100 From: Kurt Jaeger To: Martin Hanson Subject: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP) Message-ID: <20141207111233.GQ44537@home.opsec.eu> References: <363021417833295@web21g.yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <363021417833295@web21g.yandex.ru> Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2014 11:12:34 -0000 Hi! > Nobody in their right mind would run the current version of PF on > FreeBSD! 
There was a big discussion on PF this summer, see http://lists.freebsd.org/pipermail/freebsd-current/2014-July/051229.html There are several issues why it can not easily be merged. The one I remember was that the PF code is not suitable for multi-core use. Today's hosts need multicore to keep up with line rates (and I have a bunch of routers speaking BGP4 and running FreeBSD), so something needs to be done in either direction. There is an OpenBSD fork (!): https://www.bitrig.org/ probably because the way OpenBSD handles its issues, and maybe the multicore (vrs. old platform support) is one of them. So please do not consider it an easy problem. It's hard. -- pi@opsec.eu +49 171 3101372 6 years to go ! From owner-freebsd-pf@FreeBSD.ORG Sun Dec 7 15:28:12 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 19B4E51B for ; Sun, 7 Dec 2014 15:28:12 +0000 (UTC) Received: from forward3h.mail.yandex.net (forward3h.mail.yandex.net [IPv6:2a02:6b8:0:f05::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Certum Level IV CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 86291DE6 for ; Sun, 7 Dec 2014 15:28:11 +0000 (UTC) Received: from web11h.yandex.ru (web11h.yandex.ru [84.201.186.40]) by forward3h.mail.yandex.net (Yandex) with ESMTP id 4CABA13619AE; Sun, 7 Dec 2014 18:27:58 +0300 (MSK) Received: from 127.0.0.1 (localhost [127.0.0.1]) by web11h.yandex.ru (Yandex) with ESMTP id B5FBD1204ED; Sun, 7 Dec 2014 18:27:57 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1417966077; bh=pbLL/B0ZhCgLG5YuN13zujKF41RvQfSZ00odBfgfzOw=; h=From:To:In-Reply-To:References:Subject:Date; b=Eo8ssA1tFiftKf/bE8G8Qh0Yp2EDZRShNsVqSysT/4RUjGjsFbfvteC46agBi2rbz 
k3cHwCeFJIsplKfAxtY1XvU6w0T+y9fW+0onDl4Cs3QiSsYPJwPmq9J8ZXA/ASCMrh Ob2ocUln5voF3Xonl+nyrJIrzPZ66sP/i0iz1Rz4= Received: from 053f90e4.rdns.100tb.com (053f90e4.rdns.100tb.com [5.63.144.228]) by web11h.yandex.ru with HTTP; Sun, 07 Dec 2014 18:27:57 +0300 From: Martin Hanson To: Dewayne Geraghty , "freebsd-pf@freebsd.org" In-Reply-To: <54843241.1070908@heuristicsystems.com.au> References: <363021417833295@web21g.yandex.ru> <54843241.1070908@heuristicsystems.com.au> Subject: Re: FOLLOW-UP MIME-Version: 1.0 Message-Id: <413861417966077@web11h.yandex.ru> X-Mailer: Yamail [ http://yandex.ru ] 5.0 Date: Sun, 07 Dec 2014 16:27:57 +0100 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=utf-8 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2014 15:28:12 -0000 I stand corrected on that. Thanks Dewayne. 07.12.2014, 11:56, "Dewayne Geraghty" : > On 6/12/2014 1:34 PM, Martin Hanson wrote: >>  Okay, this part "Has any important bugs been fixed in PF on OpenBSD >>  since the current port in FreeBSD that actually makes the current PF in >>  FreeBSD "dangerous" to run with?" was actually a really stupid question! >> >>  The.. >> >>  http://svnweb.freebsd.org/base/vendor-sys/pf/4.5.002/?view=log >> >>  .. shows that the last import was for tag 4.5.002 5 years and 3 month >>  ago! >> >>  Going back to that time in the OpenBSD CVS log and then scrolling up >>  until present day shows quite a bunch of REALLY important fixes! I am >>  NOT talking about the changes made by the OpenBSD guys, just bug and >>  error fixes! >> >>  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c >> >>  Problems that can cause kernel crashes, fixes for PF crashing faults, >>  out-of-memory errors, leak of states, and a whole lot of other >>  important stuff. 
>> >>  Nobody in their right mind would run the current version of PF on >>  FreeBSD! >> >>  I am sorry, but how can someone be so stupid as to get a whole bunch of >>  new features into a product that seriously needs upgrading first!? >> >>  Whats going on FreeBSD? You used to be all about quality, now you're >>  all about "bleeding edge features" and don't give a s*** about the rest? >> >>  Linux can get away with that crap ONLY because such a huge bunch of >>  people and organisations are running and supporting it, they have a LOT >>  of people developing stuff and fixing stuff really quick, FreeBSD >>  haven't got that user base! >> >>  It needs to be about quality over features! Like in the good old 4.x >>  and 5.x days! >> >>  Martin >>  _______________________________________________ >>  freebsd-pf@freebsd.org mailing list >>  http://lists.freebsd.org/mailman/listinfo/freebsd-pf >>  To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > Martin, > I'm new to the pf list, as I'm looking to transition from ipfw to pf.  I > wonder if your comparison might be better placed between > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c > and the goodies under > https://svnweb.freebsd.org/base/head/sys/netpfil/pf/ > rather than https://svnweb.freebsd.org/base/vendor-sys/pf/ > I don't know if the latter has any relevance? 
> Regards, Dewayne > > -- > For the talkers: “The superior man acts before he speaks, and afterwards speaks according to his action.” > For everyone else: “Life is really simple, but we insist on making it complicated.” From owner-freebsd-pf@FreeBSD.ORG Sun Dec 7 15:53:04 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C8D21981 for ; Sun, 7 Dec 2014 15:53:04 +0000 (UTC) Received: from forward5h.mail.yandex.net (forward5h.mail.yandex.net [84.201.186.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Certum Level IV CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 751A299 for ; Sun, 7 Dec 2014 15:53:04 +0000 (UTC) Received: from web11h.yandex.ru (web11h.yandex.ru [84.201.186.40]) by forward5h.mail.yandex.net (Yandex) with ESMTP id 9A2F1D00D71; Sun, 7 Dec 2014 18:52:54 +0300 (MSK) Received: from 127.0.0.1 (localhost [127.0.0.1]) by web11h.yandex.ru (Yandex) with ESMTP id DAE921204E2; Sun, 7 Dec 2014 18:52:53 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1417967574; bh=FJoBSwC861NwUUfgIWzEnlmcnDlLfFBkbf1Ffa3ij3Y=; h=From:To:Cc:In-Reply-To:References:Subject:Date; b=JXr3ZYDJM+GGkCHvtl2JZwWbnr00OU9iyp0Zzpe/i0CTA+nFu4C3MfamxhzwYnONv qNVVrYc3oHpP3wu1QYXii9PqvvXkbTvxthPodPh/RmUEcFdzUbxyVgsfw6S2F+yJiZ NvXLYvMHeyLe1sDitwomCiMdMkGW65w4l6PHF22c= Received: from 053f90e4.rdns.100tb.com (053f90e4.rdns.100tb.com [5.63.144.228]) by web11h.yandex.ru with HTTP; Sun, 07 Dec 2014 18:52:53 +0300 From: Martin Hanson To: Kurt Jaeger In-Reply-To: <20141207111233.GQ44537@home.opsec.eu> References: <363021417833295@web21g.yandex.ru> <20141207111233.GQ44537@home.opsec.eu> Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: 
FOLLOW-UP) MIME-Version: 1.0 Message-Id: <473461417967573@web11h.yandex.ru> X-Mailer: Yamail [ http://yandex.ru ] 5.0 Date: Sun, 07 Dec 2014 16:52:53 +0100 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=koi8-r Cc: "freebsd-pf@freebsd.org" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2014 15:53:04 -0000 >> šNobody in their right mind would run the current version of PF on >> šFreeBSD! > > There was a big discussion on PF this summer, see > > http://lists.freebsd.org/pipermail/freebsd-current/2014-July/051229.html > > There are several issues why it can not easily be merged. The one > I remember was that the PF code is not suitable for multi-core use. > Today's hosts need multicore to keep up with line rates (and I have > a bunch of routers speaking BGP4 and running FreeBSD), so > something needs to be done in either direction. All in good time! But the way it has been dealt with on FreeBSD is just plain stupid! I am sorry, but take a look at the PF on OpenBSD! The PF code on OpenBSD has essentially been completely replaced by the redesign those guys did. Its not just syntax changes, those changes was a result of the redesign. Did anyone on FreeBSD bother to look at that first? Multi-threading!? So okay, now there's essentially another product on FreeBSD, its NOT PF any longer! It's "old crap that should have been updated some six years ago" with new multi-threading support! And then some fixes here and there by a single guy, or two guys. Bad decisions don't become right just because you sugar coat them with some new flavor. All we need now is a new name, how about fpf (f***ed, PF?). Sorry. 
> There is an OpenBSD fork (!): > > https://www.bitrig.org/ > > probably because the way OpenBSD handles its issues, and maybe > the multicore (vrs. old platform support) is one of them. So please do > not consider it an easy problem. It's hard. Nobody said it was easy. But there is something a lot of people seem to misunderstand. OpenBSD will eventually get multicore support, no doubt about that, but the difference is that once they do, they do it RIGHT! They don't let big companies bully them around! Other people are just in a hurry, so who the hell cares if getting there causes serious documentation lacking, old crap - that should have been fixed - gets mixed with new crap, and quality is.. well.. we don't recognize that word any longer - do we!? bitrig.org? YES! Lets break some more stuff! > -- > pi@opsec.eu ššššššššššš+49 171 3101372 šššššššššššššššššššššššš6 years to go ! From owner-freebsd-pf@FreeBSD.ORG Sun Dec 7 18:55:43 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 92013540 for ; Sun, 7 Dec 2014 18:55:43 +0000 (UTC) Received: from etive.allicient.co.uk (etive.allicient.co.uk [207.158.37.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6C94A623 for ; Sun, 7 Dec 2014 18:55:42 +0000 (UTC) Received: (qmail 52971 invoked from network); 7 Dec 2014 18:49:01 -0000 Received: from mail-vc0-f181.google.com (allicientsmtpauth@[209.85.220.181]) (envelope-sender ) by etive.allicient.co.uk (qmail-ldap-1.03) with RC4-SHA encrypted SMTP for ; 7 Dec 2014 18:49:01 -0000 Received: by mail-vc0-f181.google.com with SMTP id le20so1593957vcb.40 for ; Sun, 07 Dec 2014 10:48:59 -0800 (PST) X-Received: by 10.220.106.78 with SMTP id 
w14mr22013646vco.46.1417978139687; Sun, 07 Dec 2014 10:48:59 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.59.202 with HTTP; Sun, 7 Dec 2014 10:48:29 -0800 (PST) In-Reply-To: <473461417967573@web11h.yandex.ru> References: <363021417833295@web21g.yandex.ru> <20141207111233.GQ44537@home.opsec.eu> <473461417967573@web11h.yandex.ru> From: Peter Maxwell Date: Sun, 7 Dec 2014 18:48:29 +0000 Message-ID: Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP) To: "freebsd-pf@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2014 18:55:43 -0000 On 7 December 2014 at 15:52, Martin Hanson wrote: > > > Did anyone on FreeBSD bother to look at that first? > > Multi-threading!? > > So okay, now there's essentially another product on FreeBSD, its NOT PF any > longer! It's "old crap that should have been updated some six years ago" > with > new multi-threading support! And then some fixes here and there by a single > guy, or two guys. > > Bad decisions don't become right just because you sugar coat them with some > new flavor. > > All we need now is a new name, how about fpf (f***ed, PF?). Sorry. > Given you appear to believe you are well acquainted with the problem, why not pull your finger out of your proverbial and sort it yourself? 
From owner-freebsd-pf@FreeBSD.ORG Sun Dec 7 23:09:13 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6DA62C55 for ; Sun, 7 Dec 2014 23:09:13 +0000 (UTC) Received: from forward2m.mail.yandex.net (forward2m.mail.yandex.net [IPv6:2a02:6b8:0:2519::3:11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Certum Level IV CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 23DFB28 for ; Sun, 7 Dec 2014 23:09:12 +0000 (UTC) Received: from web27m.yandex.ru (web27m.yandex.ru [37.140.138.118]) by forward2m.mail.yandex.net (Yandex) with ESMTP id 3113F5CA127F; Mon, 8 Dec 2014 02:09:08 +0300 (MSK) Received: from 127.0.0.1 (localhost [127.0.0.1]) by web27m.yandex.ru (Yandex) with ESMTP id 7848719E18A7; Mon, 8 Dec 2014 02:09:07 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1417993747; bh=FuXP3BX9yDdPC2mgc+wBs5PplRvaC13ZOWMzXxBgu2k=; h=From:To:Cc:Subject:Date; b=QtYdLGgKzad70Yl18SaY5g2cdgS5bT+c1NcMEASu2Lja9OO5OWWVP88jIRwww2U3F JIe+yQ7J0j4/1Aly6lBGCbF5LMQM8zQFF2N2WkLVs8UWhQVLBzpl50rluYV37gVsq/ L0SFvkDQMUfTgmLb6D0yuT7flapv4uKEKKtwRO34= Received: from [185.3.135.138] ([185.3.135.138]) by web27m.yandex.ru with HTTP; Mon, 08 Dec 2014 02:09:07 +0300 From: Martin Hanson To: peter@allicient.co.uk Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP) MIME-Version: 1.0 Message-Id: <115251417993747@web27m.yandex.ru> X-Mailer: Yamail [ http://yandex.ru ] 5.0 Date: Mon, 08 Dec 2014 00:09:07 +0100 Content-Transfer-Encoding: 7bit Content-Type: text/plain Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2014 23:09:13 -0000 > Given you appear to believe you are well acquainted with the problem, why > not pull your finger out of your proverbial and sort it yourself? LOL, good one! Seems like you have missed the whole point, nobody can sort it out now! From owner-freebsd-pf@FreeBSD.ORG Sun Dec 7 23:33:19 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C0B97136 for ; Sun, 7 Dec 2014 23:33:19 +0000 (UTC) Received: from etive.allicient.co.uk (etive.allicient.co.uk [207.158.37.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9CBC132E for ; Sun, 7 Dec 2014 23:33:18 +0000 (UTC) Received: (qmail 58857 invoked from network); 7 Dec 2014 23:33:17 -0000 Received: from mail-vc0-f178.google.com (allicientsmtpauth@[209.85.220.178]) (envelope-sender ) by etive.allicient.co.uk (qmail-ldap-1.03) with RC4-SHA encrypted SMTP for ; 7 Dec 2014 23:33:17 -0000 Received: by mail-vc0-f178.google.com with SMTP id hq11so1736364vcb.9 for ; Sun, 07 Dec 2014 15:33:15 -0800 (PST) X-Received: by 10.52.83.196 with SMTP id s4mr18666844vdy.50.1417995195086; Sun, 07 Dec 2014 15:33:15 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.59.202 with HTTP; Sun, 7 Dec 2014 15:32:44 -0800 (PST) In-Reply-To: <115251417993747@web27m.yandex.ru> References: <115251417993747@web27m.yandex.ru> From: Peter Maxwell Date: Sun, 7 Dec 2014 23:32:44 +0000 Message-ID: Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP) To: "freebsd-pf@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-pf@freebsd.org 
X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2014 23:33:19 -0000 On 7 December 2014 at 23:09, Martin Hanson wrote: > > Given you appear to believe you are well acquainted with the problem, why > > not pull your finger out of your proverbial and sort it yourself? > > LOL, good one! > > Seems like you have missed the whole point, nobody can sort it out now! > If nobody can sort it then there nothing to be gained in whinging about the situation, ergo can you please hud yer wheesht. From owner-freebsd-pf@FreeBSD.ORG Mon Dec 8 00:31:32 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0AD79AF1 for ; Mon, 8 Dec 2014 00:31:32 +0000 (UTC) Received: from luigi.brtsvcs.net (luigi.brtsvcs.net [204.109.60.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DA0A9A5C for ; Mon, 8 Dec 2014 00:31:31 +0000 (UTC) Received: from chombo.houseloki.net (unknown [IPv6:2601:7:2580:674:21c:c0ff:fe7f:96ee]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by luigi.brtsvcs.net (Postfix) with ESMTPSA id EEA582D4F9B; Mon, 8 Dec 2014 00:31:23 +0000 (UTC) Received: from [IPv6:2601:7:2580:674:baca:3aff:fe83:bd29] (ivy.libssl.so [IPv6:2601:7:2580:674:baca:3aff:fe83:bd29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by chombo.houseloki.net (Postfix) with ESMTPSA id B73DB1D66; Sun, 7 Dec 2014 16:31:21 -0800 (PST) Message-ID: <5484F157.9010707@bluerosetech.com> Date: Sun, 07 Dec 2014 16:31:19 -0800 
From: Darren Pilgrim Reply-To: freebsd-pf@freebsd.org User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 MIME-Version: 1.0 To: Kurt Jaeger , freebsd-pf@freebsd.org Subject: Re: Get RID of the multi threading patch in FreeBSDs version of PF References: <136621417831771@web24j.yandex.ru> <5483605C.4070400@bluerosetech.com> <20141207105717.GP44537@home.opsec.eu> In-Reply-To: <20141207105717.GP44537@home.opsec.eu> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Dec 2014 00:31:32 -0000 On 12/7/2014 2:57 AM, Kurt Jaeger wrote: >> On 12/5/2014 6:09 PM, Martin Hanson wrote: >>> Has any important bugs been fixed in PF on OpenBSD since the current >>> port in FreeBSD that actually makes the current PF in FreeBSD >>> "dangerous" to run with? >> >> FreeBSD's pf is broken for IPv6. Its lack of fragment support means a >> FreeBSD breaks EDNS0 and other large-packet protocols that rely on >> fragment headers. > > This was fixed recently as far as I understand. > > Have a look at > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392 > > and > > https://svnweb.freebsd.org/changeset/base/274709 I think you're confused about the issue I described. I'm talking about pf not supporting fragment headers and as such dropping fragmented packets instead of statefully passing them. 
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933 From owner-freebsd-pf@FreeBSD.ORG Mon Dec 8 02:23:02 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D84E5396 for ; Mon, 8 Dec 2014 02:23:02 +0000 (UTC) Received: from mail-ob0-f177.google.com (mail-ob0-f177.google.com [209.85.214.177]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9F5C633F for ; Mon, 8 Dec 2014 02:23:02 +0000 (UTC) Received: by mail-ob0-f177.google.com with SMTP id va2so2938757obc.22 for ; Sun, 07 Dec 2014 18:23:01 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=+N0d31OaddR5j1DzWNuNnoFfe++JHvVAi/1R+8me9lA=; b=L7aMrXzRxxcG2SmZJfNXRK98aBheukKfeMrcuTWb+9RIcHGILEpxCGyrqug7u0Lwin FO9CjnqW77p8v0qziPYFKjFuXuxPHTu2atRvlDAsVpiRe9FdhCmEsg0voH5J/S0lGcAa F5fAFanSGanpwpNiZO+VyWM4kP9jABINWAo2S0nWMfQRHPSTydFllVkXwYdaq5/jHTQd gM+aRoo2axIXvgqyqv9a5MrWMjDlyAaoOdjSZ5zqtO+fXGwUtFbivxkd9bCI4WrslCS0 sBgR/+QGv2Mm+OMrEl+V0w40hDnrzk4jE7rbvrcOLc5zl06VRXOcd7QHyMOyaajIG+1/ TjtQ== X-Gm-Message-State: ALoCoQlUvHbMV+0R+pFSR+vR7NGJ7ioeToV4m5ovIa0xyC4lJ8yJxKLXyrfwLzN1OXM+a/vYZXDN X-Received: by 10.202.98.10 with SMTP id w10mr5463285oib.104.1418005380869; Sun, 07 Dec 2014 18:23:00 -0800 (PST) Received: from ?IPv6:2610:160:11:33:8d68:8c2c:b451:393e? 
From: Jim Thompson
To: Martin Hanson
Cc: freebsd-pf@freebsd.org
Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP)
Date: Sun, 7 Dec 2014 20:22:58 -0600
Message-Id: <75F1B874-8BF5-4500-A9EB-9A6E3F90C3F2@netgate.com>
In-Reply-To: <115251417993747@web27m.yandex.ru>
References: <115251417993747@web27m.yandex.ru>

> On Dec 7, 2014, at 5:09 PM, Martin Hanson wrote:
>
>> Given you appear to believe you are well acquainted with the problem, why
>> not pull your finger out of your proverbial and sort it yourself?
>
> LOL, good one!
>
> Seems like you have missed the whole point, nobody can sort it out now!

No, you're missing the point.

The codebase has forked, and it's unlikely that anyone who is working on (or in a position to direct work on) pf believes that the correct course of action is to reverse at this point, and follow your prescriptive.

However, there is an architecture available (pfill) which will allow you, or someone you find to do the work, to bring the current "pf" from OpenBSD work into FreeBSD. Given this, I'm left to ask why you continue to pound the desk with demands when there is a path by which you can accomplish your goal.

The other question, of course, is to ask you what is lacking in OpenBSD that you can't use that for your firewalling needs, given your obsequiousness toward OpenBSD.

To directly counter your assertion, I suggest you read

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html
http://lists.freebsd.org/pipermail/svn-src-projects/2012-April/005056.html
http://lists.freebsd.org/pipermail/freebsd-questions/2014-August/259703.html

and this thread from this past Summer:

http://lists.freebsd.org/pipermail/freebsd-pf/2014-July/007393.html

Where I respond to "Anyone working on bringing FreeBSD up to 5.6?" in part with:

> There was some brief discussion of same at vBSD (prompted by Henning's rant after being
> pushed about his claims about the "pf" in OpenBSD being faster than the "pf" in FreeBSD 10).
> This occurred both at ruBSD and vBSD
>
> http://tech.yandex.ru/events/yagosti/ruBSD/talks/1477/ (you can skip to 29:51)
> http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (you can skip to 33:18 and 36:53 for the salient bits)
> http://quigon.bsws.de/papers/2013/vbsdcon/
> http://quigon.bsws.de/papers/2013/rubsd/
>
> bapt apparently volunteered to attempt to bring the pf from a more modern pf to FreeBSD. You'll have to ask him about status.

And if you want to read nothing else, read this thread:

https://lists.freebsd.org/pipermail/freebsd-pf/2012-September/006740.html

Wherein, Gleb was specifically asked about doing >exactly< as you request, by several people, and directly rejected same. (A minor skirmish broke out between Gleb and Ermal, and Gleb got a bit … well, let's just say it can make one squeamish to watch. https://lists.freebsd.org/pipermail/freebsd-pf/2012-September/006754.html Let's just say that Gleb should offer an apology to Ermal for that, and that Ermal had other things happening during that period.)

The salient points are that: a) your assertion is not new, b) work continues, and c) there is likely more low-hanging fruit:

http://lists.freebsd.org/pipermail/freebsd-net/2013-April/035417.html

Given this (and all of the above), it is unlikely that the current course will be abandoned, as you demand. The two main people working on pf (Ermal and Gleb) are both still working on it.

> On Dec 7, 2014, at 9:52 AM, Martin Hanson wrote:
> OpenBSD will eventually get multicore support, no doubt about that, but the difference is that once they do, they do it RIGHT!

One of the frustrating things about your statement here is that you imply that the multicore support in FreeBSD is not "right". That is, for reasons unstated, somehow lacking.

OpenBSD may eventually grow proper multicore support, but that is of little concern to the FreeBSD project. It took FreeBSD years to get proper multicore support, and I doubt OpenBSD gets there any faster. Nor have they started. This is bad news for OpenBSD, because the world is now multicore, 1Gbps are common (I have one to my house) and 10Gbps connections are increasingly common. OpenBSD's "pf" doesn't even handle 1Gbps unless

OpenBSD and FreeBSD have different goals. To quote: https://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/archs.html#AEN1248

The FreeBSD Project targets "production quality commercial off-the-shelf (COTS) workstation, server, and high-end embedded systems"

OpenBSD doesn't seem to be concerned about performance of pf: http://www.openbsd.org/faq/pf/perf.html

Even with the multi-core processing, neither ipfw nor pf is what it needs to be. Neither will deal with the 1.488Mpps of 1Gbps Ethernet. http://bsdrp.net/documentation/examples/forwarding_performance_lab_of_an_ibm_system_x3550_m3_with_intel_82580

Nor are we done with pf.

One of the short-term goals is to improve performance by creating a per-core state-table, rather than locking a single state table in RAM. Another is to investigate the effects of thread-pinning, as well as getting correct RSS mechanisms in the kernel such that a given (set of) flow(s) are always directed at the same core.

One of the largest issues with the common open-source packet filters is that they tightly couple the flow classification and treatment, i.e. after flows are classified, actions are executed locally immediately after the classification. While we might get to 1Gbps (with some work) via this route, or even slightly above, I find it unlikely that we can get anywhere near the 14.88Mpps required to correctly process 10Gbps Ethernet at line rate using the same architecture.

Have you studied the problem, Martin? Or are you going to continue to beat the "OpenBSD über alles" drum?

Jim

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 8 11:04:16 2014
From: "Bjoern A. Zeeb"
To: Jim Thompson
Cc: Martin Hanson, freebsd-pf@freebsd.org
Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP)
Date: Mon, 8 Dec 2014 11:04:00 +0000
Message-Id: <6BB4C12E-DB19-42C1-93C8-264BAA053CED@lists.zabbadoz.net>
In-Reply-To: <75F1B874-8BF5-4500-A9EB-9A6E3F90C3F2@netgate.com>
References: <115251417993747@web27m.yandex.ru> <75F1B874-8BF5-4500-A9EB-9A6E3F90C3F2@netgate.com>

On 08 Dec 2014, at 02:22 , Jim Thompson wrote:

>> On Dec 7, 2014, at 5:09 PM, Martin Hanson wrote:
>>
>> Seems like you have missed the whole point, nobody can sort it out now!
>
> No, you're missing the point.
>
> The codebase has forked, and it's unlikely that anyone who is working on (or in a position to direct work on) pf believes that the correct course of action is to reverse at this point, and follow your prescriptive.

I have not read all your references but there are more points one could possibly consider:

- backward compatibility; FreeBSD tries not to screw users over with every new major release, and constantly changing syntax and old firewall rules no longer working are just not an option for us; you can "fix" this by writing a backward compat parser and adjusting the code to support all the stuff still; just a lot more extra work on code you don't maintain and thus making it hard to sync.

- the #ifdefs were indeed just not sustainable and a major pain reading the code; that could have been reduced but frankly prevented us for too long from working on the code. V_irtualisation is just another code mangler.

- the tight integration of pf in OpenBSD with the rest of their network stack started to suit the more generic FreeBSD model less and less. We can't just do that unless we drop other firewalls and screw a lot of the commercial user base.

- There is another major pf player in the game who wasn't mentioned yet, and that's Apple. Has anyone considered looking at their implementation shipping on millions of devices, requiring similar "API stability" as FreeBSD would love to support?

Just a few things from the top of my head.

—
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."
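The 1.488 Mpps and 14.88 Mpps figures Jim quotes earlier in this thread are the minimum-frame packet budgets of 1 GbE and 10 GbE, and a defender sizing a filter needs the same arithmetic for other frame sizes, because a flood of minimum-size frames is the worst case a packet filter has to survive. The Python below is an added example written for this page, not code from any poster or from the pf project. It assumes untagged Ethernet frames and uses the standard wire overhead (8 bytes of preamble and start-frame delimiter plus a 12-byte inter-frame gap); the "4.2 Gbit/s at MTU 1500" comparison is a constructed input.

```python
"""Ethernet line-rate packet budgets for firewall capacity planning.

Added example (not from the mailing-list thread or the pf project).
Reproduces the 1.488 Mpps / 14.88 Mpps figures from first principles and
converts a measured throughput at a given MTU back into a packet rate.
"""

# Per-frame bytes on the wire that are not part of the frame itself:
# 7-byte preamble + 1-byte start-frame delimiter + 12-byte inter-frame gap.
PREAMBLE_SFD = 8
IFG = 12
WIRE_OVERHEAD = PREAMBLE_SFD + IFG   # 20 bytes

ETH_HEADER = 14   # destination MAC, source MAC, EtherType (untagged frame)
ETH_FCS = 4       # frame check sequence
MIN_FRAME = 64    # minimum Ethernet frame: header + payload + FCS


def frame_bytes_for_mtu(mtu: int) -> int:
    """Length of an untagged frame carrying an IP packet of `mtu` bytes."""
    return ETH_HEADER + mtu + ETH_FCS


def line_rate_pps(link_bps: int, frame_bytes: int) -> int:
    """Maximum frames per second a link of `link_bps` can carry at this size.

    Frames shorter than 64 bytes are padded on the wire, so the budget never
    gets worse than the 64-byte case; that case is the flood a filter must
    be provisioned for.
    """
    wire = max(frame_bytes, MIN_FRAME) + WIRE_OVERHEAD
    return link_bps // (wire * 8)


def pps_from_throughput(throughput_bps: float, mtu: int) -> float:
    """Approximate packet rate behind a measured throughput at `mtu`.

    Assumes full-size frames (the usual case for a bulk-transfer benchmark)
    and counts the same 20 bytes of wire overhead per frame.
    """
    wire = frame_bytes_for_mtu(mtu) + WIRE_OVERHEAD
    return throughput_bps / (wire * 8)


def packet_budget_table(link_bps: int,
                        frame_sizes=(64, 128, 256, 512, 1024, 1518)) -> dict:
    """Line-rate pps per frame size; the 64-byte row is the worst case."""
    return {size: line_rate_pps(link_bps, size) for size in frame_sizes}


if __name__ == "__main__":
    for name, bps in (("1 GbE", 1_000_000_000), ("10 GbE", 10_000_000_000)):
        print(f"{name}:")
        for size, pps in packet_budget_table(bps).items():
            print(f"  {size:5d}-byte frames: {pps / 1e6:7.3f} Mpps")
    # Constructed comparison: a benchmark reporting 4.2 Gbit/s at MTU 1500.
    print(f"4.2 Gbit/s at MTU 1500 is about "
          f"{pps_from_throughput(4.2e9, 1500) / 1e6:.2f} Mpps")
```

The table makes the thread's point concrete: a box that forwards several Gbit/s of full-size frames may still fall over at a few hundred thousand packets per second of minimum-size frames, so packet rate at 64 bytes, not bandwidth, is the number to test a firewall against.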
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 8 15:27:56 2014
From: Maxim Khitrov
To: Jim Thompson
Cc: Martin Hanson, freebsd-pf@freebsd.org
Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP)
Date: Mon, 8 Dec 2014 10:27:23 -0500
In-Reply-To: <75F1B874-8BF5-4500-A9EB-9A6E3F90C3F2@netgate.com>
References: <115251417993747@web27m.yandex.ru> <75F1B874-8BF5-4500-A9EB-9A6E3F90C3F2@netgate.com>

On Sun, Dec 7, 2014 at 9:22 PM, Jim Thompson wrote:
> OpenBSD may eventually grow proper multicore support, but that is of little concern to the FreeBSD project. It took FreeBSD years to get proper multicore support, and I doubt
> OpenBSD gets there any faster. Nor have they started. This is bad news for OpenBSD, because the world is now multicore, 1Gbps are common (I have one to my house) and 10Gbps connections are increasingly common. OpenBSD's "pf" doesn't even handle 1Gbps unless

How many of your 1 Gbps links are handling 1.488 Mpps? I wasn't very interested in that use case when I did my testing, so for me, OpenBSD 5.3 handled 4.2 Gbps (MTU 1500) with Intel X540 NIC and Xeon E3-1275v2. If I did the math right, that's ~0.35 Mpps:

http://marc.info/?l=openbsd-misc&m=137600809910496&w=2

The limiting factor was not pf (nearly the same performance with it disabled), but single-core processing of all interrupts and packets. Yes, there is work to be done there.

Even with that "poor" performance, I'm now using OpenBSD for firewalls because the new pf.conf syntax, which makes the ruleset much cleaner and easier to maintain, as well as other features (interface groups, set prio, new queueing system, received-on, etc.), are more important to me than being able to push 10 Gbps of traffic through the box. I understand that other people and organizations have other priorities, but IMHO, OpenBSD covers the common use case better than FreeBSD at the moment.

How many people managed to figure out hfsc for altq (which isn't even compiled into the GENERIC kernel)? I tried... I really did. Even with cbq, the resulting ruleset was an unmaintainable mess most of the time.

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 9 00:31:57 2014
From: Olivier Cochard-Labbé
To: Maxim Khitrov
Cc: Martin Hanson, freebsd-pf@freebsd.org
Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP)
Date: Tue, 9 Dec 2014 01:31:35 +0100
References: <115251417993747@web27m.yandex.ru> <75F1B874-8BF5-4500-A9EB-9A6E3F90C3F2@netgate.com>

On Mon, Dec 8, 2014 at 4:27 PM, Maxim Khitrov wrote:
> On Sun, Dec 7, 2014 at 9:22 PM, Jim Thompson wrote:
>> OpenBSD may eventually grow proper multicore support, but that is of
>> little concern to the FreeBSD project. It took FreeBSD years to get
>> proper multicore support, and I doubt
>> OpenBSD gets there any faster. Nor have they started. This is bad news
>> for OpenBSD, because the world is now multicore, 1Gbps are common (I have
>> one to my house) and 10Gbps connections are increasingly common.
>> OpenBSD's "pf" doesn't even handle 1Gbps unless
>
> How many of your 1 Gbps links are handling 1.488 Mpps? I wasn't very
> interested in that use case when I did my testing, so for me, OpenBSD
> 5.3 handled 4.2 Gbps (MTU 1500) with Intel X540 NIC and Xeon
> E3-1275v2. If I did the math right, that's ~0.35 Mpps:
>
> http://marc.info/?l=openbsd-misc&m=137600809910496&w=2
>

If your firewall is using a Gbps link you should take care of supporting the maximum Gigabit Ethernet throughput of 1.488Mpps: it's too easy to DOS any kind of OpenBSD firewall with a simple user-land tool like src/tools/tools/netrate/netblast. You only need to generate about 700Kpps for an OpenBSD 5.4 (I didn't test a more recent release).
But the performance of a firewall isn't limited to the "forwarding performance" (and the unit is a throughput in packets per second, not a bandwidth): there are lots more parameters to take care of (cf. RFC 3511, "Benchmarking Methodology for Firewall Performance").

Regards,
Olivier

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 9 01:01:29 2014
From: Manas Bhatnagar
To: freebsd-pf@freebsd.org
Subject: Forwarding packets generated through a VPN connection to a different subnet
Date: Mon, 8 Dec 2014 20:01:27 -0500

Hello,

I have an OpenVPN server that is configured to hand out IP addresses on the 10.8.0.0/24 network; it creates a tun0 device. I also have an interface on the machine that is configured with the IP 10.8.1.11; this is on the em1 interface. I am able to ping other machines on the 10.8.1.0/24 network from the machine. However, as an OpenVPN client, when I try to ping any address on the 10.8.1.0/24 network other than 10.8.1.11, I do not receive a response.

My attempt at making this work was through using NAT with PF. This is the line in my /etc/pf.conf:

nat on tun0 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)

When I run tcpdump -i tun0 on the machine I see the ICMP packets being generated by the OpenVPN client. But, when I check the traffic on em1 with tcpdump, the source address is still in the 10.8.0.0/24 range.

I have also tried the following pf.conf:

rdr on tun0 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)
nat on em1 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)
rdr on em1 from 10.8.1.0/24 to 10.8.0.0/24 -> (tun0)

With the same results. Please let me know how this can be configured. This is on 10.1-RELEASE.
Thanks,
Manas

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 9 04:07:06 2014
From: Manas Bhatnagar
To: freebsd-pf@freebsd.org
Subject: Re: Forwarding packets generated through a VPN connection to a different subnet
Date: Mon, 8 Dec 2014 23:07:03 -0500
In-Reply-To: <548655C6.3090709@heuristicsystems.com.au>
References: <548655C6.3090709@heuristicsystems.com.au>

On Mon, Dec 8, 2014 at 8:52 PM, Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au> wrote:
> You shouldn't need a firewall to do nat or redirecting. I suspect that:
> a) the openvpn server isn't setup for forwarding
> b) the clients don't have a correct route established
>
> I'd suggest that you turn off pf, using pfctl -d and watch what happens
> on your em1 interface, as that might also provide a clue (ie tcpdump -ni
> em1 )
>
> If this assists please provide a reply to the mailing list so others may
> benefit. :)
>
> Regards, Dewayne

It is working now. OpenVPN is configured to push the route:

push "route 10.8.1.0 255.255.255.0"

to clients. Gateway is not pushed to the client.

The line in PF that works is:

nat on em1 from 10.8.0.0/24 to any -> (em1)

Thanks for the input!

Thanks,
Manas

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 12 02:39:14 2014
From: Craig Rodrigues
To: suraj sandhu
Cc: freebsd-pf@freebsd.org
Subject: Re: VIMAGE/VNETs support for PF
Date: Thu, 11 Dec 2014 18:39:04 -0800
Message-ID: <20141212023904.GA2184@dibbler.crodrigues.org>

On Thu, Nov 13, 2014 at 02:17:54PM -0500, suraj sandhu wrote:
> Hi all,
>
> I am working on a product which used ipfilter but since ipfilter is not
> supported by the FreeBSD community anymore and doesn't support VNETs, I
> need to make a choice between IPFW and PF.
>
> I know IPFW is supported and works with VIMAGE, can someone here please let
> me know if the PF also works with VIMAGE, specifically in FreeBSD 9?

Can you describe what kind of product you are working on, and your requirements?

Are you interested in:

(1) Using a system with VIMAGE compiled into the kernel, using the packet filter (IPFW, ipfilter, or PF) *not* inside a VNET jail.

(2) Using a system with VIMAGE compiled into the kernel, *and* using the packet filter (IPFW, ipfilter, or PF) inside a VNET jail.

My experience on what works in FreeBSD 9 is based on working with FreeNAS (which is derived from FreeBSD 9):

ipfw: Seems to work with (1) or (2) with least problems, but needs more investigation
pf: Seems to work with (1), but (2) has problems some of which are fixed in FreeBSD 10
ipfilter: crashes on bootup

I committed one fix for ipfilter which is not in FreeBSD 9: https://lists.freebsd.org/pipermail/svn-src-all/2014-November/095036.html which addresses (1) but not (2).

--
Craig