From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 02:58:00 2007
Message-ID: <46EDE839.8060501@criticalmagic.com>
Date: Sun, 16 Sep 2007 22:36:41 -0400
From: Richard Coleman
Organization: Critical Magic, Inc.
To: freebsd-pf@freebsd.org
Subject: Questions about filtering bridges

I'm setting up a filtering bridge and have a couple of questions. Hopefully someone here can help. I've looked at all the docs online (and lots of Google searches) but there isn't much recent info on filtering bridges.

The setup is pretty simple: fxp0 is external and fxp1 is internal.

# rc.conf
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"

Question 1: In the Handbook section on bridging, it says that if you need to set up an IP address, you should put it on the bridge interface (bridge0). But in the OpenBSD docs on filtering bridges, they say to put it on the inside interface. What are the consequences of doing it either way?

Question 2: If I use the following pf.conf (it should block everything inbound, but allow everything outbound), I notice I'm still able to ssh into the bridging firewall itself. Why isn't that blocked? I'm guessing it's a consequence of the fact that I put an IP address on the bridging interface, but I'm not sure. What am I missing?
# pf.conf

# interfaces
ext_if="fxp0"
int_if="fxp1"

# options
set skip on lo0
set block-policy drop

# normalization
scrub in on $ext_if all
scrub out on $ext_if random-id

# external interface, inbound
# default is to block all inbound on external interface
block in log on $ext_if all

# external interface, outbound
block out log on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# internal interface, inbound
pass in on $int_if all

# internal interface, outbound
pass out on $int_if all

Richard Coleman
rcoleman@criticalmagic.com

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 04:15:35 2007
Message-ID: <001301c7f8c2$30d5a480$1664a8c0@gzc.tree>
From: "James Mackinnon"
Date: Sun, 16 Sep 2007 21:32:12 -0300
Subject: authpf issue

Hi all,

I have in the past mostly used OpenBSD, but am doing a fair amount of work in FreeBSD now, which requires me to use pf and authpf anyhow.

When I try to set up authpf by adding /usr/sbin/authpf to /etc/shells and then assigning that shell to a user, I get the following on login. Some assistance / feedback would be great.

Sep 16 20:58:56 myserver -authpf: non-interfactive session connection for authpf
Sep 16 20:58:56 myserver login: pam_sm_close_session(): no utmp record for ttyv0

Thanks,
James

----------------------------------------------
James Mackinnon
President
Devantec Inc.
1.902.371.0283
jmackinnon@devantec.com
www.devantec.com
----------------------------------------------

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 11:08:12 2007
Date: Mon, 17 Sep 2007 11:08:10 GMT
Message-Id: <200709171108.l8HB8A3e049469@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf    [net] [pf] pfctl -k dont works

6 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 20:08:19 2007
Message-ID: <6e6841490709171242v61126706l782b7daec7ef3064@mail.gmail.com>
Date: Mon, 17 Sep 2007 16:42:43 -0300
From: "Gilberto Villani Brito"
To: freebsd-pf@freebsd.org
In-Reply-To: <46EDE839.8060501@criticalmagic.com>
Subject: Re: Questions about filtering bridges

On 16/09/2007, Richard Coleman wrote:
> I'm setting up a filtering bridge and have a couple of questions.
> Hopefully someone here can help. I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
>
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
>
> Question 1: In the Handbook section on bridging, it says that if you
> need to set up an IP address, you should put it on the bridge interface
> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface. What are the consequences of doing it
> either way?
>
> Question 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself. Why isn't that blocked? I'm
> guessing it's a consequence of the fact that I put an IP address on the
> bridging interface, but I'm not sure. What am I missing?
>
> # pf.conf
>
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
>
> # options
> set skip on lo0
> set block-policy drop
>
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
>
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all
>
> # external interface, outbound
> block out log on $ext_if all
> pass out on $ext_if proto tcp all flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
>
> # internal interface, inbound
> pass in on $int_if all
>
> # internal interface, outbound
> pass out on $int_if all
>
> Richard Coleman
> rcoleman@criticalmagic.com
>

Hi Richard;

The first question I don't know, but the second I know.

You are blocking everything:

block in log on $ext_if all
block out log on $ext_if all

But here:

pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

All the traffic going out is allowed, and PF reads all rules unless you use quick to stop.
See here: http://www.openbsd.org/faq/pf/filter.html#intro

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 20:38:35 2007
Message-ID: <46EEE5C9.8050103@criticalmagic.com>
Date: Mon, 17 Sep 2007 16:38:33 -0400
From: Richard Coleman
To: Andrew Thompson
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20070917202951.GF2742@heff.fud.org.nz>
Subject: Re: Questions about filtering bridges

Andrew Thompson wrote:
> On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
>
>> I'm setting up a filtering bridge and have a couple of questions.
>> Hopefully someone here can help. I've looked at all the docs online
>> (and lots of Google searches) but there isn't much recent info on
>> filtering bridges.
>>
>> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>>
>> # rc.conf
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
>> ifconfig_fxp0="up"
>> ifconfig_fxp1="up"
>>
>> Question 1: In the Handbook section on bridging, it says that if you
>> need to set up an IP address, you should put it on the bridge interface
>> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
>> put it on the inside interface. What are the consequences of doing it
>> either way?
>>
>
> OpenBSD does not support adding an IP address to a bridge interface so
> they do not have a choice here. Assigning the IP to the bridge is the
> correct way to do it, as it is the central piece of the setup.
>
>> Question 2: If I use the following pf.conf (should block everything
>> inbound, but allow everything outbound), I notice I'm still able to ssh
>> into the bridging firewall itself. Why isn't that blocked?
>> I'm guessing it's a consequence of the fact that I put an IP address on the
>> bridging interface, but I'm not sure. What am I missing?
>>
>> # pf.conf
>>
>> # interfaces
>> ext_if="fxp0"
>> int_if="fxp1"
>>
>> # options
>> set skip on lo0
>> set block-policy drop
>>
>> # normalization
>> scrub in on $ext_if all
>> scrub out on $ext_if random-id
>>
>> # external interface, inbound
>> # default is to block all inbound on external interface
>> block in log on $ext_if all
>>
>
> This is because the _bridge_ is the interface that the packet arrives
> on. Think of the bridge as a fully functioning interface; what you need
> is:
>
> bridge_if="bridge0"
> block in log on $bridge_if all
>
> regards,
> Andrew

I was confused because the if_bridge(4) man page (for 6.2) says that traffic always passes first through the originating interface (which I took to be the external physical interface), then passes through the bridge interface, and then through all appropriate outbound interfaces. So I assumed a block rule for the first physical interface would prevent the packet from ever reaching the bridge interface.

Given that wording, I was confused why you would ever need to filter on the bridge interface itself.

Thanks for the help.

Richard Coleman
rcoleman@criticalmagic.com

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 20:43:21 2007
Date: Tue, 18 Sep 2007 08:43:18 +1200
From: Andrew Thompson
To: Richard Coleman
Cc: freebsd-pf@freebsd.org
Message-ID: <20070917204318.GB9614@heff.fud.org.nz>
In-Reply-To: <46EEE5C9.8050103@criticalmagic.com>
Subject: Re: Questions about filtering bridges

On Mon, Sep 17, 2007 at 04:38:33PM -0400, Richard Coleman wrote:
> Andrew Thompson wrote:
> >On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
> >
> >>Question 1: In the Handbook section on bridging, it says that if you
> >>need to set up an IP address, you should put it on the bridge interface
> >>(bridge0). But in the OpenBSD docs on filtering bridges, they say to
> >>put it on the inside interface. What are the consequences of doing it
> >>either way?
> >>
> >
> >OpenBSD does not support adding an IP address to a bridge interface so
> >they do not have a choice here. Assigning the IP to the bridge is the
> >correct way to do it, as it is the central piece of the setup.
> >
> >>Question 2: If I use the following pf.conf (should block everything
> >>inbound, but allow everything outbound), I notice I'm still able to ssh
> >>into the bridging firewall itself. Why isn't that blocked? I'm
> >>guessing it's a consequence of the fact that I put an IP address on the
> >>bridging interface, but I'm not sure. What am I missing?
> >>
> >
> >This is because the _bridge_ is the interface that the packet arrives
> >on.
> >Think of the bridge as a fully functioning interface; what you need
> >is:
> >
> >bridge_if="bridge0"
> >block in log on $bridge_if all
> >
> >regards,
> >Andrew
>
> I was confused because the if_bridge(4) man page (for 6.2) says that
> traffic always passes first through the originating interface (which I
> took to be the external physical interface), then passes through the
> bridge interface, and then through all appropriate outbound interfaces.
> So I assumed a block rule for the first physical interface would
> prevent the packet from ever reaching the bridge interface.
>
> Given that wording, I was confused why you would ever need to filter on
> the bridge interface itself.

I see where the confusion comes in then. That particular section refers to the bridge forwarding packets; anything that is destined for the local host is tapped off early and handled specially. I welcome any wording changes on the man page.

cheers,
Andrew

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 20:43:33 2007
Date: Tue, 18 Sep 2007 08:29:51 +1200
From: Andrew Thompson
To: Richard Coleman
Cc: freebsd-pf@freebsd.org
Message-ID: <20070917202951.GF2742@heff.fud.org.nz>
In-Reply-To: <46EDE839.8060501@criticalmagic.com>
Subject: Re: Questions about filtering bridges

On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
> I'm setting up a filtering bridge and have a couple of questions.
> Hopefully someone here can help. I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
>
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
>
> Question 1: In the Handbook section on bridging, it says that if you
> need to set up an IP address, you should put it on the bridge interface
> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface. What are the consequences of doing it
> either way?

OpenBSD does not support adding an IP address to a bridge interface so they do not have a choice here. Assigning the IP to the bridge is the correct way to do it, as it is the central piece of the setup.

> Question 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself. Why isn't that blocked?
> I'm guessing it's a consequence of the fact that I put an IP address on the
> bridging interface, but I'm not sure. What am I missing?
>
> # pf.conf
>
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
>
> # options
> set skip on lo0
> set block-policy drop
>
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
>
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all

This is because the _bridge_ is the interface that the packet arrives on. Think of the bridge as a fully functioning interface; what you need is:

bridge_if="bridge0"
block in log on $bridge_if all

regards,
Andrew

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 20:44:38 2007
Message-ID: <46EEE204.6000009@criticalmagic.com>
Date: Mon, 17 Sep 2007 16:22:28 -0400
From: Richard Coleman
To: Gilberto Villani Brito
Cc: freebsd-pf@freebsd.org
In-Reply-To: <6e6841490709171242v61126706l782b7daec7ef3064@mail.gmail.com>
Subject: Re: Questions about filtering bridges

Gilberto Villani Brito wrote:
> On 16/09/2007, Richard Coleman wrote:
>
>> I'm setting up a filtering bridge and have a couple of questions.
>> Hopefully someone here can help. I've looked at all the docs online
>> (and lots of Google searches) but there isn't much recent info on
>> filtering bridges.
>>
>> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>>
>> # rc.conf
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
>> ifconfig_fxp0="up"
>> ifconfig_fxp1="up"
>>
>> Question 1: In the Handbook section on bridging, it says that if you
>> need to set up an IP address, you should put it on the bridge interface
>> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
>> put it on the inside interface. What are the consequences of doing it
>> either way?
>>
>> Question 2: If I use the following pf.conf (should block everything
>> inbound, but allow everything outbound), I notice I'm still able to ssh
>> into the bridging firewall itself. Why isn't that blocked? I'm
>> guessing it's a consequence of the fact that I put an IP address on the
>> bridging interface, but I'm not sure. What am I missing?
>>
>> # pf.conf
>>
>> # interfaces
>> ext_if="fxp0"
>> int_if="fxp1"
>>
>> # options
>> set skip on lo0
>> set block-policy drop
>>
>> # normalization
>> scrub in on $ext_if all
>> scrub out on $ext_if random-id
>>
>> # external interface, inbound
>> # default is to block all inbound on external interface
>> block in log on $ext_if all
>>
>> # external interface, outbound
>> block out log on $ext_if all
>> pass out on $ext_if proto tcp all flags S/SA keep state
>> pass out on $ext_if proto { udp, icmp } all keep state
>>
>> # internal interface, inbound
>> pass in on $int_if all
>>
>> # internal interface, outbound
>> pass out on $int_if all
>>
>> Richard Coleman
>> rcoleman@criticalmagic.com
>>
>
> Hi Richard;
> The first question I don't know, but the second I know.
> You are blocking everything:
> block in log on $ext_if all
> block out log on $ext_if all
> But here:
> pass out on $ext_if proto tcp all flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
> All the traffic going out is allowed, and PF reads all rules unless you
> use quick to stop.
> See here:
> http://www.openbsd.org/faq/pf/filter.html#intro
>

There are no pass rules for inbound on the external interface. So the initial "block in" should win for inbound on the external interface. But I'm still able to remotely ssh into the bridge from outside the company. If this was a routing firewall, I'm pretty sure it would block the connection. I think it's something unique to bridging firewalls.
rc

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 21:59:03 2007
Message-ID: <46EEF8A5.10402@criticalmagic.com>
Date: Mon, 17 Sep 2007 17:59:01 -0400
From: Richard Coleman
To: Andrew Thompson
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20070917204318.GB9614@heff.fud.org.nz>
Subject: Re: Questions about filtering bridges

Andrew Thompson wrote:
> On Mon, Sep 17, 2007 at 04:38:33PM -0400, Richard Coleman wrote:
>
>> Andrew Thompson wrote:
>>
>>> On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
>>>
>>>> Question 1: In the Handbook section on bridging, it says that if you
>>>> need to set up an IP address, you should put it on the bridge interface
>>>> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
>>>> put it on the inside interface. What are the consequences of doing it
>>>> either way?
>>>>
>>> OpenBSD does not support adding an IP address to a bridge interface so
>>> they do not have a choice here. Assigning the IP to the bridge is the
>>> correct way to do it, as it is the central piece of the setup.
>>>
>>>> Question 2: If I use the following pf.conf (should block everything
>>>> inbound, but allow everything outbound), I notice I'm still able to ssh
>>>> into the bridging firewall itself. Why isn't that blocked? I'm
>>>> guessing it's a consequence of the fact that I put an IP address on the
>>>> bridging interface, but I'm not sure. What am I missing?
>>>>
>>> This is because the _bridge_ is the interface that the packet arrives
>>> on.
>>> Think of the bridge as a fully functioning interface; what you need
>>> is:
>>>
>>> bridge_if="bridge0"
>>> block in log on $bridge_if all
>>>
>>> regards,
>>> Andrew
>>>
>> I was confused because the if_bridge(4) man page (for 6.2) says that
>> traffic always passes first through the originating interface (which I
>> took to be the external physical interface), then passes through the
>> bridge interface, and then through all appropriate outbound interfaces.
>> So I assumed a block rule for the first physical interface would
>> prevent the packet from ever reaching the bridge interface.
>>
>> Given that wording, I was confused why you would ever need to filter on
>> the bridge interface itself.
>>
>
> I see where the confusion comes in then. That particular section refers
> to the bridge forwarding packets; anything that is destined for the
> local host is tapped off early and handled specially. I welcome any
> wording changes on the man page.
>
> cheers,
> Andrew

That greatly clarifies things. Thanks for the help.
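A small model of the two points made in this thread, added here as an example and not code from any of the list participants: Gilberto's point that pf takes the last matching rule unless a rule says quick, and Andrew's point that a packet addressed to the bridge host itself is filtered on bridge0 rather than on the member interface it entered on. The pf.conf parser, the macro table and the bridge0 shortcut are assumptions of the example and cover only the rule forms in Richard's pf.conf; the interface and rule names are his.

```python
"""Toy model of pf rule evaluation for the filtering-bridge case in this thread.

Assumptions made for this example (not the real pf implementation):
  * only "pass"/"block", "in"/"out", "on IFACE", "proto X" / "proto { a, b }"
    and "quick" are understood; "log", "all", "flags ..." and "keep state"
    are accepted and ignored;
  * traffic for the bridge host is filtered on bridge0, forwarded traffic
    on the member interface it entered on (Andrew's description).
"""
import re
from dataclasses import dataclass

# Richard's filter rules, verbatim (macros, options and scrub lines omitted).
ORIGINAL_RULES = """
block in log on $ext_if all
block out log on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if all
pass out on $int_if all
"""

# Andrew's fix appended: also filter inbound traffic on the bridge interface.
FIXED_RULES = ORIGINAL_RULES + "block in log on $bridge_if all\n"

MACROS = {"ext_if": "fxp0", "int_if": "fxp1", "bridge_if": "bridge0"}


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    direction: str     # "in" or "out"
    iface: str         # interface name, or "any" when there is no "on" clause
    protos: frozenset  # empty set means any protocol
    quick: bool


def parse_rules(text):
    """Parse the subset of pf.conf syntax used above into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        line = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], line)
        # "{ udp, icmp }" -> "udp,icmp" so a protocol list is one token
        line = re.sub(r"\{([^}]*)\}", lambda m: m.group(1).replace(" ", ""), line)
        toks = line.split()
        action, direction = toks[0], toks[1]
        if action not in ("pass", "block") or direction not in ("in", "out"):
            raise ValueError(f"unsupported rule: {line}")
        iface = toks[toks.index("on") + 1] if "on" in toks else "any"
        protos = frozenset()
        if "proto" in toks:
            protos = frozenset(toks[toks.index("proto") + 1].split(","))
        rules.append(Rule(action, direction, iface, protos, "quick" in toks))
    return rules


def evaluate(rules, direction, iface, proto):
    """pf semantics: the last matching rule wins unless a matching rule is
    quick. When no rule matches at all, pf's implicit default is pass."""
    verdict = "pass"
    for r in rules:
        if r.direction != direction:
            continue
        if r.iface != "any" and r.iface != iface:
            continue
        if r.protos and proto not in r.protos:
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


def filtering_iface(entry_iface, to_bridge_host, bridge="bridge0"):
    """Andrew's point: traffic for the local host is tapped off early and pf
    sees it arriving on the bridge; forwarded traffic is seen on the member."""
    return bridge if to_bridge_host else entry_iface


def ssh_to_bridge_verdict(ruleset_text):
    """Inbound TCP (e.g. ssh) entering on fxp0, addressed to the bridge's own IP."""
    iface = filtering_iface("fxp0", to_bridge_host=True)
    return evaluate(parse_rules(ruleset_text), "in", iface, "tcp")


def forwarded_inbound_verdict(ruleset_text):
    """Inbound TCP entering on fxp0 that the bridge would forward to fxp1."""
    iface = filtering_iface("fxp0", to_bridge_host=False)
    return evaluate(parse_rules(ruleset_text), "in", iface, "tcp")


if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: ssh to bridge host -> {ssh_to_bridge_verdict(rs)}, "
              f"forwarded inbound -> {forwarded_inbound_verdict(rs)}")
    rules = parse_rules(ORIGINAL_RULES)
    # Gilberto's point: the later pass rule overrides "block out", but only
    # for the protocols it names; anything else stays blocked.
    print("outbound tcp on fxp0 ->", evaluate(rules, "out", "fxp0", "tcp"))
    print("outbound gre on fxp0 ->", evaluate(rules, "out", "fxp0", "gre"))
```

With the original rules nothing matches an inbound packet on bridge0, so pf's default pass lets the ssh session through; the appended bridge0 rule is what closes it.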
Richard Coleman
rcoleman@criticalmagic.com

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 19 18:07:40 2007
Message-ID: <499c70c0709191042m2e784314j564e8974703b2fe6@mail.gmail.com>
Date: Wed, 19 Sep 2007 20:42:51 +0300
From: "Abdullah Ibn Hamad Al-Marri" To: "FreeBSD PF Pro List" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: pfctl -e and pfctl -d kills all connections X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Sep 2007 18:07:40 -0000 Hello Guys, Here are my full rules. When I pfctl -e or pfctl -d all connections will die. FreeBSD IM.WeArab.Net 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Tue Sep 18 10:06:42 CDT 2007 arabian@IM.WeArab.Net:/usr/obj/usr/src/sys/IM i386 ext_if="fxp0" int_if="lo0" tcp_services = "{ domain, www, 123, 3306 }" udp_services = "{ domain, 123, 514 }" martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \ 240.0.0.0/4 }" icmp_types = "8" table persist set timeout { interval 10, frag 30 } set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } set timeout { udp.first 60, udp.single 30, udp.multiple 60 } set timeout { icmp.first 20, icmp.error 10 } set timeout { other.first 60, other.single 30, other.multiple 60 } set timeout { adaptive.start 0, adaptive.end 0 } set limit { states 10000, frags 5000 } set loginterface $ext_if set skip on $int_if set optimization normal set block-policy drop set require-order yes set debug loud set fingerprints "/etc/pf.os" #scrub in all #scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400 #scrub in on $ext_if all no-df #scrub on $ext_if all reassemble tcp antispoof for $ext_if inet antispoof for $int_if block in log on $ext_if all block in quick on $ext_if from any to 255.255.255.255 block drop in quick on $ext_if from $martians to any block drop out quick on $ext_if from any to $martians block quick log 
from to any block quick from any to # Pass ICMP Type 8 (echo-reply) only with state pass in on $ext_if inet proto icmp all icmp-type $icmp_types pass proto udp to any port $udp_services # allow out the default range for traceroute(8): # "base+nhops*nqueries-1" (33434+64*3-1) pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \ flags S/SA synproxy state \ (max-src-conn 200, max-src-conn-rate 30/3, \ overload flush global) # Pass ICMP Type 8 (echo-reply) only with state pass in on $ext_if inet proto icmp all icmp-type $icmp_types pass proto udp to any port $udp_services # allow out the default range for traceroute(8): # "base+nhops*nqueries-1" (33434+64*3-1) pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \ flags S/SA synproxy state \ (max-src-conn 200, max-src-conn-rate 30/3, \ overload flush global) pass out proto tcp to any flags S/SA pass out proto { udp, icmp } to any pass out on $ext_if inet proto udp from any to any \ port 33433 >< 33626 # End Do you know the cause? -- Regards, -Abdullah Ibn Hamad Al-Marri Arab Portal http://www.WeArab.Net/ From owner-freebsd-pf@FreeBSD.ORG Wed Sep 19 18:41:23 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BC04716A417 for ; Wed, 19 Sep 2007 18:41:23 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.174]) by mx1.freebsd.org (Postfix) with ESMTP id 4A3E013C428 for ; Wed, 19 Sep 2007 18:41:23 +0000 (UTC) (envelope-from max@love2party.net) Received: from dslb-088-066-026-077.pools.arcor-ip.net [88.66.26.77] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu7) with ESMTP (Nemesis), id 0ML2xA-1IY4UA1pEo-00024i; Wed, 19 Sep 2007 20:41:21 +0200 
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 19 Sep 2007 20:41:06 +0200
In-Reply-To: <499c70c0709191042m2e784314j564e8974703b2fe6@mail.gmail.com>
Message-Id: <200709192041.16258.max@love2party.net>
Subject: Re: pfctl -e and pfctl -d kills all connections

On Wednesday 19 September 2007, Abdullah Ibn Hamad Al-Marri wrote:
> Hello Guys,
>
> Here are my full rules.
>
> When I pfctl -e or pfctl -d all connections will die.

... "rules with synproxy state"

> Do you know the cause?

see above. Using "synproxy state" causes pf to complete the 3WHS before
contacting the other endpoint, hence it has to translate all future
sequence numbers for this connection. If you disable pf, the translation
goes away and the connection dies. The same thing happens if you
use "modulate state".

For the "pfctl -e" case: The pf in CURRENT uses "keep state flags S/SA"
by default for any tcp pass rule. That means that it will only match on
the initial SYN that starts the connection. The rest of the connection
is then passed based on the state entry. Consequently any pre-existing
connection will not have a state entry and be blocked.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
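The two mechanisms Max Laier describes above, as an added toy model written for this page (constructed here, not code from the thread or from pf's sources; the host names, ISNs and the exact-ack acceptance check are assumptions): a synproxied connection keeps working only while pf's sequence-number translation is in place, and a connection that is already established when pf is enabled has no state and matches no "flags S/SA" rule.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to what matters here (constructed sample data)."""
    src: str
    dst: str
    flags: str        # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    seq: int
    ack: int = 0


@dataclass
class State:
    """One pf state entry.  seqdiff is the offset between the ISN pf handed
    the client during the proxied handshake and the ISN the server chose."""
    client: str
    server: str
    seqdiff: int


def synproxy_handshake(client: str, server: str, pf_isn: int,
                       server_isn: int) -> State:
    """pf finishes the 3WHS with the client using pf_isn and only then opens
    the connection to the server, which picks server_isn.  From then on every
    ack from the client and every seq from the server is off by the difference
    and must be rewritten by pf."""
    return State(client, server, seqdiff=server_isn - pf_isn)


def translate(state: State, seg: Segment) -> Segment:
    """The per-state rewrite that "synproxy state" (and "modulate state") need."""
    if seg.src == state.client:     # client -> server: fix up the ack number
        return Segment(seg.src, seg.dst, seg.flags, seg.seq,
                       seg.ack + state.seqdiff)
    # server -> client: fix up the sequence number
    return Segment(seg.src, seg.dst, seg.flags, seg.seq - state.seqdiff,
                   seg.ack)


def syn_only(seg: Segment) -> bool:
    """'flags S/SA', which pf in CURRENT adds to every tcp pass rule: of the
    SYN and ACK bits only SYN may be set, so only a fresh SYN creates state."""
    return "S" in seg.flags and "A" not in seg.flags


StateTable = Dict[FrozenSet[str], State]


def pf_pass(enabled: bool, states: StateTable,
            seg: Segment) -> Optional[Segment]:
    """What the receiving host sees after pf: the (possibly rewritten)
    segment, or None when pf drops it (block-policy drop)."""
    if not enabled:
        return seg                            # pfctl -d: nothing is touched
    key = frozenset((seg.src, seg.dst))
    state = states.get(key)
    if state is not None:
        return translate(state, seg)          # matched an existing state entry
    if syn_only(seg):                         # pass ... flags S/SA keep state
        states[key] = State(seg.src, seg.dst, seqdiff=0)
        return seg
    return None                               # no state, no matching rule


def server_accepts(server_snd_nxt: int, seg: Segment) -> bool:
    """Toy acceptability check (assumption): the ack must equal what the
    server expects next.  A real stack checks a window; the outcome is the same."""
    return seg.ack == server_snd_nxt


def scenario_disable_with_synproxy() -> Tuple[bool, bool]:
    """pfctl -d case: the same client ACK is accepted by the server while pf
    rewrites it and rejected once the translation is gone."""
    state = synproxy_handshake("client", "server", pf_isn=1000, server_isn=5000)
    states: StateTable = {frozenset(("client", "server")): state}
    # The client only ever saw pf's ISN, so it acks 1001; the server sent
    # ISN 5000 and therefore expects an ack of 5001.
    seg = Segment("client", "server", "A", seq=2001, ack=1001)
    with_pf = pf_pass(True, states, seg)
    without_pf = pf_pass(False, states, seg)
    assert with_pf is not None and without_pf is not None
    return server_accepts(5001, with_pf), server_accepts(5001, without_pf)


def scenario_enable_with_open_connection() -> Tuple[bool, bool]:
    """pfctl -e case: an established connection sends bare ACKs, which have
    no state entry and fail 'flags S/SA', so they are dropped; a new
    connection's SYN still passes and creates state."""
    states: StateTable = {}
    established = Segment("client", "server", "A", seq=2001, ack=5001)
    fresh = Segment("client", "other", "S", seq=9000)
    return (pf_pass(True, states, established) is not None,
            pf_pass(True, states, fresh) is not None)
```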

From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Ingo Flaschberger, Henrik Brix Andersen
Date: Wed, 19 Sep 2007 21:00:16 +0200
References: <8e10486b0708212053w3769b68dxd33b90b7b906e5e9@mail.gmail.com> <12687223.post@talk.nabble.com> <200709151343.37635.max@love2party.net>
In-Reply-To: <200709151343.37635.max@love2party.net>
Message-Id: <200709192100.24173.max@love2party.net>
Subject: Re: ifconfig carpdev

On Saturday 15 September 2007, I wrote:
> On Saturday 15 September 2007, Ingo Flaschberger wrote:
> > Ingo Flaschberger wrote:
> > > I have implemented at FreeBSD 6.2-STABLE.
> > > http://www.nabble.com/file/p12686194/carpdev.diff carpdev.diff
> > > Is a working solution, but not 100% failsafe.
> > > See fixme.
> >
> > argl.. need some more tweaks.
> >
> > carp adds only a hostroute, and no network.
> > fixed that so it adds a network, but now the kernel cries to receive the arp
> > at the parent interface and not at the carp interface...
>
> There is a lot more to this. Please hold your breath just a few more
> days and I'll have a working solution as promised. Also, the proposed
> ioctl change is not the preferred way of doing things. If you pass in
> an interface index, there is no way of making sure that the interface
> didn't change underneath you - that's why we rather pass the whole
> string and do the resolution in the kernel.

So here you go ... this is the ***ALPHA*** version of carpdev support.
Note that there are *a lot* of raw edges, untested areas and missing
features still, but "it's working"[tm].

For the moment that means the IPv4 carpdev case is working, i.e.
configuring a carp on an otherwise unused interface:

ifconfig carp create
ifconfig carp0 carpdev rl0 vhid 1 pass foo 10.0.0.1
ifconfig rl0 up

This patch is FYI, not something I'd recommend to use or even test. I'll
do cleanup, testing and polishing over the coming days and let you know
when it's in testable shape.

This work is generously sponsored by pil.dk.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Type: text/x-diff; charset="iso-8859-6"; name="carpdev.ALPHA.diff"
Content-Disposition: attachment; filename="carpdev.ALPHA.diff"

=2D-- //depot/vendor/freebsd/src/sbin/ifconfig/ifcarp.c 2005/02/22 14:37:13 +++ //depot/user/mlaier/carp2/sbin/ifconfig/ifcarp.c 2007/09/12 16:12:46 
@@ -52,13 +52,7 @@ =20 static const char *carp_states[] =3D { CARP_STATES }; =20 =2Dvoid carp_status(int s); =2Dvoid setcarp_advbase(const char *,int, int, const struct afswtch *rafp); =2Dvoid setcarp_advskew(const char *, int, int, const struct afswtch *rafp); =2Dvoid setcarp_passwd(const char *, int, int, const struct afswtch *rafp); =2Dvoid setcarp_vhid(const char *, int, int, const struct afswtch *rafp); =2D =2Dvoid +static void carp_status(int s) { const char *state; @@ -76,17 +70,17 @@ else state =3D carp_states[carpr.carpr_state]; =20 =2D printf("\tcarp: %s vhid %d advbase %d advskew %d\n", =2D state, carpr.carpr_vhid, carpr.carpr_advbase, =2D carpr.carpr_advskew); + printf("\tcarp: %s carpdev %s vhid %d advbase %d advskew %d\n", + state, carpr.carpr_carpdev, carpr.carpr_vhid, + carpr.carpr_advbase, carpr.carpr_advskew); } =20 return; =20 } =20 =2Dvoid =2Dsetcarp_passwd(const char *val, int d, int s, const struct afswtch *afp) +static +DECL_CMD_FUNC(setcarp_passwd, val, d) { struct carpreq carpr; =20 @@ -105,8 +99,8 @@ return; } =20 =2Dvoid =2Dsetcarp_vhid(const char *val, int d, int s, const struct afswtch *afp) +static +DECL_CMD_FUNC(setcarp_vhid, val, d) { int vhid; struct carpreq carpr; @@ -130,8 +124,8 @@ return; } =20 =2Dvoid =2Dsetcarp_advskew(const char *val, int d, int s, const struct afswtch *afp) +static +DECL_CMD_FUNC(setcarp_advskew, val, d) { int advskew; struct carpreq carpr; @@ -152,8 +146,8 @@ return; } =20 =2Dvoid =2Dsetcarp_advbase(const char *val, int d, int s, const struct afswtch *afp) +static +DECL_CMD_FUNC(setcarp_advbase, val, d) { int advbase; struct carpreq carpr; 
@@ -174,11 +168,51 @@ return; } =20 +static +DECL_CMD_FUNC(setcarp_carpdev, val, d) +{ + struct carpreq carpr; + + memset((char *)&carpr, 0, sizeof(struct carpreq)); + ifr.ifr_data =3D (caddr_t)&carpr; + + if (ioctl(s, SIOCGVH, (caddr_t)&ifr) =3D=3D -1) + err(1, "SIOCGVH"); + + strlcpy(carpr.carpr_carpdev, val, sizeof(carpr.carpr_carpdev)); + + if (ioctl(s, SIOCSVH, (caddr_t)&ifr) =3D=3D -1) + err(1, "SIOCSVH"); + + return; +} + +static +DECL_CMD_FUNC(setcarp_unsetcarpdev, val, d) +{ + struct carpreq carpr; + + memset((char *)&carpr, 0, sizeof(struct carpreq)); + ifr.ifr_data =3D (caddr_t)&carpr; + + if (ioctl(s, SIOCGVH, (caddr_t)&ifr) =3D=3D -1) + err(1, "SIOCGVH"); + + memset(carpr.carpr_carpdev, 0, sizeof(carpr.carpr_carpdev)); + + if (ioctl(s, SIOCSVH, (caddr_t)&ifr) =3D=3D -1) + err(1, "SIOCSVH"); + + return; +} + static struct cmd carp_cmds[] =3D { DEF_CMD_ARG("advbase", setcarp_advbase), DEF_CMD_ARG("advskew", setcarp_advskew), DEF_CMD_ARG("pass", setcarp_passwd), DEF_CMD_ARG("vhid", setcarp_vhid), + DEF_CMD_ARG("carpdev", setcarp_carpdev), + DEF_CMD_OPTARG("-carpdev", setcarp_unsetcarpdev), }; static struct afswtch af_carp =3D { .af_name =3D "af_carp", =2D-- //depot/vendor/freebsd/src/sys/net/ethernet.h 2007/05/29 12:43:19 +++ //depot/user/mlaier/carp2/sys/net/ethernet.h 2007/09/19 18:47:18 @@ -380,6 +380,7 @@ extern void ether_ifattach(struct ifnet *, const u_int8_t *); extern void ether_ifdetach(struct ifnet *); extern int ether_ioctl(struct ifnet *, u_long, caddr_t); +extern void ether_input(struct ifnet *, struct mbuf *); extern int ether_output(struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *); extern int ether_output_frame(struct ifnet *, struct mbuf *); =2D-- //depot/vendor/freebsd/src/sys/net/if.c 2007/07/27 12:03:05 +++ //depot/user/mlaier/carp2/sys/net/if.c 2007/09/19 18:47:18 
@@ -1309,8 +1309,7 @@ pfctlinput(PRC_IFDOWN, ifa->ifa_addr); if_qflush(&ifp->if_snd); #ifdef DEV_CARP =2D if (ifp->if_carp) =2D carp_carpdev_state(ifp->if_carp); + carp_carpdev_state(ifp); #endif rt_ifmsg(ifp); } @@ -1333,8 +1332,7 @@ if (fam =3D=3D PF_UNSPEC || (fam =3D=3D ifa->ifa_addr->sa_family)) pfctlinput(PRC_IFUP, ifa->ifa_addr); #ifdef DEV_CARP =2D if (ifp->if_carp) =2D carp_carpdev_state(ifp->if_carp); + carp_carpdev_state(ifp); #endif rt_ifmsg(ifp); #ifdef INET6 @@ -1386,8 +1384,7 @@ IFP2AC(ifp)->ac_netgraph !=3D NULL) (*ng_ether_link_state_p)(ifp, link_state); #ifdef DEV_CARP =2D if (ifp->if_carp) =2D carp_carpdev_state(ifp->if_carp); + carp_carpdev_state(ifp); #endif if (ifp->if_bridge) { KASSERT(bstp_linkstate_p !=3D NULL,("if_bridge bstp not loaded!")); =2D-- //depot/vendor/freebsd/src/sys/net/if_ethersubr.c 2007/07/27 12:03:05 +++ //depot/user/mlaier/carp2/sys/net/if_ethersubr.c 2007/09/19 18:47:18 @@ -153,6 +153,9 @@ u_char esrc[ETHER_ADDR_LEN], edst[ETHER_ADDR_LEN]; struct ether_header *eh; struct pf_mtag *t; +#ifdef DEV_CARP + struct ifnet *ifp0 =3D ifp; +#endif int loop_copy =3D 1; int hlen; /* link layer header length */ =20 @@ -162,6 +165,19 @@ senderr(error); #endif =20 +#ifdef DEV_CARP + if (ifp->if_type =3D=3D IFT_CARP) { + struct ifaddr *ifa; + + if (dst !=3D NULL && ifp->if_link_state =3D=3D LINK_STATE_UP && + (ifa =3D ifa_ifwithaddr(dst)) !=3D NULL && + ifa->ifa_ifp =3D=3D ifp) + return (looutput(ifp, m, dst, rt0)); + + ifp =3D ifp->if_carpdev; + } +#endif + if (ifp->if_flags & IFF_MONITOR) senderr(ENETDOWN); if (!((ifp->if_flags & IFF_UP) && @@ -172,7 +188,11 @@ switch (dst->sa_family) { #ifdef INET case AF_INET: +#ifdef DEV_CARP + error =3D arpresolve(ifp0, rt0, m, dst, edst); +#else error =3D arpresolve(ifp, rt0, m, dst, edst); +#endif if (error) return (error =3D=3D EWOULDBLOCK ? 0 : error); type =3D htons(ETHERTYPE_IP); 
@@ -293,6 +313,14 @@ (void)memcpy(eh->ether_shost, IF_LLADDR(ifp), sizeof(eh->ether_shost)); =20 +#ifdef DEV_CARP + if (ifp0 !=3D ifp && ifp0->if_type =3D=3D IFT_CARP) { + /* XXX: LINK1 */ + (void)memcpy(eh->ether_shost, IF_LLADDR(ifp0), + sizeof(eh->ether_shost)); + } +#endif + /* * If a simplex interface, and the packet is being sent to our * Ethernet address or a broadcast address, loopback a copy. @@ -351,12 +379,6 @@ return (error); } =20 =2D#ifdef DEV_CARP =2D if (ifp->if_carp && =2D (error =3D carp_output(ifp, m, dst, NULL))) =2D goto bad; =2D#endif =2D /* Handle ng_ether(4) processing, if any */ if (IFP2AC(ifp)->ac_netgraph !=3D NULL) { KASSERT(ng_ether_output_p !=3D NULL, @@ -506,7 +528,7 @@ * Process a received Ethernet packet; the packet is in the * mbuf chain m with the ethernet header at the front. */ =2Dstatic void +void ether_input(struct ifnet *ifp, struct mbuf *m) { struct ether_header *eh; @@ -672,19 +694,15 @@ } =20 #ifdef DEV_CARP =2D /* =2D * Clear M_PROMISC on frame so that carp(4) will see it when the =2D * mbuf flows up to Layer 3. =2D * FreeBSD's implementation of carp(4) uses the inprotosw =2D * to dispatch IPPROTO_CARP. carp(4) also allocates its own =2D * Ethernet addresses of the form 00:00:5e:00:01:xx, which =2D * is outside the scope of the M_PROMISC test below. =2D * TODO: Maintain a hash table of ethernet addresses other than =2D * ether_dhost which may be active on this ifp. =2D */ =2D if (ifp->if_carp && carp_forus(ifp->if_carp, eh->ether_dhost)) { =2D m->m_flags &=3D ~M_PROMISC; =2D } else + if (ifp->if_carp) { + if (ifp->if_type !=3D IFT_CARP && (carp_input(m) =3D=3D 0)) + return; + else if (ifp->if_type =3D=3D IFT_CARP && + /* XXX: LINK2 */ + m->m_flags & (M_BCAST | M_MCAST) && + !bcmp(IFP2AC(ifp), eh->ether_dhost, ETHER_ADDR_LEN)) + m->m_flags &=3D ~(M_BCAST | M_MCAST); + } #endif { /* =2D-- //depot/vendor/freebsd/src/sys/net/if_loop.c 2007/02/09 00:13:58 +++ //depot/user/mlaier/carp2/sys/net/if_loop.c 2007/09/19 18:47:18 
@@ -99,8 +99,6 @@ =20 int loioctl(struct ifnet *, u_long, caddr_t); static void lortrequest(int, struct rtentry *, struct rt_addrinfo *); =2Dint looutput(struct ifnet *ifp, struct mbuf *m, =2D struct sockaddr *dst, struct rtentry *rt); static int lo_clone_create(struct if_clone *, int, caddr_t); static void lo_clone_destroy(struct ifnet *); =20 =2D-- //depot/vendor/freebsd/src/sys/net/if_var.h 2007/05/16 18:42:49 +++ //depot/user/mlaier/carp2/sys/net/if_var.h 2007/09/19 18:47:18 @@ -131,7 +131,12 @@ */ struct knlist if_klist; /* events attached to this if */ int if_pcount; /* number of promiscuous listeners */ =2D struct carp_if *if_carp; /* carp interface structure */ + union { + struct carp_if *carp_s; + struct ifnet *carp_d; + } if_carp_ptr; +#define if_carp if_carp_ptr.carp_s +#define if_carpdev if_carp_ptr.carp_d struct bpf_if *if_bpf; /* packet filter structure */ u_short if_index; /* numeric abbreviation for this if */ short if_timer; /* time 'til if_watchdog called */ @@ -691,6 +696,8 @@ struct ifaddr *ifaof_ifpforaddr(struct sockaddr *, struct ifnet *); =20 int if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen); +int looutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, + struct rtentry *rt); =20 typedef void *if_com_alloc_t(u_char type, struct ifnet *ifp); typedef void if_com_free_t(void *com, u_char type); =2D-- //depot/vendor/freebsd/src/sys/netinet/if_ether.c 2007/05/10 16:01:35 +++ //depot/user/mlaier/carp2/sys/netinet/if_ether.c 2007/09/19 18:47:18 @@ -108,7 +108,6 @@ &arp_proxyall, 0, "Enable proxy ARP for all suitable requests"); =20 static void arp_init(void); =2Dstatic void arp_rtrequest(int, struct rtentry *, struct rt_addrinfo *); static void arprequest(struct ifnet *, struct in_addr *, struct in_addr *, u_char *); static void arpintr(struct mbuf *); 
@@ -142,7 +141,7 @@ /* * Parallel to llc_rtrequest. */ =2Dstatic void +void arp_rtrequest(int req, struct rtentry *rt, struct rt_addrinfo *info) { struct sockaddr *gate; =2D-- //depot/vendor/freebsd/src/sys/netinet/if_ether.h 2005/02/22 13:06:15 +++ //depot/user/mlaier/carp2/sys/netinet/if_ether.h 2007/09/19 18:47:18 @@ -113,6 +113,7 @@ struct mbuf *m, struct sockaddr *dst, u_char *desten); void arp_ifinit(struct ifnet *, struct ifaddr *); void arp_ifinit2(struct ifnet *, struct ifaddr *, u_char *); +void arp_rtrequest(int, struct rtentry *, struct rt_addrinfo *); #endif =20 #endif =2D-- //depot/vendor/freebsd/src/sys/netinet/in_proto.c 2007/07/03 12:18:07 +++ //depot/user/mlaier/carp2/sys/netinet/in_proto.c 2007/09/19 18:47:18 @@ -316,7 +316,7 @@ .pr_domain =3D &inetdomain, .pr_protocol =3D IPPROTO_CARP, .pr_flags =3D PR_ATOMIC|PR_ADDR, =2D .pr_input =3D carp_input, + .pr_input =3D carp_proto_input, .pr_output =3D (pr_output_t*)rip_output, .pr_ctloutput =3D rip_ctloutput, .pr_usrreqs =3D &rip_usrreqs =2D-- //depot/vendor/freebsd/src/sys/netinet/ip_carp.c 2007/07/28 07:32:18 +++ //depot/user/mlaier/carp2/sys/netinet/ip_carp.c 2007/09/19 18:47:18 @@ -91,11 +91,9 @@ =20 struct carp_softc { struct ifnet *sc_ifp; /* Interface clue */ =2D struct ifnet *sc_carpdev; /* Pointer to parent interface */ =2D struct in_ifaddr *sc_ia; /* primary iface address */ +#define sc_carpdev sc_ifp->if_carpdev struct ip_moptions sc_imo; #ifdef INET6 =2D struct in6_ifaddr *sc_ia6; /* primary iface address v6 */ struct ip6_moptions sc_im6o; #endif /* INET6 */ TAILQ_ENTRY(carp_softc) sc_list; @@ -158,7 +156,7 @@ struct mtx vhif_mtx; }; =20 =2D/* Get carp_if from softc. Valid after carp_set_addr{,6}. */ +/* Get carp_if from softc. Valid after carp_set_{addr[6],ifp}. */ #define SC2CIF(sc) ((struct carp_if *)(sc)->sc_carpdev->if_carp) =20 /* lock per carp_if queue */ 
@@ -189,7 +187,7 @@ static int carp_hmac_verify(struct carp_softc *, u_int32_t *, unsigned char *); static void carp_setroute(struct carp_softc *, int); =2Dstatic void carp_input_c(struct mbuf *, struct carp_header *, sa_family_= t); +static void carp_proto_input_c(struct mbuf *, struct carp_header *, sa_fam= ily_t); static int carp_clone_create(struct if_clone *, int, caddr_t); static void carp_clone_destroy(struct ifnet *); static void carpdetach(struct carp_softc *, int); @@ -202,7 +200,7 @@ static void carp_master_down(void *); static void carp_master_down_locked(struct carp_softc *); static int carp_ioctl(struct ifnet *, u_long, caddr_t); =2Dstatic int carp_looutput(struct ifnet *, struct mbuf *, struct sockaddr = *, +static int carp_output(struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *); static void carp_start(struct ifnet *); static void carp_setrun(struct carp_softc *, sa_family_t); @@ -211,13 +209,16 @@ enum { CARP_COUNT_MASTER, CARP_COUNT_RUNNING }; =20 static void carp_multicast_cleanup(struct carp_softc *); +static int carp_set_ifp(struct carp_softc *, struct ifnet *); static int carp_set_addr(struct carp_softc *, struct sockaddr_in *); +static int carp_join_multicast(struct carp_softc *); static int carp_del_addr(struct carp_softc *, struct sockaddr_in *); static void carp_carpdev_state_locked(struct carp_if *); static void carp_sc_state_locked(struct carp_softc *); #ifdef INET6 static void carp_send_na(struct carp_softc *); static int carp_set_addr6(struct carp_softc *, struct sockaddr_in6 *); +static int carp_join_multicast6(struct carp_softc *); static int carp_del_addr6(struct carp_softc *, struct sockaddr_in6 *); static void carp_multicast6_cleanup(struct carp_softc *); #endif @@ -246,9 +247,9 @@ #endif =20 if (sc->sc_carpdev) =2D CARP_SCLOCK(sc); + CARP_SCLOCK_ASSERT(sc); =20 =2D /* XXX: possible race here */ + /* XXX: possible race here - really? */ =20 /* compute ipad from key */ bzero(sc->sc_pad, sizeof(sc->sc_pad)); 
@@ -284,8 +285,6 @@ for (i =3D 0; i < sizeof(sc->sc_pad); i++) sc->sc_pad[i] ^=3D 0x36 ^ 0x5c; =20 =2D if (sc->sc_carpdev) =2D CARP_SCUNLOCK(sc); } =20 static void 
@@ -333,13 +332,106 @@ TAILQ_FOREACH(ifa, &SC2IFP(sc)->if_addrlist, ifa_list) { if (ifa->ifa_addr->sa_family =3D=3D AF_INET && sc->sc_carpdev !=3D NULL) { =2D int count =3D carp_addrcount( =2D (struct carp_if *)sc->sc_carpdev->if_carp, =2D ifatoia(ifa), CARP_COUNT_MASTER); + int count =3D 0, error; + struct sockaddr sa; + struct rtentry *rt; + struct radix_node_head *rnh; + struct radix_node *rn; + struct rt_addrinfo info; + int hr_otherif, nr_ourif; + + /* + * Avoid screwing with the routes if there are other + * carp interfaces which are master and have the same + * address. + */ + if (sc->sc_carpdev !=3D NULL && + sc->sc_carpdev->if_carp !=3D NULL) { + count =3D carp_addrcount( + (struct carp_if *)sc->sc_carpdev->if_carp, + ifatoia(ifa), CARP_COUNT_MASTER); + if ((cmd =3D=3D RTM_ADD && count !=3D 1) || + (cmd =3D=3D RTM_DELETE && count !=3D 0)) + continue; + } + + /* Remove the existing host route, if any */ + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] =3D ifa->ifa_addr; + info.rti_flags =3D RTF_HOST; + error =3D rtrequest1(RTM_DELETE, &info, NULL); + rt_missmsg(RTM_DELETE, &info, info.rti_flags, error); + + /* Check for our address on another interface */ + /* XXX cries for proper API */ + rnh =3D rt_tables[ifa->ifa_addr->sa_family]; + RADIX_NODE_HEAD_LOCK(rnh); + rn =3D rnh->rnh_matchaddr(ifa->ifa_addr, rnh); + rt =3D (struct rtentry *)rn; + hr_otherif =3D (rt && rt->rt_ifp !=3D sc->sc_ifp && + rt->rt_flags & (RTF_CLONING|RTF_WASCLONED)); + + /* Check for a network route on our interface */ + bcopy(ifa->ifa_addr, &sa, sizeof(sa)); + satosin(&sa)->sin_addr.s_addr =3D satosin(ifa->ifa_netmask + )->sin_addr.s_addr & satosin(&sa)->sin_addr.s_addr; + rn =3D rnh->rnh_lookup(&sa, ifa->ifa_netmask, rnh); + rt =3D (struct rtentry *)rn; + nr_ourif =3D (rt && rt->rt_ifp =3D=3D sc->sc_ifp); + RADIX_NODE_HEAD_UNLOCK(rnh); + + switch (cmd) { + case RTM_ADD: + if (hr_otherif) { + ifa->ifa_rtrequest =3D NULL; + ifa->ifa_flags &=3D ~RTF_CLONING; + bzero(&info, 
sizeof(info)); + info.rti_info[RTAX_DST] =3D + ifa->ifa_addr; + info.rti_info[RTAX_GATEWAY] =3D + ifa->ifa_addr; + info.rti_flags =3D RTF_UP | RTF_HOST; + error =3D rtrequest1(RTM_ADD, &info, + NULL); + rt_missmsg(RTM_ADD, &info, + info.rti_flags, error); + } + if (!hr_otherif || nr_ourif || !rt) { + if (nr_ourif && !(rt->rt_flags & + RTF_CLONING)) { + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] =3D &sa; + info.rti_info[RTAX_NETMASK] =3D + ifa->ifa_netmask; + error =3D rtrequest1(RTM_DELETE, + &info, NULL); + rt_missmsg(RTM_DELETE, &info, + info.rti_flags, error); + } + + ifa->ifa_rtrequest =3D arp_rtrequest; + ifa->ifa_flags |=3D RTF_CLONING; =20 =2D if ((cmd =3D=3D RTM_ADD && count =3D=3D 1) || =2D (cmd =3D=3D RTM_DELETE && count =3D=3D 0)) =2D rtinit(ifa, cmd, RTF_UP | RTF_HOST); + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] =3D &sa; + info.rti_info[RTAX_GATEWAY] =3D + ifa->ifa_addr; + info.rti_info[RTAX_NETMASK] =3D + ifa->ifa_netmask; + error =3D rtrequest1(RTM_ADD, &info, + NULL); + if (error =3D=3D 0) + ifa->ifa_flags |=3D IFA_ROUTE; + rt_missmsg(RTM_ADD, &info, + info.rti_flags, error); + } + break; + case RTM_DELETE: + break; + default: + break; + } + break; } #ifdef INET6 if (ifa->ifa_addr->sa_family =3D=3D AF_INET6) { @@ -359,6 +451,7 @@ =20 struct carp_softc *sc; struct ifnet *ifp; + static const u_char eaddr[ETHER_ADDR_LEN]; /* 00:00:00:00:00:00 */ =20 MALLOC(sc, struct carp_softc *, sizeof(*sc), M_CARP, M_WAITOK|M_ZERO); ifp =3D SC2IFP(sc) =3D if_alloc(IFT_ETHER); 
@@ -390,16 +483,13 @@ =09 ifp->if_softc =3D sc; if_initname(ifp, CARP_IFNAME, unit); =2D ifp->if_mtu =3D ETHERMTU; =2D ifp->if_flags =3D IFF_LOOPBACK; + ether_ifattach(ifp, eaddr); + ifp->if_flags =3D IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST; ifp->if_ioctl =3D carp_ioctl; =2D ifp->if_output =3D carp_looutput; + ifp->if_output =3D carp_output; ifp->if_start =3D carp_start; ifp->if_type =3D IFT_CARP; ifp->if_snd.ifq_maxlen =3D ifqmaxlen; =2D ifp->if_hdrlen =3D 0; =2D if_attach(ifp); =2D bpfattach(SC2IFP(sc), DLT_NULL, sizeof(u_int32_t)); mtx_lock(&carp_mtx); LIST_INSERT_HEAD(&carpif_list, sc, sc_next); mtx_unlock(&carp_mtx); @@ -502,7 +592,7 @@ * but it seems more efficient this way or not possible otherwise. */ void =2Dcarp_input(struct mbuf *m, int hlen) +carp_proto_input(struct mbuf *m, int hlen) { struct ip *ip =3D mtod(m, struct ip *); struct carp_header *ch; @@ -518,7 +608,7 @@ /* check if received on a valid carp interface */ if (m->m_pkthdr.rcvif->if_carp =3D=3D NULL) { carpstats.carps_badif++; =2D CARP_LOG("carp_input: packet received on non-carp " + CARP_LOG("carp_proto_input: packet received on non-carp " "interface: %s\n", m->m_pkthdr.rcvif->if_xname); m_freem(m); @@ -528,7 +618,7 @@ /* verify that the IP TTL is 255. */ if (ip->ip_ttl !=3D CARP_DFLTTL) { carpstats.carps_badttl++; =2D CARP_LOG("carp_input: received ttl %d !=3D 255i on %s\n", + CARP_LOG("carp_proto_input: received ttl %d !=3D 255i on %s\n", ip->ip_ttl, m->m_pkthdr.rcvif->if_xname); m_freem(m); @@ -539,7 +629,7 @@ =20 if (m->m_pkthdr.len < iplen + sizeof(*ch)) { carpstats.carps_badlen++; =2D CARP_LOG("carp_input: received len %zd < " + CARP_LOG("carp_proto_input: received len %zd < " "sizeof(struct carp_header)\n", m->m_len - sizeof(struct ip)); m_freem(m); 
@@ -549,7 +639,7 @@ if (iplen + sizeof(*ch) < m->m_len) { if ((m =3D m_pullup(m, iplen + sizeof(*ch))) =3D=3D NULL) { carpstats.carps_hdrops++; =2D CARP_LOG("carp_input: pullup failed\n"); + CARP_LOG("carp_proto_input: pullup failed\n"); return; } ip =3D mtod(m, struct ip *); @@ -563,7 +653,7 @@ len =3D iplen + sizeof(*ch); if (len > m->m_pkthdr.len) { carpstats.carps_badlen++; =2D CARP_LOG("carp_input: packet too short %d on %s\n", + CARP_LOG("carp_proto_input: packet too short %d on %s\n", m->m_pkthdr.len, m->m_pkthdr.rcvif->if_xname); m_freem(m); @@ -581,19 +671,19 @@ m->m_data +=3D iplen; if (carp_cksum(m, len - iplen)) { carpstats.carps_badsum++; =2D CARP_LOG("carp_input: checksum failed on %s\n", + CARP_LOG("carp_proto_input: checksum failed on %s\n", m->m_pkthdr.rcvif->if_xname); m_freem(m); return; } m->m_data -=3D iplen; =20 =2D carp_input_c(m, ch, AF_INET); + carp_proto_input_c(m, ch, AF_INET); } =20 #ifdef INET6 int =2Dcarp6_input(struct mbuf **mp, int *offp, int proto) +carp6_proto_input(struct mbuf **mp, int *offp, int proto) { struct mbuf *m =3D *mp; struct ip6_hdr *ip6 =3D mtod(m, struct ip6_hdr *); @@ -610,7 +700,7 @@ /* check if received on a valid carp interface */ if (m->m_pkthdr.rcvif->if_carp =3D=3D NULL) { carpstats.carps_badif++; =2D CARP_LOG("carp6_input: packet received on non-carp " + CARP_LOG("carp6_proto_input: packet received on non-carp " "interface: %s\n", m->m_pkthdr.rcvif->if_xname); m_freem(m); @@ -620,7 +710,7 @@ /* verify that the IP TTL is 255 */ if (ip6->ip6_hlim !=3D CARP_DFLTTL) { carpstats.carps_badttl++; =2D CARP_LOG("carp6_input: received ttl %d !=3D 255 on %s\n", + CARP_LOG("carp6_proto_input: received ttl %d !=3D 255 on %s\n", ip6->ip6_hlim, m->m_pkthdr.rcvif->if_xname); m_freem(m); 
@@ -632,7 +722,7 @@ IP6_EXTHDR_GET(ch, struct carp_header *, m, *offp, sizeof(*ch)); if (ch =3D=3D NULL) { carpstats.carps_badlen++; =2D CARP_LOG("carp6_input: packet size %u too small\n", len); + CARP_LOG("carp6_proto_input: packet size %u too small\n", len); return (IPPROTO_DONE); } =20 @@ -641,20 +731,20 @@ m->m_data +=3D *offp; if (carp_cksum(m, sizeof(*ch))) { carpstats.carps_badsum++; =2D CARP_LOG("carp6_input: checksum failed, on %s\n", + CARP_LOG("carp6_proto_input: checksum failed, on %s\n", m->m_pkthdr.rcvif->if_xname); m_freem(m); return (IPPROTO_DONE); } m->m_data -=3D *offp; =20 =2D carp_input_c(m, ch, AF_INET6); + carp_proto_input_c(m, ch, AF_INET6); return (IPPROTO_DONE); } #endif /* INET6 */ =20 static void =2Dcarp_input_c(struct mbuf *m, struct carp_header *ch, sa_family_t af) +carp_proto_input_c(struct mbuf *m, struct carp_header *ch, sa_family_t af) { struct ifnet *ifp =3D m->m_pkthdr.rcvif; struct carp_softc *sc; @@ -792,9 +882,6 @@ static int carp_prepare_ad(struct mbuf *m, struct carp_softc *sc, struct carp_header = *ch) { =2D struct m_tag *mtag; =2D struct ifnet *ifp =3D SC2IFP(sc); =2D if (sc->sc_init_counter) { /* this could also be seconds since unix epoch */ sc->sc_counter =3D arc4random(); @@ -808,16 +895,6 @@ =20 carp_hmac_generate(sc, ch->carp_counter, ch->carp_md); =20 =2D /* Tag packet for carp_output */ =2D mtag =3D m_tag_get(PACKET_TAG_CARP, sizeof(struct ifnet *), M_NOWAIT); =2D if (mtag =3D=3D NULL) { =2D m_freem(m); =2D SC2IFP(sc)->if_oerrors++; =2D return (ENOMEM); =2D } =2D bcopy(&ifp, (caddr_t)(mtag + 1), sizeof(struct ifnet *)); =2D m_tag_prepend(m, mtag); =2D return (0); } =20 @@ -858,6 +935,8 @@ struct carp_header *ch_ptr; struct mbuf *m; int len, advbase, advskew; + struct ifaddr *ifa; + struct sockaddr sa; =20 CARP_SCLOCK_ASSERT(sc); =20 @@ -886,7 +965,7 @@ ch.carp_cksum =3D 0; =20 #ifdef INET =2D if (sc->sc_ia) { + if (sc->sc_naddrs) { struct ip *ip; =20 MGETHDR(m, M_DONTWAIT, MT_HEADER); 
@@ -915,7 +994,15 @@ ip->ip_ttl =3D CARP_DFLTTL; ip->ip_p =3D IPPROTO_CARP; ip->ip_sum =3D 0; =2D ip->ip_src.s_addr =3D sc->sc_ia->ia_addr.sin_addr.s_addr; + + bzero(&sa, sizeof(sa)); + sa.sa_family =3D AF_INET; + ifa =3D ifaof_ifpforaddr(&sa, SC2IFP(sc)); + if (ifa =3D=3D NULL) + ip->ip_src.s_addr =3D 0; + else + ip->ip_src.s_addr =3D + ifatoia(ifa)->ia_addr.sin_addr.s_addr; ip->ip_dst.s_addr =3D htonl(INADDR_CARP_GROUP); =20 ch_ptr =3D (struct carp_header *)(&ip[1]); @@ -958,7 +1045,7 @@ } #endif /* INET */ #ifdef INET6 =2D if (sc->sc_ia6) { + if (sc->sc_naddrs6) { struct ip6_hdr *ip6; =20 MGETHDR(m, M_DONTWAIT, MT_HEADER); @@ -982,8 +1069,15 @@ ip6->ip6_vfc |=3D IPV6_VERSION; ip6->ip6_hlim =3D CARP_DFLTTL; ip6->ip6_nxt =3D IPPROTO_CARP; =2D bcopy(&sc->sc_ia6->ia_addr.sin6_addr, &ip6->ip6_src, =2D sizeof(struct in6_addr)); + + bzero(&sa, sizeof(sa)); + sa.sa_family =3D AF_INET6; + ifa =3D ifaof_ifpforaddr(&sa, SC2IFP(sc)); + if (ifa =3D=3D NULL) + bzero(&ip6->ip6_src, sizeof(struct in6_addr)); + else + bcopy(ifatoia6(ifa)->ia_addr.sin6_addr.s6_addr, + &ip6->ip6_src, sizeof(struct in6_addr)); /* set the multicast destination */ =20 ip6->ip6_dst.s6_addr16[0] =3D htons(0xff02); @@ -1057,7 +1151,7 @@ continue; =20 /* arprequest(sc->sc_carpdev, &in, &in, IF_LLADDR(sc->sc_ifp)); */ =2D arp_ifinit2(sc->sc_carpdev, ifa, IF_LLADDR(sc->sc_ifp)); + arp_ifinit2(SC2IFP(sc), ifa, IF_LLADDR(sc->sc_ifp)); =20 DELAY(1000); /* XXX */ } @@ -1210,7 +1304,6 @@ void * carp_macmatch6(void *v, struct mbuf *m, const struct in6_addr *taddr) { =2D struct m_tag *mtag; struct carp_if *cif =3D v; struct carp_softc *sc; struct ifaddr *ifa; 
@@ -1222,18 +1315,6 @@ &ifatoia6(ifa)->ia_addr.sin6_addr) && (SC2IFP(sc)->if_flags & IFF_UP) && (SC2IFP(sc)->if_drv_flags & IFF_DRV_RUNNING)) { =2D struct ifnet *ifp =3D SC2IFP(sc); =2D mtag =3D m_tag_get(PACKET_TAG_CARP, =2D sizeof(struct ifnet *), M_NOWAIT); =2D if (mtag =3D=3D NULL) { =2D /* better a bit than nothing */ =2D CARP_UNLOCK(cif); =2D return (IF_LLADDR(sc->sc_ifp)); =2D } =2D bcopy(&ifp, (caddr_t)(mtag + 1), =2D sizeof(struct ifnet *)); =2D m_tag_prepend(m, mtag); =2D CARP_UNLOCK(cif); return (IF_LLADDR(sc->sc_ifp)); } 
@@ -1422,15 +1503,116 @@ #endif =20 static int +carp_set_ifp(struct carp_softc *sc, struct ifnet *ifp) +{ + struct carp_if *cif =3D NULL, *ncif =3D NULL; + struct carp_softc *vr, *after =3D NULL; + int myself =3D 0, error =3D 0; + + if (ifp =3D=3D sc->sc_carpdev) + return (0); + + if (ifp !=3D NULL) { + if ((ifp->if_flags & IFF_MULTICAST) =3D=3D 0) + return (ENODEV); + if (ifp->if_type =3D=3D IFT_CARP) + return (EINVAL); + + if (ifp->if_carp =3D=3D NULL) { + MALLOC(ncif, struct carp_if *, sizeof(*ncif), M_CARP, + M_WAITOK|M_ZERO); + if (!ncif) + return (ENOBUFS); + if ((error =3D ifpromisc(ifp, 1))) { + FREE(ncif, M_CARP); + return (error); + } + } else { + cif =3D (struct carp_if *)ifp->if_carp; + CARP_LOCK(cif); + TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) + if (vr !=3D sc && vr->sc_vhid =3D=3D sc->sc_vhid) { + CARP_UNLOCK(cif); + return (EINVAL); + } + } + + /* detach from old interface */ + if (sc->sc_carpdev !=3D NULL) { + CARP_SCLOCK(sc); + carpdetach(sc, 1); + } + + if (sc->sc_naddrs !=3D 0 && + (error =3D carp_join_multicast(sc)) !=3D 0) + goto cleanup; +#ifdef INET6 + if (sc->sc_naddrs6 !=3D 0 && + (error =3D carp_join_multicast6(sc)) !=3D 0) { + carp_multicast_cleanup(sc); + goto cleanup; + } +#endif + + /* attach carp glue to physical interface */ + if (ncif !=3D NULL) { + CARP_LOCK_INIT(ncif); + CARP_LOCK(ncif); + ncif->vhif_ifp =3D ifp; + TAILQ_INIT(&ncif->vhif_vrs); + TAILQ_INSERT_HEAD(&ncif->vhif_vrs, sc, sc_list); + ncif->vhif_nvrs++; + ifp->if_carp =3D ncif; + CARP_UNLOCK(ncif); + } else { + cif =3D (struct carp_if *)ifp->if_carp; + TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) { + if (vr =3D=3D sc) + myself =3D 1; + if (vr->sc_vhid < sc->sc_vhid) + after =3D vr; + } + if (!myself) { + if (after =3D=3D NULL) { + TAILQ_INSERT_TAIL(&cif->vhif_vrs, sc, + sc_list); + } else { + TAILQ_INSERT_AFTER(&cif->vhif_vrs, + after, sc, sc_list); + } + cif->vhif_nvrs++; + } + CARP_UNLOCK(cif); + } + + sc->sc_carpdev =3D ifp; + if (sc->sc_naddrs || sc->sc_naddrs6) + 
sc->sc_ifp->if_flags |=3D IFF_UP; + carp_carpdev_state(ifp); + } else { + CARP_SCLOCK(sc); + carpdetach(sc, 1); + SC2IFP(sc)->if_flags &=3D ~IFF_UP; + SC2IFP(sc)->if_drv_flags &=3D ~IFF_DRV_RUNNING; + } + + return (0); +cleanup: + if (ncif) + FREE(ncif, M_CARP); + else + CARP_UNLOCK(cif); + + return (error); +} + +static int carp_set_addr(struct carp_softc *sc, struct sockaddr_in *sin) { =2D struct ifnet *ifp; =2D struct carp_if *cif; + struct ifnet *ifp =3D sc->sc_carpdev; struct in_ifaddr *ia, *ia_if; =2D struct ip_moptions *imo =3D &sc->sc_imo; =2D struct in_addr addr; u_long iaddr =3D htonl(sin->sin_addr.s_addr); =2D int own, error; + int error; =20 if (sin->sin_addr.s_addr =3D=3D 0) { if (!(SC2IFP(sc)->if_flags & IFF_UP)) @@ -1442,7 +1624,7 @@ } =20 /* we have to do it by hands to check we won't match on us */ =2D ia_if =3D NULL; own =3D 0; + ia_if =3D NULL; TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) { /* and, yeah, we need a multicast-capable iface too */ if (ia->ia_ifp !=3D SC2IFP(sc) && 
@@ -1450,106 +1632,65 @@ (iaddr & ia->ia_subnetmask) =3D=3D ia->ia_subnet) { if (!ia_if) ia_if =3D ia; =2D if (sin->sin_addr.s_addr =3D=3D =2D ia->ia_addr.sin_addr.s_addr) =2D own++; } } =20 =2D if (!ia_if) =2D return (EADDRNOTAVAIL); =2D =2D ia =3D ia_if; =2D ifp =3D ia->ia_ifp; =2D =2D if (ifp =3D=3D NULL || (ifp->if_flags & IFF_MULTICAST) =3D=3D 0 || =2D (imo->imo_multicast_ifp && imo->imo_multicast_ifp !=3D ifp)) =2D return (EADDRNOTAVAIL); =2D =2D if (imo->imo_num_memberships =3D=3D 0) { =2D addr.s_addr =3D htonl(INADDR_CARP_GROUP); =2D if ((imo->imo_membership[0] =3D in_addmulti(&addr, ifp)) =3D=3D NULL) =2D return (ENOBUFS); =2D imo->imo_num_memberships++; =2D imo->imo_multicast_ifp =3D ifp; =2D imo->imo_multicast_ttl =3D CARP_DFLTTL; =2D imo->imo_multicast_loop =3D 0; =2D } =2D =2D if (!ifp->if_carp) { =2D =2D MALLOC(cif, struct carp_if *, sizeof(*cif), M_CARP, =2D M_WAITOK|M_ZERO); =2D if (!cif) { =2D error =3D ENOBUFS; =2D goto cleanup; + if (ia_if) { + ia =3D ia_if; + if (ifp) { + if (ifp !=3D ia->ia_ifp) + return (EADDRNOTAVAIL); + } else { + ifp =3D ia->ia_ifp; } =2D if ((error =3D ifpromisc(ifp, 1))) { =2D FREE(cif, M_CARP); =2D goto cleanup; =2D } =2D =09 =2D CARP_LOCK_INIT(cif); =2D CARP_LOCK(cif); =2D cif->vhif_ifp =3D ifp; =2D TAILQ_INIT(&cif->vhif_vrs); =2D ifp->if_carp =3D cif; =2D =2D } else { =2D struct carp_softc *vr; =2D =2D cif =3D (struct carp_if *)ifp->if_carp; =2D CARP_LOCK(cif); =2D TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) =2D if (vr !=3D sc && vr->sc_vhid =3D=3D sc->sc_vhid) { =2D CARP_UNLOCK(cif); =2D error =3D EINVAL; =2D goto cleanup; =2D } } =2D sc->sc_ia =3D ia; =2D sc->sc_carpdev =3D ifp; =20 =2D { /* XXX prevent endless loop if already in queue */ =2D struct carp_softc *vr, *after =3D NULL; =2D int myself =3D 0; =2D cif =3D (struct carp_if *)ifp->if_carp; + if ((error =3D carp_set_ifp(sc, ifp))) + return (error); =20 =2D /* XXX: cif should not change, right? 
So we still hold the lock */ =2D CARP_LOCK_ASSERT(cif); + if (sc->sc_carpdev =3D=3D NULL) + return (EADDRNOTAVAIL); =20 =2D TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) { =2D if (vr =3D=3D sc) =2D myself =3D 1; =2D if (vr->sc_vhid < sc->sc_vhid) =2D after =3D vr; =2D } =2D =2D if (!myself) { =2D /* We're trying to keep things in order */ =2D if (after =3D=3D NULL) { =2D TAILQ_INSERT_TAIL(&cif->vhif_vrs, sc, sc_list); =2D } else { =2D TAILQ_INSERT_AFTER(&cif->vhif_vrs, after, sc, sc_list); =2D } =2D cif->vhif_nvrs++; =2D } + CARP_SCLOCK(sc); + if (sc->sc_naddrs =3D=3D 0 && (error =3D carp_join_multicast(sc)) !=3D 0)= { + CARP_SCUNLOCK(sc); + return (error); } =20 sc->sc_naddrs++; SC2IFP(sc)->if_flags |=3D IFF_UP; =2D if (own) =2D sc->sc_advskew =3D 0; carp_sc_state_locked(sc); carp_setrun(sc, 0); + CARP_SCUNLOCK(sc); + + return (0); + +/* + * XXX: cleanup multi? + * cleanup: + * return (error); + */ +} =20 =2D CARP_UNLOCK(cif); +static int +carp_join_multicast(struct carp_softc *sc) +{ + struct ip_moptions *imo =3D &sc->sc_imo; + struct in_addr addr; + + KASSERT(imo->imo_num_memberships =3D=3D 0, + ("carp_join_multicast: leftover multicast memberships")); + + addr.s_addr =3D htonl(INADDR_CARP_GROUP); + if ((imo->imo_membership[0] =3D + in_addmulti(&addr, SC2IFP(sc))) =3D=3D NULL) + return (ENOBUFS); + imo->imo_num_memberships++; + imo->imo_multicast_ifp =3D SC2IFP(sc); + imo->imo_multicast_ttl =3D CARP_DFLTTL; + imo->imo_multicast_loop =3D 0; =20 return (0); =2D =2Dcleanup: =2D in_delmulti(imo->imo_membership[--imo->imo_num_memberships]); =2D return (error); } =20 static int @@ -1586,12 +1727,8 @@ carp_set_addr6(struct carp_softc *sc, struct sockaddr_in6 *sin6) { struct ifnet *ifp; =2D struct carp_if *cif; struct in6_ifaddr *ia, *ia_if; =2D struct ip6_moptions *im6o =3D &sc->sc_im6o; =2D struct in6_multi_mship *imm; =2D struct in6_addr in6; =2D int own, error; + int own; =20 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) { if (!(SC2IFP(sc)->if_flags & IFF_UP)) 
@@ -1632,114 +1769,74 @@ ifp =3D ia->ia_ifp; =20 if (ifp =3D=3D NULL || (ifp->if_flags & IFF_MULTICAST) =3D=3D 0 || =2D (im6o->im6o_multicast_ifp && im6o->im6o_multicast_ifp !=3D ifp)) + (sc->sc_im6o.im6o_multicast_ifp && + sc->sc_im6o.im6o_multicast_ifp !=3D ifp)) return (EADDRNOTAVAIL); =20 =2D if (!sc->sc_naddrs6) { =2D im6o->im6o_multicast_ifp =3D ifp; + sc->sc_carpdev =3D ifp; =20 =2D /* join CARP multicast address */ =2D bzero(&in6, sizeof(in6)); =2D in6.s6_addr16[0] =3D htons(0xff02); =2D in6.s6_addr8[15] =3D 0x12; =2D if (in6_setscope(&in6, ifp, NULL) !=3D 0) =2D goto cleanup; =2D if ((imm =3D in6_joingroup(ifp, &in6, &error, 0)) =3D=3D NULL) =2D goto cleanup; =2D LIST_INSERT_HEAD(&im6o->im6o_memberships, imm, i6mm_chain); + sc->sc_naddrs6++; + SC2IFP(sc)->if_flags |=3D IFF_UP; + if (own) + sc->sc_advskew =3D 0; + carp_sc_state_locked(sc); + carp_setrun(sc, 0); =20 =2D /* join solicited multicast address */ =2D bzero(&in6, sizeof(in6)); =2D in6.s6_addr16[0] =3D htons(0xff02); =2D in6.s6_addr32[1] =3D 0; =2D in6.s6_addr32[2] =3D htonl(1); =2D in6.s6_addr32[3] =3D sin6->sin6_addr.s6_addr32[3]; =2D in6.s6_addr8[12] =3D 0xff; =2D if (in6_setscope(&in6, ifp, NULL) !=3D 0) =2D goto cleanup; =2D if ((imm =3D in6_joingroup(ifp, &in6, &error, 0)) =3D=3D NULL) =2D goto cleanup; =2D LIST_INSERT_HEAD(&im6o->im6o_memberships, imm, i6mm_chain); =2D } + return (0); =20 =2D if (!ifp->if_carp) { =2D MALLOC(cif, struct carp_if *, sizeof(*cif), M_CARP, =2D M_WAITOK|M_ZERO); =2D if (!cif) { =2D error =3D ENOBUFS; =2D goto cleanup; =2D } =2D if ((error =3D ifpromisc(ifp, 1))) { =2D FREE(cif, M_CARP); =2D goto cleanup; =2D } +/* XXX: + * cleanup: + * * clean up multicast memberships * + * if (!sc->sc_naddrs6) { + * while (!LIST_EMPTY(&im6o->im6o_memberships)) { + * imm =3D LIST_FIRST(&im6o->im6o_memberships); + * LIST_REMOVE(imm, i6mm_chain); + * in6_leavegroup(imm); + * } + * } + * return (error); + */ +} =20 =2D CARP_LOCK_INIT(cif); =2D CARP_LOCK(cif); =2D cif->vhif_ifp =3D 
ifp; =2D TAILQ_INIT(&cif->vhif_vrs); =2D ifp->if_carp =3D cif; +static int +carp_join_multicast6(struct carp_softc *sc) +{ + struct ip6_moptions *im6o =3D &sc->sc_im6o; + struct in6_multi_mship *imm, *imm2; + struct in6_addr in6; + int error =3D 0; =20 =2D } else { =2D struct carp_softc *vr; + /* join CARP multicast address */ + bzero(&in6, sizeof(in6)); + in6.s6_addr16[0] =3D htons(0xff02); + in6.s6_addr8[15] =3D 0x12; + if ((error =3D in6_setscope(&in6, sc->sc_carpdev, NULL)) !=3D 0) + return (error); + if ((imm =3D in6_joingroup(sc->sc_carpdev, &in6, &error, 0)) =3D=3D NULL) + return (error); =20 =2D cif =3D (struct carp_if *)ifp->if_carp; =2D CARP_LOCK(cif); =2D TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) =2D if (vr !=3D sc && vr->sc_vhid =3D=3D sc->sc_vhid) { =2D CARP_UNLOCK(cif); =2D error =3D EINVAL; =2D goto cleanup; =2D } + /* join solicited multicast address */ + bzero(&in6, sizeof(in6)); + in6.s6_addr16[0] =3D htons(0xff02); + in6.s6_addr32[1] =3D 0; + in6.s6_addr32[2] =3D htonl(1); + in6.s6_addr32[3] =3D 0; /* XXX: sin6->sin6_addr.s6_addr32[3]; */ + in6.s6_addr8[12] =3D 0xff; + if ((error =3D in6_setscope(&in6, sc->sc_carpdev, NULL)) !=3D 0) { + in6_leavegroup(imm); + return (error); } =2D sc->sc_ia6 =3D ia; =2D sc->sc_carpdev =3D ifp; =2D =2D { /* XXX prevent endless loop if already in queue */ =2D struct carp_softc *vr, *after =3D NULL; =2D int myself =3D 0; =2D cif =3D (struct carp_if *)ifp->if_carp; =2D CARP_LOCK_ASSERT(cif); =2D =2D TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list) { =2D if (vr =3D=3D sc) =2D myself =3D 1; =2D if (vr->sc_vhid < sc->sc_vhid) =2D after =3D vr; + if ((imm2 =3D in6_joingroup(sc->sc_carpdev, &in6, &error, 0)) =3D=3D NULL= ) { + in6_leavegroup(imm); + return (error); } =20 =2D if (!myself) { =2D /* We're trying to keep things in order */ =2D if (after =3D=3D NULL) { =2D TAILQ_INSERT_TAIL(&cif->vhif_vrs, sc, sc_list); =2D } else { =2D TAILQ_INSERT_AFTER(&cif->vhif_vrs, after, sc, sc_list); =2D } =2D cif->vhif_nvrs++; =2D } =2D } 
+ im6o->im6o_multicast_ifp =3D sc->sc_carpdev; =20 =2D sc->sc_naddrs6++; =2D SC2IFP(sc)->if_flags |=3D IFF_UP; =2D if (own) =2D sc->sc_advskew =3D 0; =2D carp_sc_state_locked(sc); =2D carp_setrun(sc, 0); =2D =2D CARP_UNLOCK(cif); + LIST_INSERT_HEAD(&im6o->im6o_memberships, imm, i6mm_chain); + LIST_INSERT_HEAD(&im6o->im6o_memberships, imm2, i6mm_chain); =20 return (0); =2D =2Dcleanup: =2D /* clean up multicast memberships */ =2D if (!sc->sc_naddrs6) { =2D while (!LIST_EMPTY(&im6o->im6o_memberships)) { =2D imm =3D LIST_FIRST(&im6o->im6o_memberships); =2D LIST_REMOVE(imm, i6mm_chain); =2D in6_leavegroup(imm); =2D } =2D } =2D return (error); } =20 static int @@ -1785,7 +1882,8 @@ struct ifaddr *ifa; struct ifreq *ifr; struct ifaliasreq *ifra; =2D int locked =3D 0, error =3D 0; + struct ifnet *cdev =3D NULL; + int locked =3D 0, error =3D 0, changed =3D 0; =20 ifa =3D (struct ifaddr *)addr; ifra =3D (struct ifaliasreq *)addr; @@ -1793,12 +1891,12 @@ =20 switch (cmd) { case SIOCSIFADDR: + case SIOCAIFADDR: + changed++; switch (ifa->ifa_addr->sa_family) { #ifdef INET case AF_INET: SC2IFP(sc)->if_flags |=3D IFF_UP; =2D bcopy(ifa->ifa_addr, ifa->ifa_dstaddr, =2D sizeof(struct sockaddr)); error =3D carp_set_addr(sc, satosin(ifa->ifa_addr)); break; #endif /* INET */ @@ -1814,29 +1912,8 @@ } break; =20 =2D case SIOCAIFADDR: =2D switch (ifa->ifa_addr->sa_family) { =2D#ifdef INET =2D case AF_INET: =2D SC2IFP(sc)->if_flags |=3D IFF_UP; =2D bcopy(ifa->ifa_addr, ifa->ifa_dstaddr, =2D sizeof(struct sockaddr)); =2D error =3D carp_set_addr(sc, satosin(&ifra->ifra_addr)); =2D break; =2D#endif /* INET */ =2D#ifdef INET6 =2D case AF_INET6: =2D SC2IFP(sc)->if_flags |=3D IFF_UP; =2D error =3D carp_set_addr6(sc, satosin6(&ifra->ifra_addr)); =2D break; =2D#endif /* INET6 */ =2D default: =2D error =3D EAFNOSUPPORT; =2D break; =2D } =2D break; =2D case SIOCDIFADDR: + changed++; switch (ifa->ifa_addr->sa_family) { #ifdef INET case AF_INET: 
@@ -1880,6 +1957,14 @@ if ((error =3D copyin(ifr->ifr_data, &carpr, sizeof carpr))) break; error =3D 1; + changed++; + if (carpr.carpr_carpdev[0] !=3D '\0' && + (cdev =3D ifunit(carpr.carpr_carpdev)) =3D=3D NULL) { + error =3D EINVAL; + break; + } + if ((error =3D carp_set_ifp(sc, cdev))) + break; if (sc->sc_carpdev) { locked =3D 1; CARP_SCLOCK(sc); 
@@ -1958,64 +2043,37 @@ if (error =3D=3D 0) bcopy(sc->sc_key, carpr.carpr_key, sizeof(carpr.carpr_key)); + if (sc->sc_carpdev !=3D NULL) + strlcpy(carpr.carpr_carpdev, sc->sc_carpdev->if_xname, + CARPDEVNAMSIZ); error =3D copyout(&carpr, ifr->ifr_data, sizeof(carpr)); break; =20 + case SIOCADDMULTI: + case SIOCDELMULTI: + /* TODO: tell carpdev */ + break; + default: error =3D EINVAL; } =20 + if (changed) { + if (!locked && sc->sc_carpdev) { + /* XXX: This really shouldn't happen */ + CARP_SCLOCK(sc); + locked =3D 1; + } + carp_hmac_prepare(sc); + } + if (locked) CARP_SCUNLOCK(sc); =20 =2D carp_hmac_prepare(sc); =2D return (error); } =20 /* =2D * XXX: this is looutput. We should eventually use it from there. =2D */ =2Dstatic int =2Dcarp_looutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, =2D struct rtentry *rt) =2D{ =2D u_int32_t af; =2D =2D M_ASSERTPKTHDR(m); /* check if we have the packet header */ =2D =2D if (rt && rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) { =2D m_freem(m); =2D return (rt->rt_flags & RTF_BLACKHOLE ? 0 : =2D rt->rt_flags & RTF_HOST ? EHOSTUNREACH : ENETUNREACH); =2D } =2D =2D ifp->if_opackets++; =2D ifp->if_obytes +=3D m->m_pkthdr.len; =2D =2D /* BPF writes need to be handled specially. */ =2D if (dst->sa_family =3D=3D AF_UNSPEC) { =2D bcopy(dst->sa_data, &af, sizeof(af)); =2D dst->sa_family =3D af; =2D } =2D =2D#if 1 /* XXX */ =2D switch (dst->sa_family) { =2D case AF_INET: =2D case AF_INET6: =2D case AF_IPX: =2D case AF_APPLETALK: =2D break; =2D default: =2D printf("carp_looutput: af=3D%d unexpected\n", dst->sa_family); =2D m_freem(m); =2D return (EAFNOSUPPORT); =2D } =2D#endif =2D return(if_simloop(ifp, m, dst->sa_family, 0)); =2D} =2D =2D/* * Start output on carp interface. This function should never be called. */ static void 
@@ -2026,80 +2084,83 @@ #endif } =20 =2Dint +static int carp_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *sa, struct rtentry *rt) { =2D struct m_tag *mtag; =2D struct carp_softc *sc; =2D struct ifnet *carp_ifp; + struct carp_softc *sc =3D ifp->if_softc; + + if (sc->sc_carpdev !=3D NULL && sc->sc_state =3D=3D MASTER) + return (sc->sc_carpdev->if_output(ifp, m, sa, rt)); + else { + m_freem(m); + return (ENETUNREACH); + } +} + +struct ifnet * +carp_ourether(void *v, struct ether_header *eh, u_char iftype, int src) +{ + struct carp_if *cif =3D (struct carp_if *)v; + struct carp_softc *vh; + u_int8_t *ena; =20 =2D if (!sa) =2D return (0); + if (src) + ena =3D (u_int8_t *)&eh->ether_shost; + else + ena =3D (u_int8_t *)&eh->ether_dhost; =20 =2D switch (sa->sa_family) { =2D#ifdef INET =2D case AF_INET: =2D break; =2D#endif /* INET */ =2D#ifdef INET6 =2D case AF_INET6: =2D break; =2D#endif /* INET6 */ =2D default: =2D return (0); + TAILQ_FOREACH(vh, &cif->vhif_vrs, sc_list) { + if ((vh->sc_ifp->if_flags & (IFF_UP)) !=3D (IFF_UP)) + continue; + if ((vh->sc_state =3D=3D MASTER /* || vh->sc_ifp->if_flags & IFF_LINK0 *= /) + && !bcmp(ena, IF_LLADDR(vh->sc_ifp), ETHER_ADDR_LEN)) + return (vh->sc_ifp); } + return (NULL); +} =20 =2D mtag =3D m_tag_find(m, PACKET_TAG_CARP, NULL); =2D if (mtag =3D=3D NULL) =2D return (0); +int +carp_input(struct mbuf *m) +{ + struct ether_header *eh; + struct carp_if *cif =3D (struct carp_if *)m->m_pkthdr.rcvif->if_carp; + struct ifnet *ifp; =20 =2D bcopy(mtag + 1, &carp_ifp, sizeof(struct ifnet *)); =2D sc =3D carp_ifp->if_softc; + eh =3D mtod(m, struct ether_header *); =20 =2D /* Set the source MAC address to Virtual Router MAC Address */ =2D switch (ifp->if_type) { =2D case IFT_ETHER: =2D case IFT_L2VLAN: { =2D struct ether_header *eh; + if ((ifp =3D carp_ourether(cif, eh, m->m_pkthdr.rcvif->if_type, 0))) + ; + else if (m->m_flags & (M_BCAST|M_MCAST)) { + struct carp_softc *vh; + struct mbuf *m0; =20 =2D eh =3D mtod(m, struct 
ether_header *); =2D eh->ether_shost[0] =3D 0; =2D eh->ether_shost[1] =3D 0; =2D eh->ether_shost[2] =3D 0x5e; =2D eh->ether_shost[3] =3D 0; =2D eh->ether_shost[4] =3D 1; =2D eh->ether_shost[5] =3D sc->sc_vhid; + /* + * XXX Should really check the list of multicast addresses + * for each CARP interface _before_ copying. + */ + TAILQ_FOREACH(vh, &cif->vhif_vrs, sc_list) { + m0 =3D m_dup(m, M_DONTWAIT); + if (m0 =3D=3D NULL) + continue; + m0->m_pkthdr.rcvif =3D vh->sc_ifp; + ether_input(vh->sc_ifp, m0); } =2D break; =2D case IFT_FDDI: { =2D struct fddi_header *fh; + return (1); + } + + if (ifp =3D=3D NULL) + return (1); + + m->m_pkthdr.rcvif =3D ifp; =20 =2D fh =3D mtod(m, struct fddi_header *); =2D fh->fddi_shost[0] =3D 0; =2D fh->fddi_shost[1] =3D 0; =2D fh->fddi_shost[2] =3D 0x5e; =2D fh->fddi_shost[3] =3D 0; =2D fh->fddi_shost[4] =3D 1; =2D fh->fddi_shost[5] =3D sc->sc_vhid; =2D } =2D break; =2D case IFT_ISO88025: { =2D struct iso88025_header *th; =2D th =3D mtod(m, struct iso88025_header *); =2D th->iso88025_shost[0] =3D 3; =2D th->iso88025_shost[1] =3D 0; =2D th->iso88025_shost[2] =3D 0x40 >> (sc->sc_vhid - 1); =2D th->iso88025_shost[3] =3D 0x40000 >> (sc->sc_vhid - 1); =2D th->iso88025_shost[4] =3D 0; =2D th->iso88025_shost[5] =3D 0; =2D } =2D break; =2D default: =2D printf("%s: carp is not supported for this interface type\n", =2D ifp->if_xname); =2D return (EOPNOTSUPP); =2D } +#if 0 /* XXX: BPF */ + if (ifp->if_bpf) + bpf_mtap_hdr(ifp->if_bpf, (char *)&eh, ETHER_HDR_LEN, m, + BPF_DIRECTION_IN); +#endif + ifp->if_ipackets++; + ether_input(ifp, m); =20 return (0); } 
@@ -2130,9 +2191,14 @@ } =20 void =2Dcarp_carpdev_state(void *v) +carp_carpdev_state(struct ifnet *ifp) { =2D struct carp_if *cif =3D v; + struct carp_if *cif; + + if (ifp->if_type =3D=3D IFT_CARP || ifp->if_carp =3D=3D NULL) + return; + + cif =3D ifp->if_carp; =20 CARP_LOCK(cif); carp_carpdev_state_locked(cif); =2D-- //depot/vendor/freebsd/src/sys/netinet/ip_carp.h 2006/12/01 18:41:18 +++ //depot/user/mlaier/carp2/sys/netinet/ip_carp.h 2007/09/19 18:47:18 @@ -117,6 +117,13 @@ uint64_t carps_preempt; /* if enabled, preemptions */ }; =20 +#define CARPDEVNAMSIZ 16 +#ifdef IFNAMSIZ +#if CARPDEVNAMSIZ !=3D IFNAMSIZ +#error +#endif +#endif + /* * Configuration structure for SIOCSVH SIOCGVH */ @@ -128,6 +135,7 @@ int carpr_advskew; int carpr_advbase; unsigned char carpr_key[CARP_KEY_LEN]; + char carpr_carpdev[CARPDEVNAMSIZ]; }; #define SIOCSVH _IOWR('i', 245, struct ifreq) #define SIOCGVH _IOWR('i', 246, struct ifreq) @@ -152,15 +160,15 @@ } =20 #ifdef _KERNEL =2Dvoid carp_carpdev_state(void *); =2Dvoid carp_input (struct mbuf *, int); =2Dint carp6_input (struct mbuf **, int *, int); =2Dint carp_output (struct ifnet *, struct mbuf *, struct sockaddr *, =2D struct rtentry *); =2Dint carp_iamatch (void *, struct in_ifaddr *, struct in_addr *, +void carp_carpdev_state(struct ifnet *); +void carp_proto_input(struct mbuf *, int); +int carp6_proto_input(struct mbuf **, int *, int); +int carp_iamatch(void *, struct in_ifaddr *, struct in_addr *, u_int8_t **); struct ifaddr *carp_iamatch6(void *, struct in6_addr *); void *carp_macmatch6(void *, struct mbuf *, const struct in6_addr *); =2Dstruct ifnet *carp_forus (void *, void *); +struct ifnet *carp_forus(void *, void *); +struct ifnet *carp_ourether(void *, struct ether_header *, u_char, int); +int carp_input(struct mbuf *); #endif #endif /* _IP_CARP_H */ =2D-- //depot/vendor/freebsd/src/sys/netinet6/in6_proto.c 2007/07/05 16:32:= 05 +++ //depot/user/mlaier/carp2/sys/netinet6/in6_proto.c 2007/09/19 18:47:18 
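Review bot: In the @@ -915,7 +994,15 @@ and @@ -982,8 +1069,15 @@ hunks of carp_send_ad_locked(), a failed ifaof_ifpforaddr() lookup does not abort the send: the `ifa == NULL` branch only zeroes ip_src (or ip6_src) and the code falls through to build and queue the advertisement, so peers receive CARP advertisements from 0.0.0.0 or ::. Freeing the mbuf, counting it as an output error and skipping the send would be safer. The lookup also appears to rely on ifaof_ifpforaddr() falling back to the first address of the requested family when the zeroed `sa` (which carries only sa_family, no sa_len) matches nothing; if that is the intent, a comment saying so would help the next reader.

Review bot: With the PACKET_TAG_CARP tagging removed in the @@ -1222,18 +1315,6 @@ hunk, the `struct mbuf *m` parameter of carp_macmatch6() is no longer referenced, and the same applies to carp_prepare_ad() after the @@ -792,9 +882,6 @@ and @@ -808,16 +895,6 @@ hunks, where the only remaining uses of `m` were the tag prepend and the m_freem(). Either drop the parameters (and the `struct mbuf *` in the ip_carp.h prototype for carp_macmatch6) or mark them unused to avoid compiler warnings.

Review bot: In the @@ -1422,15 +1503,116 @@ hunk, carp_set_ifp() calls carp_join_multicast6() before it executes `sc->sc_carpdev = ifp`, and right after carpdetach(sc, 1) has detached the old parent; on a first attach sc_carpdev is still NULL at that point. carp_join_multicast6() (in the @@ -1632 hunk) passes sc->sc_carpdev to in6_setscope() and in6_joingroup(), so the attach path hands those a NULL ifp. Assign sc_carpdev (or pass ifp explicitly) before the joins. Three smaller points in the same function: the `if (!ncif) return (ENOBUFS)` after MALLOC(..., M_WAITOK|M_ZERO) is dead because M_WAITOK allocations do not return NULL; the `cleanup:` label frees ncif but does not undo the ifpromisc(ifp, 1) performed right after the allocation, leaving the parent promiscuous on error; and CARP_LOCK(cif) on the new parent is taken before CARP_SCLOCK(sc) for carpdetach(), so if CARP_SCLOCK() resolves to the old parent's cif lock, a concurrent move in the opposite direction takes the two locks in reverse order.

Review bot: carp_join_multicast() in the @@ -1450,106 +1632,65 @@ hunk joins INADDR_CARP_GROUP on SC2IFP(sc), the carp pseudo-interface, whereas carp_join_multicast6() joins on sc->sc_carpdev and the code this replaces joined on the physical `ifp`. Because the carp interface's own SIOCADDMULTI/SIOCDELMULTI handler is still a `/* TODO: tell carpdev */` no-op in the @@ -1958,64 +2043,37 @@ hunk, that membership never reaches the parent NIC and IPv4 reception currently depends on ifpromisc() alone; join on sc->sc_carpdev for both families, or forward SIOCADDMULTI to the parent. Separately, removing `own` from carp_set_addr() drops the `sc_advskew = 0` preference for a carp address that is also a real address on this host, while carp_set_addr6() in the next hunk keeps `if (own) sc->sc_advskew = 0;`; if the asymmetry is intended it deserves a comment.

Review bot: carp_set_addr6() in the @@ -1632,114 +1769,74 @@ hunk assigns `sc->sc_carpdev = ifp` directly instead of going through carp_set_ifp(), so the IPv6 path skips the vhid-duplicate check, the cif attach and the ifpromisc() call, and it never calls carp_join_multicast6() itself: the join only happens if carp_set_ifp() runs later with sc_naddrs6 != 0. Route it through carp_set_ifp() the way carp_set_addr() now does. In carp_join_multicast6() the solicited-node group is built with `in6.s6_addr32[3] = 0` (the XXX marks the dropped sin6 argument), so neighbor solicitations for the configured address are only seen while the parent is promiscuous; passing the address in, or joining the solicited-node group per address from carp_set_addr6(), restores what the removed code did.

Review bot: In the @@ -1793,12 +1891,12 @@ hunk the merged SIOCSIFADDR/SIOCAIFADDR case reads the address from `ifa->ifa_addr` for both commands, but the SIOCAIFADDR case deleted in the following @@ -1814,29 +1912,8 @@ hunk took it from `&ifra->ifra_addr`, i.e. it treated `addr` as a struct ifaliasreq rather than a struct ifaddr. Unless every caller now passes a struct ifaddr for SIOCAIFADDR, the merged code reinterprets the wrong structure; keep the per-command cast. After the merge `ifra` is assigned but never used.

Review bot: In the @@ -1880,6 +1957,14 @@ hunk an SIOCSVH request whose carpr_carpdev is empty leaves `cdev` NULL, and carp_set_ifp(sc, NULL) then detaches the carp from its current parent. Any caller that issues SIOCSVH without first copying carpr_carpdev back from SIOCGVH will silently tear the carp down; treating an empty name as "leave carpdev unchanged" and reserving the detach for an explicit request is the safer default. The same hunk also lets `if ((error = carp_set_ifp(sc, cdev))) break;` overwrite the `error = 1` sentinel assigned two lines earlier, so anything after this point that still depends on that sentinel needs a re-check.

Review bot: The @@ -128,6 +135,7 @@ hunk in ip_carp.h appends carpr_carpdev[CARPDEVNAMSIZ] to struct carpreq, which changes the size that the SIOCSVH copyin() and SIOCGVH copyout() use through ifr_data; an ifconfig built against the old header passes a buffer that is CARPDEVNAMSIZ bytes shorter, so the kernel reads past it on set and writes past it on get. Versioning the request (a new ioctl number or a size/version field) or explicitly accepting the old size avoids that. In the @@ -117,6 +117,13 @@ hunk the bare `#error` should carry a message such as "CARPDEVNAMSIZ must equal IFNAMSIZ" so the build failure explains itself.

Review bot: carp_output() in the @@ -2026,80 +2084,83 @@ hunk calls `sc->sc_carpdev->if_output(ifp, m, sa, rt)` with the carp interface as the ifp argument. That makes ether_output() take the link-layer source from the carp ifp (which gives the virtual MAC the deleted code used to patch in by hand), but it also hands the frame to the carp ifp's own send queue and if_start, and the comment kept just above this hunk still says carp_start() should never be called. Unless carp_start() was changed outside this diff to move frames onto the parent's queue, transmitted packets never reach the wire; either pass sc->sc_carpdev as ifp and set the 00:00:5e:00:01:<vhid> source explicitly, or make carp_start() forward to the parent. Two smaller items in the same hunk: `if ((ifp = carp_ourether(...))) ; else if (...)` with an empty statement is hard to read (test `ifp == NULL` directly), and the `#if 0` BPF tap passes `(char *)&eh`, the address of the pointer variable, where `(char *)eh` is meant, so it will be wrong on the day it is enabled.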
@@ -319,7 +319,7 @@ .pr_domain =3D &inet6domain, .pr_protocol =3D IPPROTO_CARP, .pr_flags =3D PR_ATOMIC|PR_ADDR, =2D .pr_input =3D carp6_input, + .pr_input =3D carp6_proto_input, .pr_output =3D rip6_output, .pr_ctloutput =3D rip6_ctloutput, .pr_usrreqs =3D &rip6_usrreqs

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 20 22:56:03 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D620316A419 for ; Thu, 20 Sep 2007 22:56:03 +0000 (UTC) (envelope-from freebsd-pf@lessyv.com) Received: from postfix1-g20.free.fr (postfix1-g20.free.fr [212.27.60.42]) by mx1.freebsd.org (Postfix) with ESMTP id 772E713C459 for ; Thu, 20 Sep 2007 22:56:03 +0000 (UTC) (envelope-from freebsd-pf@lessyv.com) Received: from smtp5-g19.free.fr (smtp5-g19.free.fr [212.27.42.35]) by postfix1-g20.free.fr (Postfix) with ESMTP id 66E531A0D36F for ; Thu, 20 Sep 2007 17:31:30 +0200 (CEST) Received: from smtp5-g19.free.fr (localhost.localdomain [127.0.0.1]) by smtp5-g19.free.fr (Postfix) with ESMTP id 7AD2D82057 for ; Thu, 20 Sep 2007 17:31:00 +0200 (CEST) Received: from [192.168.0.33] (ves78-2-82-232-204-142.fbx.proxad.net [82.232.204.142]) by smtp5-g19.free.fr (Postfix) with ESMTP id 5D217820A8 for ; Thu, 20 Sep 2007 17:30:56 +0200 (CEST) Message-ID: <46F29235.7010706@lessyv.com> Date: Thu, 20 Sep 2007 17:31:01 +0200
From: "Christophe M." User-Agent: Icedove 1.5.0.12 (X11/20070731) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: ifconfig carpdev X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Sep 2007 22:56:03 -0000

On Wednesday 19 September 2007, Max Laier wrote:
> On Saturday 15 September 2007, Max Laier wrote:
> > On Saturday 15 September 2007, Ingo Flaschberger wrote:
> > > Ingo Flaschberger wrote:
> > > > I have implemented it on FreeBSD 6.2-STABLE.
> > > > http://www.nabble.com/file/p12686194/carpdev.diff carpdev.diff
> > > > It is a working solution, but not 100% failsafe.
> > > > See fixme.
> > >
> > > argl.. need some more tweaks.
> > >
> > > carp adds only a host route, and no network.
> > > Fixed it so that it adds a network, but now the kernel cries about receiving the arp
> > > at the parent interface and not at the carp interface...
> >
> > There is a lot more to this. Please hold your breath just a few more
> > days and I'll have a working solution as promised. Also, the proposed
> > ioctl change is not the preferred way of doing things. If you pass in
> > an interface index, there is no way of making sure that the interface
> > didn't change underneath you - that's why we rather pass the whole
> > string and do the resolution in the kernel.
>
> So here you go ... this is the ***ALPHA*** version of carpdev support.
> Note that there are *a lot* of raw edges, untested areas and missing
> features still, but "it's working"[tm].
>
> For the moment that means the IPv4 carpdev case is working, i.e.
> configuring a carp on an otherwise unused interface:
>
> ifconfig carp create
> ifconfig carp0 carpdev rl0 vhid 1 pass foo 10.0.0.1
> ifconfig rl0 up
>
> This patch is FYI, not something I'd recommend to use or even test. I'll
> do cleanup, testing and polishing over the coming days and let you know
> when it's in testable shape.
>
> This work is generously sponsored by pil.dk.

Hello!

I want to add CARP IP balancing support on FreeBSD. My work is based on the OpenBSD ip_carp.c diff of 03/18/2007, when mpf added IP balancing support.

I already successfully patched my FreeBSD to support carpdev, but mostly like Ingo F. did: mine is just able to show the iface xname under ifconfig; forcing it doesn't work, as you said above.

The good thing is carp_input (not the old one, renamed carp_proto_input according to OpenBSD), because my results showed that multicast data packets (not the CARP advertisements, the real packets) never appear in ether_input on any of the other servers. Several misunderstandings about the input process led me to add a proper carp_input (which does a fresh ether_input), but it doesn't work with my code ;) The packet just appears on one CARP interface, and never on the other servers/CARP ifaces.

I am going to test your patch, thanks for it! Is there someone who is working on IP balancing? I'll reply here with any additional information.

Bye list!
--
Christophe Malinge contactlessyv.com
SysAdm padawan / Developer
CCC - 'C' Comme Cirque president - juggling on Mondays @ EPiTA

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 21 17:09:15 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 21A2716A469 for ; Fri, 21 Sep 2007 17:09:15 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id 0443B13C4A7 for ; Fri, 21 Sep 2007 17:09:14 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1IYm0A-0002ko-58 for freebsd-pf@freebsd.org; Fri, 21 Sep 2007 10:09:14 -0700 Message-ID: <12825908.post@talk.nabble.com> Date: Fri, 21 Sep 2007 10:09:14 -0700 (PDT)
From: Umar To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: unix.co@gmail.com Subject: local proxy X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2007 17:09:15 -0000

Dear Members!!

I want to restrict my users so that they don't bypass my squid proxy. In Linux iptables I achieved this with these rules:

$IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.250 -p TCP --dport 3128 -j DROP
$IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.250 -p TCP --dport 8080 -j DROP
$IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.250 -p TCP --dport 80 -j DROP
$IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.250 -p TCP --dport 6588 -j DROP

Now please help me: how can I do the same thing with PF?

Regards,
Umar Draz

--
View this message in context: http://www.nabble.com/local-proxy-tf4497398.html#a12825908
Sent from the freebsd-pf mailing list archive at Nabble.com.
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 21 17:43:24 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8FD2F16A420 for ; Fri, 21 Sep 2007 17:43:24 +0000 (UTC) (envelope-from odhiambo@gmail.com) Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.186]) by mx1.freebsd.org (Postfix) with ESMTP id 60B4213C480 for ; Fri, 21 Sep 2007 17:43:24 +0000 (UTC) (envelope-from odhiambo@gmail.com) Received: by rv-out-0910.google.com with SMTP id l15so755324rvb for ; Fri, 21 Sep 2007 10:43:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=fdOHHpzjAxQ1HxhY3QU/NTmftih8WJ3gTQNlHzyBFIQ=; b=ZyTpXyj6+U/cHGf9Jc4zffEke6BMPbopSeMMsj/0EezaWQYJ19vljXLVEQn0CyGZKoUsrwhLTNb/SGoS4mz74TPQ5RdKre74gVKphNI4XureGQ3oY2YaFFLHfCry6x5b+RSjoZ1/XRiaFZF6V/C7pZXg+zZn6UKJHj03UmIMWrg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=FRQCKpveA9O3TWJ1sh2yGdBxHQITLPy0meQicnda9Ad2VV10z9LjC0u4W4Mj5GySLTM96Fh9EjSPeHT20Q+ggZ7kPpyV53ykcuHjEeRILoEgaFqwjm/5d15h19wdU2WhwOwhP+71TCO6a4OgkI0qT5cMEqakquh6/+UAFd5n/9U= Received: by 10.115.111.1 with SMTP id o1mr150940wam.1190396221583; Fri, 21 Sep 2007 10:37:01 -0700 (PDT) Received: by 10.115.106.13 with HTTP; Fri, 21 Sep 2007 10:37:01 -0700 (PDT) Message-ID: <991123400709211037w7df6500ai4d01466823db5d4c@mail.gmail.com> Date: Fri, 21 Sep 2007 20:37:01 +0300 
From: "Washington Odhiambo" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Weird Problem with NAT - more details X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2007 17:43:24 -0000

Here is what tcpdump shows:

spamfilter# tcpdump -vv -s 200 -i em0 src host 62.8.64.102
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 200 bytes
20:29:37.401847 IP (tos 0x10, ttl 58, id 10542, offset 0, flags [DF], proto: TCP (6), length: 58) gw.57736 > 212.22.160.35.smtp: P, cksum 0xb82c (correct), 3160106269:3160106275(6) ack 3361902259 win 33072
20:29:37.406392 IP (tos 0x10, ttl 58, id 10544, offset 0, flags [DF], proto: TCP (6), length: 52) gw.57736 > 212.22.160.35.smtp: ., cksum 0x86ea (correct), 6:6(0) ack 48 win 33072
20:29:37.406395 IP (tos 0x10, ttl 58, id 10545, offset 0, flags [DF], proto: TCP (6), length: 52) gw.57736 > 212.22.160.35.smtp: F, cksum 0x86e9 (correct), 6:6(0) ack 48 win 33072
20:29:38.045803 IP (tos 0x10, ttl 58, id 10554, offset 0, flags [DF], proto: TCP (6), length: 64) gw.64570 > 212.22.160.35.smtp: S, cksum 0xce1f (correct), 4219889009:4219889009(0) win 65535
20:29:38.050332 IP (tos 0x10, ttl 58, id 10556, offset 0, flags [DF], proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: ., cksum 0x821e (correct), 4219889010:4219889010(0) ack 697685838 win 33072
20:29:38.151100 IP (tos 0x10, ttl 58, id 10559, offset 0, flags [DF], proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: ., cksum 0x81bd (correct), 0:0(0) ack 76 win 33072
20:29:56.811400 IP (tos 0x10, ttl 58, id 10571, offset 0, flags [DF], proto: TCP (6), length: 58) gw.64570 > 212.22.160.35.smtp: P, cksum 0x8b2c (correct), 0:6(6) ack 76 win 33072
20:29:56.831815 IP (tos 0x10, ttl 58, id 10573, offset 0, flags [DF], proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: ., cksum 0x644b (correct), 6:6(0) ack 123 win 33072 20:29:56.831818 IP (tos 0x10, ttl 58, id 10574, offset 0, flags [DF], proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: F, cksum 0x644a (correct), 6:6(0) ack 123 win 33072 20:29:59.111452 IP (tos 0x10, ttl 58, id 10593, offset 0, flags [DF], proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum 0x0171 (correct), 552613063:552613063(0) win 65535 20:30:02.086455 IP (tos 0x10, ttl 58, id 10597, offset 0, flags [DF], proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum 0xff18 (correct), 552613063:552613063(0) win 65535 20:30:05.290926 IP (tos 0x10, ttl 58, id 10598, offset 0, flags [DF], proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum 0xfc98 (correct), 552613063:552613063(0) win 65535 20:30:08.486187 IP (tos 0x10, ttl 58, id 10599, offset 0, flags [DF], proto: TCP (6), length: 48) gw.50020 > 212.22.160.35.pop3: S, cksum 0x7834 (correct), 552613063:552613063(0) win 65535 20:30:11.700449 IP (tos 0x10, ttl 58, id 10600, offset 0, flags [DF], proto: TCP (6), length: 48) gw.50020 > 212.22.160.35.pop3: S, cksum 0x7834 (correct), 552613063:552613063(0) win 65535 ^C 14 packets captured 111 packets received by filter 0 packets dropped by kernel spamfilter# tcpdump -vv -s 200 -i em0 src host 62.8.64.102 tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 200 bytes 20:30:44.177381 IP (tos 0x10, ttl 58, id 10640, offset 0, flags [DF], proto: TCP (6), length: 64) gw.53026 > 212.22.160.35.3000: S, cksum 0x85c1 (correct), 4224097118:4224097118(0) win 65535 20:30:47.172263 IP (tos 0x10, ttl 58, id 10644, offset 0, flags [DF], proto: TCP (6), length: 64) gw.53026 > 212.22.160.35.3000: S, cksum 0x8369 (correct), 4224097118:4224097118(0) win 65535 20:30:50.396927 IP (tos 0x10, ttl 58, id 10645, offset 0, flags [DF], proto: TCP (6), 
length: 64) gw.53026 > 212.22.160.35.3000: S, cksum 0x80e9 (correct), 4224097118:4224097118(0) win 65535 From owner-freebsd-pf@FreeBSD.ORG Fri Sep 21 17:55:54 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7F29C16A417 for ; Fri, 21 Sep 2007 17:55:54 +0000 (UTC) (envelope-from odhiambo@gmail.com) Received: from nz-out-0506.google.com (nz-out-0506.google.com [64.233.162.234]) by mx1.freebsd.org (Postfix) with ESMTP id 3B96313C43E for ; Fri, 21 Sep 2007 17:55:54 +0000 (UTC) (envelope-from odhiambo@gmail.com) Received: by nz-out-0506.google.com with SMTP id l8so676480nzf for ; Fri, 21 Sep 2007 10:55:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=81D4NPcXWGQtLVFGeODabQFLvN0FOUnH/wZhoP6ysnM=; b=icj9YCnPx1IJl/Nk0oZX3CryZK33xzXzuRk90r/PXVs97UqDOm/58MHtmZcaVx3LCRDvHM0k+paAetKcBVyhf6nun/PrrMwZxFg/SRJtd+SPO02OnlcXjDbq5IiFDmvq7zTVAT57qXq5LoSk9O5VqDL4aIKMxMOs+duQHhR/X1Q= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=SpB66gaXB2ge12ST/cYX2BawCn3zfpSlaNLO6diZVDFTrUqUyvNyfd4TrlfENiqYYH7oVxHojFXtB+qtxuf8SVP5mbiWgtciMFOU37VXccksLAFK6OlIAAoOo5lZXJ7zhdlhS1IuQpi3SvlRz1ozqNIEc0Z3lvt5VuSzSYQ/3PQ= Received: by 10.114.61.1 with SMTP id j1mr3002913waa.1190395634185; Fri, 21 Sep 2007 10:27:14 -0700 (PDT) Received: by 10.115.106.13 with HTTP; Fri, 21 Sep 2007 10:27:14 -0700 (PDT) Message-ID: <991123400709211027g350059e5kbbef276fd6a6bd6b@mail.gmail.com> Date: Fri, 21 Sep 2007 20:27:14 +0300 
From: "Washington Odhiambo" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Weird Problem with NAT X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2007 17:55:54 -0000
Hello people,

I have a box which I'd like to do some port forwarding to two boxes on my internal LAN.

I have reduced my pf.conf to just the following:

# define macros for each network interface
extif = "em0"
intif = "xl0"
server = "192.168.0.2"
exch_svr = "192.168.0.26"

services="{ 80, 110, 443, 53 }"
exchange_svcs="{ 3000 }"

rdr pass on $extif inet proto tcp to port $services -> $server
rdr pass on $extif inet proto tcp to port $exchange_svcs -> $exch_svr port 80
rdr pass on $extif inet proto { tcp, udp } to port $services -> $server

Well, this server's external IP is 212.22.160.35, if anyone is interested.

I have been trying the whole day to get "telnet 212.22.160.35 110" to work, but it wouldn't.

From the server, I can connect to 192.168.0.2 port 110 without a problem.

I am stuck at the moment.

What am I missing?

FreeBSD 6.2-STABLE here.

Thanks.
./Wash From owner-freebsd-pf@FreeBSD.ORG Fri Sep 21 18:05:59 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C423B16A468 for ; Fri, 21 Sep 2007 18:05:59 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.freebsd.org (Postfix) with ESMTP id 51C5713C461 for ; Fri, 21 Sep 2007 18:05:59 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.1.16] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis) id 0ML25U-1IYmt32HC3-00089R; Fri, 21 Sep 2007 20:05:57 +0200 
From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Fri, 21 Sep 2007 20:05:45 +0200 User-Agent: KMail/1.9.7 References: <991123400709211027g350059e5kbbef276fd6a6bd6b@mail.gmail.com> In-Reply-To: <991123400709211027g350059e5kbbef276fd6a6bd6b@mail.gmail.com> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1598668.dlFP9klTe9"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200709212005.56060.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1/ZkTmlLlMVmL9NYU0gZjz2l3w/zd2Rz6YNDCX /negNCGB26V9oMmWX3RtOHfqd7rl2VPQiPiohNi8Ce3xk6x/U8 tNeoZQKEJfrPcMm7Yx820oo9lAZsmozFFZA3i8Slts= Cc: Subject: Re: Weird Problem with NAT X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2007 18:05:59 -0000 --nextPart1598668.dlFP9klTe9 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Friday 21 September 2007, Washington Odhiambo wrote: > Hello people, > > I have a box which I'd like to do some port forwarding to two boxes on > my internal LAN. 
>
> I have reduced my pf.conf to just the following:
>
> # define macros for each network interface
> extif = "em0"
> intif = "xl0"
> server = "192.168.0.2"
> exch_svr = "192.168.0.26"
>
> services="{ 80, 110, 443, 53 }"
> exchange_svcs="{ 3000 }"
>
> rdr pass on $extif inet proto tcp to port $services -> $server
> rdr pass on $extif inet proto tcp to port $exchange_svcs -> $exch_svr port 80
> rdr pass on $extif inet proto { tcp, udp } to port $services -> $server
>
>
> Well, this server's external IP is 212.22.160.35, if anyone is
> interested.
>
> I have been trying whole day to get "telnet 212.22.160.35 110" to
> work, but it wouldn't.

From where?

> From the server, I can connect to 192.168.0.2 port 110 without a
> problem.
>
> I am stuck at the moment.
>
> What am I missing?
>
> FreeBSD 6.2-STABLE here.

The dumps you sent in the other mail are pretty useless. What is required is a dump from the internal interface and/or from the destination router itself. Are you sure you got the routing right on all boxes? Do you have net.inet.ip.forwarding enabled? Where are you trying from?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart1598668.dlFP9klTe9
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) iD8DBQBG9AgEXyyEoT62BG0RApJtAJ0WhHOiPoBzuLMXiU/NP2VDwVz0LACdGdCF ZmigigTxpDb3R+0zcw/ZJ3E= =/GFr -----END PGP SIGNATURE----- --nextPart1598668.dlFP9klTe9-- From owner-freebsd-pf@FreeBSD.ORG Fri Sep 21 20:19:15 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A690F16A41A for ; Fri, 21 Sep 2007 20:19:15 +0000 (UTC) (envelope-from linux@giboia.org) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.188]) by mx1.freebsd.org (Postfix) with ESMTP id 1767613C455 for ; Fri, 21 Sep 2007 20:19:14 +0000 (UTC) (envelope-from linux@giboia.org) Received: by nf-out-0910.google.com with SMTP id b2so816625nfb for ; Fri, 21 Sep 2007 13:19:13 -0700 (PDT) Received: by 10.82.177.3 with SMTP id z3mr1498930bue.1190405952517; Fri, 21 Sep 2007 13:19:12 -0700 (PDT) Received: by 10.82.135.11 with HTTP; Fri, 21 Sep 2007 13:19:12 -0700 (PDT) Message-ID: <6e6841490709211319n5585b3c0kf92b55b7882d45cf@mail.gmail.com> Date: Fri, 21 Sep 2007 17:19:12 -0300 
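Max is right that a capture taken only on em0 cannot show where the redirected packets went, but the dump Washington posted does show one pattern worth pulling out mechanically: on port 25 the client's sequence numbers advance and the session closes normally, while on ports 110 and 3000 the same SYN (same initial sequence number) is retransmitted at the usual 3-second backoff and nothing else is ever seen from that client, i.e. the rdr'd SYN never gets a SYN/ACK back through the NAT box. The script below is an added example and not part of the thread; it parses tcpdump -vv lines in the format quoted above and labels each one-directional flow. The sample input is a subset of the lines from Washington's capture; the port-name table covers only the names tcpdump printed there.

```python
import re
from collections import defaultdict

# Sample input: a subset of the tcpdump -vv lines quoted in the thread
# (one completed SMTP session on port 25, a POP3 SYN retried three times,
# a port-3000 SYN retried twice). Same layout as "tcpdump -vv -s 200 -i em0".
SAMPLE = """\
20:29:38.045803 IP (tos 0x10, ttl 58, id 10554, offset 0, flags [DF], proto: TCP (6), length: 64) gw.64570 > 212.22.160.35.smtp: S, cksum 0xce1f (correct), 4219889009:4219889009(0) win 65535
20:29:38.050332 IP (tos 0x10, ttl 58, id 10556, offset 0, flags [DF], proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: ., cksum 0x821e (correct), 4219889010:4219889010(0) ack 697685838 win 33072
20:29:56.811400 IP (tos 0x10, ttl 58, id 10571, offset 0, flags [DF], proto: TCP (6), length: 58) gw.64570 > 212.22.160.35.smtp: P, cksum 0x8b2c (correct), 0:6(6) ack 76 win 33072
20:29:56.831818 IP (tos 0x10, ttl 58, id 10574, offset 0, flags [DF], proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: F, cksum 0x644a (correct), 6:6(0) ack 123 win 33072
20:29:59.111452 IP (tos 0x10, ttl 58, id 10593, offset 0, flags [DF], proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum 0x0171 (correct), 552613063:552613063(0) win 65535
20:30:02.086455 IP (tos 0x10, ttl 58, id 10597, offset 0, flags [DF], proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum 0xff18 (correct), 552613063:552613063(0) win 65535
20:30:05.290926 IP (tos 0x10, ttl 58, id 10598, offset 0, flags [DF], proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum 0xfc98 (correct), 552613063:552613063(0) win 65535
20:30:44.177381 IP (tos 0x10, ttl 58, id 10640, offset 0, flags [DF], proto: TCP (6), length: 64) gw.53026 > 212.22.160.35.3000: S, cksum 0x85c1 (correct), 4224097118:4224097118(0) win 65535
20:30:47.172263 IP (tos 0x10, ttl 58, id 10644, offset 0, flags [DF], proto: TCP (6), length: 64) gw.53026 > 212.22.160.35.3000: S, cksum 0x8369 (correct), 4224097118:4224097118(0) win 65535
"""

# tcpdump 3.x "-vv" TCP summary line: timestamp, IP header in parentheses,
# src.port > dst.port: flags, cksum, seq:seq(len) [ack n] win n
LINE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP \(.*?\) "
    r"(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"(?P<flags>[SPFR.]+), cksum \S+ \(\w+\), "
    r"(?P<seq>\d+):\d+\(\d+\)"
)

# tcpdump prints well-known ports by name unless run with -n; only the
# names that appear in the quoted capture are mapped here.
PORT_NAMES = {"smtp": 25, "pop3": 110, "http": 80, "https": 443, "domain": 53}


def port_number(name):
    return int(name) if name.isdigit() else PORT_NAMES[name]


def parse(text):
    """One dict per TCP packet; tcpdump's own chatter ('listening on em0',
    'N packets captured') does not match the pattern and is skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pkts.append({
            "ts": m["ts"],
            "src": m["src"], "sport": port_number(m["sport"]),
            "dst": m["dst"], "dport": port_number(m["dport"]),
            "syn_only": m["flags"] == "S",   # bare SYN, no ACK: a new attempt
            "seq": int(m["seq"]),
        })
    return pkts


def classify_flows(pkts):
    """Label each (src, sport, dst, dport) flow as seen from one side.

    unanswered   : two or more bare SYNs and nothing else; with tcpdump's
                   relative numbering the retransmits carry the same ISN,
                   so the client is retrying because no SYN/ACK came back
    inconclusive : a single SYN and nothing else (capture may have stopped)
    progressed   : at least one non-SYN segment, so the handshake completed
    """
    flows = defaultdict(list)
    for p in pkts:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    labels = {}
    for key, segs in flows.items():
        syns = [s for s in segs if s["syn_only"]]
        if len(syns) == len(segs):              # nothing but SYNs seen
            labels[key] = ("unanswered", len(syns)) if len(syns) > 1 \
                else ("inconclusive", 1)
        else:
            labels[key] = ("progressed", len(segs))
    return labels


def unanswered_ports(pkts):
    """Destination ports that never produced a completed handshake."""
    labels = classify_flows(pkts)
    bad = {k[3] for k, (state, _) in labels.items() if state == "unanswered"}
    good = {k[3] for k, (state, _) in labels.items() if state == "progressed"}
    return sorted(bad - good)


if __name__ == "__main__":
    pk = parse(SAMPLE)
    for (src, sport, dst, dport), (state, n) in sorted(classify_flows(pk).items()):
        print(f"{src}:{sport} -> {dst}:{dport}  {state} ({n} segments)")
    print("ports never answered:", unanswered_ports(pk))
```

Run against the full capture this reports 25 as progressed and 110 and 3000 as unanswered, which narrows the question to "where did the rewritten SYN go after em0". The next capture, as Max says, belongs on the internal interface: if the SYN leaves xl0 rewritten to 192.168.0.2:110 but no SYN/ACK comes back, the internal host's default route (it must point back at the pf box for the reply to be un-NATed) and net.inet.ip.forwarding on the pf box are the two things to check; if the SYN never appears on xl0 at all, the rdr rule itself is not matching.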
From: "Gilberto Villani Brito" To: Umar In-Reply-To: <12825908.post@talk.nabble.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <12825908.post@talk.nabble.com> Cc: freebsd-pf@freebsd.org Subject: Re: local proxy X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2007 20:19:15 -0000
On 21/09/2007, Umar wrote:
>
> Dear Members!!
>
> I want to restrict my users so that they don't bypass my squid proxy. In Linux
> iptables I achieved this with these rules.
>
> $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.250 -p TCP --dport 3128 -j DROP
> $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.250 -p TCP --dport 8080 -j DROP
> $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.250 -p TCP --dport 80 -j DROP
> $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.250 -p TCP --dport 6588 -j DROP
>
> Now please help me how I can do the same thing with PF.
>
> Regards,
>
> Umar Draz
>
>
> --
> View this message in context: http://www.nabble.com/local-proxy-tf4497398.html#a12825908
> Sent from the freebsd-pf mailing list archive at Nabble.com.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

Try this:

block in quick proto tcp from 192.168.1.0/24 to ! 192.168.1.250 port 3128
block in quick proto tcp from 192.168.1.0/24 to ! 192.168.1.250 port 8080
block in quick proto tcp from 192.168.1.0/24 to ! 192.168.1.250 port 80
block in quick proto tcp from 192.168.1.0/24 to ! 192.168.1.250 port 6588

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 21 21:04:43 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9442916A419 for ; Fri, 21 Sep 2007 21:04:43 +0000 (UTC) (envelope-from dmehler26@woh.rr.com) Received: from ms-smtp-02.ohiordc.rr.com (ms-smtp-02.ohiordc.rr.com [65.24.5.136]) by mx1.freebsd.org (Postfix) with ESMTP id 3CAF613C45A for ; Fri, 21 Sep 2007 21:04:43 +0000 (UTC) (envelope-from dmehler26@woh.rr.com) Received: from satellite (cpe-71-64-129-15.woh.res.rr.com [71.64.129.15]) by ms-smtp-02.ohiordc.rr.com (8.13.6/8.13.6) with SMTP id l8LKQeEX001623 for ; Fri, 21 Sep 2007 16:26:40 -0400 (EDT) Message-ID: <000901c7fc8d$b7c04d50$0200a8c0@satellite>
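Gilberto's four rules are a direct translation of the iptables lines. The fragment below is an added example, not from the thread: it is the same policy written the way one would keep it in a real pf.conf, with the four ports in one list, bound to the LAN-facing interface, and with the two things the iptables version leaves implicit spelled out (what happens to the blocked client, and what a transparent redirect to squid would look like instead). The interface name fxp1 is an assumption; the subnet, proxy address and ports are Umar's.

```pf
# Added example (not from the thread). Assumed: the LAN hangs off fxp1.
int_if      = "fxp1"
lan         = "192.168.1.0/24"
proxy       = "192.168.1.250"
proxy_ports = "{ 80, 3128, 8080, 6588 }"

# Alternative to dropping: push direct port-80 requests through squid
# transparently (squid must be configured for transparent mode). On
# FreeBSD 6.x pf, translation rules must precede the filter rules, and the
# filter then sees the already-rewritten packet, so with this rdr enabled
# the block rule below no longer matches port-80 traffic at all.
# rdr on $int_if proto tcp from $lan to ! $proxy port 80 -> $proxy port 3128

# "in on $int_if" evaluates the packet as it arrives from the LAN, the
# same point as iptables' PREROUTING. "quick" makes this match final, so a
# later "pass in on $int_if all" cannot override it. "return-rst" sends the
# client a reset so the browser fails immediately instead of hanging until
# the connect timeout; plain "block" drops silently, which is also fine.
block return-rst in log quick on $int_if proto tcp \
    from $lan to ! $proxy port $proxy_ports

# The proxy itself and everything else from the LAN keep working.
pass in on $int_if proto tcp from $lan to $proxy port 3128 keep state
pass in on $int_if from $lan to any keep state
```

Two caveats before relying on this. Port 443 is not in Umar's list, so a client that is pointed straight at HTTPS sites, or at an external proxy listening on 443, still gets out; if the intent is that all web traffic goes through squid, add 443 to the list and let the browser use CONNECT through the proxy. And a block rule only governs what pf sees on $int_if: anything the LAN hosts can reach without crossing this box (a second gateway, a tethered phone) is outside its reach.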
From: "Dave" To: Date: Fri, 21 Sep 2007 16:26:40 -0400 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="Windows-1252"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138 X-Virus-Scanned: Symantec AntiVirus Scan Engine Subject: digital phone and pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Dave List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2007 21:04:43 -0000
Hello,
I'm running FreeBSD 6.2 and pf. I do both inbound and outbound filtering, egress I believe the term is. I'm about to get digital phone service, VoIP, from a company called Viatalk and am wondering which ports I will have to open up in the firewall to make this work?
Thanks.
Dave.
From owner-freebsd-pf@FreeBSD.ORG Sat Sep 22 03:03:10 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0E35416A420 for ; Sat, 22 Sep 2007 03:03:10 +0000 (UTC) (envelope-from eric@mikestammer.com) Received: from smtp101.sbc.mail.re2.yahoo.com (smtp101.sbc.mail.re2.yahoo.com [68.142.229.104]) by mx1.freebsd.org (Postfix) with SMTP id CEFB013C458 for ; Sat, 22 Sep 2007 03:03:09 +0000 (UTC) (envelope-from eric@mikestammer.com) Received: (qmail 33612 invoked from network); 22 Sep 2007 02:36:29 -0000 Received: from unknown (HELO mail.mikestammer.com) (mikestammer@sbcglobal.net@71.147.41.29 with login) by smtp101.sbc.mail.re2.yahoo.com with SMTP; 22 Sep 2007 02:36:29 -0000 X-YMail-OSG: lJL6h2cVM1lDLsAH8TaT.3krgaxIVRisB2CpA81L3ylJPDTAYliheMNBETeWbbPxVzfFt2d_6.4Y7y6dm06Bm_G6NTN1DTsbiyW5hh6En3k8BcmHeWVjg0ACIKnwu_gShVL7uhCtJQqID2b6BIpZC5vNHN7fgOHQCho6SQErGufcnmLnhqvv Received: from localhost (localhost [127.0.0.1]) by mail.mikestammer.com (Postfix) with ESMTP id A9045B869 for ; Fri, 21 Sep 2007 21:36:28 -0500 (CDT) X-Virus-Scanned: amavisd-new at mikestammer.com Received: from mail.mikestammer.com ([127.0.0.1]) by localhost (gondolin.middleearth.mikestammer.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H9RWks5gfXdi for ; Fri, 21 Sep 2007 21:36:26 -0500 (CDT) Received: from [192.168.0.152] (unknown [192.168.0.152]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: eric) by mail.mikestammer.com (Postfix) with ESMTPSA id AE4DAB868 for ; Fri, 21 Sep 2007 21:36:26 -0500 (CDT) Message-ID: <46F48106.4030605@mikestammer.com> Date: Fri, 21 Sep 2007 21:42:14 -0500 
From: Eric User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: cannot connect to SMTP from clients inside network except my own X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Sep 2007 03:03:10 -0000
My rules are at the bottom, but here is what I am seeing and I cannot figure it out.

I have pf doing NAT and redirecting several services to a server (gondolin). My domain is mikestammer.com. If I am on a client machine, I can telnet mikestammer.com 25 and I get the SMTP server prompt, but if I try to telnet to any other mail server it always times out. Mail to and from my domain using mikestammer.com works for sending and receiving email.

Can anyone see a reason for this in my rules? I did some captures from the client machine and was seeing things like this:

229 26.404238 192.168.0.152 68.73.91.210 TCP [TCP Previous segment lost] 3244 > smtp [SYN] Seq=5538293 Len=0 MSS=1460
230 26.406292 192.168.0.51 192.168.0.152 ICMP Destination unreachable (Host unreachable)

68.73.91.210 is the mail server I want to connect to.

I am not having any problem connecting to IMAP servers to get email, but trying to send via those servers has never worked properly.
Any other comments on my ruleset are appreciated as well.

Thanks
Eric

#
# $FreeBSD$
# PF rule set for mpd under FreeBSD
#
# Network Configuration
#
# Kernel mode PPPoE with mpd
# -----------[FreeBSD PF]---------------[Switch]------[192.168.0.0/24]
#    ADSL    xl0          sk0(192.168.0.51)
#

# Macros
ext_if="ng0"        # replace with actual external interface name i.e., dc0
int_if="sk0"        # replace with actual internal interface name i.e., dc1
wir_if="ath0"
intnet = "192.168.0.0/24"   # Address space of LAN
gondolin = "192.168.0.51"   # This machine
isengard = "192.168.0.101"
baraddur = "192.168.0.150"

# The table names ("table <name> const { ... }") did not survive the archiving
# of this message; the rules below that read "from ... to" with nothing in
# between are the ones that referenced them.
table const {0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
             224.0.0.0/4, 240.0.0.0/4, 10.0.0.0/8, \
             172.16.0.0/12, 192.168.0.0/16, 255.255.255.255, \
             127.0.0.1/8}
#
# hosts that can use this system as a gateway
#
table const {192.168.0.0/24}

set loginterface ng0
set skip on lo0

################################
# step 1: normalise packets    #
################################
# Clean up fragmented and abnormal packets, defeat NAT detection too
# max-mss is needed due to mpd's poor MSS handling
scrub in all
scrub out all random-id max-mss 1440

################################
# step 2: NAT rules            #
################################
# services provided to the outside world:
rdr on $ext_if proto tcp from any to $ext_if port 22 -> $gondolin port 22
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $gondolin port 25
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $gondolin port 80
rdr on $ext_if proto tcp from any to $ext_if port 113 -> $gondolin port 113
rdr on $ext_if proto tcp from any to $ext_if port 143 -> $gondolin port 143
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $gondolin port 443
rdr on $ext_if proto tcp from any to $ext_if port 993 -> $gondolin port 993
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> $isengard port 3389
rdr on $ext_if proto udp from any to $ext_if port 30275 -> $baraddur port 30275

# all ordinary traffic:
nat on $ext_if from $intnet to any -> $ext_if

################################
# step 3: Filtering            #
################################
# Remember default rule for non-matching packets are passed!!!
block out log on $ext_if all
block in log on $ext_if all
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all

# allow lo0 interface packet
pass in quick on lo0 all
pass out quick on lo0 all

# allow internal network traffic
pass in on $int_if from any to
pass out on $int_if from to any

#
# block spoofing attack
#
block in quick log on $ext_if from to any

# Allow ICMP (ping) IN
# pass out/in certain ICMP queries and keep state (ping)
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

#HTTP server
pass in on $ext_if proto tcp from any to $gondolin port 80 label "HTTP" flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 443 label "HTTPS" flags S/SA

#ident service
pass in on $ext_if proto tcp from any to $gondolin port 113 label "ident" flags S/SA

#RDP to Isengard
pass in on $ext_if proto tcp from any to $isengard port 3389 label "RDP" flags S/SA

#Mail server (SMTP and IMAP)
pass in on $ext_if proto tcp from any to $gondolin port 25 label "SMTP" flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 143 label "IMAP" flags S/SA
#pass in on $ext_if proto tcp from any to $gondolin port 993 label "IMAPS" flags S/SA

#Hamachi
pass in on $ext_if proto udp from any to $baraddur port 30275 label "Hamachi"

#SSH server
pass in on $ext_if proto tcp from any to $gondolin port 22 label "SSH" keep state

#allow outbound
#anything really
pass out on $ext_if proto { tcp, udp, icmp } all keep state

#open everything on internal ... if you don't trust that side of the network, you've got big probs
pass in on $int_if all
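One thing in Eric's ruleset that is easy to miss on FreeBSD 6.2: its pf is the OpenBSD 3.7 vintage, where "keep state" is not implied. A "pass in on $ext_if ... flags S/SA" rule without it matches only the initial SYN; the rest of each inbound connection is then carried by the state that the outbound "pass out ... keep state" rule happens to create for the SYN/ACK, which works but means the published services are stateful by accident rather than by design. The fragment below is an added example, not Eric's file: the same services with explicit state on both interfaces, the nine rdr lines collapsed into a port list, and the lo0 rules dropped because "set skip on lo0" already exempts that interface. Interface names and addresses are Eric's; the table name "lan" is a placeholder for the one lost from his post.

```pf
# Added example (not Eric's ruleset): same published services, explicit state.
ext_if   = "ng0"
int_if   = "sk0"
gondolin = "192.168.0.51"
isengard = "192.168.0.101"
baraddur = "192.168.0.150"
gondolin_tcp = "{ 22, 25, 80, 113, 143, 443, 993 }"
table <lan> const { 192.168.0.0/24 }     # name assumed; Eric's was lost

set loginterface $ext_if
set skip on lo0                          # makes separate lo0 pass rules unnecessary

scrub in all
scrub out all random-id max-mss 1440

# Translation must precede filtering on this pf version. "($ext_if)" in
# parentheses re-reads the PPPoE address whenever mpd renegotiates it.
# With no port on the right-hand side the destination port is kept.
rdr on $ext_if proto tcp from any to ($ext_if) port $gondolin_tcp -> $gondolin
rdr on $ext_if proto tcp from any to ($ext_if) port 3389  -> $isengard
rdr on $ext_if proto udp from any to ($ext_if) port 30275 -> $baraddur
nat on $ext_if from <lan> to any -> ($ext_if)

block in  log on $ext_if all
block out log on $ext_if all
antispoof log quick for $int_if          # replaces the lost "from <table> to any" block

# Inbound: accept only the SYN of a new connection and create the state
# entry right here, so the handshake and every later segment match it in
# both directions without depending on the outbound rule.
pass in on $ext_if proto tcp from any to $gondolin port $gondolin_tcp \
    flags S/SA keep state label "gondolin"
pass in on $ext_if proto tcp from any to $isengard port 3389 \
    flags S/SA keep state label "RDP"
pass in on $ext_if proto udp from any to $baraddur port 30275 \
    keep state label "Hamachi"
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# LAN side, stateful as well: a client's outbound SMTP to a foreign MX (the
# case in the mail) gets its state entry as it enters on sk0.
pass in  on $int_if from <lan> to any keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

This does not by itself explain the capture Eric posted. The ICMP host-unreachable comes from 192.168.0.51 itself, and nothing in the posted rules generates ICMP for TCP (the TCP block rules use return-rst), so it is coming from the gateway's forwarding path rather than from pf. Before changing rules, "route -n get 68.73.91.210" on the gateway shows whether the kernel has a route for that host at all, and "pfctl -vsr" prints per-rule evaluation and packet counters so one can see whether any block rule is actually matching the outbound SYN.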