From owner-freebsd-pf@FreeBSD.ORG Mon Feb 23 08:31:23 2009
Date: Mon, 23 Feb 2009 10:06:12 +0200
Message-ID: <139b44430902230006q310a2a39gb9f7ea9fe3ad0953@mail.gmail.com>
From: Valentin Bud
To: freebsd-pf
Subject: a "strange" question about OSs

Hello Community,

The following question may sound very awkward but what OS is suitable from the following list
to replace FBSD:

- OpenSUSE 10.3
- Debian 4.0
- CentOS 5

The company I work for wants to change the provider because of the economical crisis to
save some money. The actual provider gave us the chance to install our OS but the one
they chose as a replacement doesn't give any other choice besides the above mentioned.

I work for 2 years in IT and FBSD is the only OS I have ever used in production. I like it and
learned it a little bit. It is going to be a steep learning curve with the new OS which I'm not afraid
of but I would like to choose a suitable OS and one that has some similarities with FBSD.

thank you,
v

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 23 11:06:57 2009
Date: Mon, 23 Feb 2009 11:06:56 GMT
Message-Id: <200902231106.n1NB6uFW055592@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/130977  pf     [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf     [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf     [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf     [pf] deadlock in pf
o kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/82271   pf     [pf] cbq scheduler cause bad latency

30 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 23 16:18:14 2009
In-Reply-To: <139b44430902230006q310a2a39gb9f7ea9fe3ad0953@mail.gmail.com>
Date: Mon, 23 Feb 2009 16:47:57 +0100
Message-ID: <2ad621ab0902230747w31b05455jcc8368b3a891385@mail.gmail.com>
From: britneyfreek
To: freebsd-pf
Subject: Re: a "strange" question about OSs

linux is in many ways very similar to bsd. i'd suggest using debian as it is known to be very stable. and better use debian 5.0 (aka 'lenny') which is the current stable release. if you like more up-to-date software _and_ a high level of stability, try testing (currently called 'squeeze') - or completely switch to ubuntu server (debian-based distro). there are people saying _not_ to use anything other than stable in production but i've made only positive experiences with testing in production environments - provided that you know what you're doing with the system.

- b

2009/2/23 Valentin Bud

> Hello Community,
>
> The following question may sound very awkward but what OS is suitable from
> the following list to replace FBSD:
>
> - OpenSUSE 10.3
> - Debian 4.0
> - CentOS 5
>
> The company I work for wants to change the provider because of the
> economical crisis to save some money. The actual provider gave us the
> chance to install our OS but the one they chose as a replacement doesn't
> give any other choice besides the above mentioned.
>
> I work for 2 years in IT and FBSD is the only OS I have ever used in
> production. I like it and learned it a little bit. It is going to be a
> steep learning curve with the new OS which I'm not afraid of but I would
> like to choose a suitable OS and one that has some similarities with FBSD.
>
> thank you,
> v

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 23 17:23:06 2009
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Mon, 23 Feb 2009 18:23:03 +0100
In-Reply-To: <139b44430902230006q310a2a39gb9f7ea9fe3ad0953@mail.gmail.com>
Message-Id: <200902231823.04018.max@love2party.net>
Subject: Re: a "strange" question about OSs

Hello Valentin,

first off - this is the completely wrong mailing list! Please refrain from further requests to it in relation to this or similar request. To your question ...

On Monday 23 February 2009 09:06:12 Valentin Bud wrote:
> The following question may sound very awkward but what OS is suitable from
> the following list to replace FBSD:
>
> - OpenSUSE 10.3
> - Debian 4.0
> - CentOS 5

CentOS seems to be the only one of these to be at least somewhat current - both SuSE and Debian have released newer *major* versions meanwhile. CentOS is at 5.2, which only has kernel-2.6.18 however.

> The company I work for wants to change the provider because of the
> economical crisis to save some money. The actual provider gave us the
> chance to install our OS but the one they chose as a replacement doesn't
> give any other choice besides the above mentioned.

I personally would stay clear of any provider that is offering only the above choice. IMHO, it rules them out as rather unprofessional.

> I work for 2 years in IT and FBSD is the only OS I have ever used in
> production. I like it and learned it a little bit. It is going to be a
> steep learning curve with the new OS which I'm not afraid of but I would
> like to choose a suitable OS and one that has some similarities with FBSD.

If you are concerned with firewall setup (as this is a mailing list pertaining to a *BSD specific firewall software: PF) you won't find a suitable replacement in the linux world. Linux uses iptables to manage the packet filter which is completely different from pf in design and setup and you will probably have to start from scratch to learn how to use it.

OTOH, you might find the following links helpful:
http://www.daemonology.net/blog/2008-01-29-depenguinator-2.0.html
http://www.daemonology.net/depenguinator/

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 24 00:30:47 2009
Message-ID: <49A33C2B.1090707@quip.cz>
Date: Tue, 24 Feb 2009 01:15:39 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Subject: can't connect from jail to jail itself with binat

I have a problem with connections from Jail with binat. I can connect to jailed services from outside, I can connect to outside world from jail, but I cannot connect from jail to jailed services by public IP. (for example, connection to www.mysite.tld resolved to IP 1.2.3.4 is blocked)

The jail itself has IP 172.16.20.3 on interface lo1. Host machine has secondary public IP 1.2.3.4 (just an example) on bge1 translated with binat.

--- simplified ruleset ---
ext_if="bge1"
ext_addr_1="1.2.3.4"

jail_if="lo1"
jail_addr_1="172.16.20.3"
jail_tcp_1_inports="{ 21, 22, 25, 80, 110, 143, 443, 465, 587, 993, 995 }"

binat on $ext_if from $jail_addr_1 to any -> $ext_addr_1

block log

pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA modulate state
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port $jail_tcp_1_inports
pass on $jail_if inet from $jail_addr_1 to $jail_addr_1
--- simplified ruleset ---

I played a bit with pflog and adding some pass rules (like 'pass out on $jail_if') but without any luck. pflog is still reporting:

block out on lo1: (tos 0x0, ttl 64, id 10143, offset 0, flags [DF], proto TCP (6), length 40)
    1.2.3.4.80 > 172.16.20.3.57670:

Is there any way to allow this type of traffic?

(FreeBSD 7.1-RELEASE i386)

Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 25 11:57:40 2009
Date: Wed, 25 Feb 2009 17:31:31 +1100
From: Peter Jeremy
To: Nenhum_de_Nos
Message-ID: <20090225063131.GA31601@server.vk2pj.dyndns.org>
In-Reply-To: <596e4ca92b10c5b088934cc8f48a0bdc.squirrel@cygnus.homeunix.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

On 2009-Feb-13 16:58:39 -0200, Nenhum_de_Nos wrote:
>if you get to use pf+dummynet for real please broadcast. I once searched
>for it but no luck in finding :)

I'm using it at work to do WAN simulation for system testing. The patches are a bit rough around the edges but mostly work. The major change I needed to make was to modify the patch to associate a pair of pipes with each rule (so that traffic in each direction is handled separately).

-- 
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 25 12:35:31 2009
Date: Wed, 25 Feb 2009 14:35:29 +0200
Message-ID: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com>
From: Artis Caune
To: freebsd-pf@freebsd.org
Cc: samm@os2.kiev.ua
Subject: openbsd spamd is leaking memory?

Hi,

we are running spamd-4.1.2 on amd64 boxes for a week now and one of
its processes are getting bigger and bigger:
  spamd: (pf update) (spamd)
  SIZE: 836M
  RES: 773M

we use redundant firewalls and they have the same problem.

grey count is 500'000 - 1'000'000
white count is 80'000 and growing
200 - 600 concurrent connections to spamd
/var/db/spamd is 170M

I look at spamd/grey.c and found that while traversing SLIST in
do_changes() function, entry is removed from head but not freed:
    while (!SLIST_EMPTY(&db_changes)) {
        dbc = SLIST_FIRST(&db_changes);
        ...
        free(dbc->key);
        free(dbc->data);
        SLIST_REMOVE_HEAD(&db_changes, entry);
    }

there is no "free(dbc);"

-- 
regards,
Artis Caune

<----.     CCNA | BSDA
<----|====================
<----'     didii FreeBSD

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 25 13:42:48 2009
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 25 Feb 2009 14:42:43 +0100
In-Reply-To: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com>
Message-Id: <200902251442.43794.max@love2party.net>
Cc: beck@openbsd.org, samm@os2.kiev.ua, Artis Caune
Subject: Re: openbsd spamd is leaking memory?

Hello Artis,

looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob, that's you, right?) From a quick glance there is also a minor leak in readsuffixlists in the goto bad case.

On Wednesday 25 February 2009 13:35:29 Artis Caune wrote:
> we are running spamd-4.1.2 on amd64 boxes for a week now and one of
> its processes are getting bigger and bigger:
>   spamd: (pf update) (spamd)
>   SIZE: 836M
>   RES: 773M
>
> we use redundant firewalls and they have the same problem.
>
> grey count is 500'000 - 1'000'000
> white count is 80'000 and growing
> 200 - 600 concurrent connections to spamd
> /var/db/spamd is 170M
>
> I look at spamd/grey.c and found that while traversing SLIST in
> do_changes() function, entry is removed from head but not freed:
>     while (!SLIST_EMPTY(&db_changes)) {
>         dbc = SLIST_FIRST(&db_changes);
>         ...
>         free(dbc->key);
>         free(dbc->data);
>         SLIST_REMOVE_HEAD(&db_changes, entry);
>     }
>
> there is no "free(dbc);"

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 25 14:10:06 2009
In-Reply-To: <200902251442.43794.max@love2party.net>
Date: Wed, 25 Feb 2009 16:10:04 +0200
Message-ID: <9e20d71e0902250610l62a42a99t5b9683aefb08c7cf@mail.gmail.com>
From: Artis Caune
To: Max Laier
Cc: beck@openbsd.org, samm@os2.kiev.ua, freebsd-pf@freebsd.org
Subject: Re: openbsd spamd is leaking memory?

2009/2/25 Max Laier:
> Hello Artis,
>
> looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob,
> that's you, right?) From a quick glance there is also a minor leak in
> readsuffixlists in the goto bad case.
>

I'm running spamd with this patch more than 2h and no leaks :)

--- grey.c.orig 2008-12-07 23:12:52.000000000 +0200 +++ grey.c 2009-02-25 15:22:48.000000000 +0200 
@@ -512,7 +512,8 @@ dbc->act = 0; dbc->dsiz = 0; SLIST_REMOVE_HEAD(&db_changes, entry); - + free(dbc); + dbc = NULL; } return(ret); }

-- 
regards,
Artis Caune

<----.     CCNA | BSDA
<----|====================
<----'     didii FreeBSD

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 25 16:23:35 2009
Date: Wed, 25 Feb 2009 08:51:56 -0700
From: Bob Beck To: Max Laier Message-ID: <20090225155156.GN15982@bofh.cns.ualberta.ca> References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200902251442.43794.max@love2party.net> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: deraadt@openbsd.org, beck@openbsd.org, samm@os2.kiev.ua, Artis Caune , freebsd-pf@freebsd.org Subject: Re: openbsd spamd is leaking memory? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Feb 2009 16:23:35 -0000 * Max Laier [2009-02-25 06:43]: > Hello Artis, > > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob, > that's you, right?) From a quick glance there is also a minor leak in > readsuffixlists in the goto bad case. Yeah you're right max, in fact there are three possibilities for a slow leak.. try this: Index: grey.c =================================================================== RCS file: /cvs/src/libexec/spamd/grey.c,v retrieving revision 1.45 diff -u grey.c --- grey.c 7 Dec 2008 21:12:52 -0000 1.45 +++ grey.c 25 Feb 2009 15:46:09 -0000 @@ -315,8 +315,11 @@ size_t len; struct mail_addr *m; - while (!SLIST_EMPTY(&match_suffix)) + while (!SLIST_EMPTY(&match_suffix)) { + m = SLIST_FIRST(&match_suffix); SLIST_REMOVE_HEAD(&match_suffix, entry); + free(m); + } if ((fp = fopen(alloweddomains_file, "r")) != NULL) { while ((buf = fgetln(fp, &len))) { if (buf[len-1] == '\n') @@ -337,8 +340,11 @@ } return; bad: - while (!SLIST_EMPTY(&match_suffix)) + while (SLIST_EMPTY(&match_suffix)) { + m = SLIST_FIRST(&match_suffix); SLIST_REMOVE_HEAD(&match_suffix, entry); + free(m); + } } void 
@@ -512,6 +518,7 @@ dbc->act = 0; dbc->dsiz = 0; SLIST_REMOVE_HEAD(&db_changes, entry); + free(dbc); } return(ret);

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 25 16:45:53 2009
Date: Wed, 25 Feb 2009 09:45:52 -0700
From: Bob Beck
To: Bob Beck
Message-ID: <20090225164552.GW15982@bofh.cns.ualberta.ca>
References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> <20090225155156.GN15982@bofh.cns.ualberta.ca>
In-Reply-To: <20090225155156.GN15982@bofh.cns.ualberta.ca>
Cc: samm@os2.kiev.ua, Artis Caune, freebsd-pf@freebsd.org
Subject: Re: openbsd spamd is leaking memory?

* Bob Beck [2009-02-25 08:52]:
>
> * Max Laier [2009-02-25 06:43]:
> > Hello Artis,
> >
> > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob,
> > that's you, right?) From a quick glance there is also a minor leak in
> > readsuffixlists in the goto bad case.
>
> Yeah you're right max, in fact there are three possibilities for
> a slow leak.. try this:
>

actually, try this - dropped a ! in the earlier one. sorry :)

-Bob

Index: grey.c =================================================================== RCS file: /cvs/src/libexec/spamd/grey.c,v retrieving revision 1.45 diff -u grey.c --- grey.c 7 Dec 2008 21:12:52 -0000 1.45 +++ grey.c 25 Feb 2009 16:33:57 -0000 @@ -315,8 +315,11 @@ size_t len; struct mail_addr *m; - while (!SLIST_EMPTY(&match_suffix)) + while (!SLIST_EMPTY(&match_suffix)) { + m = SLIST_FIRST(&match_suffix); SLIST_REMOVE_HEAD(&match_suffix, entry); + free(m); + } if ((fp = fopen(alloweddomains_file, "r")) != NULL) { while ((buf = fgetln(fp, &len))) { if (buf[len-1] == '\n')
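Review bot: the drain loop added in this first hunk is repeated line for line at the bad: label in the next hunk; a small static helper that empties match_suffix, called from both places, would keep the two copies from drifting apart the way the condition did in the previous posting. Please also confirm that struct mail_addr has no separately allocated members, since free(m) releases only the node.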
@@ -337,8 +340,11 @@ } return; bad: - while (!SLIST_EMPTY(&match_suffix)) + while (!SLIST_EMPTY(&match_suffix)) { + m = SLIST_FIRST(&match_suffix); SLIST_REMOVE_HEAD(&match_suffix, entry); + free(m); + } } void @@ -512,6 +518,7 @@ dbc->act = 0; dbc->dsiz = 0; SLIST_REMOVE_HEAD(&db_changes, entry); + free(dbc); } return(ret); @@ -737,8 +744,8 @@ if (r) goto bad; if (debug)

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 25 19:50:07 2009
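Review bot: the last hunk (@@ -737,8 +744,8 @@) is cut off after two context lines, with no added or removed lines visible, so that part of the change cannot be reviewed from this posting. The header gives eight lines on each side, so it replaces lines rather than adding any; please resend the complete hunk or point to the committed revision.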
From: Max Laier
Organization: FreeBSD
To: Artis Caune
Date: Wed, 25 Feb 2009 20:50:02 +0100
References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> <9e20d71e0902250610l62a42a99t5b9683aefb08c7cf@mail.gmail.com>
In-Reply-To: <9e20d71e0902250610l62a42a99t5b9683aefb08c7cf@mail.gmail.com>
Message-Id: <200902252050.02682.max@love2party.net>
Cc: samm@os2.kiev.ua, freebsd-pf@freebsd.org
Subject: Re: openbsd spamd is leaking memory?

On Wednesday 25 February 2009 15:10:04 Artis Caune wrote:
> 2009/2/25 Max Laier :
> > Hello Artis,
> >
> > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob,
> > that's you, right?) From a quick glance there is also a minor leak in
> > readsuffixlists in the goto bad case.

Bob Beck has meanwhile committed the slightly more encompassing fix which can
be obtained via webcvs:
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/spamd/grey.c.diff?r1=1.45;r2=1.46

Alex, do you have time to roll a new release or would you prefer the patch
applied via the ports patch facilities?

> I'm running spamd with this patch more than 2h and no leaks :)
>
>
>
> --- grey.c.orig 2008-12-07 23:12:52.000000000 +0200 > +++ grey.c 2009-02-25 15:22:48.000000000 +0200
> @@ -512,7 +512,8 @@ > dbc->act = 0; > dbc->dsiz = 0; > SLIST_REMOVE_HEAD(&db_changes, entry); > - > + free(dbc); > + dbc = NULL; > } > return(ret); > }

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 25 23:09:16 2009
In-Reply-To: <38ce25da0901271659m2b6d8a1fg2e425df93781f6f5@mail.gmail.com>
References:
<38ce25da0901271659m2b6d8a1fg2e425df93781f6f5@mail.gmail.com> Date: Wed, 25 Feb 2009 17:09:14 -0600 Message-ID: <38ce25da0902251509s47ea139etd61bd939e2ea4300@mail.gmail.com> 
From: Andrew Daugherity
To: freebsd-pf@freebsd.org
Subject: Re: carp vs. devd, and advskew lossage

On Tue, Jan 27, 2009 at 6:59 PM, Andrew Daugherity wrote:
> Summary: devd unnecessarily reconfigures carp interfaces, and
> "/etc/rc.d/netif start carp0" loses the advskew setting when an IP
> assigned to carp0 is configured on gif0.  This is probably two
> separate bugs.

Well, since I seem to have stumped everyone, and have been able to
replicate the problem on 6.2/i386, I have filed two bugs on the
matter: kern/132107 and bin/132112.

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 26 08:24:03 2009
Message-ID: <49A65199.9080305@uffner.com>
Date: Thu, 26 Feb 2009 03:23:53 -0500
From: Tom Uffner
To: freebsd-pf@freebsd.org
References: <49913D89.8010801@uffner.com>
In-Reply-To: <49913D89.8010801@uffner.com>
Subject: Re: status of carpdev?

Tom Uffner wrote:
> what happened with the effort to port "ifconfig ... carpdev ..." to
> FreeBSD?
>
> the last messages mentioning it were posted a bit more than a year ago.
> if i remember correctly, there was a patch for IPv4 only. it was considered
> Beta test quality and a few people were using it. but since then i have not
> seen it mentioned anywhere, and nothing has been committed.
>
> what is the status, and is there a usable patch for 7.1?

answering my own question, sort of...

the most recent incarnation of Max's carpdev patch that I can find is
http://docs.freebsd.org/cgi/mid.cgi?200712091835.33608.max

it applies almost cleanly to recent RELENG_7 - there are rejects in one
file, but they are pretty obvious and easy to fix.
but building a kernel fails in sys/netinet/ip_carp.c:

cc1: warnings being treated as errors
/usr/src/sys/netinet/ip_carp.c: In function 'carp_setroute':
/usr/src/sys/netinet/ip_carp.c:394: warning: assignment from incompatible pointer type
*** Error code 1

this is due to the multiple routing table changes, and the break most
likely occurred here:

----------------------------
revision 1.120.2.4
date: 2008/07/24 01:13:22; author: julian; state: Exp; lines: +355 -95
SVN rev 180774 on 2008-07-24 01:13:22Z by julian

MFC an ABI compatible implementation of Multiple routing tables.
See the commit message for
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/route.c
version 1.129 (svn change # 178888) for more info.

Obtained from: Ironport (Cisco Systems)
----------------------------

so, no. there is not a usable patch for 7.1.

I am not very familiar with the implications of this change. Is it
feasible to just ignore it and use row 0 of rt_tables[][] ? Or do I need
to do something more sophisticated?

what are the chances of getting this patch updated, or even better,
completed & committed? i have neither the time nor the knowledge to
attempt to code the IPv6 bits, but I would be willing to test (for IPv4)
on a production firewall pair, and maybe try v6 on a test network.
tom

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 26 09:24:46 2009
Date: Thu, 26 Feb 2009 09:58:05 +0100
From: "Olli Hauer"
In-Reply-To: <200902252050.02682.max@love2party.net>
Message-ID: <20090226085805.27980@gmx.net>
References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> <9e20d71e0902250610l62a42a99t5b9683aefb08c7cf@mail.gmail.com> <200902252050.02682.max@love2party.net>
To: Max Laier, artis.caune@gmail.com
Cc: samm@os2.kiev.ua, freebsd-pf@freebsd.org
Subject: Re: openbsd spamd is leaking memory?

> On Wednesday 25 February 2009 15:10:04 Artis Caune wrote:
> > 2009/2/25 Max Laier :
> > > Hello Artis,
> > >
> > > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob,
> > > that's you, right?) From a quick glance there is also a minor leak in
> > > readsuffixlists in the goto bad case.
>
> Bob Beck has meanwhile committed the slightly more encompassing fix which can
> be obtained via webcvs:
> http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/spamd/grey.c.diff?r1=1.45;r2=1.46
>
> Alex, do you have time to roll a new release or would you prefer the patch
> applied via the ports patch facilities?
>
> > I'm running spamd with this patch more than 2h and no leaks :)
> >
> >
> >
> > --- grey.c.orig 2008-12-07 23:12:52.000000000 +0200 > > +++ grey.c 2009-02-25 15:22:48.000000000 +0200
> > @@ -512,7 +512,8 @@ > > dbc->act = 0; > > dbc->dsiz = 0; > > SLIST_REMOVE_HEAD(&db_changes, entry); > > - > > + free(dbc); > > + dbc = NULL; > > } > > return(ret); > > }
> >
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

Hi Max/Alex,

I prefer a patch in the ports since I updated the code to OpenBSD 4.3 and
the sync protocol is not compatible with the old one.

At the moment the code in svn is based on OpenBSD 4.3 + additional
patches/features which I sent nearly one year ago to tech@ but they were
not committed (spamdb with sync feature for example).

I will see if I can find the time next week to finish the update to
OpenBSD version 4.4 and then we can roll out a new version.

Regards,
olli

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 27 12:40:21 2009
Received: from macserv.itt-consulting.com ([127.0.0.1]) by localhost
(localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yImt3i5gfMk for ; Fri, 27 Feb 2009 13:57:59 +0200 (EET) Received: from [172.17.20.254] (unknown [172.17.20.254]) by macserv.itt-consulting.com (Postfix) with ESMTP id BEFF8FB96EB for ; Fri, 27 Feb 2009 13:57:59 +0200 (EET) Message-ID: <49A7D547.9040801@ngc.net.ua> Date: Fri, 27 Feb 2009 13:57:59 +0200 
From: Link
To: freebsd-pf@freebsd.org
Subject: freebsd 7.1 pf route-to connection stall

Hello all,

my problems began after migration from free 6.3 to 7.1

I use only one rule:

pass out on $if1 route-to ($if0 $if0_gw) from $if0 to any

After upgrade to 7.0 i found that i should add "no state"

Now using scp i can download from server, but i can`t upload via $if0
interface. Connection stalls...

wbr, Link

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 27 21:32:33 2009
Message-ID: <49A85BD4.7050105@uffner.com>
Date: Fri, 27 Feb 2009 16:32:04 -0500
From: Tom Uffner
To: Link
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua>
In-Reply-To: <49A8177B.9010209@ngc.net.ua>
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd 7.1 pf route-to connection stall

Link wrote:
> Tom Uffner wrote:
>> i'm having trouble making sense of that rule. could you explain (or maybe
>> draw a simple diagram) what you are trying to accomplish with it?

> Seems that i found problem. And I`m going to post it to freebsd bugs.

you're probably better off staying on freebsd-pf

> My full configuration is:
>
> if_bce0="bce0"
> if_bce0_gw="172.20.51.1"
> if_bce1="bce1"
>
> scrub in all
>
> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to
> any no state flags any
>
> The sense is: when packet comes in on bce0 server should ignore default
> route ( set on bce1 ) and reply via bce0 using gateway if_bce0_gw

just guessing (based on very incomplete info) you might want
"pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any"

but it seems like there should be a simpler way to do that.

can you give us a little more info about your net topology? for example,
what IP addresses, if any, are bound to the interfaces? what network(s)
are directly attached? location(s)/address(es) of your router(s)? do you
have any static routes defined?
> Now i have about 15 hosts with freebsd 7.1
> Part of them are p2 and part of them p3
> This problem appears only in p3

not sure why the chipset would make a difference. maybe that is a bug.

tom

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 27 22:30:40 2009
Date: Fri, 27 Feb 2009 22:30:40 GMT
Message-Id: <200902272230.n1RMUept085174@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Cc:
Subject: Re: misc/132176: [pf] pf stalls connection when using route-to

Old Synopsis: pf stalls connection when using route-to
New Synopsis: [pf] pf stalls connection when using route-to

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Feb 27 22:30:13 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=132176

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 28 10:32:12 2009
Message-ID: <49A8FED7.3000603@ngc.net.ua>
Date: Sat, 28 Feb 2009 11:07:35 +0200
From: Zinevich Denis
To: Tom Uffner
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com>
In-Reply-To: <49A85BD4.7050105@uffner.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd 7.1 pf route-to connection stall

"pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
work. But anyway question is not in syntax of rules, because nobody
touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3

Network is quite simple.
Server has 2 cards bce0 and bce1
bce0 - 172.20.51.10
bce1 - 172.20.1.130
default gw - 172.20.1.1
networks are /24

As i described before goal of my rule is to ignore default route when
request comes on 172.20.51.10.
Without such rule reply will go to 172.20.1.1 and with pf rule it will
go out to 172.20.51.1 via bce0.
For example similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
172.20.51.10 to any

Maybe i misunderstood something in your reply... But i was not talking
about chipset, I was talking about patch level of freebsd. and such
behaviour appears only in 7.1-p3

Tom Uffner wrote:
> Link wrote:
>> Tom Uffner wrote:
>
>>> i'm having trouble making sense of that rule. could you explain (or
>>> maybe
>>> draw a simple diagram) what you are trying to accomplish with it?
>
>> Seems that i found problem. And I`m going to post it to freebsd bugs.
>
> you're probably better off staying on freebsd-pf
>
>> My full configuration is:
>>
>> if_bce0="bce0"
>> if_bce0_gw="172.20.51.1"
>> if_bce1="bce1"
>>
>> scrub in all
>>
>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to
>> any no state flags any
>>
>> The sense is: when packet comes in on bce0 server should ignore
>> default route ( set on bce1 ) and reply via bce0 using gateway if_bce0_gw
>
> just guessing (based on very incomplete info) you might want
> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any"
>
> but it seems like there should be a simpler way to do that.
>
> can you give us a little more info about your net topology? for example,
> what IP addresses, if any, are bound to the interfaces? what network(s)
> are directly attached? location(s)/address(es) of your router(s)? do you
> have any static routes defined?
>
>> Now i have about 15 hosts with freebsd 7.1
>> Part of them are p2 and part of them p3
>> This problem appears only in p3
>
> not sure why the chipset would make a difference. maybe that is a bug.
>
> tom

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 28 12:46:44 2009
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605658786@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316056585C1@ad-exh01.adhost.lan> <200901231904.22558.max@love2party.net>
<17838240D9A5544AAA5FF95F8D52031605658786@ad-exh01.adhost.lan> Date: Sat, 28 Feb 2009 14:46:42 +0200 Message-ID: <9e20d71e0902280446n4a49e693p70930dd88a349568@mail.gmail.com> 
From: Artis Caune
To: "Michael K. Smith - Adhost"
Cc: freebsd-pf@freebsd.org
Subject: Re: Issues with PF and 7.1

2009/1/24 Michael K. Smith - Adhost :
> Thanks for the info.  In stages, we upped the vm.kmem_size_max from 300M to 1536M after modifying the kernel (we actually tried 2048M but that caused a panic).  With the 1536M setting the 'DIOCADDRULE: Cannot allocate memory' doesn't occur anymore, but we still have to flush the tables manually when the system comes up.  Now, at least, the flush actually works and PF loads successfully, but only after we do the flush on all the tables.  As you can imagine, this is not optimal for unattended/random reboots, which we see about 3 times a week.

You are running i386? (if you have modified the kernel)
Can you try to edit i386/include/pmap.h and change NKPT to 128 and
recompile the kernel.

-- 
regards,
Artis Caune

<----.
CCNA | BSDA
<----|====================
<----'     didii FreeBSD

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 28 22:34:39 2009
Message-ID: <49A9BBF5.1060706@uffner.com>
Date: Sat, 28 Feb 2009 17:34:29 -0500
From: Tom Uffner
To: Zinevich Denis
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd 7.1 pf route-to connection stall
In-Reply-To: <49A8FED7.3000603@ngc.net.ua>

Zinevich Denis wrote:
> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
> work. But anyway question is not in syntax of rules, because nobody
> touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3
>
> Network is quite simple.
> Server has 2 cards bce0 and bce1
> bce0 - 172.20.51.10
> bce1 - 172.20.1.130
> default gw - 172.20.1.1
> networks are /24
>
> As i described before goal of my rule is to ignore default route when
> request comes on 172.20.51.10.
> Without such rule reply will go to 172.20.1.1 and with pf rule it will
> go out to 172.20.51.1 via bce0.
> For example similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
> 172.20.51.10 to any
>
>> Link wrote:
>>> My full configuration is:
>>>
>>> if_bce0="bce0"
>>> if_bce0_gw="172.20.51.1"
>>> if_bce1="bce1"
>>>
>>> scrub in all
>>>
>>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to
>>> any no state flags any

I apologize for misunderstanding the part of your reply about FreeBSD
7.1 patchlevels. I realized my error too late after i had sent the
message.

The simplest way to do what you want doesn't involve a firewall at all.
simply configure the devices on the 172.20.51/24 network with the
following routes:

Destination        Gateway
default            172.20.51.1
172.20.1/24        172.20.51.10

if this is not possible for some reason and you must bounce them through
the firewall, i think the rules you want are:

pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
        from $if_bce0:network to any

according to my understanding of pf syntax, it was probably a bug that
your ruleset ever worked. "... from $if_bce0 ..." should have matched
only packets from the local server w/ source addresses of 172.20.51.10.

just adding :network to the $if_bce0 in the from clause in your rule
should make it do what you want, but is quite inefficient. you are
checking every outbound packet on bce1 after all of the normal
processing & routing has been done, rewriting the ones that arrived on
bce0 and sending them back through the network subsystem again.

it would be better to check the in-bound packets on bce0, accept the
ones destined for the local host or the 172.20.1/24 network, and
re-route the ones that would use the default gw.

tom
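
The two inbound rules proposed in the message above, modeled as an added example that is not part of the original post: a simplified Python model (not pf itself) of how a bare interface name and the :network modifier expand, and how quick and last-match evaluation choose the action. The sample packets, the 198.51.100.7 destination and the function names are constructed for illustration.

```python
import ipaddress

# Values taken from the thread: bce0 is 172.20.51.10/24, its gateway 172.20.51.1.
IFACE = ipaddress.ip_interface("172.20.51.10/24")
GATEWAY = "172.20.51.1"

def expand(spec):
    """Expand a pf-style address spec into networks (simplified model)."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec == "bce0":              # bare interface name: its own address only
        return [ipaddress.ip_network(f"{IFACE.ip}/32")]
    if spec == "bce0:network":      # :network modifier: the attached subnet
        return [IFACE.network]
    # Space-separated list; 172.20.1/24 is written out as 172.20.1.0/24 here.
    return [ipaddress.ip_network(item) for item in spec.split()]

def matches(spec, addr):
    return any(ipaddress.ip_address(addr) in net for net in expand(spec))

# (quick, from, to, action) for packets arriving on bce0, in ruleset order.
RULES = [
    (True, "any", "172.20.51.10 172.20.1.0/24", "pass"),
    (False, "bce0:network", "any", f"route-to {GATEWAY}"),
]

def evaluate(src, dst, rules=RULES):
    """Last matching rule wins, unless a matching rule is marked quick."""
    verdict = "pass (no rule matched)"   # pf passes by default
    for quick, frm, to, action in rules:
        if matches(frm, src) and matches(to, dst):
            verdict = action
            if quick:
                break
    return verdict

if __name__ == "__main__":
    # Constructed sample packets: (source, destination)
    for src, dst in [("172.20.51.20", "172.20.51.10"),
                     ("172.20.51.20", "172.20.1.50"),
                     ("172.20.51.20", "198.51.100.7")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

Swapping "bce0:network" for "bce0" in the second rule leaves traffic from other hosts on 172.20.51/24 unmatched, which is the expansion difference the reply describes.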