From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 02:18:30 2006
Date: Sun, 26 Feb 2006 15:18:26 +1300
From: Andrew Thompson
To: Bill Marquette
Cc: "freebsd-pf@freebsd.org"
Subject: Re: HFSC issues in RELENG_6
Message-ID: <20060226021826.GB2773@heff.fud.org.nz>
In-Reply-To: <55e8a96c0602251445g68376abay3b58bec7f3160113@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On Sat, Feb 25, 2006 at 04:45:41PM -0600, Bill Marquette wrote:
> I've been having massive issues with HFSC for a while. I finally
> spent some time working on it this weekend. I'm testing by using my
> VOIP phone with a 90Kb codec.
>
> This gives me broken calls (lag, dropped packets, etc)
> altq on sis1 hfsc(upperlimit 768Kb) queue { qWANdef }
> altq on sis0 hfsc(upperlimit 6000Kb) queue { qLANdef }
^^^^
> queue qWANdef priority 6 hfsc(default realtime 128Kb upperlimit 512Kb )
> queue qLANdef priority 6 hfsc(default realtime 128Kb upperlimit 512Kb )
>

You may want to test with another network card to verify that sis(4) is
actually working correctly with ALTQ. I am having ALTQ problems which
went away when using a xl(4) card. I am waiting for a sis card to arrive
in the mail so I can diagnose it further.
Andrew

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 04:12:57 2006
Date: Sat, 25 Feb 2006 22:12:55 -0600
From: "Bill Marquette"
To: "Andrew Thompson"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: HFSC issues in RELENG_6
Message-ID: <55e8a96c0602252012l3e8d9e41oc5be3d3bdd1917a8@mail.gmail.com>
In-Reply-To: <20060226021826.GB2773@heff.fud.org.nz>
References: <55e8a96c0602251445g68376abay3b58bec7f3160113@mail.gmail.com> <20060226021826.GB2773@heff.fud.org.nz>

On 2/25/06, Andrew Thompson wrote:
> You may want to test with another network card to verify that sis(4) is
> actually working correctly with ALTQ. I am having ALTQ problems which
> went away when using a xl(4) card. I am waiting for a sis card to arrive
> in the mail so I can diagnose it further.

You may be onto something here. I swapped my compact flash over to a
Nexcom I have laying around with fxp nic's in it and so far haven't
seen the same queue behavior with either the small test case or a full
ruleset.
--Bill

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 07:25:24 2006
Date: Sun, 26 Feb 2006 07:25:24 GMT
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/93849: pf no-df breaks IP checksum of all tcp traffic through if_bridge
Message-Id: <200602260725.k1Q7POWY051440@freefall.freebsd.org>

Synopsis: pf no-df breaks IP checksum of all tcp traffic through if_bridge

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Feb 26 07:25:04 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=93849

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 07:27:49 2006
Date: Sun, 26 Feb 2006 07:27:47 GMT
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance
Message-Id: <200602260727.k1Q7RlBm051512@freefall.freebsd.org>

Old Synopsis: Pfsync state time problem with CARP + Arp.Balance
New Synopsis: [carp] pfsync state time problem with CARP + Arp.Balance

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Feb 26 07:25:45 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=93829

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 07:28:44 2006
Date: Sun, 26 Feb 2006 07:28:44 GMT
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/93825: [pf] pf reply-to doesn't work
Message-Id: <200602260728.k1Q7SiWt051607@freefall.freebsd.org>

Synopsis: [pf] pf reply-to doesn't work

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Feb 26 07:28:34 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=93825

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 07:53:09 2006
Date: Sat, 25 Feb 2006 23:53:07 -0800
From: "Jon Simola"
Sender: jsimola@gmail.com
To: freebsd-pf@freebsd.org
Subject: Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance
Message-ID: <8eea04080602252353m57b1ca20i5aa841373e93153e@mail.gmail.com>
In-Reply-To: <200602260727.k1Q7RlBm051512@freefall.freebsd.org>
References: <200602260727.k1Q7RlBm051512@freefall.freebsd.org>

On 2/25/06, Mark Linimon wrote:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=93829

> pfsync0: flags=41 mtu 1348
> pfsync: syncdev: fxp0 syncpeer: 15.1.1.1 maxupd: 128

> ### Pfsync Rule
> pass quick on { em1 } proto pfsync

This problem seems obvious.

--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 09:22:02 2006
Date: Sun, 26 Feb 2006 22:21:57 +1300
From: Andrew Thompson
To: Bill Marquette
Cc: "freebsd-pf@freebsd.org"
Subject: Re: HFSC issues in RELENG_6
Message-ID: <20060226092157.GC2773@heff.fud.org.nz>
In-Reply-To: <55e8a96c0602252012l3e8d9e41oc5be3d3bdd1917a8@mail.gmail.com>
References: <55e8a96c0602251445g68376abay3b58bec7f3160113@mail.gmail.com> <20060226021826.GB2773@heff.fud.org.nz> <55e8a96c0602252012l3e8d9e41oc5be3d3bdd1917a8@mail.gmail.com>

On Sat, Feb 25, 2006 at 10:12:55PM -0600, Bill Marquette wrote:
> On 2/25/06, Andrew Thompson wrote:
> > You may want to test with another network card to verify that sis(4) is
> > actually working correctly with ALTQ. I am having ALTQ problems which
> > went away when using a xl(4) card. I am waiting for a sis card to arrive
> > in the mail so I can diagnose it further.
>
> You may be onto something here. I swapped my compact flash over to a
> Nexcom I have laying around with fxp nic's in it and so far haven't
> seen the same queue behavior with either the small test case or a full
> ruleset.

That's interesting indeed. As I said I am waiting for a pci card to
arrive so I can debug further (rather than on my soekris). I would
really like to have this fixed for 6.1 but time is short so no
guarantees.

cheers,
Andrew

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 11:10:10 2006
Date: Sun, 26 Feb 2006 11:10:10 GMT
From: Gleb Smirnoff
Reply-To: Gleb Smirnoff
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/93829: Pfsync state time problem with CARP + Arp.Balance
Message-Id: <200602261110.k1QBAA6N063039@freefall.freebsd.org>

The following reply was made to PR kern/93829; it has been noted by GNATS.
From: Gleb Smirnoff
To: "C.Dornig"
Cc: mlaier@FreeBSD.org, dhartmei@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/93829: Pfsync state time problem with CARP + Arp.Balance
Date: Sun, 26 Feb 2006 14:08:43 +0300

On Sat, Feb 25, 2006 at 02:24:25PM +0000, C.Dornig wrote:
C> I have a problem with CARP + pf + pfsync in arp.balance mode.
C> I have configured 2 cluster routing / netfilter machines with carp + arpbalance.
C>
C> The pf rules are the same on both servers.
C> If the servers run in non-arp.balance mode the rules are all fine and working perfectly.
C> But if I turn on arp.balance then I get the following problem.
C> I made a ping (icmp packet) from my client pc (Client-LAN) to the server behind the PF cluster in the other LAN.
C> The first packet goes through PFCluster1 and the return packet goes through PFCluster2. But the state information from the first packet to the server is not fast enough on the PFCluster2 machine and because of the pf rules the return packet will be blocked. The next packet from client to server will be passed, as will the return traffic.
C>
C> Without arp.balance the rules are ok, all traffic is passed and the states are written correctly. Routing alone without pf is all ok.
C>
C> I have made all network diagnostics. I have made tcpdump on all interfaces and the carps are all OK. Also pfsync packets are received and sent by each machine. The two machines can send and receive packets to each other.
C>
C> I think there is a time problem with pfsync. I mean that pfsync sends the state change to the other too slowly.

You have a race between three computers - both CARP routers, and the host
behind them. The ICMP packet can reach the host and be replied to faster
than the state information is sent from one CARP router to another.

I think this problem is not solvable at all, so we must state that ARP
load balancing is not compatible with pfsync(4).

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
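As an added illustration of the race just described (not code from the PR or from FreeBSD), here is a small C model of two CARP routers sharing pf state over pfsync with a host behind them. The router names, the flow key and the microsecond timings are made up; the model also covers the symmetric case, where the reply returns through the router that created the state.

```c
/*
 * Constructed model of the pfsync / ARP-balance race: added example, not
 * code from the PR or from FreeBSD. Timings and flow keys are made up.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_STATES 8

/* A pf instance, reduced to the flow keys present in its state table. */
struct pf_node {
    const char *name;
    const char *states[MAX_STATES];
    int nstates;
};

static bool pf_has_state(const struct pf_node *n, const char *flow)
{
    for (int i = 0; i < n->nstates; i++)
        if (strcmp(n->states[i], flow) == 0)
            return true;
    return false;
}

static void pf_insert_state(struct pf_node *n, const char *flow)
{
    if (!pf_has_state(n, flow) && n->nstates < MAX_STATES)
        n->states[n->nstates++] = flow;
}

/*
 * One ICMP echo request/reply pair.
 *   reply_via_peer: with ARP balancing the reply may come back through the
 *                   other router instead of the one that saw the request.
 *   t_reply_us:     request forwarded, host answers, reply reaches a router.
 *   t_sync_us:      pfsync update from `in` is applied on `peer`.
 * Returns true if the reply matched a state and was passed, false if it was
 * blocked because no state existed yet on the router that saw it.
 */
static bool echo_exchange(struct pf_node *in, struct pf_node *peer,
                          const char *flow, bool reply_via_peer,
                          unsigned t_reply_us, unsigned t_sync_us)
{
    /* the request matched a pass rule on the ingress router: state created */
    pf_insert_state(in, flow);
    struct pf_node *out = reply_via_peer ? peer : in;
    bool passed;

    if (t_sync_us <= t_reply_us) {
        /* pfsync update lands before the reply: the lookup succeeds */
        pf_insert_state(peer, flow);
        passed = pf_has_state(out, flow);
    } else {
        /* reply arrives first: the lookup runs against the stale table */
        passed = pf_has_state(out, flow);
        pf_insert_state(peer, flow);   /* the update still arrives afterwards */
    }
    return passed;
}

/*
 * Send npings echo requests through a fresh router pair and count how many
 * replies get blocked. Only the first reply of a flow can lose the race;
 * once the state has been synced, later replies match on either router,
 * which is the "next packet passes" behaviour from the report.
 */
static int blocked_replies(bool arp_balance, int npings,
                           unsigned t_reply_us, unsigned t_sync_us)
{
    struct pf_node r1 = { "PFCluster1", {0}, 0 };
    struct pf_node r2 = { "PFCluster2", {0}, 0 };
    const char *flow = "icmp 192.168.1.10 -> 192.168.2.20";   /* constructed */
    int blocked = 0;

    for (int i = 0; i < npings; i++)
        if (!echo_exchange(&r1, &r2, flow, arp_balance, t_reply_us, t_sync_us))
            blocked++;
    return blocked;
}

int main(void)
{
    /* fast LAN: host answers within 300us, pfsync update takes 2ms to land */
    printf("arp.balance, sync slower than reply: %d of 4 blocked\n",
           blocked_replies(true, 4, 300, 2000));
    printf("arp.balance, sync faster than reply: %d of 4 blocked\n",
           blocked_replies(true, 4, 3000, 2000));
    printf("symmetric path (no arp.balance):     %d of 4 blocked\n",
           blocked_replies(false, 4, 300, 2000));
    return 0;
}
```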
From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 14:50:11 2006
Date: Sun, 26 Feb 2006 14:50:10 GMT
From: Pieter de Boer
Reply-To: Pieter de Boer
To: freebsd-pf@FreeBSD.org
Subject: Re: sparc64/93530: Incorrect checksums when using pf's route-to on sparc64
Message-Id: <200602261450.k1QEoAEq075550@freefall.freebsd.org>

The following reply was made to PR sparc64/93530; it has been noted by GNATS.
From: Pieter de Boer
To: bug-followup@freebsd.org, pieter@thedarkside.nl
Subject: Re: sparc64/93530: Incorrect checksums when using pf's route-to on sparc64
Date: Sun, 26 Feb 2006 15:48:18 +0100

I've investigated some more and found an interesting heisenbug.

From pf.c, pf_route():

    ip->ip_sum = 0;
    if (sw_csum & CSUM_DELAY_IP) {
        /* From KAME */
        if (ip->ip_v == IPVERSION && (ip->ip_hl << 2) == sizeof(*ip)) {
            ip->ip_sum = in_cksum_hdr(ip);
        } else {
            ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
        }
    }

In the tests I've run, the in_cksum_hdr() function is called, not the
in_cksum() function. Ok, I inserted some printf's to find the problem. My
new code looks like this:

    ip->ip_sum = 0;
    if (sw_csum & CSUM_DELAY_IP) {
//      printf("pf_route(): B1\n");
        /* From KAME */
        if (ip->ip_v == IPVERSION && (ip->ip_hl << 2) == sizeof(*ip)) {
//          printf("pf_route: B2\n");
            ip->ip_sum = in_cksum_hdr(ip);
        } else {
//          printf("pf_route: B3\n");
            ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
        }
    }

With printf B1 and B2 commented out, the checksums are wrong. With either
printf B1 or B2 not commented out, the checksums are correct. My theory
is that there's some caching issue between the ip->ip_sum = 0; at the top and
the assembly code of in_cksum_hdr(). When a printf is inserted between the
ip->ip_sum = 0; and the in_cksum_hdr(), the cache is invalidated long before
in_cksum_hdr() is called.

Perhaps a Sparc64 hacker could take a look at the assembly output of
pf_route() and determine whether this could be the case?
:)
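A user-space model of that step, added here as an example and not code from the PR or from FreeBSD: it recomputes an IPv4 header checksum after the TTL decrement a router performs, in the order pf_route() uses (ip_sum = 0, then the header checksum), and shows what a receiver sees if the checksum is instead computed while the old ip_sum is still visible in the header, which is the effect the theory above describes. The header bytes are constructed, and inet_cksum() is a stand-in for in_cksum_hdr().

```c
/*
 * Added example, not code from the PR or from FreeBSD: a user-space model of
 * the ip_sum = 0 / in_cksum_hdr() step in pf_route(). Header bytes are
 * constructed for illustration; inet_cksum() stands in for in_cksum_hdr().
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HLEN    20   /* header without options, the in_cksum_hdr() case */
#define IP_TTL_OFF  8
#define IP_SUM_OFF 10

/* RFC 1071 Internet checksum: one's complement of the one's complement sum
 * of the 16-bit big-endian words in data. Returns 0 for a header whose
 * stored checksum is consistent with its other bytes. */
static uint16_t inet_cksum(const uint8_t *data, size_t len)
{
    uint32_t acc = 0;
    for (; len > 1; len -= 2, data += 2)
        acc += ((uint32_t)data[0] << 8) | data[1];
    if (len == 1)
        acc += (uint32_t)data[0] << 8;
    while (acc >> 16)                       /* fold carries back in */
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Constructed echo-request header: TTL 64, ICMP, 192.168.1.10 -> 192.168.2.20,
 * carrying a checksum (0x0a6d) that is valid for these bytes on arrival. */
static const uint8_t sample_hdr[IP_HLEN] = {
    0x45, 0x00, 0x00, 0x54, 0xab, 0xcd, 0x40, 0x00, 0x40, 0x01,
    0x0a, 0x6d, 0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x02, 0x14
};

/*
 * Forward the sample packet the way a router does (TTL decrement) and
 * recompute the header checksum.
 *   zero_first = true:  the intended sequence from pf_route(): ip_sum = 0,
 *                       then in_cksum_hdr().
 *   zero_first = false: what the report's theory amounts to: the checksum is
 *                       computed while the old ip_sum is still in the header.
 * Returns the new checksum and, if out is non-NULL, the resulting header.
 */
static uint16_t forward_and_recompute(bool zero_first, uint8_t *out)
{
    uint8_t h[IP_HLEN];
    memcpy(h, sample_hdr, IP_HLEN);
    h[IP_TTL_OFF]--;                              /* TTL 64 -> 63 */
    if (zero_first)
        h[IP_SUM_OFF] = h[IP_SUM_OFF + 1] = 0;    /* ip->ip_sum = 0 */
    uint16_t sum = inet_cksum(h, IP_HLEN);        /* in_cksum_hdr(ip) */
    h[IP_SUM_OFF] = sum >> 8;
    h[IP_SUM_OFF + 1] = sum & 0xff;
    if (out)
        memcpy(out, h, IP_HLEN);
    return sum;
}

/* Receiver-side check: the checksum over the whole header must be zero. */
static bool forward_is_valid(bool zero_first)
{
    uint8_t h[IP_HLEN];
    forward_and_recompute(zero_first, h);
    return inet_cksum(h, IP_HLEN) == 0;
}

int main(void)
{
    printf("sample header valid on arrival: %s\n",
           inet_cksum(sample_hdr, IP_HLEN) == 0 ? "yes" : "no");
    printf("ip_sum zeroed first  : sum=0x%04x valid=%s\n",
           forward_and_recompute(true, NULL),
           forward_is_valid(true) ? "yes" : "no");
    printf("stale ip_sum included: sum=0x%04x valid=%s\n",
           forward_and_recompute(false, NULL),
           forward_is_valid(false) ? "yes" : "no");
    return 0;
}
```

With the stale value folded in, the receiver's check over the header does not come out to zero but to the old checksum itself, so every forwarded packet fails verification, which matches the "incorrect checksums" symptom in the PR.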
From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 16:02:45 2006
Date: Sun, 26 Feb 2006 10:02:34 -0600
Message-ID: <55e8a96c0602260802i5cc1a991udfcc6573afa78bd4@mail.gmail.com>
From: "Bill Marquette"
To: "Jon Simola"
Cc: bug-followup@FreeBSD.org, freebsd-pf@freebsd.org
Subject: Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance
In-Reply-To: <8eea04080602252353m57b1ca20i5aa841373e93153e@mail.gmail.com>
References: <200602260727.k1Q7RlBm051512@freefall.freebsd.org> <8eea04080602252353m57b1ca20i5aa841373e93153e@mail.gmail.com>

On 2/26/06, Jon Simola wrote:
> On 2/25/06, Mark Linimon wrote:
>
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=93829
>
> > pfsync0: flags=41 mtu 1348
> > pfsync: syncdev: fxp0 syncpeer: 15.1.1.1 maxupd: 128
>
> > ### Pfsync Rule
> > pass quick on { em1 } proto pfsync
>
> This problem seems obvious.

Yep, looks like user error in this case. However, I've seen this
happen when I've accidentally had carp mismatches such that my
firewalls were also seeing an asymmetric traffic stream. The hazard of
fast networks (and possibly slow machines) I'm afraid.

--Bill
From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 16:10:15 2006
Date: Sun, 26 Feb 2006 16:10:14 GMT
From: "Bill Marquette"
Reply-To: Bill Marquette
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance
Message-Id: <200602261610.k1QGAE9n079356@freefall.freebsd.org>

The following reply was made to PR kern/93829; it has been noted by GNATS.
From: "Bill Marquette"
To: "Jon Simola"
Cc: freebsd-pf@freebsd.org, bug-followup@FreeBSD.org
Subject: Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance
Date: Sun, 26 Feb 2006 10:02:34 -0600

On 2/26/06, Jon Simola wrote:
> On 2/25/06, Mark Linimon wrote:
>
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=93829
>
> > pfsync0: flags=41 mtu 1348
> > pfsync: syncdev: fxp0 syncpeer: 15.1.1.1 maxupd: 128
>
> > ### Pfsync Rule
> > pass quick on { em1 } proto pfsync
>
> This problem seems obvious.

Yep, looks like user error in this case. However, I've seen this
happen when I've accidentally had carp mismatches such that my
firewalls were also seeing an asymmetric traffic stream. The hazard of
fast networks (and possibly slow machines) I'm afraid.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 26 17:40:09 2006
Date: Sun, 26 Feb 2006 17:40:08 GMT
Message-Id: <200602261740.k1QHe8nM085307@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Pieter de Boer
Reply-To: Pieter de Boer
Subject: Re: sparc64/93530 : Incorrect checksums when using pf's route-to on sparc64

The following reply was made to PR sparc64/93530; it has been noted by GNATS.

From: Pieter de Boer
To: bug-followup@freebsd.org
Subject: Re: sparc64/93530 : Incorrect checksums when using pf's route-to on sparc64
Date: Sun, 26 Feb 2006 18:32:08 +0100

After some hints from a nice Swedish guy, I found out that compiling pf.ko
with CFLAGS=-O instead of -O2 seems to fix this problem.

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 27 05:00:49 2006
Date: Sun, 26 Feb 2006 23:00:47 -0600
Message-ID: <55e8a96c0602262100u283af0e9x99ee21795b8f0267@mail.gmail.com>
From: "Bill Marquette" To: "Andrew Thompson" In-Reply-To: <20060226092157.GC2773@heff.fud.org.nz> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <55e8a96c0602251445g68376abay3b58bec7f3160113@mail.gmail.com> <20060226021826.GB2773@heff.fud.org.nz> <55e8a96c0602252012l3e8d9e41oc5be3d3bdd1917a8@mail.gmail.com> <20060226092157.GC2773@heff.fud.org.nz> Cc: "freebsd-pf@freebsd.org" Subject: Re: HFSC issues in RELENG_6 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Feb 2006 05:00:49 -0000 On 2/26/06, Andrew Thompson wrote: > On Sat, Feb 25, 2006 at 10:12:55PM -0600, Bill Marquette wrote: > > On 2/25/06, Andrew Thompson wrote: > > > You may want to test with another network card to verify that sis(4) = is > > > actually working correctly with ALTQ. I am having ALTQ problems which > > > went away when using a xl(4) card. I am waiting for a sis card to arr= ive > > > in the mail so I can diagnose it further. > > > > You may be onto something here. I swapped my compact flash over to a > > Nexcom I have laying around with fxp nic's in it and so far haven't > > seen the same queue behavior with either the small test case or a full > > ruleset. > > Thats interesting indeed. As I said I am waiting for a pci card to > arrive so I can debug further (rather than on my soekris). I would > really like to have this fixed for 6.1 but time is short so no > guarantees. OK, more info. I just created an OpenBSD 3.9 snapshot image for my Soekris 4801 so I could do an apples to apples comparison. Same pf config (queue name changed accidentally, but that's a nop), same hardware - hfsc works like a champ. 
queue root_sis1 bandwidth 100Mb priority 0 hfsc( upperlimit 768Kb ) {qWANRoot}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue qWANRoot bandwidth 100Mb priority 7 hfsc( default realtime 128Kb upperlimit 128Kb )
  [ pkts: 1100 bytes: 230995 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 39.8 packets/s, 67.13Kb/s ]
queue root_sis0 bandwidth 100Mb priority 0 hfsc( upperlimit 6Mb ) {qLANRoot}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue qLANRoot bandwidth 100Mb priority 7 hfsc( default realtime 128Kb upperlimit 128Kb )
  [ pkts: 1285 bytes: 246653 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 45.6 packets/s, 72.27Kb/s ]

Notice two differences here. 100Mbit instead of 10Mbit - this looks like driver? and no backlogged queue - yay! I'm going to start poking more at the driver and see if I can come up with anything, I still find it strange that fxp works (I'm going to poke at that too and see if anything pops out at me).

--Bill

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 27 06:15:37 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F04016A420 for ; Mon, 27 Feb 2006 06:15:37 +0000 (GMT) (envelope-from bsd-list@mail.ru) Received: from mx1.mail.ru (mx1.mail.ru [194.67.23.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9AB4143D49 for ; Mon, 27 Feb 2006 06:15:36 +0000 (GMT) (envelope-from bsd-list@mail.ru) Received: from [193.24.243.209] (port=56518 helo=[10.0.0.5]) by mx1.mail.ru with asmtp id 1FDbfT-000GsM-00 for freebsd-pf@freebsd.org; Mon, 27 Feb 2006 09:15:35 +0300
From: bsd-list To: freebsd-pf@freebsd.org In-Reply-To: <20060225120047.E02B616A456@hub.freebsd.org> References: <20060225120047.E02B616A456@hub.freebsd.org> Content-Type: text/plain Date: Mon, 27 Feb 2006 08:15:33 +0000 Message-Id: <1141028133.11412.16.camel@localhost> Mime-Version: 1.0 X-Mailer: Evolution 2.4.2.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit Subject: Re: freebsd-pf Digest, Vol 75, Issue 4 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Feb 2006 06:15:37 -0000

Hi Vlad

>
> Message: 1
> Date: Sat, 25 Feb 2006 02:48:21 +0200
> From: "Vlad GALU"
> Subject: reply-to doesn't seem to work
> To: freebsd-pf@freebsd.org
> Message-ID: <79722fad0602241648y24a4d578h23d2ea536d634210@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have a machine with two interfaces. On one of them there is a
> webserver listening for client connections. The machine's default
> route is through the other interface.
> Let's assume the interfaces are called if1, if2 and that the
> webserver is listening on if2.
> I have a rule like this:
> pass in quick on $if2 reply-to ($if2 $if2gw) inet proto tcp from
> any to ($if2) port = 80 flags S/SA keep state.
> The replies should leave the box through if2, right ? Well, they
> don't. I had to add a rule like this:
> pass out quick on $if1 route-to ($if2 $if2gw) inet from ($if2) to any

"pass in quick on $if2" --> pass incoming packets from your webserver
"pass out quick on $if1" --> pass outgoing packets to default path

Think about directions "in/out" that way: you are inside the box; the incoming packets are those that arrived from outside to you, and the outgoing traffic is the packets that travel from you to outside.

> I can see the reply-to rule creating states, and yet it doesn't
> work as advertised. Ideas, anybody ?
>
>
> --
> If it's there, and you can see it, it's real.
> If it's not there, and you can see it, it's virtual.
> If it's there, and you can't see it, it's transparent.
> If it's not there, and you can't see it, you erased it.
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 25 Feb 2006 02:49:35 +0200
> From: "Vlad GALU"
> Subject: Re: reply-to doesn't seem to work
> To: freebsd-pf@freebsd.org
> Message-ID: <79722fad0602241649n3864eb94w3c2e06e72283c22c@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 2/25/06, Vlad GALU wrote:
> [...]
>
> Sorry, I forgot to mention that this happens on 6.1-PRERELEASE. I
> couldn't check on other versions, unfortunately.
>
> --
> If it's there, and you can see it, it's real.
> If it's not there, and you can see it, it's virtual.
> If it's there, and you can't see it, it's transparent.
> If it's not there, and you can't see it, you erased it.
>
>
> ------------------------------
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>
> End of freebsd-pf Digest, Vol 75, Issue 4
> *****************************************
>

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 27 11:02:46 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF08716A435 for ; Mon, 27 Feb 2006 11:02:46 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F4B143D5D for ; Mon, 27 Feb 2006 11:02:38 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k1RB2c99047102 for ; Mon, 27 Feb 2006 11:02:38 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k1RB2bH5047096 for freebsd-pf@freebsd.org; Mon, 27 Feb 2006 11:02:37 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 27 Feb 2006 11:02:37 GMT Message-Id:
<200602271102.k1RB2bH5047096@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f 
From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Cc: Subject: Current problem reports assigned to you X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Feb 2006 11:02:47 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370     pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530  pf    Incorrect checksums when using pf's route
o [2006/02/25] kern/93829     pf    [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems

S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09] kern/90148     pf    [pf] pf_enable="YES" -> Fatal trap 12: pa
o [2006/02/25] kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/02/26] kern/93849     pf    pf no-df breaks IP checksum of all tcp tr

4 problems total.
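The `pfctl -vs queue` dump that Bill Marquette posted in the HFSC thread earlier in this digest is what an operator watches for the symptoms he describes: a backlogged queue, and a root bandwidth that does not match the link. The parser below is an added example, not code from the list or from pf itself. It reads that dump format into records and flags drops, a non-empty queue, and a root queue whose bandwidth disagrees with a caller-supplied link speed. The OpenBSD sample is his output with its column whitespace restored; the second sample reproducing the FreeBSD symptom is constructed, and the `link_speeds` argument is an assumption of this example (pfctl does not print the interface speed).

```python
"""Parse 'pfctl -vs queue' output and flag ALTQ queues that show drops,
a standing backlog, or a root bandwidth that disagrees with the link.
Added example; not code from the mailing list or from pf itself."""
import re
from dataclasses import dataclass, field

# Bill Marquette's OpenBSD 3.9 dump from the HFSC thread above, with the
# column whitespace the archive flattened put back by hand.
OPENBSD_SAMPLE = """\
queue root_sis1 bandwidth 100Mb priority 0 hfsc( upperlimit 768Kb ) {qWANRoot}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue  qWANRoot bandwidth 100Mb priority 7 hfsc( default realtime 128Kb upperlimit 128Kb )
  [ pkts:       1100  bytes:     230995  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:    39.8 packets/s, 67.13Kb/s ]
queue root_sis0 bandwidth 100Mb priority 0 hfsc( upperlimit 6Mb ) {qLANRoot}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue  qLANRoot bandwidth 100Mb priority 7 hfsc( default realtime 128Kb upperlimit 128Kb )
  [ pkts:       1285  bytes:     246653  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:    45.6 packets/s, 72.27Kb/s ]
"""

# Constructed dump of the failing FreeBSD case the thread describes (10Mb
# root, queue full, packets being dropped); not a real capture.
BACKLOGGED_SAMPLE = """\
queue root_sis1 bandwidth 10Mb priority 0 hfsc( upperlimit 768Kb ) {qWANdef}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue  qWANdef bandwidth 10Mb priority 6 hfsc( default realtime 128Kb upperlimit 512Kb )
  [ pkts:        812  bytes:     170520  dropped pkts:     37 bytes:   7770 ]
  [ qlength:  50/ 50 ]
  [ measured:    12.0 packets/s, 20.16Kb/s ]
"""

_UNIT = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}  # pfctl is 1000-based

def parse_rate(text):
    """'768Kb' -> 768000, '0 b' -> 0."""
    m = re.fullmatch(r"([\d.]+)\s*(Gb|Mb|Kb|b)", text.strip())
    if not m:
        raise ValueError("unrecognised rate: %r" % text)
    return int(round(float(m.group(1)) * _UNIT[m.group(2)]))

@dataclass
class Queue:
    name: str
    bandwidth: int                      # bits/s assigned to the queue
    children: list = field(default_factory=list)
    pkts: int = 0
    dropped: int = 0
    qlen: int = 0                       # packets waiting right now
    qlimit: int = 0
    measured_bps: int = 0

_QUEUE = re.compile(r"^queue\s+(\S+)\s+bandwidth\s+(\S+)\s+priority\s+\d+"
                    r"\s+\w+\(.*?\)(?:\s*\{(.*?)\})?")
_PKTS = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*\d+\s+dropped pkts:\s*(\d+)")
_QLEN = re.compile(r"qlength:\s*(\d+)/\s*(\d+)")
_MEAS = re.compile(r"measured:\s*[\d.]+\s+packets/s,\s*([\d.]+\s*[GMK]?b)/s")

def parse_queues(text):
    """Return {queue name: Queue} for one 'pfctl -vs queue' dump."""
    queues, cur = {}, None
    for line in text.splitlines():
        m = _QUEUE.match(line)
        if m:
            name, bw, kids = m.groups()
            cur = Queue(name, parse_rate(bw), kids.split() if kids else [])
            queues[name] = cur
        elif cur and (m := _PKTS.search(line)):   # stats lines follow their header
            cur.pkts, cur.dropped = int(m.group(1)), int(m.group(2))
        elif cur and (m := _QLEN.search(line)):
            cur.qlen, cur.qlimit = int(m.group(1)), int(m.group(2))
        elif cur and (m := _MEAS.search(line)):
            cur.measured_bps = parse_rate(m.group(1))
    return queues

def find_anomalies(queues, link_speeds=None):
    """Flag drops, a standing backlog, and a root queue whose bandwidth disagrees
    with the link (100Mb vs 10Mb). link_speeds: root name -> bits/s (assumed)."""
    problems = []
    for q in queues.values():
        if q.dropped:
            problems.append("%s: %d dropped packets" % (q.name, q.dropped))
        if q.qlen:
            problems.append("%s: backlog %d/%d" % (q.name, q.qlen, q.qlimit))
    for name, speed in (link_speeds or {}).items():
        q = queues.get(name)
        if q is not None and q.bandwidth != speed:
            problems.append(f"{name}: bandwidth {q.bandwidth} b/s but link is {speed} b/s")
    return problems
```

Feed it `pfctl -vs queue` output captured from the sis(4) box and from the fxp/xl box side by side: a queue that sits at its `qlength` limit while `dropped pkts` climbs is the backlog Bill describes, and the root bandwidth check catches the 10Mb/100Mb discrepancy he noticed without reading the numbers by eye.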
From owner-freebsd-pf@FreeBSD.ORG Thu Mar 2 19:11:21 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B3CD16A420 for ; Thu, 2 Mar 2006 19:11:21 +0000 (GMT) (envelope-from tiagocruz@forumgdh.net) Received: from gdhs.guiadohardware.net (gdhs.guiadohardware.net [64.246.6.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id D01E443D53 for ; Thu, 2 Mar 2006 19:11:19 +0000 (GMT) (envelope-from tiagocruz@forumgdh.net) Received: (qmail 10849 invoked by uid 15); 2 Mar 2006 19:11:17 -0000 Received: from unknown (HELO tuxkiller.matter.b4br.net) (tiagocruz@forumgdh.net@200.152.202.10) by 0 with SMTP; 2 Mar 2006 19:11:17 -0000 
From: Tiago Cruz To: "Travis H." In-Reply-To: References: <1140612265.5617.25.camel@localhost.localdomain> <000001c637b3$a54b0a70$0a00a8c0@thebeast> Content-Type: text/plain Date: Thu, 02 Mar 2006 16:11:16 -0300 Message-Id: <1141326676.9163.5.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.4.2.1 Content-Transfer-Encoding: 7bit Cc: Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: Dirty NAT tricks X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Mar 2006 19:11:21 -0000

Hello Guys,

On Thu, 2006-02-23 at 05:36 -0600, Travis H. wrote:
> As Brian Candler pointed out, you can do this with a binat to a
> fictitious network on the client, then a binat back on the VPN server.
> I don't know what he means by "reversing the in/out sense", as binat
> is bidirectional.

I did a lot of things in the last week:

-> My LAN is 192.168.0.0/22
-> OpenVPN, route to clients: push "route 192.168.10.0 255.255.255.0"
-> PF rules:
binat on $vpn_if from 192.168.10.0/24 to any -> 192.168.0.0/24
binat on $vpn_if from 192.168.0.0/24 to any -> 192.168.10.0/24

In the notebook client, when I try to ping 192.168.10.19 (which in truth is 192.168.0.19):

15:56:56.197170 IP 10.8.0.6 > 192.168.10.19: ICMP echo request, id 512, seq 5121, length 40
15:56:56.197779 IP 192.168.0.19 > 10.8.0.6: ICMP echo reply, id 512, seq 5121, length 40

My first ping is E.O.K (TTL=126) but for all the others I get no reply (75% lost).

Can somebody help me?
Many thanks -- Tiago Cruz http://linuxrapido.org From owner-freebsd-pf@FreeBSD.ORG Fri Mar 3 03:08:43 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C75A16A420 for ; Fri, 3 Mar 2006 03:08:43 +0000 (GMT) (envelope-from solinym@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9D66443D49 for ; Fri, 3 Mar 2006 03:08:42 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by wproxy.gmail.com with SMTP id 50so566251wri for ; Thu, 02 Mar 2006 19:08:42 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=b32rzWS51yjJiTkzNnwE/6kkYfeJBEhvow9n32HeHBpkTsFaeNYiLmkC0VuuvbUdj88pYY95I4fMXRkZSPbxZ2QdagN6zGByWDwENJ640w5P+DtNEQveWZ+xlIIcznsQzAVQ4CEhACze09eWg2yo4np9N/vCjhKtVcBbM9QV10I= Received: by 10.35.49.4 with SMTP id b4mr426737pyk; Thu, 02 Mar 2006 19:08:41 -0800 (PST) Received: by 10.35.30.16 with HTTP; Thu, 2 Mar 2006 19:08:41 -0800 (PST) Message-ID: Date: Thu, 2 Mar 2006 21:08:41 -0600 
From: "Travis H." To: "Tiago Cruz" In-Reply-To: <1141326676.9163.5.camel@localhost.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <1140612265.5617.25.camel@localhost.localdomain> <000001c637b3$a54b0a70$0a00a8c0@thebeast> <1141326676.9163.5.camel@localhost.localdomain> Cc: Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: Dirty NAT tricks X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Mar 2006 03:08:43 -0000

On 3/2/06, Tiago Cruz wrote:
> > As Brian Candler pointed out, you can do this with a binat to a
> > fictitious network on the client, then a binat back on the VPN server.

> -> PF rules:
> binat on $vpn_if from 192.168.10.0/24 to any -> 192.168.0.0/24
> binat on $vpn_if from 192.168.0.0/24 to any -> 192.168.10.0/24

The last rule must be on the laptop, the first must be on the VPN gateway.

> My first ping is E.O.K (TTL=126) but all the others I don't have reply
> (75% lost).
>
> Can somebody help me?

What does your state table look like on both machines?
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 3 03:23:39 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3197116A420 for ; Fri, 3 Mar 2006 03:23:39 +0000 (GMT) (envelope-from tljskjh@kahlaw.com) Received: from ZE195023.ppp.dion.ne.jp (ZE195023.ppp.dion.ne.jp [220.217.195.23]) by mx1.FreeBSD.org (Postfix) with SMTP id 6510A43D48 for ; Fri, 3 Mar 2006 03:23:36 +0000 (GMT) (envelope-from tljskjh@kahlaw.com) Received: from [220.217.65.195] (port=4303 helo=aesv) by ZE195023.ppp.dion.ne.jp with esmtp id 1FF0bS-0008Wv-Cu for freebsd-pf@freebsd.org; Fri, 3 Mar 2006 12:05:14 +0900 Message-ID: <000c01c63e6e$dae76441$c341d9dc@aesv> From: "Dob Rodgers" To: Date: Fri, 3 Mar 2006 11:55:34 +0900 MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0008_01C63EBA.4ACF0C0D" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1165 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Fw: concern Elisabeth X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Mar 2006 03:23:39 -0000

From: Christie Castaneda To: tljskjh@kahlaw.com Sent: Thursday, March 02, 2006 5:15 PM Subject: concern Elisabeth

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 3 11:49:48 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8372916A420 for ; Fri, 3 Mar 2006 11:49:48 +0000 (GMT) (envelope-from tiagocruz@forumgdh.net) Received: from gdhs.guiadohardware.net (gdhs.guiadohardware.net [64.246.6.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 229A543D60 for ; Fri, 3 Mar 2006 11:49:45 +0000 (GMT) (envelope-from tiagocruz@forumgdh.net) Received: (qmail 11523 invoked by uid 15); 3 Mar 2006 11:49:44 -0000 Received: from unknown (HELO tuxkiller.matter.b4br.net) (tiagocruz@forumgdh.net@200.152.202.10) by 0 with SMTP; 3 Mar 2006 11:49:44 -0000
From: Tiago Cruz To: "Travis H." In-Reply-To: References: <1140612265.5617.25.camel@localhost.localdomain> <000001c637b3$a54b0a70$0a00a8c0@thebeast> <1141326676.9163.5.camel@localhost.localdomain> Content-Type: text/plain Date: Fri, 03 Mar 2006 08:49:42 -0300 Message-Id: <1141386582.9163.19.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.4.2.1 Content-Transfer-Encoding: 7bit Cc: Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: Dirty NAT tricks X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Mar 2006 11:49:48 -0000

Hello Travis, thanks again for the reply!

On Thu, 2006-03-02 at 21:08 -0600, Travis H. wrote:
> > -> PF rules:
> > binat on $vpn_if from 192.168.10.0/24 to any -> 192.168.0.0/24
> > binat on $vpn_if from 192.168.0.0/24 to any -> 192.168.10.0/24
>
> The last rule must be on the laptop, the first must be on the VPN gateway.

So, I have two big problems:

1-) I'm in Brazil, and my clients (there is more than one) don't stay here, but are all over the world (Italy, USA, Germany...)

2-) The notebook clients are running Window$ XP :-/

> > My first ping is E.O.K (TTL=126) but all the others I don't have reply
> > (75% lost).
> >
> > Can somebody help me?
>
> What does your state table look like on both machines?

Maybe the problem is here, because my VPN server is my CARP backup machine, whose state table is synchronized by pfsync with the CARP master (default gateway of the machines). Is this another big problem? :-/

Thank you!
-- Tiago Cruz http://linuxrapido.org From owner-freebsd-pf@FreeBSD.ORG Fri Mar 3 22:03:16 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D212E16A420 for ; Fri, 3 Mar 2006 22:03:16 +0000 (GMT) (envelope-from solinym@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B63E43D6D for ; Fri, 3 Mar 2006 22:03:12 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by zproxy.gmail.com with SMTP id o37so805903nzf for ; Fri, 03 Mar 2006 14:03:11 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=n9R8CDW+RMeTJdWCZOdmBNFQcgsTFjgkcYwBzWrbLK1ychzHxgKK0P2+WIsZA3NDUhnMDGiMsAsBCez0L9BC8/Qu63h3IP8IxF/quz/jOR+GOnkT3F3AuGXgfKf0JYlU2ldPaUVRJTHEI5D1IaaQOV/bRFQ1p3lfdB9mpnTOjNM= Received: by 10.37.20.45 with SMTP id x45mr96719nzi; Fri, 03 Mar 2006 14:03:11 -0800 (PST) Received: by 10.35.30.16 with HTTP; Fri, 3 Mar 2006 14:02:41 -0800 (PST) Message-ID: Date: Fri, 3 Mar 2006 16:02:41 -0600 
From: "Travis H." To: "Tiago Cruz" In-Reply-To: <1141386582.9163.19.camel@localhost.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <1140612265.5617.25.camel@localhost.localdomain> <000001c637b3$a54b0a70$0a00a8c0@thebeast> <1141326676.9163.5.camel@localhost.localdomain> <1141386582.9163.19.camel@localhost.localdomain> Cc: Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: Dirty NAT tricks X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Mar 2006 22:03:16 -0000

On 3/3/06, Tiago Cruz wrote:
> 1-) I'm in Brazil, and my clients (there is more than one) don't stay here,
> but are all over the world (Italy, USA, Germany...)
>
> 2-) The notebook clients are running Window$ XP :-/

Sorry, I don't know how to do what you want then. Basically the Linux stuff is a kluge anyway. I say renumber your network, starting with the hosts people need to access remotely. And pick something from the RFC 1918 "class B" networks. You can set up the gateways to route between the networks until the changeover is complete.

> Maybe the problem is here, because my VPN server is my CARP backup
> machine, whose state table is synchronized by pfsync with the CARP master
> (default gateway of the machines). Is this another big problem? :-/

Carp/pfsync is outside my realm of experience, sorry.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 4 15:10:08 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 027B916A420 for ; Sat, 4 Mar 2006 15:10:08 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8712943D45 for ; Sat, 4 Mar 2006 15:10:07 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k24FA7EN026242 for ; Sat, 4 Mar 2006 15:10:07 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k24FA7hr026241; Sat, 4 Mar 2006 15:10:07 GMT (envelope-from gnats) Date: Sat, 4 Mar 2006 15:10:07 GMT Message-Id: <200603041510.k24FA7hr026241@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Max Laier Cc: Subject: Re: kern/93849: pf no-df breaks IP checksum of all tcp traffic through if_bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Max Laier List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Mar 2006 15:10:08 -0000

The following reply was made to PR kern/93849; it has been noted by GNATS.
From: Max Laier To: bug-followup@freebsd.org, mcdouga9@egr.msu.edu Cc: Subject: Re: kern/93849: pf no-df breaks IP checksum of all tcp traffic through if_bridge Date: Sat, 4 Mar 2006 16:04:29 +0100 --Boundary-00=_/xaCEsIJLMyzIMC Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Please try the attached patch. -- Max --Boundary-00=_/xaCEsIJLMyzIMC Content-Type: text/x-diff; charset="us-ascii"; name="nodf.fix.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="nodf.fix.diff" Index: pf_norm.c =================================================================== RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_norm.c,v retrieving revision 1.16 diff -u -r1.16 pf_norm.c --- pf_norm.c 19 Jan 2006 11:46:45 -0000 1.16 +++ pf_norm.c 4 Mar 2006 14:49:13 -0000 @@ -988,8 +988,12 @@ goto drop; /* Clear IP_DF if the rule uses the no-df option */ - if (r->rule_flag & PFRULE_NODF) + if ((r->rule_flag & PFRULE_NODF) { + u_int16_t old = h->ip_off; + h->ip_off &= htons(~IP_DF); + h->ip_sum = pf_cksum_fixup(h->ip_sum, old, h->ip_off, 0); + } /* We will need other tests here */ if (!fragoff && !mff) --Boundary-00=_/xaCEsIJLMyzIMC--
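Review bot: the rewritten condition on the `+ if ((r->rule_flag & PFRULE_NODF) {` line opens two parentheses and closes only one, so this hunk does not compile as posted; it should read `if (r->rule_flag & PFRULE_NODF) {`. The body is otherwise what the PR needs: saving `old` before `h->ip_off &= htons(~IP_DF)` and then calling `pf_cksum_fixup(h->ip_sum, old, h->ip_off, 0)` folds the changed `ip_off` halfword into the IP header checksum, which the unpatched code left stale after clearing DF. A one-line comment above the `u_int16_t old` declaration saying why the old value is kept would help the next reader of pf_norm.c.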