From owner-freebsd-pf@FreeBSD.ORG Mon Sep 26 11:02:16 2005
Date: Mon, 26 Sep 2005 11:02:15 GMT
Message-Id: <200509261102.j8QB2F86027119@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
List-Id: "Technical discussion and general questions about packet filter (pf)"

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271  pf    [pf] cbq scheduler cause bad latency

1 problem total.

Non-critical problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042  pf    [patch] /etc/pf.os doesn't match FreeBSD

1 problem total.

Date: Tue, 27 Sep 2005 18:07:02 -0400
From: Scott Ullrich
To: freebsd-pf@freebsd.org
Subject: pfsync0 panic on bootup

We are seeing some panics on bootup when creating pfsync0. I've noticed this thread:
http://groups.google.com/group/mailing.freebsd.hackers/browse_thread/thread/c8b33b149f1d9c58/054925d9ec066364?lnk=st&q=syncdev+ifconfig+freebsd&rnum=2#054925d9ec066364
and also noticed the patch has been committed. Is there anything else we can try?

Screen shot of panic.
http://www.pfsense.com/screens/preview/carp_kerneltrap.jpg

uname -a:
FreeBSD right-pfsense.local 6.0-BETA5 FreeBSD 6.0-BETA5 #0: Mon Sep 26 20:05:45 UTC 2005
sullrich@builder.livebsd.com:/usr/obj/usr/src/sys/pfSense.6 i386

Thanks in advance!

Scott

From: Max Laier
To: freebsd-pf@freebsd.org, Scott Ullrich
Date: Wed, 28 Sep 2005 00:39:34 +0200
Message-Id: <200509280039.45668.max@love2party.net>
Subject: Re: pfsync0 panic on bootup

On Wednesday 28 September 2005 00:07, Scott Ullrich wrote:
> We are seeing some panics on bootup when creating pfsync0. I've
> noticed this thread:
> http://groups.google.com/group/mailing.freebsd.hackers/browse_thread/thread/c8b33b149f1d9c58/054925d9ec066364?lnk=st&q=syncdev+ifconfig+freebsd&rnum=2#054925d9ec066364
> and also noticed the patch has been committed. Is there
> anything else we can try?
>
> Screen shot of panic.
> http://www.pfsense.com/screens/preview/carp_kerneltrap.jpg
>
> uname -a:
> FreeBSD right-pfsense.local 6.0-BETA5 FreeBSD 6.0-BETA5 #0: Mon Sep 26
> 20:05:45 UTC 2005
> sullrich@builder.livebsd.com:/usr/obj/usr/src/sys/pfSense.6 i386

Can you get me the line number for the instruction pointer? 0xc06f12cb (..eb
maybe)? A trace would also be helpful. The problem above was fixed with the
patch as far as I hear.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Date: Tue, 27 Sep 2005 18:40:50 -0400
From: Scott Ullrich
To: Max Laier
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200509280039.45668.max@love2party.net>
Subject: Re: pfsync0 panic on bootup

On 9/27/05, Max Laier wrote:
> Can you get me the line number for the instruction pointer? 0xc06f12cb (..eb
> maybe)? A trace would also be helpful. The problem above was fixed with the
> patch as far as I hear.

I'll compile a debugging kernel up and see. One interesting note is that we
changed from syncif to syncdev and have rebooted at least 50+ times and the
problem seems to have disappeared. Should we use syncdev instead of syncif?

Scott

Date: Wed, 28 Sep 2005 13:11:27 +0200 (CEST)
From: Janusz Mućka (Defacto)
To: freebsd-pf@freebsd.org
Message-ID: <20050928131003.G75512@cvd.pl>
Subject: Four problems with PF/CARP (NAT/CARP/PFSYNC/VLAN)

Hi,

There are four problems with pf and/or CARP. This is a short network description:

WAN <--> CISCO ROUTER <--> PIX FIREWALL <---> FreeBSD 5.4 <---> LAN
                                         |                 |
                                          --> FreeBSD 5.4 <--

Network cards in FreeBSD box are:
em0:

Custom sysctl variables:
kern.maxfiles=8144
kern.ipc.somaxconn=256
security.bsd.see_other_uids=0
net.link.ether.inet.proxyall=0
net.link.ether.inet.log_arp_wrong_iface=0
net.inet.ip.random_id=1
net.inet.ip.stealth=1
net.inet.tcp.sendspace=65536
net.inet.tcp.drop_synfin=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.carp.preempt=1
kern.maxfiles=16424
kern.maxfilesperproc=16424

System on both boxes (cvsuped today):
5.4-STABLE FreeBSD 5.4-STABLE #12: Wed Sep 28 08:50:40 CEST 2005

And these are the problems:

1) CARP problem. When a packet with a source IP from the CARP logical interface is sent from the interface, it has the ARP source address of the physical interface.
It can cause a connection reset on firewalls protecting against ARP poisoning. Here is a sample from tcpdump:

09:17:12.115469 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.58296 > 192.168.20.100.22: P 2552:2600(48) ack 5822 win 32832
09:17:12.197103 00:e0:b6:05:6e:4a > 00:00:5e:00:01:64, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.58296: P 5822:5870(48) ack 2600 win 32832
09:17:12.250509 00:e0:b6:05:6e:4a > 00:00:5e:00:01:64, ethertype IPv4 (0x0800), length 146: IP 192.168.20.100.22 > 192.168.10.33.58296: P 5870:5950(80) ack 2600 win 32832
09:17:12.254403 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 66: IP 192.168.10.33.58296 > 192.168.20.100.22: . ack 5950 win 32792

2) PF problem. This is probably a NAT issue. After a random number of sent packets the connection is reset. The reset is made by the PIX because there is a strange (very high) sequence and ACK number in the packet (there is 2934356076:2934356124(48) ack 1778440099, but it should be 2840:????(48) ack 6558, where ???? is the next... in this case unknown number). Maybe in a normal environment the packet is silently dropped and later retransmitted.

10:58:25.461110 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.50352 > 192.168.20.100.22: P 2552:2600(48) ack 5790 win 32832
10:58:25.493246 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.50352: P 5790:5838(48) ack 2600 win 32832
10:58:25.527593 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 146: IP 192.168.20.100.22 > 192.168.10.33.50352: P 5838:5918(80) ack 2600 win 32832
10:58:25.538031 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 66: IP 192.168.10.33.50352 > 192.168.20.100.22: . ack 5918 win 32792
10:58:28.481294 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.50352 > 192.168.20.100.22: P 2600:2648(48) ack 5918 win 32832
10:58:28.527429 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.50352: P 5918:5966(48) ack 2648 win 32832
10:58:28.551036 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 146: IP 192.168.20.100.22 > 192.168.10.33.50352: P 5966:6046(80) ack 2648 win 32832
10:58:28.551358 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 66: IP 192.168.10.33.50352 > 192.168.20.100.22: . ack 6046 win 32792
10:58:30.643914 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.50352 > 192.168.20.100.22: P 2648:2696(48) ack 6046 win 32832
10:58:30.678680 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.50352: P 6046:6094(48) ack 2696 win 32832
10:58:30.707290 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 146: IP 192.168.20.100.22 > 192.168.10.33.50352: P 6094:6174(80) ack 2696 win 32832
10:58:30.707617 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 66: IP 192.168.10.33.50352 > 192.168.20.100.22: . ack 6174 win 32792
10:58:31.050973 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.50352 > 192.168.20.100.22: P 2696:2744(48) ack 6174 win 32832
10:58:31.092163 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.50352: P 6174:6222(48) ack 2744 win 32832
10:58:31.106039 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 146: IP 192.168.20.100.22 > 192.168.10.33.50352: P 6222:6302(80) ack 2744 win 32832
10:58:31.124640 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 66: IP 192.168.10.33.50352 > 192.168.20.100.22: . ack 6302 win 32792
10:58:33.406048 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.50352 > 192.168.20.100.22: P 2744:2792(48) ack 6302 win 32832
10:58:33.442038 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.50352: P 6302:6350(48) ack 2792 win 32832
10:58:33.476625 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 146: IP 192.168.20.100.22 > 192.168.10.33.50352: P 6350:6430(80) ack 2792 win 32832
10:58:33.490131 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 66: IP 192.168.10.33.50352 > 192.168.20.100.22: . ack 6430 win 32792
10:58:35.854608 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.50352 > 192.168.20.100.22: P 2792:2840(48) ack 6430 win 32832
10:58:35.896098 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.50352: P 6430:6478(48) ack 2840 win 32832
10:58:35.911508 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 146: IP 192.168.20.100.22 > 192.168.10.33.50352: P 6478:6558(80) ack 2840 win 32832
10:58:35.911917 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 66: IP 192.168.10.33.50352 > 192.168.20.100.22: . ack 6558 win 32792
10:58:39.005606 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.51210 > 192.168.20.100.22: P 2934356076:2934356124(48) ack 1778440099 win 32832
10:58:39.005867 00:e0:b6:05:6e:4a > 00:03:47:32:ec:0a, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.51210: R 1:49(48) ack 0 win 32832

3) PFSYNC problem. When states are synchronizing in the CARP cluster, on the machine in BACKUP state a flush is made after 1000-3000 states. On the machine acting as MASTER nothing like this happens. States are normally created and removed (on connection end, timeout, etc). This causes the following problems:
a) the return from BACKUP to MASTER state is very long (it can even be impossible, because before the return a full state sync must be made and the flushes disturb the sync process)
b) when the machine acting as MASTER fails, not all connections are kept on BACKUP. The effect is easy to guess...

4) CARP & VLAN. When the VLAN interface's parent device is in down state and CARP is created on the VLAN, after the link comes up CARP remains in INIT state. This is fixed by the following patches, which are still not committed.

--- if_em.c.orig	Thu May 19 10:23:06 2005
+++ if_em.c	Tue Aug 16 14:03:15 2005
@@ -1666,6 +1666,11 @@
 		return;
 	}
+
+#ifdef DEV_CARP
+extern void (*vlan_link_state_p)(struct ifnet *, int);
+#endif
+
 static void
 em_print_link_status(struct adapter * adapter)
 {
@@ -1685,6 +1690,8 @@
 		adapter->smartspeed = 0;
 		ifp->if_link_state = LINK_STATE_UP;
 #ifdef DEV_CARP
+		if (ifp->if_nvlans != 0)
+			(*vlan_link_state_p)(ifp, NOTE_LINKUP);
 		if (ifp->if_carp)
 			carp_carpdev_state(ifp->if_carp);
 #endif
@@ -1697,6 +1704,8 @@
 		adapter->link_active = 0;
 		ifp->if_link_state = LINK_STATE_DOWN;
 #ifdef DEV_CARP
+		if (ifp->if_nvlans != 0)
+			(*vlan_link_state_p)(ifp, NOTE_LINKDOWN);
 		if (ifp->if_carp)
 			carp_carpdev_state(ifp->if_carp);
 #endif
--- if_vlan.c.orig	Tue Aug 16 13:41:18 2005
+++ if_vlan.c	Tue Aug 16 13:47:29 2005
@@ -41,6 +41,7 @@
  * and ask it to send them.
  */
+#include "opt_carp.h"
 #include "opt_inet.h"
 #include
@@ -67,6 +68,11 @@
 #ifdef INET
 #include
 #include
+
+#ifdef DEV_CARP
+#include
+#include
+#endif
 #endif
 #define VLANNAME	"vlan"
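Review bot: the `extern void (*vlan_link_state_p)(struct ifnet *, int);` added in the first if_em.c hunk redeclares the hook privately inside one driver; put the declaration in the shared vlan header (net/if_vlan_var.h) so the compiler checks it against the definition in if_vlan.c, and guard the two calls with a NULL test on the pointer in addition to `ifp->if_nvlans != 0`, since a non-zero vlan count with an unset hook would call through a null pointer. Wrapping the declaration in `#ifdef DEV_CARP` also ties a vlan facility to the carp build option, which is the wrong knob.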
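Review bot: the link-up and link-down hunks in if_em.c add the same two lines with only NOTE_LINKUP/NOTE_LINKDOWN differing, and every other NIC driver that reports link state would need the same copy to get vlan-on-carp working; a single helper called with the new link state from the common link-state path, rather than from each driver, would remove the duplication and fix the other drivers at the same time.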
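Review bot: in the second if_vlan.c hunk the header names after each `#include` (three existing and two added under `#ifdef DEV_CARP`) did not survive the mail, so the patch as archived cannot be applied; please repost with the bracketed file names intact, and note that the `@@ -41,6 +41,7 @@` hunk is short of its six context lines for the same reason.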
@@ -822,6 +828,10 @@
 		ifv->ifv_if.if_link_state = ifv->ifv_p->if_link_state;
 		rt_ifmsg(&(ifv->ifv_if));
 		KNOTE_UNLOCKED(&ifp->if_klist, link);
+#ifdef DEV_CARP
+		if (ifv->ifv_if.if_carp)
+			carp_carpdev_state(ifv->ifv_if.if_carp);
+#endif
 	}
 }
 VLAN_UNLOCK();

Thanks for any answer and possible solutions or patches. I'll be glad to help or test it.

--
Janusz Mućka
admin@cvd.pl
UIN 82936675
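Review bot: in the last if_vlan.c hunk `carp_carpdev_state(ifv->ifv_if.if_carp)` runs while the vlan lock is still held (the `VLAN_UNLOCK();` is the hunk's trailing context), so carp's own locking now nests under the vlan lock; check under WITNESS that this does not introduce a lock-order reversal against paths where carp calls into the interface layer, or move the call after the unlock.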
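The mismatch that problem 1 above describes can be checked for directly in a capture. The following sh script is an added example and is not part of the report or of FreeBSD: it reads `tcpdump -e -n` output and reports every frame whose IP source is a CARP virtual address but whose Ethernet source is not the CARP virtual MAC 00:00:5e:00:01:<vhid>, which is what an upstream device doing MAC/ARP consistency checks reacts to. The VIP is an assumption: in the posted dump the replies are addressed to 00:00:5e:00:01:64 (vhid 100), so 192.168.10.33 is taken to be the CARP address. The sample input is the four frames from problem 1.

```shell
#!/bin/sh
# Added example, not from the report or from FreeBSD: flag frames that carry
# a CARP virtual IP as source but a physical (non-CARP) source MAC.

# check_carp_src VIP...: read tcpdump -e lines on stdin, print one line per
# offending frame; exit status 1 if at least one was seen, 0 otherwise.
check_carp_src() {
    awk -v vips="$*" '
        BEGIN {
            n = split(vips, v, " ")
            for (i = 1; i <= n; i++) isvip[v[i]] = 1
        }
        # tcpdump -e layout: TIME SRCMAC > DSTMAC, ethertype IPv4 (0x0800),
        # length N: IP SRCIP.PORT > DSTIP.PORT: ...
        $3 == ">" && $10 == "IP" {
            srcmac = $2
            srcip = $11
            sub(/\.[0-9]+$/, "", srcip)        # drop the port suffix
            if ((srcip in isvip) && srcmac !~ /^00:00:5e:00:01:/) {
                printf("%s %s sent with physical source MAC %s\n", $1, srcip, srcmac)
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Sample input: the four frames from problem 1 of the report above.
SAMPLE='09:17:12.115469 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 114: IP 192.168.10.33.58296 > 192.168.20.100.22: P 2552:2600(48) ack 5822 win 32832
09:17:12.197103 00:e0:b6:05:6e:4a > 00:00:5e:00:01:64, ethertype IPv4 (0x0800), length 114: IP 192.168.20.100.22 > 192.168.10.33.58296: P 5822:5870(48) ack 2600 win 32832
09:17:12.250509 00:e0:b6:05:6e:4a > 00:00:5e:00:01:64, ethertype IPv4 (0x0800), length 146: IP 192.168.20.100.22 > 192.168.10.33.58296: P 5870:5950(80) ack 2600 win 32832
09:17:12.254403 00:03:47:32:ec:0a > 00:e0:b6:05:6e:4a, ethertype IPv4 (0x0800), length 66: IP 192.168.10.33.58296 > 192.168.20.100.22: . ack 5950 win 32792'

# Usage: tcpdump -e -n -i em0 | sh carpcheck.sh 192.168.10.33 [VIP...]
# Without arguments the embedded sample is checked (two hits expected:
# the client-side VIP 192.168.10.33 sends from 00:03:47:32:ec:0a).
if [ $# -gt 0 ]; then
    check_carp_src "$@"
else
    printf '%s\n' "$SAMPLE" | check_carp_src 192.168.10.33 || echo "mismatching frames found"
fi
```

Only frames sourced from a listed VIP are judged, so traffic the box sends from its real addresses is ignored; a capture taken on the CARP parent interface of the MASTER is the right place to run it, since the BACKUP should not be sending from the VIP at all.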

From: "Constant, Benjamin"
To: freebsd-pf@freebsd.org
Date: Thu, 29 Sep 2005 10:25:21 +0200
Subject: Shutting down carp interfaces when going single user mode?

Good morning list,

What do you think about shutting down carp interfaces when going into single
user mode? I'm mainly using carp for router boxes (failover) and I always have
to quickly disable carp interfaces when going into single user mode as the
routing table is flushed. What is the interest in keeping carp up when being in
single mode?

Thank you for your feedback.

Benjamin Constant
TI Automotive

Date: Thu, 29 Sep 2005 04:10:33 -0500
From: "Travis H."
To: Max Laier
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200509221413.03576.max@love2party.net>
References: <20050922112017.GB16325@comp.chem.msu.su> <200509221413.03576.max@love2party.net>
Subject: Re: PF in /etc/rc.d: some issues

I had a number of similar issues when dealing with DHCP interfaces back in
the day. The $variable substitution that pf currently does is sufficient
for many cases, and the (ifc0) lookup helps with DHCP, but there are still
corner cases. For example, what does antispoof do regarding an interface
with IP 0.0.0.0/32, as DHCP interfaces start out? What happens to antispoof
rules if your DHCP IP changes due to lease expiration?

Writing a script which generates rules and feeds them to pfctl is pretty
straightforward and I recommend it over a static file.
--
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
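A minimal generator of the kind described in the message above, written as an added example (it is not Travis's script and not part of pf): it builds the rule set for a DHCP-managed interface from the address the interface holds right now, leaves `antispoof` out while that address is still 0.0.0.0 (when it would be expanded against 0.0.0.0/32 at load time), and pipes the result into `pfctl -f -`. The interface name em0, the addresses and the rule set itself are illustrative assumptions; the hook variables named in the usage comment are those FreeBSD's dhclient-script exports to /etc/dhclient-exit-hooks.

```shell
#!/bin/sh
# Added example (not from the thread and not part of pf): generate pf rules
# for a DHCP interface from its current address and load them with pfctl,
# instead of keeping a static pf.conf. Interface, addresses and rules are
# illustrative assumptions.

# gen_rules IFACE ADDR: print the rule set for IFACE whose address is ADDR.
gen_rules() {
    ifc=$1
    addr=$2
    case "$addr" in
    ''|0.0.0.0)
        # No lease yet. antispoof is expanded against the interface's
        # addresses when the rules are loaded, which here would be
        # 0.0.0.0/32, so it is left out and only the DHCP exchange passes.
        printf 'block in on %s\n' "$ifc"
        printf 'pass in quick on %s inet proto udp from any port 67 to any port 68\n' "$ifc"
        printf 'pass out quick on %s inet proto udp from any port 68 to any port 67\n' "$ifc"
        ;;
    *)
        # Lease present. Both antispoof and the literal address are fixed
        # at load time, so rerun this whenever the lease changes.
        printf 'antispoof quick for %s inet\n' "$ifc"
        printf 'block in on %s\n' "$ifc"
        printf 'pass out on %s inet from %s to any keep state\n' "$ifc" "$addr"
        printf 'pass in on %s inet proto tcp from any to %s port 22 keep state\n' "$ifc" "$addr"
        ;;
    esac
}

# iface_addr IFACE: current IPv4 address of IFACE, empty when it has none
# (FreeBSD ifconfig output assumed: "inet A.B.C.D netmask ...").
iface_addr() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# load_rules IFACE ADDR: generate and load; with DRYRUN=1 only parse (-n).
load_rules() {
    if [ -n "${DRYRUN:-}" ]; then
        gen_rules "$1" "$2" | pfctl -nf -
    else
        gen_rules "$1" "$2" | pfctl -f -
    fi
}

# Usage: sh pfgen.sh em0 [ADDR]   (ADDR defaults to em0's current address)
# From /etc/dhclient-exit-hooks: sh /path/pfgen.sh "$interface" "$new_ip_address"
if [ $# -gt 0 ]; then
    load_rules "$1" "${2:-$(iface_addr "$1")}"
fi
```

Running it from the dhclient exit hook is what closes the lease-expiry gap in the message: each new lease regenerates the rules, so the `antispoof` expansion and the address literal track the interface rather than the pf.conf that was loaded at boot. `DRYRUN=1` lets the generated set be parse-checked with `pfctl -n` before it is ever loaded.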