From owner-freebsd-pf@FreeBSD.ORG Mon Dec 28 11:07:05 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 28 Dec 2009 11:07:04 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

38 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 28 21:03:36 2009
From: Martin Baumann
To: freebsd-pf@freebsd.org
Date: Mon, 28 Dec 2009 21:39:47 +0100
Subject: school project

Hi,

Firstly I want to apologize for interrupting you with such a stupid thing,
but I need help.

I have to write an adaptive application firewall as a PF module (using
ioctl or anchor...).

The problem is I don't know where I should look for some documentation or
some API description, so I don't know how to start.

I am looking for some person who wrote a module for PF to help me start and
answer some simple questions.

Best regards,
Martin Baumann

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 28 21:33:23 2009
From: Tom Judge
To: Martin Baumann
Cc: freebsd-pf@freebsd.org
Date: Mon, 28 Dec 2009 15:33:16 -0600
Subject: Re: school project

On 28/12/2009 14:39, Martin Baumann wrote:
> Hi,
>
> Firstly I want to apologize for interrupting you with such a stupid
> thing but I need help.
>
> I have to write adaptive application firewall as PF module (using ioctl
> or anchor...).
>
> The problem is I don't know where I should look for some documentation
> or some API description, so I don't know how to start.
>
> I am looking for some person who wrote module for PF to help me start
> and answer me some simple questions.
>

Hi Martin,

There are a number of userland daemons that do this kind of thing already:

* ftpsesame
* miniupnpd

These are but 2 of a long list. There is a guide on the miniupnpd website
on how to interface with rules in anchors for both NAT and filter type
rules.

Hope this is useful.

Tom

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 28 21:40:23 2009
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 28 Dec 2009 22:40:21 +0100
Subject: Re: school project

Hello,

On Monday 28 December 2009 21:39:47 Martin Baumann wrote:
> Firstly I want to apologize for interrupting you with such a stupid
> thing but I need help.
>
> I have to write adaptive application firewall as PF module (using ioctl
> or anchor...).
>
> The problem is I don't know where I should look for some documentation
> or some API description, so I don't know how to start.

"man 4 pf" should get you started. Also looking at the pfctl and authpf
code can be helpful. In general it is easiest to exec(2) pfctl for simple
operations and only twiddle with ioctl if you really have to (due to
performance or complexity).

> I am looking for some person who wrote module for PF to help me start
> and answer me some simple questions.

I won't do your homework, but shoot and I'll see if I can help.

BTW, what kind of school are you attending where they let you fiddle with
BSD? Cool!

Regards,
--
Max

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 28 21:48:41 2009
From: "Gerry Weaver"
Organization: Compvia Corp.
To: "Martin Baumann"
Cc: freebsd-pf@freebsd.org
Date: Mon, 28 Dec 2009 15:22:02 -0600
Subject: Re: school project

Hi,

I would start with "man pf". The pf man page. You may also want to look at
the pf source code.

-G

On Mon, 28 Dec 2009 14:39:47 -0600, Martin Baumann wrote:
> Hi,
>
> Firstly I want to apologize for interrupting you with such a stupid
> thing but I need help.
>
> I have to write adaptive application firewall as PF module (using ioctl
> or anchor...).
>
> The problem is I don't know where I should look for some documentation
> or some API description, so I don't know how to start.
>
> I am looking for some person who wrote module for PF to help me start
> and answer me some simple questions.
>
> Best regards,
>
> Martin Baumann

--
Gerry Weaver
Compvia Corp.
(800) 318-6118
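As an added example of the approach Tom and Max describe above (a userland "adaptive firewall" that keeps its policy in a pf anchor and a table and drives them by exec'ing pfctl instead of using the ioctl interface), the following code is not from this thread or from pf/pfctl. It counts failed logins in constructed sshd-style log lines, validates every address before it becomes a pfctl argument, and emits the pfctl commands that block repeat offenders; the anchor name `adaptive`, the table name `blocked`, and the assumption that /etc/pf.conf declares `table <blocked> persist` and `anchor "adaptive"` are my own choices.

```python
"""Adaptive firewall glue: policy lives in a pf anchor plus a table,
and the daemon only execs pfctl.  Added example, not code from the thread."""
import ipaddress
import re
import subprocess
from collections import Counter

# Constructed sample of sshd-style log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Dec 28 21:39:47 fw sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Dec 28 21:39:49 fw sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Dec 28 21:39:52 fw sshd[812]: Failed password for root from 203.0.113.5 port 4244 ssh2
Dec 28 21:40:01 fw sshd[815]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Dec 28 21:40:05 fw sshd[816]: Accepted publickey for alice from 198.51.100.7 port 5101 ssh2
Dec 28 21:40:09 fw sshd[817]: Failed password for invalid user test from not-an-ip port 1 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

ANCHOR = "adaptive"   # assumed: /etc/pf.conf carries  anchor "adaptive"
TABLE = "blocked"     # assumed: /etc/pf.conf carries  table <blocked> persist


def anchor_rules(table=TABLE):
    """Ruleset loaded into the anchor: drop anything sourced from the table."""
    return f"block drop in log quick from <{table}> to any\n"


def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failed logins.  Only syntactically
    valid addresses are returned: each value ends up as an argument to a
    privileged tool, so log-derived strings are validated first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # garbage in the log, never passed to pfctl
        counts[str(ip)] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def pfctl_commands(ips, table=TABLE):
    """pfctl invocations that block the offenders: add each address to the
    table, then kill its existing states so in-flight connections drop too."""
    cmds = []
    for ip in ips:
        cmds.append(["pfctl", "-t", table, "-T", "add", ip])
        cmds.append(["pfctl", "-k", ip])
    return cmds


def load_anchor(anchor=ANCHOR, run=subprocess.run):
    """Load the anchor ruleset from stdin: pfctl -a <anchor> -f -"""
    return run(["pfctl", "-a", anchor, "-f", "-"], input=anchor_rules(),
               text=True, check=True)


def apply_block(log_text, run=subprocess.run):
    """One cycle of the adaptive loop; `run` is injectable for dry runs."""
    cmds = pfctl_commands(offenders(log_text))
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run: print the pfctl commands instead of executing them.
    apply_block(SAMPLE_LOG, run=lambda cmd, **kw: print(" ".join(cmd)))
```

Run as root on a pf host, `load_anchor()` installs the rule once and `apply_block()` can then be called on each batch of new log lines; only the table membership changes between cycles, not the ruleset.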
> > I am looking for some person who wrote module for PF to help me start > and answer me some simple questions. > > > Best regards, > > > Martin Baumann > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" -- Gerry Weaver Compvia Corp. (800) 318-6118 From owner-freebsd-pf@FreeBSD.ORG Wed Dec 30 07:04:24 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 09AF41065672 for ; Wed, 30 Dec 2009 07:04:24 +0000 (UTC) (envelope-from k@kevinkevin.com) Received: from mail-yx0-f171.google.com (mail-yx0-f171.google.com [209.85.210.171]) by mx1.freebsd.org (Postfix) with ESMTP id C80B48FC13 for ; Wed, 30 Dec 2009 07:04:23 +0000 (UTC) Received: by yxe1 with SMTP id 1so10836846yxe.3 for ; Tue, 29 Dec 2009 23:04:21 -0800 (PST) Received: by 10.101.7.35 with SMTP id k35mr26661234ani.179.1262156660915; Tue, 29 Dec 2009 23:04:20 -0800 (PST) Received: from kkPC (not.enough.unixsluts.com [76.10.166.187]) by mx.google.com with ESMTPS id 22sm12618854iwn.12.2009.12.29.23.04.19 (version=SSLv3 cipher=RC4-MD5); Tue, 29 Dec 2009 23:04:19 -0800 (PST) From: "kevin" To: Date: Wed, 30 Dec 2009 02:03:41 -0500 Message-ID: <012c01ca891e$393e7860$abbb6920$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 thread-index: AcqJHjgxhmlrHHwPQNOvY9Mq2lfrKw== Content-Language: en-us Subject: carpdev : bad value? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Dec 2009 07:04:24 -0000 Hello, I am currently evaluating high availability firewalls with carp (7.2-RELEASE, PF) and have run into a problem that I would hope someone here can explain for me. According to OpenBSD's documentation on CARP, they allow an ifconfig carp directive called 'carpdev', which allows you to manually specify which physical interface you want to be associated with the redundancy group. By default, according to the documentation, carp determines which interface to add depending on if the carp assigned IP is in the same subnet. Unfortunately, am having trouble implementing this directive : # ifconfig carp0 vhid 1 pass password advskew 100 carpdev rl0 192.168.1.70/32 255.255.255.0 ifconfig: carpdev: bad value The reason I need to manually specify this directive is because there will be multiple physical interfaces that are on the same subnet, but would either be on the inside or outside interfaces from the firewall perspective. Unfortunately, the FreeBSD documentation actually omits any mentioning of the carpdev directive so I thought maybe someone here could enlighten me as to why I cant manually specify the physical interface. This has been attempted on 7.1-PRERELEASE as well as 7.2-RELEASE. Thanks in advance! 
Kevin From owner-freebsd-pf@FreeBSD.ORG Wed Dec 30 07:20:32 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 898C9106566C for ; Wed, 30 Dec 2009 07:20:32 +0000 (UTC) (envelope-from k@kevinkevin.com) Received: from mail-yw0-f197.google.com (mail-yw0-f197.google.com [209.85.211.197]) by mx1.freebsd.org (Postfix) with ESMTP id 511648FC08 for ; Wed, 30 Dec 2009 07:20:32 +0000 (UTC) Received: by ywh35 with SMTP id 35so3418694ywh.7 for ; Tue, 29 Dec 2009 23:20:24 -0800 (PST) Received: by 10.100.17.30 with SMTP id 30mr2139625anq.156.1262157624194; Tue, 29 Dec 2009 23:20:24 -0800 (PST) Received: from kkPC (not.enough.unixsluts.com [76.10.166.187]) by mx.google.com with ESMTPS id 23sm12500096iwn.7.2009.12.29.23.20.22 (version=SSLv3 cipher=RC4-MD5); Tue, 29 Dec 2009 23:20:23 -0800 (PST) From: "kevin" To: "'Xin LI'" References: <012c01ca891e$393e7860$abbb6920$@com> In-Reply-To: Date: Wed, 30 Dec 2009 02:19:45 -0500 Message-ID: <012f01ca8920$7789aa70$669cff50$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook 12.0 thread-index: AcqJH4tym3bAwRdjRtqb86p1jKyfAAAAF/eg Content-Language: en-us Cc: freebsd-pf@freebsd.org Subject: RE: carpdev : bad value? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Dec 2009 07:20:32 -0000 > There is a LOR between CARP and if_bridge, I have a very brute force > workaround which is not suitable to commit against -HEAD :( I have experienced a kernel panic when playing around with transparent = bridging + pf + carp. 
Not having carpdev is unfortunate -- it limits my = options with my current network environment :/ I suppose I could migrate to OpenBSD, but I was trying to avoid that. Thanks, Kevin From owner-freebsd-pf@FreeBSD.ORG Wed Dec 30 07:36:13 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CD9CF106568F for ; Wed, 30 Dec 2009 07:36:13 +0000 (UTC) (envelope-from k@kevinkevin.com) Received: from mail-yx0-f171.google.com (mail-yx0-f171.google.com [209.85.210.171]) by mx1.freebsd.org (Postfix) with ESMTP id 82B8A8FC19 for ; Wed, 30 Dec 2009 07:36:13 +0000 (UTC) Received: by yxe1 with SMTP id 1so10847770yxe.3 for ; Tue, 29 Dec 2009 23:36:01 -0800 (PST) Received: by 10.150.252.17 with SMTP id z17mr25972774ybh.277.1262158561468; Tue, 29 Dec 2009 23:36:01 -0800 (PST) Received: from kkPC (not.enough.unixsluts.com [76.10.166.187]) by mx.google.com with ESMTPS id 20sm12598513iwn.1.2009.12.29.23.35.59 (version=SSLv3 cipher=RC4-MD5); Tue, 29 Dec 2009 23:35:59 -0800 (PST) From: "kevin" To: "'Kevin'" References: <003001ca7cdc$0b530540$21f90fc0$@com> <4B2924D4.9010207@tomjudge.com> <005501ca7e85$7bb28e50$7317aaf0$@com> In-Reply-To: <005501ca7e85$7bb28e50$7317aaf0$@com> Date: Wed, 30 Dec 2009 02:35:21 -0500 Message-ID: <013801ca8922$a5b50dc0$f11f2940$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 thread-index: Acp+fJqzUx0FFR5mR7CbU/cqTutczQAB2tUwAqd+HHA= Content-Language: en-us Cc: freebsd-pf@freebsd.org Subject: RE: PF Transparent Bridge Firewall + CARP X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Dec 2009 07:36:13 -0000 > -----Original Message----- > From: 
Tom Judge > Sent: Wednesday, December 16, 2009 1:20 PM > To: Kevin > Cc: freebsd-pf@freebsd.org > Subject: Re: PF Transparent Bridge Firewall + CARP > > [router] > | > [------switch 1------] > | | > [FW1]--{pfsync}--[FW2] > | | > [------switch 2------] > | > [clients] I have a really stupid question. If I have a switch with 2 VLANS (one DMZ / 'outside', one internal / 'lan') and two firewalls with transparent bridging + PF , filtering all inbound/outbound traffic -- would I even need CARP? Is CARP overkill? I'm thinking in a disaster recovery scenario -- if one firewall blows up. There's no logical master/slave relationship, but wouldn't there be minimal (if any) downtime? I'm starting to notice that carp doesn't play nicely with bridging , nor is there any carpdev implementation for manually specifying physical interfaces for the redundancy group -- especially necessary if multiple interfaces are on the same subnet. All I want is simple redundancy. Suggestions / ideas / comments are welcome. 
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 30 07:39:55 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CBE4F1065670 for ; Wed, 30 Dec 2009 07:39:55 +0000 (UTC) (envelope-from delphij@gmail.com) Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) by mx1.freebsd.org (Postfix) with ESMTP id A627F8FC16 for ; Wed, 30 Dec 2009 07:39:55 +0000 (UTC) Received: by pwi15 with SMTP id 15so7929289pwi.3 for ; Tue, 29 Dec 2009 23:39:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=b5jJIryPPfHp+uCwCMuylrHcbQ+yP99538o3Rz2wJW8=; b=ne71HSV8b2SyUOiUjreb3Uu1DVwkp0U2Gjt3FluICZPz6YJdy6ukFZySdQ7OcdBpr2 AXz3thuo6ke7VbyCewX7y0BFLfi6CRreu9mFfHFuY51aPas2m0c8i3m/go7vcy+Zojgv YSncwyUUIjdtz+8nhI6D0MjL200IzAogbA5Ig= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=xnhnnusVeDZYomsJ+Mq5Rd2oWToSRZhacAtolf0MadVMcSpb6WuwLwRRId8jGcVdpY YqWl0/lQBq+MM/7cS4TP77/9MtUyNc+I6Xpone/Dw4jFtmtZ9CwYZwhgT8ucSgUZLOhB zYH0RBu0+UMaVGPBh1hgDnh3APAbPRVoR7Z7c= MIME-Version: 1.0 Received: by 10.115.80.18 with SMTP id h18mr10177014wal.53.1262157187568; Tue, 29 Dec 2009 23:13:07 -0800 (PST) In-Reply-To: <012c01ca891e$393e7860$abbb6920$@com> References: <012c01ca891e$393e7860$abbb6920$@com> Date: Tue, 29 Dec 2009 23:13:07 -0800 Message-ID: From: Xin LI To: kevin Content-Type: text/plain; charset=UTF-8 Cc: freebsd-pf@freebsd.org Subject: Re: carpdev : bad value? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Dec 2009 07:39:55 -0000 On Tue, Dec 29, 2009 at 11:03 PM, kevin wrote: > Hello, > > > I am currently evaluating high availability firewalls with carp > (7.2-RELEASE, PF) and have run into a problem that I would hope someone here > can explain for me. > > According to OpenBSD's documentation on CARP, they allow an ifconfig carp > directive called 'carpdev', which allows you to manually specify which > physical interface you want to be associated with the redundancy group. Unfortunately the current FreeBSD CARP does not support carpdev... eri@ is working on bringing our pf subsystem to a newer version, but someone (TM) must sit down and work on CARP to make some improvements. There is a LOR between CARP and if_bridge, I have a very brute force workaround which is not suitable to commit against -HEAD :( Cheers, -- Xin LI http://www.delphij.net From owner-freebsd-pf@FreeBSD.ORG Wed Dec 30 07:48:37 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 14B8D1065692 for ; Wed, 30 Dec 2009 07:48:37 +0000 (UTC) (envelope-from delphij@gmail.com) Received: from mail-pz0-f185.google.com (mail-pz0-f185.google.com [209.85.222.185]) by mx1.freebsd.org (Postfix) with ESMTP id E14368FC0C for ; Wed, 30 Dec 2009 07:48:36 +0000 (UTC) Received: by pzk15 with SMTP id 15so8102609pzk.3 for ; Tue, 29 Dec 2009 23:48:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=ohYcZY3yN0YMHlO8sX9KIA6wE7pvFTQGg/qN0k2XQ2I=; 
b=SsZVRq4N13h3Kj/FVj8CSuATWGe1n9YO+eEI8plSnb9t5Fm5EPfSwGakXCY76Li5Dc r/uMP277S7BTeqtnjmaqSkpNXIWtlkQEFxaht2H5Fnze1QG/5QPR021FbgTzFJPX8l/B kmDVa/2zRiETV0TF0ARvRmowH1OHw9ouR5sOM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=FnLOLoJ9EgAYQtIMmczvqHW7AOlcrZU9qcCNs8CyhXhAyW6GhUiTKlBog0KNMIwsD7 qDFcx88oamzLz+1ZIlJzH/DOndnQpvLg5BDEcyBs60/AC9TxrqKC5xE8QNwkAVgaD/Rh pJB/s1zl96zgHOxgp1PWLeXxD0NfrlTeMbPZg= MIME-Version: 1.0 Received: by 10.115.66.25 with SMTP id t25mr3734377wak.212.1262159311465; Tue, 29 Dec 2009 23:48:31 -0800 (PST) In-Reply-To: <012f01ca8920$7789aa70$669cff50$@com> References: <012c01ca891e$393e7860$abbb6920$@com> <012f01ca8920$7789aa70$669cff50$@com> Date: Tue, 29 Dec 2009 23:48:31 -0800 Message-ID: From: Xin LI To: kevin Content-Type: text/plain; charset=UTF-8 Cc: freebsd-pf@freebsd.org Subject: Re: carpdev : bad value? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Dec 2009 07:48:37 -0000 On Tue, Dec 29, 2009 at 11:19 PM, kevin wrote: >> There is a LOR between CARP and if_bridge, I have a very brute force >> workaround which is not suitable to commit against -HEAD :( > > > I have experienced a kernel panic when playing around with transparent bridging + pf + carp. Not having carpdev is unfortunate -- it limits my options with my current network environment :/ Shouldn't be a panic but a very hard hang. (except if you use CURRENT or have WITNESS turned on). This can be worked around by disallowing sending ARP broadcast on the bridge device (before sending ARP, test if the ifp is pointing to a bridge device) but that's not ideal. 
I use a patched version in production (bridging is used to bridge OpenVPN clients to the network, CARP for failover, pf for load balance and pf-sync for failover, it's an active-active DSR setup). I have committed a patch that makes pf w/DSR setup work a week ago but have not yet MFC'ed it, the patch can be directly applied against 8-STABLE, though. > I suppose I could migrate to OpenBSD, but I was trying to avoid that. We'd love to solve this soon but I suggest you to evaluate whether you want OpenBSD, and check if someone else is actively working on porting new feature/fixes. At this moment, OpenBSD have more advanced pf, which could be useful for some setups. I would be happy to share my patches/experience with everyone who needs them, but I need to focus on some other work so maybe not able to solve some "new" problems at this time, sorry. Cheers, -- Xin LI http://www.delphij.net From owner-freebsd-pf@FreeBSD.ORG Wed Dec 30 16:07:41 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2A5ED1065697 for ; Wed, 30 Dec 2009 16:07:41 +0000 (UTC) (envelope-from k@kevinkevin.com) Received: from mail-yw0-f197.google.com (mail-yw0-f197.google.com [209.85.211.197]) by mx1.freebsd.org (Postfix) with ESMTP id E2BB78FC1E for ; Wed, 30 Dec 2009 16:07:40 +0000 (UTC) Received: by ywh35 with SMTP id 35so3678481ywh.7 for ; Wed, 30 Dec 2009 08:07:34 -0800 (PST) Received: by 10.151.19.8 with SMTP id w8mr26642711ybi.224.1262189253980; Wed, 30 Dec 2009 08:07:33 -0800 (PST) Received: from kkPC (not.enough.unixsluts.com [76.10.166.187]) by mx.google.com with ESMTPS id 23sm12850404iwn.3.2009.12.30.08.07.31 (version=SSLv3 cipher=RC4-MD5); Wed, 30 Dec 2009 08:07:32 -0800 (PST) From: "kevin" To: "'Xin LI'" References: <012c01ca891e$393e7860$abbb6920$@com> <012f01ca8920$7789aa70$669cff50$@com> In-Reply-To: Date: Wed, 30 Dec 2009 11:06:53 -0500 Message-ID: 
<013c01ca896a$1baea710$530bf530$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 thread-index: AcqJJHzakynBvW/JRQu+rPXgRYRdJgARYh8w Content-Language: en-us Cc: freebsd-pf@freebsd.org Subject: RE: carpdev : bad value? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Dec 2009 16:07:41 -0000 >I have committed a patch that makes pf w/DSR setup work a week ago but >have not yet MFC'ed it, the patch can be directly applied against >8-STABLE, though. Would you be able to share the patch with me? I am on 7.2-RELEASE, however. Please advise. Thanks, Kevin From owner-freebsd-pf@FreeBSD.ORG Wed Dec 30 16:12:36 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8694110656A5 for ; Wed, 30 Dec 2009 16:12:36 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from tomjudge.vm.bytemark.co.uk (tomjudge.vm.bytemark.co.uk [80.68.91.100]) by mx1.freebsd.org (Postfix) with ESMTP id 465FB8FC25 for ; Wed, 30 Dec 2009 16:12:36 +0000 (UTC) Received: from localhost (localhost.localdomain [127.0.0.1]) by tomjudge.vm.bytemark.co.uk (Postfix) with ESMTP id EA6714871B; Wed, 30 Dec 2009 16:12:34 +0000 (GMT) X-Virus-Scanned: Debian amavisd-new at tomjudge.vm.bytemark.co.uk Received: from tomjudge.vm.bytemark.co.uk ([127.0.0.1]) by localhost (tomjudge.vm.bytemark.co.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o6n-r1RYan2K; Wed, 30 Dec 2009 16:12:31 +0000 (GMT) Received: from Tom-Judges-MacBook-Pro.local (unknown [192.168.205.10]) by tomjudge.vm.bytemark.co.uk (Postfix) with ESMTP id 9847B4871A; Wed, 30 Dec 2009 16:12:30 +0000 (GMT) Message-ID: 
<4B3B7BED.3080702@tomjudge.com> Date: Wed, 30 Dec 2009 10:12:29 -0600 From: Tom Judge User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091204 Thunderbird/3.0 MIME-Version: 1.0 To: kevin References: <003001ca7cdc$0b530540$21f90fc0$@com> <4B2924D4.9010207@tomjudge.com> <005501ca7e85$7bb28e50$7317aaf0$@com> <013801ca8922$a5b50dc0$f11f2940$@com> In-Reply-To: <013801ca8922$a5b50dc0$f11f2940$@com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: PF Transparent Bridge Firewall + CARP X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Dec 2009 16:12:36 -0000 On 30/12/2009 01:35, kevin wrote: >> -----Original Message----- >> From: Tom Judge >> Sent: Wednesday, December 16, 2009 1:20 PM >> To: Kevin >> Cc: freebsd-pf@freebsd.org >> Subject: Re: PF Transparent Bridge Firewall + CARP >> >> [router] >> | >> [------switch 1------] >> | | >> [FW1]--{pfsync}--[FW2] >> | | >> [------switch 2------] >> | >> [clients] >> > > I have a really stupid question. If I have a switch with 2 VLANS (one DMZ / > 'outside', one internal / 'lan') and two firewalls with transparent bridging > + PF , filtering all inbound/outbound traffic -- would I even need CARP? Is > CARP overkill? > > I'm thinking in a disaster recovery scenario -- if one firewall blows up. > There's no logical master/slave relationship, but wouldn't there be minimal > (if any) downtime? > > You don't need carp here if your firewalls are bridges. Your main issue is that you only have one switch, the simplest redundant solution is 2 bridges running spanning tree. 
Tom


Message-ID: <4B3B84EA.3060507@delphij.net>
Date: Wed, 30 Dec 2009 08:50:50 -0800
From: Xin LI
Organization: The Geek China Organization
To: kevin
References: <012c01ca891e$393e7860$abbb6920$@com> <012f01ca8920$7789aa70$669cff50$@com> <013c01ca896a$1baea710$530bf530$@com>
In-Reply-To: <013c01ca896a$1baea710$530bf530$@com>
Content-Type: multipart/mixed;
 boundary="------------000705030905060501050805"
Cc: freebsd-pf@freebsd.org
Subject: Re: carpdev : bad value?
Reply-To: d@delphij.net

This is a multi-part message in MIME format.
--------------000705030905060501050805
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2009/12/30 08:06, kevin wrote:
>> I have committed a patch that makes pf w/DSR setup work a week ago but
>> have not yet MFC'ed it, the patch can be directly applied against
>> 8-STABLE, though.
>
> Would you be able to share the patch with me? I am on 7.2-RELEASE, however.

The patch should work cleanly on RELENG_7_2 (sys/net). However, based on
your usage I don't think this is appropriate: it's a workaround, and I
believe it would cause problems for your setup, which relies on bridge...

Cheers,
--
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!
Live free or die

--------------000705030905060501050805
Content-Type: text/plain; name="if_ethersubr.c.diff"
Content-Disposition: attachment; filename="if_ethersubr.c.diff"

Index: if_ethersubr.c
===================================================================
--- if_ethersubr.c	(revision 201259)
+++ if_ethersubr.c	(working copy)
@@ -347,8 +347,18 @@
 	* Bridges require special output handling.
 	*/
 	if (ifp->if_bridge) {
+#if defined(INET) || defined(INET6)
+#ifdef DEV_CARP
+		if ((m->m_flags & ~(M_MCAST | M_BCAST)) == m->m_flags) {
+#endif
+#endif
 		BRIDGE_OUTPUT(ifp, m, error);
 		return (error);
+#if defined(INET) || defined(INET6)
+#ifdef DEV_CARP
+		}
+#endif
+#endif
 	}
 
 #ifdef DEV_CARP

--------------000705030905060501050805--
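Review bot: the gate on the new bypass is purely a build-time one, `#if defined(INET) || defined(INET6)` plus `#ifdef DEV_CARP`, so on every kernel compiled with CARP each broadcast or multicast frame headed out a bridge member skips BRIDGE_OUTPUT and falls through to the `#ifdef DEV_CARP` code after the closing brace, whether or not the interface actually carries a CARP address. Add a runtime condition on the interface (or on the configuration this DSR workaround is meant for) so that plain bridge setups keep their current output path; the cover note already says the change would break a bridge-dependent setup, and this is why. A smaller point: `(m->m_flags & ~(M_MCAST | M_BCAST)) == m->m_flags` reads as a no-op at first glance, while `(m->m_flags & (M_MCAST | M_BCAST)) == 0` says what is meant. Wrapping the opening `{` and the closing `}` in two separate preprocessor blocks also leaves the braces unbalanced when the file is read without a preprocessor; one condition computed above the `if` into a local flag, used by a single `if` around BRIDGE_OUTPUT, would avoid that.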

Message-ID: <4B3C0734.10508@gmail.com>
Date: Thu, 31 Dec 2009 04:06:44 +0200
From: "Artjom V. Gora"
To: freebsd-pf@freebsd.org
Subject: Load balancing basing on load estimation
Reply-To: dr.tibibo@gmail.com

Hello everyone,

I'm looking for something like iptables' RATEEST+CONNMARK feature in PF. That
is, I need a feature which allows performing load balancing between two or more
net channels based on the current load estimation of each, so that it assigns
new connections to the line that has more free bandwidth.

Initially I need to achieve the following scenario. Say I have a web server
with 2 NICs attached to different routers. If nothing happens, it just works as
if a single NIC is active. But sometimes traffic burstiness occurs, say due to
movie streaming or so, and we quickly run out of bandwidth on the 1st NIC.
If that happens, all the "extra" traffic should be sent to the 2nd NIC; in
other words, every new connection should be assigned to the 2nd NIC only, until
the 1st one's normal operation resumes.

Is it possible to implement such a scenario with PF? Should I try some other
tools for this, and which, if any?

Any help is greatly appreciated.
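One way to build the decision logic the question describes, as an added example that is not from this thread and not part of pf itself: pf's route-to pools pick a gateway by round-robin, random or source-hash, not by measured load, so the usual approach is a small sampler outside pf that reads the per-interface byte counters, estimates the transmit rate, and reloads an anchor with a route-to rule once the primary uplink is near capacity. Only new states follow the anchor rule, which is exactly the "new connections go to the 2nd NIC" behaviour asked for; established transfers stay where they started. The interface names, gateways, link capacities, anchor name and the two `netstat -ibn` snapshots are constructed sample values, not the poster's setup, and the hysteresis thresholds are assumptions.

```python
"""Added example (not from the thread): choose the uplink for new connections
from measured interface load and render a pf anchor rule for it.

Interface names, gateways, capacities and the netstat snapshots are
constructed sample values; high_water/low_water are assumed thresholds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Uplink:
    ifname: str
    gateway: str        # next hop written into the route-to rule
    capacity_bps: int   # nominal link capacity in bits per second


# Constructed topology: em0 is the normal uplink, em1 the spare one.
UPLINKS: List[Uplink] = [
    Uplink("em0", "192.0.2.1", 100_000_000),
    Uplink("em1", "198.51.100.1", 100_000_000),
]

# Constructed `netstat -ibn` snapshots taken 10 seconds apart.  Only the
# <Link#N> rows carry per-interface counters; lo0 has no Address column,
# so counters are taken from the right-hand end of each row.
SAMPLE_T0 = """\
Name    Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
em0    1500 <Link#1>      00:1b:21:aa:bb:01  1000000     0  500000000   800000     0  100000000     0
em0    1500 10.0.0.0/24   10.0.0.3            999000     -  480000000   799000     -   99000000     -
em1    1500 <Link#2>      00:1b:21:aa:bb:02     1000     0     100000     1000     0     200000     0
lo0   16384 <Link#3>                            5000     0     400000     5000     0     400000     0
"""
SAMPLE_T1 = """\
Name    Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
em0    1500 <Link#1>      00:1b:21:aa:bb:01  1090000     0  540000000   890000     0  212500000     0
em0    1500 10.0.0.0/24   10.0.0.3           1089000     -  520000000   889000     -  211500000     -
em1    1500 <Link#2>      00:1b:21:aa:bb:02     1010     0     101000     1010     0     212500     0
lo0   16384 <Link#3>                            5050     0     404000     5050     0     404000     0
"""
INTERVAL_S = 10


def parse_netstat_ibn(text: str) -> Dict[str, int]:
    """Map interface name -> Obytes from netstat -ibn style output."""
    obytes: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[2].startswith("<Link#"):
            continue
        # The last seven columns are Ipkts Ierrs Ibytes Opkts Oerrs Obytes Coll.
        obytes[fields[0]] = int(fields[-2])
    return obytes


def rate_bps(before: Dict[str, int], after: Dict[str, int], interval_s: float) -> Dict[str, float]:
    """Transmit rate in bits per second per interface between two samples."""
    return {ifn: (after[ifn] - before[ifn]) * 8 / interval_s
            for ifn in after if ifn in before}


def choose_uplink(rates: Dict[str, float], uplinks: List[Uplink],
                  current: Optional[Uplink] = None,
                  high_water: float = 0.8, low_water: float = 0.6) -> Uplink:
    """Uplink that *new* connections should use.

    Hysteresis: leave the primary once it is above high_water of its capacity
    and come back only when it has dropped below low_water, so a rate hovering
    around a single threshold does not flip the rule on every sample.
    """
    primary = uplinks[0]
    load = rates.get(primary.ifname, 0.0) / primary.capacity_bps
    on_primary = current is None or current == primary
    if (on_primary and load < high_water) or (not on_primary and load < low_water):
        return primary
    # Among the spares, take the one with the most free bandwidth right now.
    return max(uplinks[1:], key=lambda u: u.capacity_bps - rates.get(u.ifname, 0.0))


def anchor_rules(uplink: Uplink) -> str:
    """Rule text for the anchor.  Only new TCP states are steered; existing
    states keep the interface they were created on."""
    return (f"pass out quick route-to ({uplink.ifname} {uplink.gateway}) "
            f"proto tcp from any to any flags S/SA keep state\n")


def select_rules(sample_before: str, sample_after: str, interval_s: float,
                 current: Optional[Uplink] = None,
                 uplinks: List[Uplink] = UPLINKS) -> str:
    """One sampler iteration: parse two snapshots, pick the uplink, render rules."""
    rates = rate_bps(parse_netstat_ibn(sample_before),
                     parse_netstat_ibn(sample_after), interval_s)
    return anchor_rules(choose_uplink(rates, uplinks, current))


if __name__ == "__main__":
    # In a real loop the snapshots come from `netstat -ibn`, and the output is
    # written to a file and loaded with `pfctl -a uplink -f <file>`; pf.conf
    # must contain an `anchor uplink` line for the rule to take effect.
    print(select_rules(SAMPLE_T0, SAMPLE_T1, INTERVAL_S), end="")
```

With the sample snapshots em0 has sent 112.5 MB in 10 s (90 Mbit/s on a 100 Mbit/s link), so the script emits a route-to rule for em1; once em0 falls back below the low-water mark the next iteration emits a rule for em0 again. Sampling over a short fixed interval is a crude estimator, and the rule deliberately matches only TCP SYNs, so the two NICs' gateways must both be able to carry the server's replies for the route-to path to work.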