From owner-freebsd-pf@freebsd.org Sun Aug 7 08:27:05 2016
Date: Sun, 7 Aug 2016 10:26:52 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Firewalling jails and lo0
Message-ID: <20160807082651.GA87754@box-hlm-03.niklaas.eu>
In-Reply-To: <3C1C4822-17C2-42D9-A9BE-C3549B9B6F25@lists.zabbadoz.net>

Bjoern A. Zeeb [2016-08-06 20:02 +0000]:

> I am curious about this. Can you give me an (obfuscated) example? (if
> you want in private email)

-- $ jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
[...]
     7  mx.box-hlm-03.niklaas.eu      /usr/local/jails/smtp1
        smtp1                         ACTIVE
        8
        10.3.8.1
        fd16:dcc0:f4cc:3::8:1
[...]
    24  proxy1.box-hlm-03.niklaas.eu  /usr/local/jails/proxy1
        proxy1                        ACTIVE
        5
        10.3.2.1
        10.77.2.1
        fd16:dcc0:f4cc:3::2:1
        fd16:dcc0:f4cc:77::2:1
[...]
--

-- $ ifconfig lo1
lo1: flags=8049 metric 0 mtu 16384
        options=600003
        [...]
        inet 10.3.8.1 netmask 0xffff0000
        inet6 fd16:dcc0:f4cc:3::8:1 prefixlen 64
        [...]
        inet 10.3.2.1 netmask 0xffff0000
        inet 10.77.2.1 netmask 0xffff0000
        inet6 fd16:dcc0:f4cc:3::2:1 prefixlen 64
        inet6 fd16:dcc0:f4cc:77::2:1 prefixlen 64
        [...]
        nd6 options=21
--

The following is a /full/ output:

-- $ ifconfig lo0
lo0: flags=8049 metric 0 mtu 16384
        options=600003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21
--

So, as you can see, the jails only have IP addresses on lo1 and
none of them has one on lo0. To make that clear:

-- $ jexec smtp1 ifconfig
[...]
lo0: flags=8049 metric 0 mtu 16384
        options=600003
        nd6 options=21
lo1: flags=8049 metric 0 mtu 16384
        options=600003
        inet 10.3.8.1 netmask 0xffff0000
        inet6 fd16:dcc0:f4cc:3::8:1 prefixlen 64
        nd6 options=21
[...]
--

In my pf.conf I have the following. This is a simplified extract:

-- /etc/pf.conf
 1 ext_if = vtnet0
 2 jail_if = lo1
 3
 4 table persist
 5 table persist
 6
 7 set skip on lo0
 8
 9 nat on $ext_if from { } to any ->
10
11 block log all
12
13 pass out all keep state
14
15 pass in on $jail_if proto tcp from to port { }
--

As you can see I have a principal block in line 11, and skip is
set on lo0 solely. That said, I block on lo1. Because of this,
I pass on lo1 in line 19. I thought this is necessary.

However, here comes the thing: Although the jails have IP addresses
attached to lo1 only, I can see traffic like the following:

-- $ tcpdump -nettti lo0 host 10.3.2.1
00:00:00.023424 AF IPv4 (2), length 64: 10.3.2.1.51096 > 10.3.8.1.9025: Flags [S], seq 4205430985, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 349909592 ecr 0], length 0
00:00:00.000064 AF IPv4 (2), length 64: 10.3.8.1.9025 > 10.3.2.1.51096: Flags [S.], seq 3921176095, ack 4205430986, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 3273771227 ecr 349909592], length 0
00:00:00.000023 AF IPv4 (2), length 56: 10.3.2.1.51096 > 10.3.8.1.9025: Flags [.], ack 1, win 1275, options [nop,nop,TS val 349909592 ecr 3273771227], length 0
--

-- $ tcpdump -nettti lo0 host fd16:dcc0:f4cc:3::8:1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
00:00:00.000000 AF IPv6 (28), length 84: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [S], seq 3339315349, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 352469079 ecr 0], length 0
00:00:00.000035 AF IPv6 (28), length 84: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [S.], seq 3726000680, ack 3339315350, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 306734766 ecr 352469079], length 0
00:00:00.000044 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [.], ack 1, win 1274, options [nop,nop,TS val 352469079 ecr 306734766], length 0
00:00:05.060320 AF IPv6 (28), length 107: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [P.], seq 1:32, ack 1, win 1274, options [nop,nop,TS val 306739827 ecr 352469079], length 31
00:00:00.000113 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [F.], seq 32, ack 1, win 1274, options [nop,nop,TS val 306739827 ecr 352469079], length 0
00:00:00.000025 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [.], ack 33, win 1273, options [nop,nop,TS val 352474140 ecr 306739827], length 0
00:00:00.000413 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [F.], seq 1, ack 33, win 1274, options [nop,nop,TS val 352474140 ecr 306739827], length 0
--

As you can see, this is on lo0 although the jails don't have an
IP address on it. That said, restricting traffic on lo1 doesn't
make any sense because the jails use lo0 anyway.

> Are these ::1 connections, link-local addresses (unlikely as they should
> not be visible to jails), or full IP?

As you can see, they are full IP.

> And what’s the routing table entry in the base system for them?

Have a look at the following output of netstat (I removed some lines and cells):

-- $ netstat -rn
Routing tables

Internet:
Destination             Gateway                Flags  Netif   Expire
default                 < >                    UGS    vtnet0
10.0.0.0/8              link#4                 U      tap0
10.3.2.1                link#3                 UH     lo1
10.3.8.1                link#3                 UH     lo1
10.77.2.1               link#3                 UH     lo1
127.0.0.1               link#2                 UH     lo0

Internet6:
Destination             Gateway                Flags  Netif   Expire
::/96                   ::1                    UGRS   lo0
default                 < >                    UGS    vtnet0
::1                     link#2                 UH     lo0
::ffff:0.0.0.0/96       ::1                    UGRS   lo0
< >                     link#1                 U      vtnet0
< >                     link#1                 UHS    lo0
fd16:dcc0:f4cc:3::/64   link#3                 U      lo1
fd16:dcc0:f4cc:3::1     link#4                 UHS    lo0
fd16:dcc0:f4cc:3::2:1   link#3                 UHS    lo0
fd16:dcc0:f4cc:3::8:1   link#3                 UHS    lo0
fd16:dcc0:f4cc:77::/64  link#3                 U      lo1
fd16:dcc0:f4cc:77::2:1  link#3                 UHS    lo0
fe80::/10               ::1                    UGRS   lo0
fe80::%vtnet0/64        link#1                 U      vtnet0
fe80::< >%vtnet0        link#1                 UHS    lo0
fe80::%lo0/64           link#2                 U      lo0
fe80::1%lo0             link#2                 UHS    lo0
fe80::%tap0/64          link#4                 U      tap0
fe80::< >%tap0          link#4                 UHS    lo0
ff01::%vtnet0/32        < >%vtnet0             U      vtnet0
ff01::%lo0/32           ::1                    U      lo0
ff01::%lo1/32           fd16:dcc0:f4cc:3::1:1  U      lo1
ff01::%tap0/32          fd16:dcc0:f4cc:3::1    U      tap0
ff02::/16               ::1                    UGRS   lo0
ff02::%vtnet0/32        < >%vtnet0             U      vtnet0
ff02::%lo0/32           ::1                    U      lo0
ff02::%lo1/32           fd16:dcc0:f4cc:3::1:1  U      lo1
ff02::%tap0/32          fd16:dcc0:f4cc:3::1    U      tap0
--

> especially, do they have any IP address assigned to lo0 in them at all?

No, they don't.

Niklaas

From owner-freebsd-pf@freebsd.org Sun Aug 7 14:20:25 2016
Date: Sun, 07 Aug 2016 10:20:24 -0400
From: Ernie Luzar
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Firewalling jails and lo0
Message-ID: <57A743A8.10005@gmail.com>
In-Reply-To: <20160807082651.GA87754@box-hlm-03.niklaas.eu>

Niklaas Baudet von Gersdorff wrote:
> Bjoern A. Zeeb [2016-08-06 20:02 +0000]:
>
>> I am curious about this. Can you give me an (obfuscated) example? (if
>> you want in private email)
>
> -- $ jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
> [...]
>      7  mx.box-hlm-03.niklaas.eu      /usr/local/jails/smtp1
>         smtp1                         ACTIVE
>         8
>         10.3.8.1
>         fd16:dcc0:f4cc:3::8:1
> [...]
>     24  proxy1.box-hlm-03.niklaas.eu  /usr/local/jails/proxy1
>         proxy1                        ACTIVE
>         5
>         10.3.2.1
>         10.77.2.1
>         fd16:dcc0:f4cc:3::2:1
>         fd16:dcc0:f4cc:77::2:1
> [...]
> --
>
> -- $ ifconfig lo1
> lo1: flags=8049 metric 0 mtu 16384
>         options=600003
>         [...]
>         inet 10.3.8.1 netmask 0xffff0000
>         inet6 fd16:dcc0:f4cc:3::8:1 prefixlen 64
>         [...]
>         inet 10.3.2.1 netmask 0xffff0000
>         inet 10.77.2.1 netmask 0xffff0000
>         inet6 fd16:dcc0:f4cc:3::2:1 prefixlen 64
>         inet6 fd16:dcc0:f4cc:77::2:1 prefixlen 64
>         [...]
>         nd6 options=21
> --
>
> The following is a /full/ output:
>
> -- $ ifconfig lo0
> lo0: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>         inet 127.0.0.1 netmask 0xff000000
>         nd6 options=21
> --
>
> So, as you can see, the jails only have IP addresses on lo1 and
> none of them has one on lo0. To make that clear:
>
> -- $ jexec smtp1 ifconfig
> [...]
> lo0: flags=8049 metric 0 mtu 16384
>         options=600003
>         nd6 options=21
> lo1: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet 10.3.8.1 netmask 0xffff0000
>         inet6 fd16:dcc0:f4cc:3::8:1 prefixlen 64
>         nd6 options=21
> [...]
> --
>
> In my pf.conf I have the following. This is a simplified extract:
>
> -- /etc/pf.conf
>  1 ext_if = vtnet0
>  2 jail_if = lo1
>  3
>  4 table persist
>  5 table persist
>  6
>  7 set skip on lo0
>  8
>  9 nat on $ext_if from { } to any ->
> 10
> 11 block log all
> 12
> 13 pass out all keep state
> 14
> 15 pass in on $jail_if proto tcp from to port { }
> --
>
> As you can see I have a principal block in line 11, and skip is
> set on lo0 solely. That said, I block on lo1. Because of this,
> I pass on lo1 in line 19. I thought this is necessary.
>
> However, here comes the thing: Although the jails have IP addresses
> attached to lo1 only, I can see traffic like the following:
>
> -- $ tcpdump -nettti lo0 host 10.3.2.1
> 00:00:00.023424 AF IPv4 (2), length 64: 10.3.2.1.51096 > 10.3.8.1.9025: Flags [S], seq 4205430985, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 349909592 ecr 0], length 0
> 00:00:00.000064 AF IPv4 (2), length 64: 10.3.8.1.9025 > 10.3.2.1.51096: Flags [S.], seq 3921176095, ack 4205430986, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 3273771227 ecr 349909592], length 0
> 00:00:00.000023 AF IPv4 (2), length 56: 10.3.2.1.51096 > 10.3.8.1.9025: Flags [.], ack 1, win 1275, options [nop,nop,TS val 349909592 ecr 3273771227], length 0
> --
>
> -- $ tcpdump -nettti lo0 host fd16:dcc0:f4cc:3::8:1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
> 00:00:00.000000 AF IPv6 (28), length 84: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [S], seq 3339315349, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 352469079 ecr 0], length 0
> 00:00:00.000035 AF IPv6 (28), length 84: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [S.], seq 3726000680, ack 3339315350, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 306734766 ecr 352469079], length 0
> 00:00:00.000044 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [.], ack 1, win 1274, options [nop,nop,TS val 352469079 ecr 306734766], length 0
> 00:00:05.060320 AF IPv6 (28), length 107: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [P.], seq 1:32, ack 1, win 1274, options [nop,nop,TS val 306739827 ecr 352469079], length 31
> 00:00:00.000113 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [F.], seq 32, ack 1, win 1274, options [nop,nop,TS val 306739827 ecr 352469079], length 0
> 00:00:00.000025 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [.], ack 33, win 1273, options [nop,nop,TS val 352474140 ecr 306739827], length 0
> 00:00:00.000413 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [F.], seq 1, ack 33, win 1274, options [nop,nop,TS val 352474140 ecr 306739827], length 0
> --
>
> As you can see, this is on lo0 although the jails don't have an
> IP address on it. That said, restricting traffic on lo1 doesn't
> make any sense because the jails use lo0 anyway.
>
>> Are these ::1 connections, link-local addresses (unlikely as they should
>> not be visible to jails), or full IP?
>
> As you can see, they are full IP.
>
>> And what’s the routing table entry in the base system for them?
>
> Have a look at the following output of netstat (I removed some lines and cells):
>
> -- $ netstat -rn
> Routing tables
>
> Internet:
> Destination             Gateway                Flags  Netif   Expire
> default                 < >                    UGS    vtnet0
> 10.0.0.0/8              link#4                 U      tap0
> 10.3.2.1                link#3                 UH     lo1
> 10.3.8.1                link#3                 UH     lo1
> 10.77.2.1               link#3                 UH     lo1
> 127.0.0.1               link#2                 UH     lo0
>
> Internet6:
> Destination             Gateway                Flags  Netif   Expire
> ::/96                   ::1                    UGRS   lo0
> default                 < >                    UGS    vtnet0
> ::1                     link#2                 UH     lo0
> ::ffff:0.0.0.0/96       ::1                    UGRS   lo0
> < >                     link#1                 U      vtnet0
> < >                     link#1                 UHS    lo0
> fd16:dcc0:f4cc:3::/64   link#3                 U      lo1
> fd16:dcc0:f4cc:3::1     link#4                 UHS    lo0
> fd16:dcc0:f4cc:3::2:1   link#3                 UHS    lo0
> fd16:dcc0:f4cc:3::8:1   link#3                 UHS    lo0
> fd16:dcc0:f4cc:77::/64  link#3                 U      lo1
> fd16:dcc0:f4cc:77::2:1  link#3                 UHS    lo0
> fe80::/10               ::1                    UGRS   lo0
> fe80::%vtnet0/64        link#1                 U      vtnet0
> fe80::< >%vtnet0        link#1                 UHS    lo0
> fe80::%lo0/64           link#2                 U      lo0
> fe80::1%lo0             link#2                 UHS    lo0
> fe80::%tap0/64          link#4                 U      tap0
> fe80::< >%tap0          link#4                 UHS    lo0
> ff01::%vtnet0/32        < >%vtnet0             U      vtnet0
> ff01::%lo0/32           ::1                    U      lo0
> ff01::%lo1/32           fd16:dcc0:f4cc:3::1:1  U      lo1
> ff01::%tap0/32          fd16:dcc0:f4cc:3::1    U      tap0
> ff02::/16               ::1                    UGRS   lo0
> ff02::%vtnet0/32        < >%vtnet0             U      vtnet0
> ff02::%lo0/32           ::1                    U      lo0
> ff02::%lo1/32           fd16:dcc0:f4cc:3::1:1  U      lo1
> ff02::%tap0/32          fd16:dcc0:f4cc:3::1    U      tap0
> --
>
>> especially, do they have any IP address assigned to lo0 in them at all?
>
> No, they don't.
>
> Niklaas

I believe the loopback interface lo1 needs 127.0.0.0/8 ip address to enable
loopback functionally, and the ip address has to be a different sub-net. IE
127.0.10.1 for lo1 while the host's lo0 uses 127.0.0.1

From owner-freebsd-pf@freebsd.org Sun Aug 7 15:23:53 2016
Date: Sun, 7 Aug 2016 17:23:47 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Firewalling jails and lo0
Message-ID: <20160807152347.GA9178@len-t420.klaas>
In-Reply-To: <57A743A8.10005@gmail.com>

Ernie Luzar [2016-08-07 10:20 -0400]:

> I believe the loopback interface lo1 needs 127.0.0.0/8 ip address to enable
> loopback functionally, and the ip address has to be a different sub-net. IE
> 127.0.10.1 for lo1 while the host's lo0 uses 127.0.0.1

Aha. So once I assigned those traffic from/to jails should go
through lo1 solely?

Niklaas

From owner-freebsd-pf@freebsd.org Sun Aug 7 17:20:48 2016
Date: Sun, 07 Aug 2016 13:20:54 -0400
From: Ernie Luzar
To: freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Firewalling jails and lo0
Message-ID: <57A76DF6.6090905@gmail.com>
In-Reply-To: <20160807152347.GA9178@len-t420.klaas>

Niklaas Baudet von Gersdorff wrote:
> Ernie Luzar [2016-08-07 10:20 -0400]:
>
>> I believe the loopback interface lo1 needs 127.0.0.0/8 ip address to enable
>> loopback functionally, and the ip address has to be a different sub-net. IE
>> 127.0.10.1 for lo1 while the host's lo0 uses 127.0.0.1
>
> Aha. So once I assigned those traffic from/to jails should go
> through lo1 solely?
>
> Niklaas

YES.

I am still missing info on your jail.conf. Post the jail.conf file for
the jails in question.

Also what services are running on the host that you want to communicate
with the smtp jail. You have to change the smtp config file to tell it
to use the new lo1:127.0.10.2 ip address and you have to do the same
thing for whatever host service will communicate with the smtp jail.
They all have to be using the same lo1:127.0.10.2 ip. Most admin just
keep those types of services on the host because it's just easier.

From owner-freebsd-pf@freebsd.org Mon Aug 8 08:19:19 2016
Date: Mon, 8 Aug 2016 10:19:10 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Firewalling jails and lo0
Message-ID: <20160808081910.GA27370@box-hlm-03.niklaas.eu>
In-Reply-To: <57A76DF6.6090905@gmail.com>

Ernie Luzar [2016-08-07 13:20 -0400]:

> > Aha. So once I assigned those traffic from/to jails should go
> > through lo1 solely?
>
> YES.

Thank you for clarifying that and your help. So, I attached
additional IP addresses on the jail host side accordingly:

    lo1: flags=8049 metric 0 mtu 16384
            options=600003
            [...]
            inet 127.77.0.1 netmask 0xff000000
            inet6 ::77:0:0:0:1 prefixlen 128
            nd6 options=21

However, I still see packets being transmitted over lo0. What
I tried then was attaching loopback addresses to the jails, like
127.77.2.1/8 and ::77:0:0:2:1/128. I did that for two jails (each
on a different subnet) and checked with telnet whether they would
start communicating over lo1. They didn't though.

> I am still missing info on your jail.conf. Post the jail.conf file for the
> jails in question.

The following is an extract of /etc/jail.conf.

    $box = "box-hlm-03";
    $box_jail_net = "3";

    $private_ip4 = "10.$box_jail_net.$network.$id";
    $private_ip4_prefixlen = "16";
    $private_ip6 = "fd16:dcc0:f4cc:$box_jail_net::$network:$id";
    $private_ip6_prefixlen = "64";
    $local_ip4 = "10.77.$network.$id";
    $local_ip6 = "fd16:dcc0:f4cc:77::$network:$id";
    $loopback_ip4 = "127.77.$network.$id";
    $loopback_ip6 = "0:0:0:77::$network:$id";
    $loopback_ip4_prefixlen = "8";
    $loopback_ip6_prefixlen = "128";

    host.hostname = "$name.$box.klaas";
    path = "/usr/local/jails/$name";
    ip4.addr = "lo1|$private_ip4/$private_ip4_prefixlen";
    ip6.addr = "lo1|$private_ip6/$private_ip6_prefixlen";
    ip4.addr += "lo1|$local_ip4/$private_ip4_prefixlen";
    ip6.addr += "lo1|$local_ip6/$private_ip6_prefixlen";
    ip4.addr += "lo1|$loopback_ip4/$loopback_ip4_prefixlen";
    ip6.addr += "lo1|$loopback_ip6/$loopback_ip6_prefixlen";
    mount = "/usr/local/jails/templates/base-10.3-RELEASE /usr/local/jails/$name nullfs ro 0 0";
    mount += "/usr/local/jails/thinjails/$name /usr/local/jails/$name/jail nullfs rw 0 0";
    mount.devfs;

    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;

    exec.prestart = "pfctl -t $class -T add $private_ip4 $private_ip6 $local_ip6 $local_ip4";
    exec.prestop = "pfctl -t $class -T delete $private_ip4 $private_ip6 $local_ip6 $local_ip4";

    exec.consolelog = "/usr/local/jails/$name.log";

    proxy1 {
        host.hostname = "$name.$box.niklaas.eu";
        $network = 2;
        $id = 1;
        $class = "proxy";
        exec.poststart += "echo 'rdr pass inet6 proto tcp to ( vtnet0 ) port { http https imaps submission smtp } -> $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
        exec.poststart += "echo 'rdr pass inet proto tcp to ( vtnet0 ) port { http https imaps submission smtp } -> $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
        exec.poststop += "pfctl -a jails/$name-ipv6 -F all";
        exec.poststop += "pfctl -a jails/$name-ipv4 -F all";
    }

    smtp1 {
        host.hostname = "mx.$box.niklaas.eu";
        $network = 8;
        $id = 1;
        $class = "mail";
    }

> Also what services are running on the host that you want to
> communicate with the smtp jail. You have to change the smtp
> config file to tell it to use the new lo1:127.0.10.2 ip address
> and you have to do the same thing for whatever host service
> will communicate with the smtp jail. They all have to be using
> the same lo1:127.0.10.2 ip. Most admin just keep those types of
> services on the host because it's just easier.

I am not sure whether I really want to do what you think I want
to. :-) I would like to restrict the jails to solely use the
interface they have an IP address attached to -- regardless of
the running services in them. The only reason why I intend such
a restriction is to limit the damage a potentially malicious jail
can cause to other jails. If I configured the services to listen
on the address you described above -- while I might make them use
lo1 exclusively -- this would not prevent any malicious program
from using lo0.

My issue can be reduced to the question: When using jails, to
secure network traffic as best as I can, do I have to enable the
firewall on lo0 or is enabling it on the interface they are
attached to (in my case lo1) enough? And: What do I need to do to
restrict jails from using lo0?

Sorry, if I misunderstood you.
Niklaas

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 208140] panic: page fault in pf
Date: Mon, 08 Aug 2016 08:26:10 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208140

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
                 CC|freebsd-amd64@FreeBSD.org   |

-- 
You are receiving this mail because:
You are the assignee for the bug.

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 210924] 10.3-STABLE - PF - possible regression in pf.conf set timeout interval
Date: Mon, 08 Aug 2016 12:40:34 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210924

Oliver Peter changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|New                         |Closed

--- Comment #7 from Oliver Peter ---
Thanks guys!
From: "Bjoern A. Zeeb"
To: "Niklaas Baudet von Gersdorff"
Cc: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Firewalling jails and lo0
Date: Mon, 08 Aug 2016 16:10:36 +0000
Message-ID: <474892D3-A01C-43B2-AF07-E383CD81188E@lists.zabbadoz.net>
In-Reply-To: <20160808081910.GA27370@box-hlm-03.niklaas.eu>

On 8 Aug 2016, at 8:19, Niklaas Baudet von Gersdorff wrote:

> Ernie Luzar [2016-08-07 13:20 -0400] :
>
>>> Aha. So once I assigned those traffic from/to jails should go
>>> through lo1 solely?
>>
>> YES.
>
> Thank you for clarifying that and your help. So, I attached
> additional IP addresses on the jail host side accordingly:

…

> My issue can be reduced to the question: When using jails, to
> secure network traffic as best as I can, do I have to enable the
> firewall on lo0 or is enabling it on the interface they are
> attached to (in my case lo1) enough?
>
> And: What do I need to do to restrict jails from using lo0?

The problem I think is that the routes (see one of your earlier emails)
for the jail loopback IP addresses are pointing to lo0 and not lo1.

If you’d manually issue a

    route change -host -inet6 fd16:dcc0:f4cc:3::2:1 -iface lo1

Hmm probably not…

root@rabbit4:~ # ifconfig lo1 create
lo1: bpf attached
root@rabbit4:~ # ifconfig lo1 inet6 fd16:dcc0:f4cc:3::2:1/128 alias
root@rabbit4:~ # route get -inet6 fd16:dcc0:f4cc:3::2:1
   route to: fd16:dcc0:f4cc:3::2:1
destination: fd16:dcc0:f4cc:3::2:1
        fib: 0
  interface: lo0
      flags:
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0
root@rabbit4:~ # route change -host -inet6 fd16:dcc0:f4cc:3::2:1 -iface lo1
change host fd16:dcc0:f4cc:3::2:1: gateway lo1 fib 0
root@rabbit4:~ # route get -inet6 fd16:dcc0:f4cc:3::2:1
   route to: fd16:dcc0:f4cc:3::2:1
destination: fd16:dcc0:f4cc:3::2:1
        fib: 0
  interface: lo0
      flags:
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0

Still points to lo0. That is interesting. I think at this point you
have to assume packets go over lo0 and firewall there.

I wonder if this is a bug or a feature …

/bz

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 210924] 10.3-STABLE - PF - possible regression in pf.conf set timeout interval
Date: Tue, 09 Aug 2016 03:40:19 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210924

--- Comment #8 from commit-hook@freebsd.org ---
A commit references this bug:

Author: loos
Date: Tue Aug 9 03:39:21 UTC 2016
New revision: 303864
URL: https://svnweb.freebsd.org/changeset/base/303864

Log:
  MFC r303760:
    Fix a regression in pf.conf while parsing the 'interval' keyword.
    The bug was introduced by r287009.

  PR: 210924
  Submitted by: kp@
  Sponsored by: Rubicon Communications (Netgate)
  Pointy hat to: loos
  Approved by: re (gjb)

Changes:
_U  stable/11/
  stable/11/sbin/pfctl/parse.y

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 210924] 10.3-STABLE - PF - possible regression in pf.conf set timeout interval
Date: Tue, 09 Aug 2016 03:48:21 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210924

--- Comment #9 from commit-hook@freebsd.org ---
A commit references this bug:

Author: loos
Date: Tue Aug 9 03:47:38 UTC 2016
New revision: 303865
URL: https://svnweb.freebsd.org/changeset/base/303865

Log:
  MFC r303760:
    Fix a regression in pf.conf while parsing the 'interval' keyword.
    The bug was introduced by r287009.

  PR: 210924
  Submitted by: kp@
  Sponsored by: Rubicon Communications (Netgate)

Changes:
_U  stable/10/
  stable/10/sbin/pfctl/parse.y

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly
Date: Tue, 09 Aug 2016 14:26:29 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

Vladislav V. Prodan changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |admin@support.od.ua

--- Comment #13 from Vladislav V. Prodan ---
(In reply to clbuisson from comment #11)

Show please your network diagram - L1 and L2.
As well as the route to the external IP.

I'm on FreeBSD 10.3-STABLE r302074 bunch of miracles happening with traceroute :(
Only I still used carp, route-to with several uplinks ...

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly
Date: Tue, 09 Aug 2016 14:30:05 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

--- Comment #14 from Kristof Provost ---
(In reply to Vladislav V. Prodan from comment #13)
I've been talking to clbuisson@orange.fr in private, and it looks like there is
indeed something wrong in 10.3, but not in 11 or 12. Right now I have no idea
why.

From: Radek Krejča
To: "'freebsd-pf@freebsd.org'"
Subject: Max altq bandwidth 4.26 Gbit
Date: Wed, 10 Aug 2016 09:28:27 +0200

Hello again,

I need to shape 10G traffic, but I can't make bandwidth higher than 4.26 Gbit:

pfctl shows:

altq on int0 cbq bandwidth 4.26Gb tbrsize 36000 queue { default_nat..............

but in pf.conf is:

altq on $int_if cbq bandwidth 8550Mb queue { default_nat..........

or

altq on $int_if cbq bandwidth 10Gb queue { default_nat........

Thank you for help
Radek

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly
Date: Wed, 10 Aug 2016 09:08:21 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

Franco Fichtner changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |franco@opnsense.org

--- Comment #15 from Franco Fichtner ---
I can confirm that the patches break traceroute output on 10.3. Can this be
reopened?

From: "Kristof Provost"
To: "Radek Krejča"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Max altq bandwidth 4.26 Gbit
Date: Wed, 10 Aug 2016 11:11:53 +0200

On 10 Aug 2016, at 9:28, Radek Krejča wrote:

> I need to shape 10G traffic, but I can't make bandwidth higher than
> 4.26 Gbit:
>
> pfctl shows:
>
> altq on int0 cbq bandwidth 4.26Gb tbrsize 36000 queue {
> default_nat..............
>
> but in pf.conf is:
>
> altq on $int_if cbq bandwidth 8550Mb queue { default_nat..........
>
> or
>
> altq on $int_if cbq bandwidth 10Gb queue { default_nat........
>
That looks like you might be hitting the maximum of an unsigned
integer.
Try using relative specifications (i.e. as a percentage) instead.

Regards,
Kristof

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly
Date: Wed, 10 Aug 2016 09:12:57 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|9.3-RELEASE                 |10.3-STABLE
             Status|Closed                      |In Progress
           Assignee|freebsd-pf@FreeBSD.org      |kp@freebsd.org
         Resolution|FIXED                       |---

--- Comment #16 from Kristof Provost ---
Yes, it's on the top of my list.

From: Radek Krejča
To: 'Kristof Provost'
CC: "'freebsd-pf@freebsd.org'"
Subject: RE: Max altq bandwidth 4.26 Gbit
Date: Wed, 10 Aug 2016 11:19:37 +0200

> That looks like you might be hitting the maximum of an unsigned
> integer.
> Try using relative specifications (i.e. as a percentage) instead.
>

Hello Kristof,

Yes, I think so. But I don't know, that I can say relative specification for interface bandwidth. Could you show me how?

I have 10Gb line and I need to shape my client with exact bandwidth. How can I manage with your advice?

PS: I have 64bit version of FBSD.

Thank you very much
Radek

From: "Kristof Provost"
To: "Radek Krejča"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Max altq bandwidth 4.26 Gbit
Date: Wed, 10 Aug 2016 11:30:23 +0200
Message-ID: <13955BA9-910E-4C4A-B86A-5A355F8A10C9@FreeBSD.org>

On 10 Aug 2016, at 11:19, Radek Krejča wrote:

>> That looks like you might be hitting the maximum of an unsigned
>> integer.
>> Try using relative specifications (i.e. as a percentage) instead.
>>
> Yes, I think so. But I don't know, that I can say relative
> specification for interface bandwidth. Could you show me how?
>
I don’t run ALTQ myself, so all I can say is what the man page says:

     bandwidth ⟨bw⟩
             The maximum bitrate for all queues on an interface may be
             specified using the bandwidth keyword. The value can be
             specified as an absolute value or as a percentage of the
             interface bandwidth. When using an absolute value, the
             suffixes b, Kb, Mb, and Gb are used to represent bits,
             kilobits, megabits, and gigabits per second, respectively.
             The value must not exceed the interface bandwidth. If
             bandwidth is not specified, the interface bandwidth is used
             (but take note that some interfaces do not know their
             bandwidth, or can adapt their bandwidth rates).

I’d expect that ‘altq on $int_if cbq bandwidth 85% queue {
default_nat.........’ would do what you want.
Looking at the code, I’m not at all sure that it’ll end up working
either, but it’s worth a try.

Fundamentally, we’ll have to change pf (and worse, the interface to
user space) to use 64-bit integers to carry bandwidth information, not
32-bit ones.
Can you file a bug so this doesn’t get forgotten?

> I have 10Gb line and I need to shape my client with exact bandwidth.
> How can I manage with your advice?
>
You can only specify integer percentages (so 85%, not 85.5%), so I’m
afraid you’ll lose some accuracy.

Regards,
Kristof

From: "Zeus Panchenko"
Subject: Re: wan1 as default, wan2 dedicated to a service
Date: Wed, 10 Aug 2016 14:47:26 +0300
Message-ID: <20160810144726.86913@relay.ibs.dn.ua>
In-reply-to: Your message of Fri, 5 Aug 2016 08:41:13 +0300
References: <20160805030555.53101@relay.ibs.dn.ua>

Max wrote:
> Probably you should use
> pass out log on $if_dvr reply-to ($if_wan2 $gw_wan2) to

thank you, Max, this helped

-- 
Zeus V. Panchenko                jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC              GMT+2 (EET)

From: Radek Krejča
To: 'Kristof Provost'
CC: "'freebsd-pf@freebsd.org'"
Subject: RE: Max altq bandwidth 4.26 Gbit
Date: Wed, 10 Aug 2016 14:38:36 +0200
In-Reply-To: <13955BA9-910E-4C4A-B86A-5A355F8A10C9@FreeBSD.org>

> I’d expect that ‘altq on $int_if cbq bandwidth 85% queue {
> default_nat.........’ would do what you want.
> Looking at the code, I’m not at all sure that it’ll end up working
> either, but it’s worth a try.
>
> Fundamentally, we’ll have to change pf (and worse, the interface to
> user space) to use 64-bit integers to carry bandwidth information, not
> 32-bit ones.
> Can you file a bug so this doesn’t get forgotten?
>
> > I have 10Gb line and I need to shape my client with exact bandwidth.
> > How can I manage with your advice?
> >
> You can only specify integer percentages (so 85%, not 85.5%), so I’m
> afraid you’ll lose some accuracy.


Hello again,

I have changed bandwidth to 100%, 90% or 95%. Syntax OK, but value stops at 1.27Gbit (it looks, that 1Gbit is default)

When I give ifconfig, I see:

media: Ethernet autoselect (10Gbase-SR <full-duplex,rxpause,txpause>)

It looks that "autodetection" of pf is broken too.

Thank you very much
Radek
From: "Kristof Provost"
To: "Radek Krejča"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Max altq bandwidth 4.26 Gbit
Date: Wed, 10 Aug 2016 14:42:30 +0200

On 10 Aug 2016, at 14:38, Radek Krejča wrote:
> I have changed bandwidth to 100%, 90% or 95%. Syntax OK, but value
> stops at 1.27Gbit (it looks, that 1Gbit is default)
>
> When I give ifconfig, I see:
>
> media: Ethernet autoselect (10Gbase-SR )
>
> It looks that "autodetection" of pf is broken too.
>
I was afraid of that. I think the issue there is that when pf asks for
the speed of the interface it puts a 64-bit value in a 32-bit field, so
the resulting value is incorrect.

Please do file a bug, because you’ve discovered a real problem and I’d
hate for it to get forgotten about.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Wed Aug 10 13:24:02 2016
From: Radek Krejča
To: 'Kristof Provost'
CC: "'freebsd-pf@freebsd.org'"
Date: Wed, 10 Aug 2016 15:23:58 +0200
Subject: RE: Max altq bandwidth 4.26 Gbit

From owner-freebsd-pf@freebsd.org Wed Aug 10 13:33:50 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Wed, 10 Aug 2016 13:33:49 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc assigned_to
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

--- Comment #1 from Kristof Provost ---
The root cause here is that pf uses 32-bit values for bandwidth values.
Relative values don't help. DIOCGIFSPEED also uses 32-bit values (which in the
kernel are simply assigned from a 64-bit value!).

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Wed Aug 10 14:13:14 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Wed, 10 Aug 2016 14:13:14 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

--- Comment #2 from Mahdi Mokhtari ---
Created attachment 173509
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=173509&action=edit
Patch Makes pf_ifspeed.baudrate uint64_t

(In reply to Kristof Provost from comment #1)
Does the attached patch fix it ?

From owner-freebsd-pf@freebsd.org Wed Aug 10 14:20:24 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Wed, 10 Aug 2016 14:20:23 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

--- Comment #3 from Kristof Provost ---
I don't have the hardware to test this, but I'm afraid the problem is a fair
bit harder to fix than just that.
It looks like the altq internals also use 32 bit values for bandwidth
configuration, so at a minimum altq will have to be fixed too.

This change will also change the ABI between kernel and user space, so it has
to be handled carefully. Likely that will mean supporting two versions for the
affected ioctl() commands for at least a full release.

From owner-freebsd-pf@freebsd.org Wed Aug 10 14:23:54 2016
From: Radek Krejča
To: 'Kristof Provost'
CC: "'freebsd-pf@freebsd.org'"
Date: Wed, 10 Aug 2016 16:23:50 +0200
Subject: RE: How to set tos to 0

From owner-freebsd-pf@freebsd.org Wed Aug 10 14:27:15 2016
From: "Kristof Provost"
To: "Radek Krejča"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: How to set tos to 0
Date: Wed, 10 Aug 2016 16:27:09 +0200

On 10 Aug 2016, at 16:23, Radek Krejča wrote:
> this patch seems to be working.
>
Thanks for testing!

> I will post bugreport.
>
The patch has already been committed to head (r303663).
A bug would still be useful so I don’t forget to merge it back to 11 and 10.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Wed Aug 10 14:37:35 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Wed, 10 Aug 2016 14:37:35 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

--- Comment #4 from Mahdi Mokhtari ---
(In reply to Kristof Provost from comment #3)
Ah, yes I see most of pf_altq.h is int32. And I guess we should change it too.

About your point on kernel ABI and ioctl(), I didn't get your point.
Do you mean we should make other version of DIOCGIFSPEED?

From owner-freebsd-pf@freebsd.org Wed Aug 10 16:58:52 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Wed, 10 Aug 2016 16:58:52 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

--- Comment #5 from rk@starnet.cz ---
(In reply to Mahdi Mokhtari from comment #4)

Hello,

I have hardware but it's production box - so when you say that you have working
patch, I can test it.

Radek

From owner-freebsd-pf@freebsd.org Wed Aug 10 17:41:43 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Wed, 10 Aug 2016 17:41:43 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

--- Comment #6 from Kristof Provost ---
(In reply to Mahdi Mokhtari from comment #4)
The problem with the ABI is that we can't rely on user space and kernel space
running the same code versions. If someone were to update the kernel, but not
the user space code (I don't think we support the reverse) they'd disagree
about the size of the bandwidth fields and things would break.

It'll likely be best to have two versions of the ioctl() command, one which
implements the old 32-bit behaviour (on the same ID as before!), and a new one
which implements the new 64-bit values.
That'd have to be supported for a bit, but hopefully it can be removed
eventually.

From owner-freebsd-pf@freebsd.org Wed Aug 10 18:48:54 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Wed, 10 Aug 2016 18:48:54 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

--- Comment #7 from Mahdi Mokhtari ---
(In reply to Kristof Provost from comment #6)
Aha :) I see. So you suggest we solve it by adding new IOCTL command.
Okay, lemme do a try. When I did it, I'll upload a patch for review (if you
have time).

From owner-freebsd-pf@freebsd.org Wed Aug 10 18:53:31 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Wed, 10 Aug 2016 18:53:31 +0000
Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Aug 2016 18:53:32 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D211730 --- Comment #8 from Mahdi Mokhtari --- (In reply to Mahdi Mokhtari from comment #7) Also, What about structs? Should we use Macros around/inside them of old/new versions? Or we should redefine new structs too ? --=20 You are receiving this mail because: You are the assignee for the bug.= From owner-freebsd-pf@freebsd.org Wed Aug 10 19:05:59 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D98E5BB50CA for ; Wed, 10 Aug 2016 19:05:59 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C97781760 for ; Wed, 10 Aug 2016 19:05:59 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u7AJ5xFK080000 for ; Wed, 10 Aug 2016 19:05:59 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 211730] pf uses 32bit value for bandwith with altq Date: Wed, 10 Aug 2016 19:05:59 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System 
X-Bugzilla-Component: kern X-Bugzilla-Version: 10.3-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: kp@freebsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Aug 2016 19:05:59 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D211730 --- Comment #9 from Kristof Provost --- That's a good question. I'd have to find a decent example somewhere myself. The ioctl codes actually encode the size of the struct, so perhaps there's = an alternate approach. A good first step would be to find all of the places that need to be fixed.= A patch which doesn't take the backwards compatibility into account would als= o be a good thing.=20 I still haven't even figured out which ioctl actually sets the altq configuration. (The DIOCGIFSPEED call just reads the interface link speed.) 

From owner-freebsd-pf@freebsd.org Thu Aug 11 14:10:55 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Thu, 11 Aug 2016 14:10:55 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
                 CC|freebsd-amd64@FreeBSD.org   |

From owner-freebsd-pf@freebsd.org Thu Aug 11 15:15:15 2016
Subject: RE: Max altq bandwidth 4.26 Gbit
To: freebsd-pf@freebsd.org
From: John Jasen
Message-ID: <756d9874-7a2c-e670-2a12-19b810877274@gmail.com>
Date: Thu, 11 Aug 2016 11:15:12 -0400

Should FreeBSD fix altq, or follow OpenBSD's lead in this regard?

http://undeadly.org/cgi?action=article&sid=20140419151959

On 08/11/2016 08:00 AM, freebsd-pf-request@freebsd.org wrote:
>
> Today's Topics:
>
>    1. RE: Max altq bandwidth 4.26 Gbit (Radek Krej?a)
>    2. Re: Max altq bandwidth 4.26 Gbit (Kristof Provost)
>    3. RE: Max altq bandwidth 4.26 Gbit (Radek Krej?a)
>

From owner-freebsd-pf@freebsd.org Thu Aug 11 19:23:05 2016
Subject: Re: Max altq bandwidth 4.26 Gbit
From: Lyndon Nerenberg
In-Reply-To: <756d9874-7a2c-e670-2a12-19b810877274@gmail.com>
Date: Thu, 11 Aug 2016 12:22:57 -0700
Message-Id: <17ADD883-CDE1-41F8-9F6A-CB5573ACBAE9@orthanc.ca>
To: freebsd-pf@freebsd.org

> On Aug 11, 2016, at 8:15 AM, John Jasen wrote:
>
> Should FreeBSD fix altq, or follow OpenBSD's lead in this regard?

If by this you mean start using OpenBSD's new traffic shaping scheme, that
would mean adopting OpenBSD's current pf(4) implementation. That debate has
been going on for longer than I can remember now.

While fixing ALTQ for 64 bits will be something of a pain, it pales in
comparison to a full-on pf(4) replacement.

From owner-freebsd-pf@freebsd.org Thu Aug 11 20:35:15 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Thu, 11 Aug 2016 20:35:15 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

--- Comment #10 from rk@starnet.cz ---
(In reply to Mahdi Mokhtari from comment #2)

Hello Mahdi,
I have recompiled kernel, but still the same:

in pf.conf:
altq on em0 cbq bandwidth 10Gb queue { default_nat,.....
queue default_nat bandwidth 8000Mb cbq (borrow, red, default)

And with pfctl -nvf /etc/pf.conf
altq on em0 cbq bandwidth 1.41Gb tbrsize 36000 queue { default_nat
queue root_em0 bandwidth 1.41Gb priority 0 cbq( wrr root )

Interesting thing:
If I use in pf.conf this:
altq on em0 cbq bandwidth 5000Mb queue { default_nat, \
with pfctl I see:
altq on em0 cbq bandwidth 705.03Mb tbrsize 36000 queue { default_nat

From owner-freebsd-pf@freebsd.org Thu Aug 11 20:44:50 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211730] pf uses 32bit value for bandwith with altq
Date: Thu, 11 Aug 2016 20:44:50 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211730

--- Comment #11 from Mahdi Mokhtari ---
(In reply to rk from comment #10)

Hi.
Thanks for feedback on this patch.

> Interesting thing:
The result you saw makes sense, cause (as Kristof pointed out too) I have to
change some other structs too.
I'll update patch ASAP.

From owner-freebsd-pf@freebsd.org Fri Aug 12 21:56:07 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 211796] missing htonl calls in pf range check
Date: Fri, 12 Aug 2016 21:56:07 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211796

Mahdi Mokhtari changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mokhi64@gmail.com
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org
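
The pfctl figures in comment #10 of bug 211730 above (1.41Gb for a configured 10Gb, 705.03Mb for 5000Mb) are exactly what remains of those rates after reduction modulo 2^32, which matches the bug title. The following is an added example, not pfctl or kernel code and not from any poster in this thread; every function name in it is hypothetical, and it accepts integer rates only. It parses a pf.conf-style bandwidth, stores it in a 32-bit field, and flags values that a rule-set check should reject before loading, since the shaper would otherwise enforce a silently lower limit than the one written in the config.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "10Gb", "5000Mb", "64Kb" or "1500b" (integers only) into bits/s.
 * Returns 0 on success, -1 on malformed input or 64-bit overflow. */
static int parse_bandwidth(const char *s, uint64_t *bps)
{
    char *end;
    uint64_t mult;

    if (!isdigit((unsigned char)s[0]))
        return -1;                       /* rejects "", "-5Gb", " 5Gb" */
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno != 0)
        return -1;
    if (strcmp(end, "b") == 0)       mult = 1ULL;
    else if (strcmp(end, "Kb") == 0) mult = 1000ULL;
    else if (strcmp(end, "Mb") == 0) mult = 1000000ULL;
    else if (strcmp(end, "Gb") == 0) mult = 1000000000ULL;
    else return -1;
    if (v > UINT64_MAX / mult)
        return -1;
    *bps = (uint64_t)v * mult;
    return 0;
}

/* Render a rate with a K/M/G suffix and at most two decimals. */
static void format_rate(uint64_t bps, char *buf, size_t len)
{
    static const char unit[] = { 0, 'K', 'M', 'G' };
    double r = (double)bps;
    int i = 0;

    while (r >= 1000.0 && i < 3) { r /= 1000.0; i++; }
    if (i == 0)
        snprintf(buf, len, "%llub", (unsigned long long)bps);
    else if ((long long)(r * 100.0) % 100 != 0)
        snprintf(buf, len, "%.2f%cb", r, unit[i]);
    else
        snprintf(buf, len, "%lld%cb", (long long)r, unit[i]);
}

/* Write to `out` what a 32-bit bandwidth field would hold for `cfg`.
 * Returns 1 if the value was truncated, 0 if it fits, -1 on parse error. */
static int effective_rate(const char *cfg, char *out, size_t len)
{
    uint64_t want;

    if (parse_bandwidth(cfg, &want) != 0)
        return -1;
    uint32_t stored = (uint32_t)want;    /* keeps only the low 32 bits */
    format_rate(stored, out, len);
    return want > UINT32_MAX;
}

int main(void)
{
    /* Constructed inputs: the two rates from comment #10 plus one that fits. */
    const char *cfg[] = { "10Gb", "5000Mb", "1Gb" };
    char shown[32];

    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++) {
        int rc = effective_rate(cfg[i], shown, sizeof shown);
        printf("%-7s -> %-9s %s\n", cfg[i], shown,
               rc == 1 ? "TRUNCATED" : "ok");
    }
    return 0;
}
```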