From owner-freebsd-pf@FreeBSD.ORG Sun Jul 8 12:38:36 2007
Date: Sun, 8 Jul 2007 22:10:02 +1000
From: "Morgan Reed"
To: freebsd-pf@freebsd.org
Subject: Simple NAT question

I've got an issue with a simple NAT with pf.

I've got two machines;
the first (I will call m1) has 2 ethernet interfaces (I will call them
m1.0 and m1.1)
the second (I will call m2) has 1 ethernet interface (I will call it m2.0)

m1.0 faces my LAN, m1.1 and m2.0 are on a separate, isolated segment.

what I need to be able to do is to access the "outside world" from m2
and be able to get to Ports 80, 443 and 3128 on m2 from my LAN by
connecting to ports 80, 443 and 3128 on m1 and having traffic
forwarded appropriately.

m1.0 - 192.168.0.X/24 (DHCP assigned)
m1.1 - 192.168.1.2/24
m2.0 - 192.168.1.30/24

/etc/pf.conf
=========================================================

ext_if="m1.0"
int_if="m1.1"

nat on $ext_if from !($ext_if) -> ($ext_if:0)

rdr pass on $ext_if proto tcp to port 80 -> 192.168.1.30 port 80
rdr pass on $ext_if proto tcp to port 443 -> 192.168.1.30 port 443
rdr pass on $ext_if proto tcp to port 3128 -> 192.168.1.30 port 3128

pass in keep state
pass out keep state

=========================================================

The current status is as follows;
* I can ping m1.0 from m2
* I can't ping any of the other address on the 192.168.0.0/24 network from m2

- tcpdump'ing m1.1
* Connecting to one of the forwarded ports on m1.0 I see nothing
* Connecting from m2 to a host on the LAN I see the connections going
out but, not coming back

Your assistance is greatly appreciated.

Morgan

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 9 11:08:42 2007
Date: Mon, 9 Jul 2007 11:08:39 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/110698  pf     [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf     [pf] pf reply-to doesn't work
o kern/103304  pf     [pf] pf accepts nonexistent queue in rules
o kern/106400  pf     [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf     [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf     tagged parameter on nat not working on FreeBSD 5.2

6 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 9 11:58:08 2007
Date: Mon, 9 Jul 2007 08:58:06 -0300
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Subject: Re: Simple NAT question

On 08/07/07, Morgan Reed wrote:
> I've got an issue with a simple NAT with pf.
>
> I've got two machines;
> the first (I will call m1) has 2 ethernet interfaces (I will call them
> m1.0 and m1.1)
> the second (I will call m2) has 1 ethernet interface (I will call it m2.0)
>
> m1.0 faces my LAN, m1.1 and m2.0 are on a separate, isolated segment.
>
> what I need to be able to do is to access the "outside world" from m2
> and be able to get to Ports 80, 443 and 3128 on m2 from my LAN by
> connecting to ports 80, 443 and 3128 on m1 and having traffic
> forwarded appropriately.
>
> m1.0 - 192.168.0.X/24 (DHCP assigned)
> m1.1 - 192.168.1.2/24
> m2.0 - 192.168.1.30/24
>
> /etc/pf.conf
> =========================================================
>
> ext_if="m1.0"
> int_if="m1.1"
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> rdr pass on $ext_if proto tcp to port 80 -> 192.168.1.30 port 80
> rdr pass on $ext_if proto tcp to port 443 -> 192.168.1.30 port 443
> rdr pass on $ext_if proto tcp to port 3128 -> 192.168.1.30 port 3128
>
> pass in keep state
> pass out keep state
>
> =========================================================
>
> The current status is as follows;
> * I can ping m1.0 from m2
> * I can't ping any of the other address on the 192.168.0.0/24 network from m2
>
> - tcpdump'ing m1.1
> * Connecting to one of the forwarded ports on m1.0 I see nothing
> * Connecting from m2 to a host on the LAN I see the connections going
> out but, not coming back
>
> Your assistance is greatly appreciated.
>
> Morgan

Hi,
Try using this:

ext_if="m1.0"
int_if="m1.1"

rdr pass on $ext_if proto tcp to port 80 -> 192.168.1.30 port 80
rdr pass on $ext_if proto tcp to port 443 -> 192.168.1.30 port 443
rdr pass on $ext_if proto tcp to port 3128 -> 192.168.1.30 port 3128

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

pass in keep state
pass out keep state

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 9 14:44:23 2007
Date: Mon, 9 Jul 2007 18:17:58 +0400
From: "Roman Gorohov."
Reply-To: "roma.a.g"
To: freebsd-pf@freebsd.org
Subject: Does keep state modify packet anyhow?

Hello, list.

I have a strange problem: we work with one application that connects
to a remote server at start-up (and the remote server connects back to the app).
The problem is that when I uncomment the keep state option in the rule:

pass from $lan #keep state

in pf.conf, it seems that the remote server can't connect back...
I've checked many times, it depends only on that option, how might that be?

Regards,
Roman.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 9 17:08:12 2007
Date: Mon, 09 Jul 2007 09:38:30 -0700
From: Mark Atkinson
To: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation

Max Laier wrote:

> On Friday 29 June 2007, Max Laier wrote:
> Does anyone know of a tool to generate nasty fragments to really test
> this? Reordered / overlapping / etc. ?

I generally set up a chain using /usr/ports/security/fragrouter

[server]<->[A fragrouter box B]<->[Device under test]<->[client]

for the fragrouter box, you have to turn off ip forwarding and run two copies
of fragrouter (one for each interface). The first copy is running
fragrouter in forward only (A) and the other is running your fragmented
packet forwarding (B). You want it so fragmentation is presented to your
device under test.

Note that you have to use -p (preserve header) for sending any fragments
smaller than the protocol header.

--
Mark Atkinson
atkin901@yahoo.com
(!wired)?(coffee++):(wired);

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 06:19:57 2007
Date: Tue, 10 Jul 2007 10:19:50 +0400
From: Eygene Ryabinkin
To: Nate Lawson
Cc: freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

Nate, good day.

Tue, Jul 03, 2007 at 03:24:17PM -0700, Nate Lawson wrote:
> I have tried to achieve the same goal with a simpler patch. Here are
> the changes:
>
> Be sure to initialize the callout struct and other setup tasks before
> proceeding. Previously, machclk_freq could be set to a non-zero value
> by tsc_freq_changed(), preventing the callout from being initialized.
> To fix this, call init_machclk() from all paths. init_machclk() is
> split into two functions, one that only runs the first time it is
> called. The second half runs each time the frequency changes and
> calibrates various items. Also, static variables are zero so no need to
> initialize them.
>
> If you can test this, that would be great.

Yes, it seems to work. I am a little concerned with the dependency
your patch introduces: it assumes that init_machclk() will always
use tsc_freq as the frequency source. So one day, when another counter
appears, one will need to locate all respective references to
tsc_freq and change them accordingly. That was the reason for my
lengthy changes: the explicit API.

Maybe a simple comment around init_machclk() will be enough, but
an explicit parameter will be better. I will try to think how it can
be done with your patch, but if any of you have some thoughts why
it shouldn't be done this way or have some other ideas -- I am all
ears.

Thank you!
--
Eygene

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 13:00:43 2007
Date: Tue, 10 Jul 2007 15:02:50 +0200
From: Max Laier
To: "Brian A. Seklecki"
Cc: lth@FreeBSD.org, freebsd-pf@freebsd.org
Subject: Re: HEADSUP: pf 4.1 import

Hi Brian,

On Tuesday 10 July 2007, Brian A. Seklecki wrote:
> On Tue, 2007-07-03 at 12:26 +0200, Max Laier wrote:
> > All,
> >
> > in the course of this afternoon (CEST) I'll import the OpenBSD 4.1
> > version
>
> We'll also have to see if Joel Knight's Net-SNMP patches work with our
> 5.3 in ports/net-mgmnt.

not 100% sure what you are talking about, but I'll CC the p5-Net-SNMP
maintainer - maybe Lars has an idea. Note that the changes for the base
system SNMP module were rather painless.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 13:02:31 2007
Date: Tue, 10 Jul 2007 08:52:27 -0400
From: "Brian A. Seklecki"
To: Max Laier
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: re: HEADSUP: pf 4.1 import

On Tue, 2007-07-03 at 12:26 +0200, Max Laier wrote:
> All,
>
> in the course of this afternoon (CEST) I'll import the OpenBSD 4.1 version

We'll also have to see if Joel Knight's Net-SNMP patches work with our
5.3 in ports/net-mgmnt.

~BAS

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 13:17:50 2007
Date: Tue, 10 Jul 2007 15:20:05 +0200
From: Max Laier
To: Henrik Brix Andersen
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

On Tuesday 10 July 2007, Henrik Brix Andersen wrote:
> Hi,
>
> On Sat, Jun 16, 2007 at 03:47:24AM +0200, Max Laier wrote:
> > To make testing easier I'm working on RELENG_6 patches as well, but
> > it will be a bit to get through the fix/build/repeat-cycles.
>
> I can't seem to locate the patches for RELENG_6 on
> http://people.freebsd.org/~mlaier/PF41/ - are they available for
> testing?

Oh ... forgot about that ... there are several problems with that. First
of all RELENG_6 is missing the interface group infrastructure which is
essential to pf now. This makes it difficult to produce patches. I
could do it, but ...

> Do you plan on MFC'ing pf-4.1 to RELENG_6 before RELENG_6_3 is
> branched?

... it can never be MFCed due to the ABI breakage in several essential
places (ifnet and pf ioctls).

There is some work going on in OpenBSD 4.2 to reduce userland ABI changes
in the future, but for now updating pf means breaking ABIs means no MFC
unfortunately.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 13:22:57 2007
Date: Tue, 10 Jul 2007 15:22:56 +0200
From: Henrik Brix Andersen
To: Max Laier
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf 4.1 Update available for testing

Hi Max,

On Tue, Jul 10, 2007 at 03:20:05PM +0200, Max Laier wrote:
> On Tuesday 10 July 2007, Henrik Brix Andersen wrote:
> Oh ... forgot about that ... there are several problems with that. First
> of all RELENG_6 is missing the interface group infrastructure which is
> essential to pf now. This makes it difficult to produce patches. I
> could do it, but ...

I see.

> > Do you plan on MFC'ing pf-4.1 to RELENG_6 before RELENG_6_3 is
> > branched?
>
> ... it can never be MFCed due to the ABI breakage in several essential
> places (ifnet and pf ioctls).
>
> There is some work going on in OpenBSD 4.2 to reduce userland ABI changes
> in the future, but for now updating pf means breaking ABIs means no MFC
> unfortunately.

Ah, of course - didn't think of that. Guess we'll just have to wait
for 7.0 to hit the streets, then :)

Thank you for working on this.

Regards,
Brix
--
Henrik Brix Andersen

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 13:35:23 2007
Date: Tue, 10 Jul 2007 15:12:24 +0200
From: Henrik Brix Andersen To: Max Laier Message-ID: <20070710131224.GC64775@tirith.brixandersen.dk> Mail-Followup-To: Max Laier , freebsd-pf@freebsd.org, freebsd-net@freebsd.org, freebsd-current@freebsd.org References: <200706160347.33331.max@love2party.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="6zdv2QT/q3FMhpsV" Content-Disposition: inline In-Reply-To: <200706160347.33331.max@love2party.net> X-PGP-Key: http://www.brixandersen.dk/files/HenrikBrixAndersen.asc User-Agent: Mutt/1.5.16 (2007-06-09) Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf 4.1 Update available for testing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jul 2007 13:35:23 -0000

--6zdv2QT/q3FMhpsV Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Hi,

On Sat, Jun 16, 2007 at 03:47:24AM +0200, Max Laier wrote:
> To make testing easier I'm working on RELENG_6 patches as well, but it
> will be a bit to get through the fix/build/repeat-cycles.

I can't seem to locate the patches for RELENG_6 on http://people.freebsd.org/~mlaier/PF41/ - are they available for testing?

Do you plan on MFC'ing pf-4.1 to RELENG_6 before RELENG_6_3 is branched?

Regards,
Brix
-- 
Henrik Brix Andersen

--6zdv2QT/q3FMhpsV Content-Type: application/pgp-signature Content-Disposition: inline --6zdv2QT/q3FMhpsV--

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 14:50:50 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 16B8016A400 for ; Tue, 10 Jul 2007 14:50:50 +0000 (UTC) (envelope-from mahabubbasha@gmail.com) Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.178]) by mx1.freebsd.org (Postfix) with ESMTP id E844113C455 for ; Tue, 10 Jul 2007 14:50:49 +0000 (UTC) (envelope-from mahabubbasha@gmail.com) Received: by wa-out-1112.google.com with SMTP id j37so1871871waf for ; Tue, 10 Jul 2007 07:50:49 -0700 (PDT) Received: by 10.114.202.15 with SMTP id z15mr4216067waf.1184077560144; Tue, 10 Jul 2007 07:26:00 -0700 (PDT) Received: by 10.114.179.13 with HTTP; Tue, 10 Jul 2007 07:26:00 -0700 (PDT) Message-ID: Date: Tue, 10 Jul 2007
19:56:00 +0530 
From: "Mahabub Basha" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: ALTQ on multi-WAN with pf pools X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jul 2007 14:50:50 -0000

Hi all,

I have a multi-WAN setup using pf pools and want to use simple QoS using ALTQ. I don't know how to use priq in combination with multi-wan.

My stripped pf.conf looks like this

pf.conf
==========================================================
altq on $wan priq queue { idle_1, normal_1, high_1}
queue idle_1 priq(default)
queue normal_1 priority 2
queue high_1 priority 3

altq on $wan2 priq queue { idle_2, normal_2, high_2 }
queue idle_2 priq(default)
queue normal_2 priority 2
queue high_2 priority 3

# User NAT Rules
nat on $wan from any to any -> ($wan)
nat on $wan2 from any to any -> ($wan2)

pass in quick on $lan route-to { ($wan $wan_gw), ($wan2 $wan2_gw) } \
round-robin inet from ($lan:network) to any flags S/SA keep state
==========================================================

How can I assign select traffic (eg. ssh) going out on either $wan or $wan2 to the "high_x" queues?

Thanks for reading!

- Mahabub Basha.
S From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 16:36:24 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D567F16A400 for ; Tue, 10 Jul 2007 16:36:24 +0000 (UTC) (envelope-from mohacsi@niif.hu) Received: from mail.ki.iif.hu (mail.ki.iif.hu [193.6.222.241]) by mx1.freebsd.org (Postfix) with ESMTP id 9A37D13C4BA for ; Tue, 10 Jul 2007 16:36:24 +0000 (UTC) (envelope-from mohacsi@niif.hu) Received: by mail.ki.iif.hu (Postfix, from userid 1003) id 54685563E; Tue, 10 Jul 2007 18:15:06 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by mail.ki.iif.hu (Postfix) with ESMTP id 52F8D563D for ; Tue, 10 Jul 2007 18:15:06 +0200 (CEST) Date: Tue, 10 Jul 2007 18:15:06 +0200 (CEST) 
From: Mohacsi Janos X-X-Sender: mohacsi@mignon.ki.iif.hu To: freebsd-pf@freebsd.org Message-ID: <20070710180008.K82186@mignon.ki.iif.hu> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Subject: pr=112579 probably misfiled X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jul 2007 16:36:24 -0000 Dear All, I have submitted a PR a while ago about the pf examples in /usr/share/examples/pf. I thought it is related to the documentation since you can find some examples - documentation in /usr/share/examples. Can you tell me /usr/share/examples/pf is under doc or under pf control? Best Regards, Janos Mohacsi Network Engineer, Research Associate, Head of Network Planning and Projects NIIF/HUNGARNET, HUNGARY Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882 From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 20:42:01 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2DF7816A421; Tue, 10 Jul 2007 20:42:01 +0000 (UTC) (envelope-from lth@FreeBSD.org) Received: from cicero-fbr1.cybercity.dk (cicero-fbr1.cybercity.dk [212.242.40.5]) by mx1.freebsd.org (Postfix) with ESMTP id E231213C44C; Tue, 10 Jul 2007 20:42:00 +0000 (UTC) (envelope-from lth@FreeBSD.org) Received: from cicero3.cybercity.dk (cicero3.cybercity.dk [212.242.43.248]) by cicero-fbr1.cybercity.dk (Postfix) with ESMTP id D581D3D32F1; Tue, 10 Jul 2007 22:01:37 +0200 (CEST) Received: from user3.cybercity.dk (user3.cybercity.dk [212.242.41.36]) by cicero3.cybercity.dk (Postfix) with ESMTP id 158613A9E8E; Tue, 10 Jul 2007 22:00:35 +0200 (CEST) Received: from [10.0.0.100] (port456.ds1-bav.adsl.cybercity.dk [212.242.213.149]) by 
user3.cybercity.dk (Postfix) with ESMTP id 12716256203; Tue, 10 Jul 2007 21:23:32 +0200 (CEST) Message-ID: <4693DCEC.3050500@FreeBSD.org> Date: Tue, 10 Jul 2007 21:24:28 +0200 
From: Lars Thegler User-Agent: Thunderbird 2.0.0.4 (Windows/20070604) MIME-Version: 1.0 To: Max Laier References: <200707031226.18399.max@love2party.net> <1184071947.44231.61.camel@soundwave.pitbpa0.priv.collaborativefusion.com> <200707101502.57992.max@love2party.net> In-Reply-To: <200707101502.57992.max@love2party.net> X-Enigmail-Version: 0.95.2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: "Brian A. Seklecki" , kuriyama@freebsd.org, freebsd-pf@freebsd.org Subject: Re: HEADSUP: pf 4.1 import X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jul 2007 20:42:01 -0000

On 10-07-2007 15:02, Max Laier wrote:
> On Tuesday 10 July 2007, Brian A. Seklecki wrote:
>> On Tue, 2007-07-03 at 12:26 +0200, Max Laier wrote:
>>> All,
>>>
>>> in the course of this afternoon (CEST) I'll import the OpenBSD 4.1
>>> version
>> We'll also have to see if Joel Knight's Net-SNMP patches work with our
>> 5.3 in ports/net-mgmnt.
>
> not 100% sure what you are talking about, but I'll CC the p5-Net-SNMP
> maintainer - maybe Lars has an idea. Note that the changes for the base
> system SNMP module were rather painless.

I believe you are talking about net-mgmt/net-snmp, of which kuriyama@ is the maintainer?

/Lars From owner-freebsd-pf@FreeBSD.ORG Thu Jul 12 00:58:44 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8C7B316A41F for ; Thu, 12 Jul 2007 00:58:44 +0000 (UTC) (envelope-from nate@root.org) Received: from root.org (root.org [67.118.192.226]) by mx1.freebsd.org (Postfix) with ESMTP id 6B1B613C45A for ; Thu, 12 Jul 2007 00:58:44 +0000 (UTC) (envelope-from nate@root.org) Received: (qmail 88182 invoked from network); 12 Jul 2007 00:58:45 -0000 Received: from ppp-71-139-42-13.dsl.snfc21.pacbell.net (HELO ?10.0.5.18?) (nate-mail@71.139.42.13) by root.org with ESMTPA; 12 Jul 2007 00:58:45 -0000 Message-ID: <46957CB9.1020801@root.org> Date: Wed, 11 Jul 2007 17:58:33 -0700 
From: Nate Lawson User-Agent: Thunderbird 2.0.0.4 (X11/20070617) MIME-Version: 1.0 To: Eygene Ryabinkin References: <200706160347.33331.max@love2party.net> <20070617094126.GT3779@void.codelabs.ru> <200706171717.21585.max@love2party.net> <20070619074150.GC26920@void.codelabs.ru> <4677FF00.4060506@root.org> <20070620152609.GD26920@void.codelabs.ru> <20070620190423.GH26920@void.codelabs.ru> <468ACC91.9010806@root.org> <20070710061950.GB38151@void.codelabs.ru> In-Reply-To: <20070710061950.GB38151@void.codelabs.ru> X-Enigmail-Version: 0.95.0 Content-Type: multipart/mixed; boundary="------------050403040607040200090901" Cc: freebsd-pf@freebsd.org Subject: Re: pf 4.1 Update available for testing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jul 2007 00:58:44 -0000 This is a multi-part message in MIME format. --------------050403040607040200090901 Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 7bit Eygene Ryabinkin wrote: > Nate, good day. > > Tue, Jul 03, 2007 at 03:24:17PM -0700, Nate Lawson wrote: >> I have tried to achieve the same goal with a simpler patch. Here are >> the changes: >> >> Be sure to initialize the callout struct and other setup tasks before >> proceeding. Previously, machclk_freq could be set to a non-zero value >> by tsc_freq_changed(), preventing the callout from being initialized. >> To fix this, call init_machclk() from all paths. init_machclk() is >> split into two functions, one that only runs the first time it is >> called. The second half runs each time the frequency changes and >> calibrates various items. Also, static variables are zero so no need to >> initialize them. >> >> If you can test this, that would be great. > > Yes, it seems to work. 
I am a little concerned with the dependency > your patch introduces: it assumes that init_machclk() will always > use tsc_freq as the frequency source. So one day when another > counter will appear one will need to locate all respective references > to the tsc_freq and change them accordingly. That was the reason > for my lengthy changes: the explicit API. May be the simple comment > around init_machclk() will be enough, but explicit parameter will > be better. I will try to think how it can be done with your patch, > but if any of you have some thoughts why it shouldn't be done this > way or have some other ideas -- I am all ears. > > Thank you! Thanks for your testing. I've submitted the attached patch to re@ to go into 7-current. It no longer explicitly references tsc_freq in the eventhandler. It allows the existing eventhandler (sys/i386/i386/tsc.c and amd64) to set tsc_freq. Its priority is _PRI_LAST so tsc_freq is already modified. That way all we have to do for future time sources is make sure they update themselves and then ALTQ only has to be changed in init_machclk(). Once I commit it, please cvsup and test. I'll send you notice. -Nate --------------050403040607040200090901 Content-Type: text/x-patch; name="altq-fix-4.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="altq-fix-4.diff" Index: altq_subr.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/altq/altq/altq_subr.c,v retrieving revision 1.9 diff -u -r1.9 altq_subr.c --- altq_subr.c 26 Mar 2007 18:03:29 -0000 1.9 +++ altq_subr.c 12 Jul 2007 00:52:19 -0000 @@ -887,8 +887,8 @@ #define MACHCLK_SHIFT 8 int machclk_usepcc; -u_int32_t machclk_freq = 0; -u_int32_t machclk_per_tick = 0; +u_int32_t machclk_freq; +u_int32_t machclk_per_tick; #ifdef __alpha__ #ifdef __FreeBSD__ 
@@ -911,14 +911,14 @@ return; /* Total setting for this level gives the new frequency in MHz. */ - machclk_freq = level->total_set.freq * 1000000; + init_machclk(); } EVENTHANDLER_DEFINE(cpufreq_post_change, tsc_freq_changed, NULL, - EVENTHANDLER_PRI_ANY); + EVENTHANDLER_PRI_LAST); #endif /* __FreeBSD_version >= 700035 */ -void -init_machclk(void) +static void +init_machclk_setup(void) { #if (__FreeBSD_version >= 600000) callout_init(&tbr_callout, 0); 
@@ -941,6 +941,18 @@ tsc_is_broken)) machclk_usepcc = 0; #endif +} + +void +init_machclk(void) +{ + static int called; + + /* Call one-time initialization function. */ + if (!called) { + init_machclk_setup(); + called = 1; + } if (machclk_usepcc == 0) { /* emulate 256MHz using microtime() */ --------------050403040607040200090901-- From owner-freebsd-pf@FreeBSD.ORG Thu Jul 12 15:05:06 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 51D1016A41F; Thu, 12 Jul 2007 15:05:06 +0000 (UTC) (envelope-from lavalamp@spiritual-machines.org) Received: from mail.digitalfreaks.org (arbitor.digitalfreaks.org [216.151.95.158]) by mx1.freebsd.org (Postfix) with ESMTP id 0095613C4B0; Thu, 12 Jul 2007 15:05:05 +0000 (UTC) (envelope-from lavalamp@spiritual-machines.org) Received: from localhost (localhost [127.0.0.1]) by mail.digitalfreaks.org (Postfix) with ESMTP id EDF77173A4; Thu, 12 Jul 2007 10:45:58 -0400 (EDT) Received: from mail.digitalfreaks.org ([127.0.0.1]) by localhost (mail.digitalfreaks.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 72399-20; Thu, 12 Jul 2007 10:45:54 -0400 (EDT) Received: from soundwave.pitbpa0.priv.collaborativefusion.com (pr40.pitbpa0.pub.collaborativefusion.com [206.210.89.202]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mail.digitalfreaks.org (Postfix) with ESMTP id 75E95172F1; Thu, 12 Jul 2007 10:45:54 -0400 (EDT) 
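Review bot: in the @@ -911 hunk of altq-fix-4.diff the retained comment "Total setting for this level gives the new frequency in MHz." is now stale, because the assignment from level->total_set.freq that it described is replaced by the call to init_machclk(). Replace it with a comment stating what the handler now depends on: it is registered at EVENTHANDLER_PRI_LAST so that the tsc.c handler has already updated tsc_freq before init_machclk() recalibrates. That ordering is explained in the covering mail but nowhere in the code.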
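Review bot: the "static int called" guard added to init_machclk() in the @@ -941 hunk is tested and set without any lock, and with this patch init_machclk() is reached from tsc_freq_changed() as well as from its existing callers. If a cpufreq_post_change event can be delivered while the first call is still inside init_machclk_setup(), the setup body, including callout_init(&tbr_callout, 0), runs twice. Either add a comment saying why the two paths cannot overlap, or perform the one-time setup from a single initialization path so the guard is not needed.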
From: "Brian A. Seklecki" To: Max Laier , freebsd-pf@freebsd.org, kuriyama@freebsd.org, Lars Thegler Content-Type: text/plain Date: Thu, 12 Jul 2007 10:45:53 -0400 Message-Id: <1184251553.75998.29.camel@soundwave.pitbpa0.priv.collaborativefusion.com> Mime-Version: 1.0 X-Mailer: Evolution 2.6.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit X-Virus-Scanned: Maia Mailguard 1.0.2 Cc: Subject: [Fwd: [Fwd: Re: Merging Joel Knight's SNMP MIB into net/net-snmp]] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jul 2007 15:05:06 -0000 My mail PFY tells me that my original send of this message never made it through.... so here's the resend (a thread regarding Net-SNMP 5.4 + OpenBSD 4.1 + PF-MIB). ~BAS -------- Forwarded Message -------- From: Brian A. Seklecki To: Max Laier Subject: [Fwd: Re: Merging Joel Knight's SNMP MIB into net/net-snmp] Date: Tue, 10 Jul 2007 09:03:18 -0400 email message attachment, "Forwarded message - Re: Merging Joel Knight's SNMP MIB into net/net-snmp" -------- Forwarded Message -------- 
From: Joel Knight
To: ports@openbsd.org
Subject: Re: Merging Joel Knight's SNMP MIB into net/net-snmp
Date: Tue, 03 Jul 2007 12:16:45 -0600

Christopher Snell wrote:
> On 6/26/07, Christopher Snell wrote:
>
>> Has anybody considered merging Joel Knight's OpenBSD SNMP MIB work
>> into ports/net-snmp? His patch works great and has been in production
>> here at Backcountry.com for six months now. OpenBSD probably will
>> want its own enterprise number, too.
>
> Looks like I spoke too soon. We hadn't had any problems with this MIB
> but as I was investigating it a little bit more deeply, I uncovered
> some problems:
>
> 1) CPU utilization (system, user, idle) is always reported as 0.00%,
> regardless of actual utilization. This is probably a flaw in
> net-snmp, not Joel's patch.

Indeed. My patch doesn't touch anything like that. I also don't have this issue:

UCD-SNMP-MIB::laLoad.1 = STRING: 0.07
UCD-SNMP-MIB::laLoad.2 = STRING: 0.10
UCD-SNMP-MIB::laLoad.3 = STRING: 0.08

> 2) I've never used Joel's CARP MIB stuff, so I never looked at it
> closely. Now that I look, it seems that it's not returning the objects
> that show the CARP status of my interfaces. I'm running straight-up
> OpenBSD 4.1.

Again, no issue here.

OPENBSD-CARP-MIB::carpAllow.0 = INTEGER: true(1) OPENBSD-CARP-MIB::carpPreempt.0 = INTEGER: true(1) OPENBSD-CARP-MIB::carpLog.0 = INTEGER: false(2) OPENBSD-CARP-MIB::carpArpbalance.0 = INTEGER: false(2) OPENBSD-CARP-MIB::carpIfNumber.0 = INTEGER: 3 OPENBSD-CARP-MIB::carpIfIndex.1 = INTEGER: 1 OPENBSD-CARP-MIB::carpIfIndex.2 = INTEGER: 2 OPENBSD-CARP-MIB::carpIfIndex.3 = INTEGER: 3 OPENBSD-CARP-MIB::carpIfDescr.1 = STRING: "carp1" OPENBSD-CARP-MIB::carpIfDescr.2 = STRING: "carp1000" OPENBSD-CARP-MIB::carpIfDescr.3 = STRING: "carp998" OPENBSD-CARP-MIB::carpIfVhid.1 = INTEGER: 1 OPENBSD-CARP-MIB::carpIfVhid.2 = INTEGER: 255 OPENBSD-CARP-MIB::carpIfVhid.3 = INTEGER: 253 OPENBSD-CARP-MIB::carpIfDev.1 = STRING: "em0" OPENBSD-CARP-MIB::carpIfDev.2 = STRING: "vlan1000" OPENBSD-CARP-MIB::carpIfDev.3 = STRING: "vlan998" OPENBSD-CARP-MIB::carpIfAdvbase.1 = INTEGER: 1 OPENBSD-CARP-MIB::carpIfAdvbase.2 = INTEGER: 1 OPENBSD-CARP-MIB::carpIfAdvbase.3 = INTEGER: 1 OPENBSD-CARP-MIB::carpIfAdvskew.1 = INTEGER: 0 OPENBSD-CARP-MIB::carpIfAdvskew.2 = INTEGER: 0 OPENBSD-CARP-MIB::carpIfAdvskew.3 = INTEGER: 0 OPENBSD-CARP-MIB::carpIfState.1 = INTEGER: master(2) OPENBSD-CARP-MIB::carpIfState.2 = INTEGER: master(2) OPENBSD-CARP-MIB::carpIfState.3 = INTEGER: master(2) jknight@prdcgfw01:/home/jknight% sysctl net.inet.carp net.inet.carp.allow=1 net.inet.carp.preempt=1 net.inet.carp.log=0 net.inet.carp.arpbalance=0 jknight@prdcgfw01:/home/jknight% ifconfig carp | egrep "^carp|carp:" carp1: flags=8843 mtu 1500 carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0 carp1000: flags=8843 mtu 1500 carp: MASTER carpdev vlan1000 vhid 255 advbase 1 advskew 0 carp998: flags=8843 mtu 1500 carp: MASTER carpdev vlan998 vhid 253 advbase 1 advskew 0 jknight@prdcgfw01:/home/jknight% uname -a OpenBSD prdcgfw01.blah 4.1 GENERIC#0 i386 jknight@prdcgfw01:/home/jknight% pkg_info | grep snmp net-snmp-5.1.3p5 extendable SNMP implementation > 3) snmpd(8) died after I ran a bunch of snmpwalk(1)'s against it. 
Not
> sure what's going on here.

I've had a patched snmpd running on a few 4.1 machines for many weeks now, no issues. Before that it ran on 4.0 without issue.

> Has anybody else encountered these problems? I'm going to work on #1
> but I'm afraid that #2 and #3 are probably beyond my limited C skills.

If you're having issues, please provide information like 1) the output you're seeing, 2) how to reproduce the issue, 3) the commands you're running, etc.

I appreciate everyone's interest in my little project.

.joel

email message attachment, "Forwarded message - Re: Merging Joel Knight's SNMP MIB into net/net-snmp"
-------- Forwarded Message --------
From: Brian A. Seklecki
To: Christopher Snell
Cc: ports@openbsd.org, opti@openbsd.de, enabled@myrealbox.com
Subject: Re: Merging Joel Knight's SNMP MIB into net/net-snmp
Date: Thu, 28 Jun 2007 11:11:19 -0400

Oh god please yes!

I'm working on pfsync and a general "OPENBSD-NETSTAT-MIB" for feeding "netstat -s" stats into a MIB.

I've also written a small Nagios plugin that uses the Net-SNMP bindings to walk the CARP Interface Status Table ("OPENBSD-CARP-MIB::carpIfTable") to check for proper active/standby configs:

http://www.nagiosexchange.org/Networking.53.0.html?&tx_netnagext_pi1[p_view]=1021

There's also a check_pf:

http://www.nagiosexchange.org/Networking.53.0.html?&tx_netnagext_pi1[p_view]=895

Also, I'm hoping to switch one of our lab policy routers back to pf(4) this weekend, and I'll be able to improve my OPENBSD-PF-MIB MRTG Templates and upload them (*hopefully*) to:

http://howto.aphroland.org/HOWTO/MRTG//

Which seems to be the definitive MRTG Template/OID Reference (if such a place exists -- MRTG is almost 10 years old and that idea never occurred to anyone), but the site has been unresponsive as of late. Might be time for a separate Wiki.

~BAS

On Tue, 2007-06-26 at 15:48 -0600, Christopher Snell wrote:
> Hi,
>
> Has anybody considered merging Joel Knight's OpenBSD SNMP MIB work
> into ports/net-snmp? His patch works great and has been in production
> here at Backcountry.com for six months now. OpenBSD probably will
> want its own enterprise number, too.
>
> I'm willing to lend a hand, if it's needed.
>
> Thanks,
>
> Chris
>
>

email message attachment, "Forwarded message - Re: Merging Joel Knight's SNMP MIB into net/net-snmp"
-------- Forwarded Message --------
From: Christopher Snell
To: ports@openbsd.org
Cc: opti@openbsd.de, enabled@myrealbox.com
Subject: Re: Merging Joel Knight's SNMP MIB into net/net-snmp
Date: Thu, 28 Jun 2007 22:33:42 -0600

On 6/26/07, Christopher Snell wrote:
> Has anybody considered merging Joel Knight's OpenBSD SNMP MIB work
> into ports/net-snmp? His patch works great and has been in production
> here at Backcountry.com for six months now. OpenBSD probably will
> want its own enterprise number, too.

Looks like I spoke too soon. We hadn't had any problems with this MIB but as I was investigating it a little bit more deeply, I uncovered some problems:

1) CPU utilization (system, user, idle) is always reported as 0.00%, regardless of actual utilization. This is probably a flaw in net-snmp, not Joel's patch.

2) I've never used Joel's CARP MIB stuff, so I never looked at it closely. Now that I look, it seems that it's not returning the objects that show the CARP status of my interfaces. I'm running straight-up OpenBSD 4.1.

3) snmpd(8) died after I ran a bunch of snmpwalk(1)'s against it. Not sure what's going on here.

Has anybody else encountered these problems? I'm going to work on #1 but I'm afraid that #2 and #3 are probably beyond my limited C skills.

Chris

email message attachment, "Forwarded message - Merging Joel Knight's SNMP MIB into net/net-snmp"
-------- Forwarded Message --------
From: Christopher Snell
To: ports@openbsd.org
Cc: opti@openbsd.de, enabled@myrealbox.com
Subject: Merging Joel Knight's SNMP MIB into net/net-snmp
Date: Tue, 26 Jun 2007 15:48:56 -0600

Hi,

Has anybody considered merging Joel Knight's OpenBSD SNMP MIB work into ports/net-snmp? His patch works great and has been in production here at Backcountry.com for six months now. OpenBSD probably will want its own enterprise number, too.

I'm willing to lend a hand, if it's needed.

Thanks,

Chris

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 12 15:25:25 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0E1BC16A468 for ; Thu, 12 Jul 2007 15:25:25 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.235]) by mx1.freebsd.org (Postfix) with ESMTP id B81CB13C448 for ; Thu, 12 Jul 2007 15:25:24 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: by wx-out-0506.google.com with SMTP id i29so152595wxd for ; Thu, 12 Jul 2007 08:25:24 -0700 (PDT) Received: by 10.70.77.2 with SMTP id
z2mr1254714wxa.1184253924175; Thu, 12 Jul 2007 08:25:24 -0700 (PDT) Received: by 10.70.115.5 with HTTP; Thu, 12 Jul 2007 08:25:24 -0700 (PDT) Message-ID: <9a542da30707120825p3781cec0ue8a7da86dc7a6f99@mail.gmail.com> Date: Thu, 12 Jul 2007 17:25:24 +0200 
From: "Ermal Luçi" To: "Mahabub Basha" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: Cc: freebsd-pf@freebsd.org Subject: Re: ALTQ on multi-WAN with pf pools X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jul 2007 15:25:25 -0000

altq on {$wan, $wan2 } priq queue { idle_1, normal_1, high_1}
queue idle_1 priq(default)
queue normal_1 priority 2
queue high_1 priority 3

pass in quick on $lan route-to { ($wan $wan_gw), ($wan2 $wan2_gw) } \
round-robin inet from ($lan:network) to any flags S/SA keep state queue high_1

should do the trick for you!
If you want something more advanced you can ask again here or read carefully the BNF explanation on pf.conf manual page.

Regards

On 7/10/07, Mahabub Basha wrote:
> Hi all,
>
> I have a multi-WAN setup using pf pools and want to use
> simple QoS using ALTQ. I don't know how to use priq in
> combination with multi-wan.
>
> My stripped pf.conf looks like this
>
> pf.conf
> ==========================================================
> altq on $wan priq queue { idle_1, normal_1, high_1}
> queue idle_1 priq(default)
> queue normal_1 priority 2
> queue high_1 priority 3
>
> altq on $wan2 priq queue { idle_2, normal_2, high_2 }
> queue idle_2 priq(default)
> queue normal_2 priority 2
> queue high_2 priority 3
>
> # User NAT Rules
> nat on $wan from any to any -> ($wan)
> nat on $wan2 from any to any -> ($wan2)
>
> pass in quick on $lan route-to { ($wan $wan_gw), ($wan2 $wan2_gw) } \
> round-robin inet from ($lan:network) to any flags S/SA keep state
> ==========================================================
>
>
> How can I assign select traffic (eg.
ssh) going out on either $wan or
> $wan2 to the "high_x" queues?
>
> Thanks for reading!
>
> - Mahabub Basha. S
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 13 11:54:41 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 81C2E16A401 for ; Fri, 13 Jul 2007 11:54:41 +0000 (UTC) (envelope-from myninku@gmail.com) Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.177]) by mx1.freebsd.org (Postfix) with ESMTP id 5B55D13C4A7 for ; Fri, 13 Jul 2007 11:54:41 +0000 (UTC) (envelope-from myninku@gmail.com) Received: by wa-out-1112.google.com with SMTP id j37so573514waf for ; Fri, 13 Jul 2007 04:54:41 -0700 (PDT) Received: by 10.114.199.1 with SMTP id w1mr1572325waf.1184327680813; Fri, 13 Jul 2007 04:54:40 -0700 (PDT) Received: by 10.115.108.7 with HTTP; Fri, 13 Jul 2007 04:54:40 -0700 (PDT) Message-ID: Date: Fri, 13 Jul 2007 18:54:40 +0700
From: sukaca To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: pf load balance rapidshare problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jul 2007 11:54:41 -0000

dear all.
at the moment i used pf load balancing with 4 adsl connections.
everything works as i expected.
but the problem is when i open rapidshare download with ticket.
as i know, rapidshare ticket checks ip connection, and i always got invalid session.

is there another way to make my ip established with.
or another way to make it possible.

thanks for reading

vicky

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 13 12:12:23 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 70AD016A400 for ; Fri, 13 Jul 2007 12:12:23 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.freebsd.org (Postfix) with ESMTP id 053AE13C46B for ; Fri, 13 Jul 2007 12:12:23 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.26.241] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1I9K0T3sCW-00085Q; Fri, 13 Jul 2007 14:12:22 +0200
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 13 Jul 2007 14:14:08 +0200
Message-Id: <200707131414.16512.max@love2party.net>
Subject: Re: pf load balance rapidshare problem

On Friday 13 July 2007, sukaca wrote:
> Dear all,
> At the moment I use pf load balancing with 4 ADSL connections.
> Everything works as I expected.
> But the problem is when I open a rapidshare download with a ticket.
> As I know, the rapidshare ticket checks the IP connection, and I always get
> an invalid session.
>
> Is there another way to make my IP established with.
> Or another way to make it possible.

There is the sticky-address option to ensure repeated connections are
issued from the same source address. As rapidshare might forward you to
a different server, however, you might need something different. I'd
simply use a rule to "pin" the rapidshare netblock to a certain uplink.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
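The two approaches named in the reply above, sticky-address on the balancing pool and a rule that pins one netblock to a single uplink, written out as a pf.conf fragment. This is an added example, not part of the original thread; the interface names, gateways and the pinned netblock are placeholders, and only two of the four uplinks are shown.

```pf
# Added example. All names and addresses are placeholders (documentation
# ranges); further uplinks are added to the route-to list the same way.
lan_if  = "em0"
lan_net = "192.168.0.0/24"
ext_if1 = "em1"
ext_gw1 = "198.51.100.1"
ext_if2 = "em2"
ext_gw2 = "203.0.113.1"

# Stand-in for the netblock of the site that ties a session to one source IP.
table <pinned> const { 192.0.2.0/24 }

# Keep sticky-address mappings for 10 minutes after a client's last state
# expires; by default they are dropped together with that last state.
set timeout src.track 600

nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Balance LAN traffic over both uplinks. sticky-address makes every
# connection from one LAN host use the uplink chosen for its first one.
pass in on $lan_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address \
    from $lan_net to any keep state

# Pin: traffic to the listed netblock always leaves through uplink 1.
# The last matching rule wins, so this overrides the balancing rule above.
pass in on $lan_if route-to ($ext_if1 $ext_gw1) \
    from $lan_net to <pinned> keep state

# Packets that carry one uplink's address but were routed to the other
# interface are sent back out through the matching uplink.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```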