From owner-freebsd-pf@FreeBSD.ORG Mon Jun 15 06:58:32 2009
Date: Mon, 15 Jun 2009 08:58:17 +0200
From: Gert Doering
To: Doug Barton
Cc: bzeeb-lists@lists.zabbadoz.net, Gert Doering, freebsd-pf@FreeBSD.org
Subject: Re: Moving the pf rc.d scripts to run before netif
Message-ID: <20090615065817.GJ290@greenie.muc.de>
In-Reply-To: <4A242035.8010101@FreeBSD.org>

Hi Doug,

thanks for taking this up - and sorry for not responding more timely.

I can't answer all the questions but might have a yet-unmentioned idea
that could solve all this in one go :-)

On Mon, Jun 01, 2009 at 11:38:45AM -0700, Doug Barton wrote:
> 2. The previous rcorder for the pf script was right after netif (the
> network coming up) and before routing .... why? Is this related to how
> pf does its work? The reason I ask this question is that in order to
> fix the IPv6 rcorder problem in the pr the way that Gert is suggesting
> the "BEFORE: routing" would have to be removed because our IPv6
> startup depends on RA which depends on routing being up. (Side note,
> in the long term I'd like to revise this so that an IPv6-only host
> and/or a host with statically assigned IPv6 addresses can easily be
> configured within rc.d, but that's another thing altogether.)
>
> 3. Is the need to be able to use $ext_if after the network is up so
> overwhelmingly important that it justifies running pf after netif? Or
> is using ($ext_if) a reasonable solution?

Well - let's turn this one around: since we *have* the functionality in
pf(4), let's not cripple it by building a framework that makes using this
functionality effectively impossible. If I understand Bjoern right, this
is also a performance issue - ($ext_if) needs a per-packet lookup to
get the now-current address, while $ext_if reads the address at pf setup
time.

I can see the arguments for having the firewall initialization right at
the start - to avoid opening a window of opportunity where services are
"up" but the firewall hasn't yet been loaded.

So what about the following approach:

- split the firewall initialization into two halves

- the first half is run before any other networking stuff is configured
  and basically sets up a "deny everything incoming" filter (with
  exceptions for IPv6 RD/ND, of course).

  Optionally this could permit outbound connections (with state), to
  enable things like bgpd to run.

- after this, run interface configuration, set up routing, ...

- when all this is finished, load the "real" set of firewall rules,
  which can now (if so desired) safely use $ext_if

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany   gert@greenie.muc.de
fax: +49-89-35655025             gert@net.informatik.tu-muenchen.de

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 15 11:07:00 2009
Date: Mon, 15 Jun 2009 11:07:00 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <200906151107.n5FB70Bh077023@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental
development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

32 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 15 19:26:05 2009
Date: Mon, 15 Jun 2009 12:26:09 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
To: Gert Doering
Cc: bzeeb-lists@lists.zabbadoz.net, freebsd-pf@FreeBSD.org
Subject: Re: Moving the pf rc.d scripts to run before netif
Message-ID: <4A36A051.3040007@FreeBSD.org>
In-Reply-To: <20090615065817.GJ290@greenie.muc.de>

Gert Doering wrote:
> Hi Doug,
>
> thanks for taking this up - and sorry for not responding more timely.
>
> I can't answer all the questions but might have a yet-unmentioned idea
> that could solve all this in one go :-)
>
> On Mon, Jun 01, 2009 at 11:38:45AM -0700, Doug Barton wrote:
>> 2. The previous rcorder for the pf script was right after netif (the
>> network coming up) and before routing .... why? Is this related to how
>> pf does its work? The reason I ask this question is that in order to
>> fix the IPv6 rcorder problem in the pr the way that Gert is suggesting
>> the "BEFORE: routing" would have to be removed because our IPv6
>> startup depends on RA which depends on routing being up. (Side note,
>> in the long term I'd like to revise this so that an IPv6-only host
>> and/or a host with statically assigned IPv6 addresses can easily be
>> configured within rc.d, but that's another thing altogether.)
>>
>> 3. Is the need to be able to use $ext_if after the network is up so
>> overwhelmingly important that it justifies running pf after netif? Or
>> is using ($ext_if) a reasonable solution?
>
> Well - let's turn this one around: since we *have* the functionality in
> pf(4), let's not cripple it by building a framework that makes using this
> functionality effectively impossible. If I understand Bjoern right, this
> is also a performance issue - ($ext_if) needs a per-packet lookup to
> get the now-current address, while $ext_if reads the address at pf setup
> time.
>
> I can see the arguments for having the firewall initialization right at
> the start - to avoid opening a window of opportunity where services are
> "up" but the firewall hasn't yet been loaded.
>
> So what about the following approach:
>
> - split the firewall initialization into two halves
>
> - the first half is run before any other networking stuff is configured
>   and basically sets up a "deny everything incoming" filter (with
>   exceptions for IPv6 RD/ND, of course).
>
>   Optionally this could permit outbound connections (with state), to
>   enable things like bgpd to run.
>
> - after this, run interface configuration, set up routing, ...
>
> - when all this is finished, load the "real" set of firewall rules,
>   which can now (if so desired) safely use $ext_if

I already said I support this solution, I'm just waiting for someone with
some real pf knowledge to propose something.

Doug

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 16 20:46:34 2009
Date: Tue, 16 Jun 2009 20:46:34 GMT
From: vwe@FreeBSD.org
To: vwe@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/134996: [pf] Anchor tables not included when pfctl(8) is run with -o
Message-Id: <200906162046.n5GKkYp9083921@freefall.freebsd.org>

Old Synopsis: Anchor tables not included when pfctl is run with -o
New Synopsis: [pf] Anchor tables not included when pfctl(8) is run with -o

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: vwe
Responsible-Changed-When: Tue Jun 16 20:45:10 UTC 2009
Responsible-Changed-Why:
not quite sure if this is a question or a bug report
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=134996
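The two-phase pf initialization Gert proposes earlier in this thread (a minimal ruleset loaded before netif, the real ruleset loaded after routing), sketched below as an added example that is not from the thread, from FreeBSD's rc.d or from any of its authors; the file name /etc/pf.boot.conf, the interface name em0 and the individual rules are assumptions chosen to illustrate the split.

```pf
# ---- /etc/pf.boot.conf (assumed name): phase 1 --------------------------
# Loaded before netif, so no interface has an address yet.  Nothing here
# may use $ext_if or an address macro; every rule is expressed by protocol
# alone.  Loading it as the first network step closes the window in which
# services are "up" but no filter is loaded.
set block-policy drop
set skip on lo0

block all

# Gert's IPv6 RD/ND exception: without router and neighbour discovery the
# later netif step can neither configure addresses nor learn a default
# route, so these ICMPv6 types must pass in both directions.
pass in  inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, routeradv } keep state
pass out inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, routersol } keep state

# The optional half of the proposal: stateful outbound only, so daemons
# such as bgpd can open sessions before the real ruleset arrives, while
# nothing unsolicited gets in.
pass out proto { tcp, udp } keep state

# ---- /etc/pf.conf: phase 2 ----------------------------------------------
# Loaded by the pf rc.d script after netif and routing.  pfctl -f swaps
# the phase 1 ruleset for this one in a single step, so no gap opens.
ext_if = "em0"                          # assumed interface name

set block-policy drop
set skip on lo0

block all

pass in  on $ext_if inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, routeradv } keep state
pass out on $ext_if inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, routersol } keep state

# $ext_if used as an address expands to the interface's addresses once,
# when pfctl parses this file.  That costs nothing per packet, but it is
# also why this file cannot be loaded before netif has assigned them.
pass out on $ext_if from $ext_if keep state
pass in  on $ext_if proto tcp to $ext_if port ssh flags S/SA keep state

# The alternative Bjoern describes: ($ext_if) is resolved for every packet,
# so it tolerates being loaded before the address exists and follows later
# address changes, at the price of a lookup per packet.
# pass in  on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
```

Each file can be checked without loading it via `pfctl -nf <file>`; the rc.d side of the split is an ordering question (phase 1 BEFORE netif, phase 2 REQUIRE netif and routing) that this example does not implement.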