From owner-freebsd-pf@FreeBSD.ORG Mon Apr 26 11:07:06 2010
Date: Mon, 26 Apr 2010 11:07:06 GMT
Message-Id: <201004261107.o3QB76XL004229@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

43 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 26 11:24:16 2010
Date: Mon, 26 Apr 2010 13:24:10 +0200
From: britneyfreek
To: Z Wing
Cc: "freebsd-pf@freebsd.org"
In-Reply-To: <803125.29540.qm@web29004.mail.ird.yahoo.com>
References: <4BC28390.3010808@infoweapons.com> <803125.29540.qm@web29004.mail.ird.yahoo.com>
Subject: Re: hfsc & pf

regarding hfsc, let me provide you 2 interesting links:

http://www.probsd.net/pf/index.php/Hednod's_HFSC_explained
https://calomel.org/pf_hfsc.html

- b

2010/4/12 Z Wing:
> Oh I see, so you set that initially but each queue will definitely borrow
> from the parent queue (up to upperlimit)? with cbq you have to specify
> "borrow" don't you, but is my understanding right that borrow is implied
> with hfsc?
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 30 10:04:02 2010
Date: Fri, 30 Apr 2010 11:39:27 +0200
From: Antonio Bonifati
To: freebsd-pf@freebsd.org
Subject: NAPT on a routed address pool: problem with the broadcast address

Hi to all.

I have a question relating to NAPT on an address pool. I'm using PF with a
rule like this:

  nat on $my_outbound_if from $my_internal_net to any -> $my_CIDR_pool source-hash

My internal net has more private IPs than those of the public pool. In order
for this to work I've noticed all the pool's addresses must be bound to my
outbound router interface. This worked for me when my router was connected to
a switch. But now it is connected to another router. They gave me a CIDR pool
but the broadcast address is not routed and I cannot configure it as an alias
of course.

How can I use my full CIDR pool with source-hash natting? I'm experiencing
random connection freezes when I use the above rule. I believe this happens
because PF selects the broadcast address for some mappings.

BTW why does PF require that only a CIDR pool must be used with source-hash?
Could something be done on the other side to work this problem out? E.g. is it
possible to configure a router to also route the broadcast address in a static
route?

thanks for helping

-- 
Antonio Bonifati
BLOG: http://antonio-bonifati.blogspot.com
My profile: http://www.google.com/profiles/antonio.bonifati
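The failure mode described in the message above, worked through as an added example (this is not code from the poster or from pf): a source-hash pool keeps the network bits of the CIDR block and fills the host bits from a hash of the client's source address, in the same shape as pf's PF_POOLMASK, so every host value in the block is a possible translation address, the network and broadcast addresses included. The hash used here is a stand-in (keyed SHA-256) rather than pf's kernel hash, so the exact client-to-address pairs will differ from a real firewall; the structural point does not depend on the hash. The pool 203.0.113.8/29, the six aliased addresses .9 to .14, the internal net 10.0.0.0/24 and the fixed key are constructed for the example. The script reports which clients hash onto an address that is not bound on the outbound interface (those are the clients whose connections would hang, since replies to an unrouted address never come back) and lists the single CIDR blocks inside the pool that consist only of bound addresses, which is what a source-hash rule could be pointed at instead.

```python
"""Model of a pf `source-hash` NAT pool over a CIDR block (added example)."""
import hashlib
import ipaddress
from collections import Counter

# pfctl generates a random source-hash key at each ruleset load unless one
# is given in the rule; a fixed key here keeps the example reproducible.
DEFAULT_KEY = b"example-source-hash-key"

# Constructed inputs: the provider's /29, the six host addresses that can be
# aliased on the outbound interface (.8 is the network address, .15 the
# broadcast, neither is routed upstream), and the internal clients.
POOL = "203.0.113.8/29"
BOUND_ADDRS = [f"203.0.113.{i}" for i in range(9, 15)]
INTERNAL_HOSTS = [f"10.0.0.{i}" for i in range(1, 255)]


def srchash_map(src, pool, key=DEFAULT_KEY):
    """Translation address a source-hash pool selects for client `src`."""
    net = ipaddress.ip_network(pool, strict=False)  # host bits of the spec are masked off
    digest = hashlib.sha256(key + ipaddress.IPv4Address(src).packed).digest()
    h = int.from_bytes(digest[:4], "big")
    # network bits from the pool, host bits from the hash:
    # (raddr & rmask) | (hash & ~rmask); nothing excludes .0 or the broadcast
    naddr = int(net.network_address) | (h & int(net.hostmask))
    return ipaddress.IPv4Address(naddr)


def pool_usage(sources, pool, key=DEFAULT_KEY):
    """Counter of how many clients land on each pool address."""
    return Counter(srchash_map(s, pool, key) for s in sources)


def unusable_mappings(sources, pool, bound_addrs, key=DEFAULT_KEY):
    """{client: chosen address} for every client hashed onto an address that
    is not configured on the outbound interface; these are the clients whose
    connections silently fail."""
    bound = {ipaddress.IPv4Address(a) for a in bound_addrs}
    bad = {}
    for s in sources:
        chosen = srchash_map(s, pool, key)
        if chosen not in bound:
            bad[s] = chosen
    return bad


def usable_subpools(pool, bound_addrs):
    """CIDR blocks inside `pool` made only of bound addresses, largest first.

    source-hash takes a single block, so any one of these can replace the
    full block in the rule without ever hashing onto an unbound address
    (at the cost of using fewer public addresses)."""
    net = ipaddress.ip_network(pool, strict=False)
    bound = sorted(a for a in map(ipaddress.IPv4Address, bound_addrs) if a in net)
    blocks = []
    i = 0
    while i < len(bound):
        # extend over a run of consecutive bound addresses, then summarize it
        j = i
        while j + 1 < len(bound) and int(bound[j + 1]) == int(bound[j]) + 1:
            j += 1
        blocks.extend(ipaddress.summarize_address_range(bound[i], bound[j]))
        i = j + 1
    return sorted(blocks, key=lambda b: (b.prefixlen, int(b.network_address)))


if __name__ == "__main__":
    for addr, n in sorted(pool_usage(INTERNAL_HOSTS, POOL).items()):
        flag = "" if str(addr) in BOUND_ADDRS else "  <- not bound on the interface"
        print(f"{addr}: {n} clients{flag}")
    bad = unusable_mappings(INTERNAL_HOSTS, POOL, BOUND_ADDRS)
    print(f"{len(bad)} of {len(INTERNAL_HOSTS)} clients hash onto an unbound address")
    print("usable single-block pools:",
          [str(b) for b in usable_subpools(POOL, BOUND_ADDRS)])
```

On the configuration side, pf.conf(5) documents source-hash, bitmask and random as pool types that take a single network, while round-robin is the pool type that accepts a list of addresses or a table; round-robin with sticky-address is therefore the way to use exactly the routed addresses of the block while still keeping each internal source on one external address. Shrinking the source-hash rule to one of the sub-blocks the script prints is the alternative that keeps source-hash itself.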