From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 11:07:08 2011
Date: Mon, 27 Jun 2011 11:07:07 GMT
Message-Id: <201106271107.p5RB77Lp071914@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

46 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 11:13:59 2011
From: Schmurfy
Date: Mon, 27 Jun 2011 12:50:02 +0200
To: freebsd-pf@freebsd.org
Subject: PF + route-to + gif weird behavior (bug ?)

Hi,
I just came across a problem with route-to and gif interfaces.
First, here is my rc.conf:

# Router
ifconfig_em0="inet 10.11.12.212/24"
defaultrouter="10.11.12.253"
gateway_enable="YES"

static_routes="gif_endpoint"
route_visp="10.11.20.1/32 10.11.12.213"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# IPIP tunnels
gif_interfaces="gif1001"

ifconfig_em0_alias0="inet 10.11.20.2/32"
ifconfig_em0_alias1="inet 192.168.254.1/32"
gifconfig_gif1001="10.11.20.2 10.11.20.1"
ifconfig_gif1001="inet 1.2.3.1 1.2.3.2 netmask 255.255.255.252"

What I wanted to do is to redirect incoming connections on the external
interface (em0) on a specific address to a gif tunnel. My problem is that
the packet is redirected, so that part works, but the packet exiting the em0
interface (the gif tunnel is also using em0) has a wrong IPIP header: the
source address is the first address assigned to em0 instead of the alias
added for the gif tunnel.

Without pf the tunnel itself works fine: both sides can ping each other and
the packets are correct.

Here is my pf.conf (the rules I am speaking of are the port forwarding ones,
1 rdr and 2 pass):

phys_if = "em0"

env1c1_tunnel = "gif1001"
env1c1_tunnel_dst = "10.11.20.1"
env1c1_tunnel_src = "10.11.20.2"
env1c1_escape = "10.11.12.212"

set skip on lo0
set block-policy drop

scrub in on $phys_if

####
## NAT / RDR
####
nat on $phys_if tagged e1c1 -> $env1c1_escape
nat on $phys_if tagged e1c2 -> $env1c2_escape

# forwarded port (http)
rdr on $phys_if proto tcp from any to $env1c1_escape port 80 tag e1c1 -> 192.168.0.23 port 80

####
## FILTERS
####

# block any packet with no match
block log all

# allow our own services to work
pass in on $phys_if proto tcp from any to $phys_if port ssh synproxy state
pass in on $phys_if proto icmp from any to $phys_if
pass out on $phys_if proto udp from any to any port { ntp, domain }

# allow ipip traffic (tunnels)
pass in on $phys_if from $env1c1_tunnel_dst to $env1c1_tunnel_src
pass out on $phys_if from $env1c1_tunnel_src to $env1c1_tunnel_dst
pass in on $phys_if from $env1c2_tunnel_dst to $env1c2_tunnel_src
pass out on $phys_if from $env1c2_tunnel_src to $env1c2_tunnel_dst

# Port forwarding
pass in log on $phys_if route-to ( $env1c1_tunnel 1.2.3.2 ) proto tcp from any to 192.168.0.23 port 80 tagged e1c1
pass out log on $env1c1_tunnel tagged e1c1

# NAT (the server's gateway will be used, traffic is returned to the tunnel)
pass in log on $env1c1_tunnel tag e1c1
pass out log on $phys_if reply-to $env1c1_tunnel tagged e1c1
pass in log on $env1c2_tunnel tag e1c2
pass out log on $phys_if reply-to $env1c2_tunnel tagged e1c2

# sites => sites
pass in on $env1c1_tunnel route-to $env1c1_tunnel to $env1c1_sites tag e1c1
pass in on $env1c2_tunnel route-to $env1c2_tunnel to $env1c2_sites tag e1c2

Did I hit a bug? Or did I do something wrong?
I did a quick test on OpenBSD with a similar config and everything works
fine there, but I would really prefer sticking with FreeBSD :/

Thanks for any pointers.

PS: I first posted this on the freebsd forum, full post is available here:
http://forums.freebsd.org/showthread.php?t=24600

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 14:47:25 2011
Message-ID: <4E0897F9.30204@my.gd>
Date: Mon, 27 Jun 2011 16:47:21 +0200
From: Damien Fleuriot
To: freebsd-pf@freebsd.org
Subject: Re: PF + route-to + gif weird behavior (bug ?)

On 6/27/11 12:50 PM, Schmurfy wrote:
> Hi,
> I just came across a problem with route-to and gif interfaces.
> First, here is my rc.conf:
>
> # Router
> ifconfig_em0="inet 10.11.12.212/24"
> defaultrouter="10.11.12.253"
> gateway_enable="YES"
>
> static_routes="gif_endpoint"
> route_visp="10.11.20.1/32 10.11.12.213"
>

I'd like to point out you declare a gif_endpoint static route, but it
doesn't exist.
Similarly a route called route_visp exists but is not declared as a
static route.

> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pflog_enable="YES"
>
> # IPIP tunnels
> gif_interfaces="gif1001"
>
> ifconfig_em0_alias0="inet 10.11.20.2/32"
> ifconfig_em0_alias1="inet 192.168.254.1/32"
> gifconfig_gif1001="10.11.20.2 10.11.20.1"
> ifconfig_gif1001="inet 1.2.3.1 1.2.3.2 netmask 255.255.255.252"
>
> What I wanted to do is to redirect incoming connections on the external
> interface (em0) on a specific address to a gif tunnel, my problem is that
> the packet is redirected so that part works but the packet exiting the em0
> interfaces (the gif tunnel is also using em0) has a wrong ipip header: the
> source address is the first address assigned to em0 instead of the alias
> added for the gif tunnel.

This looks like a case where you'd like to NAT then.

Use PF to say you'll be NATing, so that you can force the correct IP ?

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 18:51:48 2011
In-Reply-To: <4E0897F9.30204@my.gd>
From: Schmurfy
Date: Mon, 27 Jun 2011 20:51:28 +0200
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + route-to + gif weird behavior (bug ?)

On 27 June 2011 16:47, Damien Fleuriot wrote:

> On 6/27/11 12:50 PM, Schmurfy wrote:
> > Hi,
> > I just came across a problem with route-to and gif interfaces.
> > First, here is my rc.conf:
> >
> > # Router
> > ifconfig_em0="inet 10.11.12.212/24"
> > defaultrouter="10.11.12.253"
> > gateway_enable="YES"
> >
> > static_routes="gif_endpoint"
> > route_visp="10.11.20.1/32 10.11.12.213"
> >
>
> I'd like to point out you declare a gif_endpoint static route, but it
> doesn't exist.
> Similarly a route called route_visp exists but is not declared as a
> static route.
>

Sorry for that, in fact the real declaration was:
static_routes="visp"

not sure how I ended up with the wrong line in my first version xD

> > pf_enable="YES"
> > pf_rules="/etc/pf.conf"
> > pflog_enable="YES"
> >
> > # IPIP tunnels
> > gif_interfaces="gif1001"
> >
> > ifconfig_em0_alias0="inet 10.11.20.2/32"
> > ifconfig_em0_alias1="inet 192.168.254.1/32"
> > gifconfig_gif1001="10.11.20.2 10.11.20.1"
> > ifconfig_gif1001="inet 1.2.3.1 1.2.3.2 netmask 255.255.255.252"
> >
> > What I wanted to do is to redirect incoming connections on the external
> > interface (em0) on a specific address to a gif tunnel, my problem is that
> > the packet is redirected so that part works but the packet exiting the em0
> > interfaces (the gif tunnel is also using em0) has a wrong ipip header: the
> > source address is the first address assigned to em0 instead of the alias
> > added for the gif tunnel.
>
> This looks like a case where you'd like to NAT then.
>
> Use PF to say you'll be NATing, so that you can force the correct IP ?
>

I am not sure I understand what you mean here, could you show me how you
would do this ?
You would NAT with the IPIP tunnel local address ?

I did not say it in my first message but I tried the same ruleset on
OpenBSD 4.9 (with the syntax changes) and everything works as expected
there, the packets redirected into the gif tunnel (with route-to) exists on
the physical network with the correct IPIP header.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 21:59:17 2011
Date: Mon, 27 Jun 2011 16:34:24 -0500
From: Espartano
To: freebsd-pf@freebsd.org
Subject: Reboot after start pf on ALIX board

Hi People

I'm having a problem with my Alix board model 2d3
(http://pcengines.ch/alix2d3.htm). Yesterday I compiled and installed
NanoBSD into my Alix board using FreeBSD 8.2 RELEASE; today when I tried to
configure network interfaces and pf firewall to do NAT over the wireless
network I got this error and the system was rebooted:

zrouter# /etc/rc.d/pf onestart
Enabling pf

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x18
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc07c50ce
stack pointer           = 0x28:0xcd1f8a18
frame pointer           = 0x28:0xcd1f8a38
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1755 (pfctl)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc072c5b7 at kdb_backtrace+0x47
#1 0xc06fd457 at panic+0x117
#2 0xc08f9003 at trap_fatal+0x323
#3 0xc08f9280 at trap_pfault+0x270
#4 0xc08f97c5 at trap+0x465
#5 0xc08e037c at calltrap+0x6
#6 0xc04d8a25 at pfioctl+0x965
#7 0xc0681c8a at devfs_ioctl_f+0x10a
#8 0xc073b6b0 at kern_ioctl+0x280
#9 0xc073b824 at ioctl+0x134
#10 0xc07382e9 at syscallenter+0x329
#11 0xc08f92d4 at syscall+0x34
#12 0xc08e03e1 at Xint0x80_syscall+0x21
Uptime: 4m6s
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort

#####################################

This is the output from the ifconfig command:

zrouter# ifconfig
vr0: flags=8802 metric 0 mtu 1500
        options=8280b
        ether 00:0d:b9:12:6f:00
        media: Ethernet autoselect (none)
        status: no carrier
vr1: flags=8843 metric 0 mtu 1500
        options=8280b
        ether 00:0d:b9:12:6f:01
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
        media: Ethernet autoselect (none)
        status: no carrier
vr2: flags=8843 metric 0 mtu 1500
        options=8280b
        ether 00:0d:b9:12:6f:02
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (none)
        status: no carrier
ath0: flags=8843 metric 0 mtu 2290
        ether 00:0b:6b:db:0d:70
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
        status: running
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> metric 0 mtu 33200
wlan0: flags=8843 metric 0 mtu 1500
        ether 00:0b:6b:db:0d:70
        inet 192.168.1.105 netmask 0xffffff00 broadcast 255.255.255.255
        media: IEEE 802.11 Wireless Ethernet OFDM/24Mbps mode 11g
        status: associated
        ssid SIPS channel 6 (2437 MHz 11g) bssid 00:27:19:de:26:26
        country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
        TKIP 2:128-bit txpower 23.5 bmiss 7 scanvalid 450 bgscan
        bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
        wme burst roaming MANUAL
wlan1: flags=8843 metric 0 mtu 1500
        ether 00:0b:6b:db:0d:70
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
        status: running
        ssid SIPS2 channel 6 (2437 MHz 11g) bssid 00:0b:6b:db:0d:70
        country US ecm authmode WPA privacy MIXED deftxkey 2
        TKIP 2:128-bit txpower 23.5 scanvalid 60 protmode CTS wme burst
        dtimperiod 1 -dfs
zrouter#

#####################################

The pf firewall rules are very simple and pf -vnf didn't complain about them:

zrouter# cat /etc/pf.conf
if_lan0=vr0
if_lan1=vr1
if_lan2=vr2
if_wifi_0=wlan0
if_wifi_1=wlan1

nat on $if_wifi_0 from any -> ($if_wifi_0)

pass in
pass out
zrouter#

zrouter# pfctl -vnf /etc/pf.conf
if_lan0 = "vr0"
if_lan1 = "vr1"
if_lan2 = "vr2"
if_wifi_0 = "wlan0"
if_wifi_1 = "wlan1"
nat on wlan0 all -> (wlan0) round-robin
pass in all flags S/SA keep state
pass out all flags S/SA keep state
zrouter#

####################################

If it is helpful in order to figure out what happened, here are the output
messages from the boot process:

Copyright (c) 1992-2011 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.2-RELEASE #0: Sun Jun 26 06:05:14 CDT 2011
    root@:/usr/obj/nanobsd.ZROUTER/usr/src/sys/ZROUTER i386
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Geode(TM) Integrated Processor by AMD PCS (498.05-MHz 586-class CPU)
  Origin = "AuthenticAMD"  Id = 0x5a2  Family = 5  Model = a  Stepping = 2
  Features=0x88a93d
  AMD Features=0xc0400000
real memory  = 268435456 (256 MB)
avail memory = 252387328 (240 MB)
pnpbios: Bad PnP BIOS data checksum
WARNING: VIMAGE (virtualized network stack) is a highly experimental feature.
K6-family MTRR support enabled (2 registers)
kbd0 at kbdmux0
ACPI Error: A valid RSDP was not found (20101013/tbxfroot-309)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.
pcib0: pcibus 0 on motherboard
pci0: on pcib0
pci0: at device 1.2 (no driver attached)
vr0: port 0x1000-0x10ff mem 0xe0000000-0xe00000ff irq 10 at device 9.0 on pci0
vr0: Quirks: 0x2
vr0: Revision: 0x96
miibus0: on vr0
ukphy0: PHY 1 on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr0: Ethernet address: 00:0d:b9:12:6f:00
vr0: [ITHREAD]
vr1: port 0x1400-0x14ff mem 0xe0040000-0xe00400ff irq 11 at device 10.0 on pci0
vr1: Quirks: 0x2
vr1: Revision: 0x96
miibus1: on vr1
ukphy1: PHY 1 on miibus1
ukphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr1: Ethernet address: 00:0d:b9:12:6f:01
vr1: [ITHREAD]
vr2: port 0x1800-0x18ff mem 0xe0080000-0xe00800ff irq 12 at device 11.0 on pci0
vr2: Quirks: 0x2
vr2: Revision: 0x96
miibus2: on vr2
ukphy2: PHY 1 on miibus2
ukphy2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr2: Ethernet address: 00:0d:b9:12:6f:02
vr2: [ITHREAD]
ath0: mem 0xe00c0000-0xe00cffff irq 9 at device 12.0 on pci0
ath0: [ITHREAD]
ath0: AR5212 mac 5.9 RF5112 phy 4.3
isab0: port 0x6000-0x6007,0x6100-0x61ff,0x6200-0x623f,0x9d00-0x9d7f,0x9c00-0x9c3f at device 15.0 on pci0
isa0: on isab0
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 15.2 on pci0
ata0: on atapci0
ata0: [ITHREAD]
ata1: on atapci0
ata1: [ITHREAD]
pci0: at device 15.3 (no driver attached)
ohci0: mem 0xefffe000-0xefffefff irq 15 at device 15.4 on pci0
ohci0: [ITHREAD]
usbus0: on ohci0
ehci0: mem 0xefffd000-0xefffdfff irq 15 at device 15.5 on pci0
ehci0: [ITHREAD]
usbus1: EHCI version 1.0
usbus1: on ehci0
cpu0 on motherboard
pmtimer0 on isa0
orm0: at iomem 0xe0000-0xeafff pnpid ORM0000 on isa0
atrtc0: at port 0x70 irq 8 on isa0
ppc0: parallel port not found.
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
uart0: [FILTER]
uart0: console (9600,n,8,1)
RTC BIOS diagnostic error 80
Timecounter "TSC" frequency 498053887 Hz quality 800
Timecounters tick every 1.000 msec
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ad0: DMA limited to UDMA33, device found non-ATA66 cable
ad0: 1923MB at ata0-master UDMA33
ugen0.1: at usbus0
uhub0: on usbus0
ugen1.1: at usbus1
uhub1: on usbus1
GEOM: ad0s1: geometry does not match label (64h,63s != 16h,63s).
GEOM: ad0s2: geometry does not match label (64h,63s != 16h,63s).
Root mount waiting for: usbus1 usbus0
uhub0: 4 ports with 4 removable, self powered
Root mount waiting for: usbus1
uhub1: 4 ports with 4 removable, self powered
Trying to mount root from ufs:/dev/ad0s1a
Setting hostuuid: 7ccdb6ca-bfde-11d3-ad57-000db9126f00.
Setting hostid: 0x82451fc6.
Entropy harvesting: interrupts ethernet point_to_point kickstart.
Starting file system checks:
/dev/ad0s1a: FILE SYSTEM CLEAN; SKIPPING CHECKS
/dev/ad0s1a: clean, 999522 free (3714 frags, 124476 blocks, 0.2% fragmentation)
/dev/ad0s3: FILE SYSTEM CLEAN; SKIPPING CHECKS
/dev/ad0s3: clean, 102419 free (19 frags, 12800 blocks, 0.0% fragmentation)
Mounting local file systems:.
Setting hostname: zrouter.
vr1: link state changed to DOWN
vr2: link state changed to DOWN
wlan0: Ethernet address: 00:0b:6b:db:0d:70
Starting wpa_supplicant.
wlan0: no link .......wlan0: link state changed to UP
 got link
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 13
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 13
DHCPOFFER from 192.168.1.1
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPACK from 192.168.1.1
bound to 192.168.1.105 -- renewal in 3600 seconds.
wlan1: Ethernet address: 00:0b:6b:db:0d:70
Starting Network: lo0 vr1 vr2 ath0.
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet 127.0.0.1 netmask 0xff000000
vr1: flags=8843 metric 0 mtu 1500
        options=8280b
        ether 00:0d:b9:12:6f:01
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
        media: Ethernet autoselect (none)
        status: no carrier
vr2: flags=8843 metric 0 m0tu 1500 option:s=8280b nether 00:0d:b9:1k2:6f:02 a inet 1 0.0.0.1 netmask s0xffffff00 broadtcast 10.0.0.255 media: Ethernett autoselect (noene) status: no carrier
ath0: cflags=8843 metric 0 mtug2290 ether 00:e0b:6b:db:0d:70 d media: IEEE 802 .11 Wireless Ethternet autoselecto mode 11g status: runDning
AdditionalO routing optionsW: IP gateway=YESN.
.tarting devd
Generating host.conf.
ELF ldconfig path: /lib /usr/lib /usr/local/lib /usr/local/lib/libnet115
a.out ldconfig path: /usr/lib/aout
ldconfig: /usr/lib/aout: No such file or directory
Creating and/or trimming log files.
Starting syslogd.
Setting date via ntp.
27 Jun 19:13:40 ntpdate[1291]: step time server 201.120.53.179 offset 362517141.849727 sec
Clearing /tmp (X related).
Updating motd:.
Starting dhcpd.
Internet Systems Consortium DHCP Server V3.1-ESV
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 0 leases to leases file.
Listening on BPF/wlan1/00:0b:6b:db:0d:70/172.16.0/24
Sending on BPF/wlan1/00:0b:6b:db:0d:70/172.16.0/24
Listening on BPF/vr1/00:0d:b9:12:6f:01/192.168.100/24
Sending on BPF/vr1/00:0d:b9:12:6f:01/192.168.100/24
Sending on Socket/fallback/fallback-net
Starting cherokee.
Cherokee Web Server 1.2.2 (Jun 26 2011): Listening on port ALL:80, TLS
disabled, IPv6 disabled, using kqueue, 3578 fds system limit, max. 1782
connections, 5 threads, 356 connections per thread, standard scheduling policy
Starting sshd.
Starting cron.
Starting hostapd.
Configuration file: /etc/hostapd.conf
Using interface wlan1 with hwaddr 00:0b:6b:db:0d:70 and ssid 'SIPS2'
Starting background file system checks in 60 seconds.

Mon Jun 27 19:13:44 UTC 2011

FreeBSD/i386 (zrouter) (ttyu0)

login:

########################################

The NanoBSD image was compiled with this kernel configuration file:

#GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.519.2.12.2.1 2010/12/21 17:09:25 kensmith Exp $

cpu             I486_CPU
cpu             I586_CPU
cpu             I686_CPU
ident           ZROUTER

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

# Use the following to compile in values accessible to the kernel
# through getenv() (or kenv(1) in userland). The format of the file
# is 'variable=value', see kenv(1)
#
# env           "GENERIC.env"

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
#options        INET6                   # IPv6 communications protocols
#options        SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
#options        NFSCLIENT               # Network Filesystem Client
#options        NFSSERVER               # Network Filesystem Server
#options        NFSLOCKD                # Network Lock Manager
#options        NFS_ROOT                # NFS usable as /, requires NFSCLIENT
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_43TTY            # BSD 4.3 TTY compat (sgtty)
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         COMPAT_FREEBSD6         # Compatible with FreeBSD6
options         COMPAT_FREEBSD7         # Compatible with FreeBSD7
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         P1003_1B_SEMAPHORES     # POSIX-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options	HWPMC_HOOKS	# Necessary kernel hooks for hwpmc(4)
options	AUDIT	# Security event auditing
options	MAC	# TrustedBSD MAC Framework
options	FLOWTABLE	# per-cpu routing cache
#options	KDTRACE_HOOKS	# Kernel DTrace hooks
options	INCLUDE_CONFIG_FILE	# Include this file in kernel
options	VIMAGE
options	KDB	# Kernel debugger related code
options	KDB_TRACE	# Print a stack trace for a panic

# To make an SMP kernel, the next two lines are needed
options	SMP	# Symmetric MultiProcessor Kernel
device	apic	# I/O APIC

# CPU frequency control
device	cpufreq

# Bus support.
device	acpi
device	eisa
device	pci

options	ALTQ
options	ALTQ_CBQ	# Class Based Queuing (CBQ)
options	ALTQ_RED	# Random Early Detection (RED)
options	ALTQ_RIO	# RED In/Out
options	ALTQ_HFSC	# Hierarchical Packet Scheduler (HFSC)
options	ALTQ_PRIQ	# Priority Queuing (PRIQ)
options	ALTQ_NOPCC	# Required for SMP build

device	pf
device	pflog
device	pfsync
device	vlan
device	epair
device	if_bridge
device	carp
device	lagg

# Floppy drives
device	fdc

# ATA and ATAPI devices
device	ata
device	atadisk	# ATA disk drives
device	ataraid	# ATA RAID drives
#device	atapicd	# ATAPI CDROM drives
#device	atapifd	# ATAPI floppy drives
#device	atapist	# ATAPI tape drives
options	ATA_STATIC_ID	# Static device numbering

# SCSI Controllers
device	ahb	# EISA AHA1742 family
device	ahc	# AHA2940 and onboard AIC7xxx devices
options	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
				# output.  Adds ~128k to driver.
device	ahd	# AHA39320/29320 and onboard AIC79xx devices
options	AHD_REG_PRETTY_PRINT	# Print register bitfields in debug
				# output.  Adds ~215k to driver.
#device	amd	# AMD 53C974 (Tekram DC-390(T))
#device	hptiop	# Highpoint RocketRaid 3xxx series
#device	isp	# Qlogic family
##device	ispfw	# Firmware for QLogic HBAs- normally a module
#device	mpt	# LSI-Logic MPT-Fusion
##device	ncr	# NCR/Symbios Logic
#device	sym	# NCR/Symbios Logic (newer chipsets + those of `ncr')
#device	trm	# Tekram DC395U/UW/F DC315U adapters

#device	adv	# Advansys SCSI adapters
#device	adw	# Advansys wide SCSI adapters
#device	aha	# Adaptec 154x SCSI adapters
#device	aic	# Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device	bt	# Buslogic/Mylex MultiMaster SCSI adapters

#device	ncv	# NCR 53C500
#device	nsp	# Workbit Ninja SCSI-3
#device	stg	# TMC 18C30/18C50

# SCSI peripherals
device	scbus	# SCSI bus (required for SCSI)
device	ch	# SCSI media changers
device	da	# Direct Access (disks)
device	sa	# Sequential Access (tape etc)
device	cd	# CD
device	pass	# Passthrough device (direct SCSI access)
device	ses	# SCSI Environmental Services (and SAF-TE)

# RAID controllers interfaced to the SCSI subsystem
#device	amr	# AMI MegaRAID
#device	arcmsr	# Areca SATA II RAID
#device	asr	# DPT SmartRAID V, VI and Adaptec SCSI RAID
#device	ciss	# Compaq Smart RAID 5*
#device	dpt	# DPT Smartcache III, IV - See NOTES for options
#device	hptmv	# Highpoint RocketRAID 182x
#device	hptrr	# Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
#device	iir	# Intel Integrated RAID
#device	ips	# IBM (Adaptec) ServeRAID
#device	mly	# Mylex AcceleRAID/eXtremeRAID
#device	twa	# 3ware 9000 series PATA/SATA RAID

# RAID controllers
#device	aac	# Adaptec FSA RAID
#device	aacp	# SCSI passthrough for aac (requires CAM)
#device	ida	# Compaq Smart RAID
#device	mfi	# LSI MegaRAID SAS
#device	mlx	# Mylex DAC960 family
#device	pst	# Promise Supertrak SX6000
#device	twe	# 3ware ATA RAID

# atkbdc0 controls both the keyboard and the PS/2 mouse
device	atkbdc	# AT keyboard controller
device	atkbd	# AT keyboard
device	psm	# PS/2 mouse

device	kbdmux	# keyboard multiplexer

device	vga	# VGA video card driver

#device	splash	# Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device	sc

device	agp	# support several AGP chipsets

# Power management support (see NOTES for more options)
#device	apm
# Add suspend/resume support for the i8254.
device	pmtimer

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
device	cbb	# cardbus (yenta) bridge
device	pccard	# PC Card (16-bit) bus
device	cardbus	# CardBus (32-bit) bus

# Serial (COM) ports
device	uart	# Generic UART driver

# Parallel port
device	ppc
device	ppbus	# Parallel port bus (required)
device	lpt	# Printer
device	plip	# TCP/IP over parallel
device	ppi	# Parallel port interface device
#device	vpo	# Requires scbus and da

# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to sio, uart and/or ppc drivers):
#device	puc

# PCI Ethernet NICs.
#device	de	# DEC/Intel DC21x4x (``Tulip'')
#device	em	# Intel PRO/1000 Gigabit Ethernet Family
#device	igb	# Intel PRO/1000 PCIE Server Gigabit Family
#device	ixgb	# Intel PRO/10GbE Ethernet Card
#device	le	# AMD Am7900 LANCE and Am79C9xx PCnet
#device	ti	# Alteon Networks Tigon I/II gigabit Ethernet
#device	txp	# 3Com 3cR990 (``Typhoon'')
#device	vx	# 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device	miibus	# MII bus support
#device	ae	# Attansic/Atheros L2 FastEthernet
#device	age	# Attansic/Atheros L1 Gigabit Ethernet
#device	alc	# Atheros AR8131/AR8132 Ethernet
#device	ale	# Atheros AR8121/AR8113/AR8114 Ethernet
#device	bce	# Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device	bfe	# Broadcom BCM440x 10/100 Ethernet
#device	bge	# Broadcom BCM570xx Gigabit Ethernet
#device	dc	# DEC/Intel 21143 and various workalikes
#device	et	# Agere ET1310 10/100/Gigabit Ethernet
#device	fxp	# Intel EtherExpress PRO/100B (82557, 82558)
#device	jme	# JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device	lge	# Level 1 LXT1001 gigabit Ethernet
#device	msk	# Marvell/SysKonnect Yukon II Gigabit Ethernet
#device	nfe	# nVidia nForce MCP on-board Ethernet
#device	nge	# NatSemi DP83820 gigabit Ethernet
##device	nve	# nVidia nForce MCP on-board Ethernet Networking
#device	pcn	# AMD Am79C97x PCI 10/100 (precedence over 'le')
device	re	# RealTek 8139C+/8169/8169S/8110S
#device	rl	# RealTek 8129/8139
#device	sf	# Adaptec AIC-6915 (``Starfire'')
#device	sge	# Silicon Integrated Systems SiS190/191
#device	sis	# Silicon Integrated Systems SiS 900/SiS 7016
#device	sk	# SysKonnect SK-984x & SK-982x gigabit Ethernet
#device	ste	# Sundance ST201 (D-Link DFE-550TX)
#device	stge	# Sundance/Tamarack TC9021 gigabit Ethernet
#device	tl	# Texas Instruments ThunderLAN
#device	tx	# SMC EtherPower II (83c170 ``EPIC'')
#device	vge	# VIA VT612x gigabit Ethernet
device	vr	# VIA Rhine, Rhine II
#device	wb	# Winbond W89C840F
#device	xl	# 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.  pccard NICs included.
device	cs	# Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device	ed	# NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device	ex	# Intel EtherExpress Pro/10 and Pro/10+
#device	ep	# Etherlink III based cards
#device	fe	# Fujitsu MB8696x based cards
#device	ie	# EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device	sn	# SMC's 9000 series of Ethernet chips
#device	xe	# Xircom pccard Ethernet

# Wireless NIC cards
device	wlan	# 802.11 support
options	IEEE80211_DEBUG	# enable debug msgs
options	IEEE80211_AMPDU_AGE	# age frames in AMPDU reorder q's
options	IEEE80211_SUPPORT_MESH	# enable 802.11s draft support
device	wlan_wep	# 802.11 WEP support
device	wlan_ccmp	# 802.11 CCMP support
device	wlan_tkip	# 802.11 TKIP support
device	wlan_amrr	# AMRR transmit rate control algorithm
device	an	# Aironet 4500/4800 802.11 wireless NICs.
device	ath	# Atheros pci/cardbus NIC's
device	ath_hal	# pci/cardbus chip support
options	AH_SUPPORT_AR5416	# enable AR5416 tx/rx descriptors
device	ath_rate_sample	# SampleRate tx rate control for ath
device	ral	# Ralink Technology RT2500 wireless NICs.
device	wi	# WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device	wl	# Older non 802.11 Wavelan wireless NIC.

# Pseudo devices.
device	loop	# Network loopback
device	random	# Entropy device
device	ether	# Ethernet support
device	vlan	# 802.1Q VLAN support
device	tun	# Packet tunnel.
device	pty	# BSD-style compatibility pseudo ttys
device	md	# Memory "disks"
device	gif	# IPv6 and IPv4 tunneling
device	faith	# IPv6-to-IPv4 relaying (translation)
device	firmware	# firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device	bpf	# Berkeley packet filter

# USB support
options	USB_DEBUG	# enable debug msgs
device	uhci	# UHCI PCI->USB interface
device	ohci	# OHCI PCI->USB interface
device	ehci	# EHCI PCI->USB interface (USB 2.0)
device	usb	# USB Bus (required)
#device	udbp	# USB Double Bulk Pipe devices
device	uhid	# "Human Interface Devices"
device	ukbd	# Keyboard
device	ulpt	# Printer
device	umass	# Disks/Mass storage - Requires scbus and da
device	ums	# Mouse
device	urio	# Diamond Rio 500 MP3 player
# USB Serial devices
device	u3g	# USB-based 3G modems (Option, Huawei, Sierra)
device	uark	# Technologies ARK3116 based serial adapters
device	ubsa	# Belkin F5U103 and compatible serial adapters
device	uftdi	# For FTDI usb serial adapters
device	uipaq	# Some WinCE based devices
device	uplcom	# Prolific PL-2303 serial adapters
device	uslcom	# SI Labs CP2101/CP2102 serial adapters
device	uvisor	# Visor and Palm devices
device	uvscom	# USB serial support for DDI pocket's PHS
# USB Ethernet, requires miibus
device	aue	# ADMtek USB Ethernet
device	axe	# ASIX Electronics USB Ethernet
device	cdce	# Generic USB over Ethernet
device	cue	# CATC USB Ethernet
device	kue	# Kawasaki LSI USB Ethernet
device	rue	# RealTek RTL8150 USB Ethernet
device	udav	# Davicom DM9601E USB
# USB Wireless
device	rum	# Ralink Technology RT2501USB wireless NICs
device	uath	# Atheros AR5523 wireless NICs
device	ural	# Ralink Technology RT2500USB wireless NICs
device	zyd	# ZyDAS zb1211/zb1211b wireless NICs

# FireWire support
#device	firewire	# FireWire bus code
#device	sbp	# SCSI over FireWire (Requires scbus and da)
#device	fwe	# Ethernet over FireWire (non-standard!)
#device	fwip	# IP over FireWire (RFC 2734,3146)
#device	dcons	# Dumb console driver
#device	dcons_crom	# Configuration ROM for dcons

#####################################

Before I updated my Nanobsd image from FreeBSD 8.1 to 8.2 RELEASE my
alix board worked very well, the big difference between my old nanobsd
image and my new nanobsd image is that the new one has "option
VIMAGE" active.

Could someone help me?

If there is something else that you need to figure out what
happened, please let me know.

Thanks a lot.

PS: If this is the incorrect list for this item please let me know.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 09:09:16 2011
Message-ID: <4E099A36.7000104@my.gd>
Date: Tue, 28 Jun 2011 11:09:10 +0200
From: Damien Fleuriot
To: freebsd-pf@freebsd.org
Subject: Re: Reboot after start pf on ALIX board

On 6/27/11 11:34 PM, Espartano wrote:
> Hi People I'm having a problem with my Alix board model 2d3
> (http://pcengines.ch/alix2d3.htm), Yesterday I compiled and installed
> NanoBSD into my alix board using FreeBSD 8.2 RELEASE, today when I
> tried to configure network interfaces and pf firewall to do nat over
> the wireless network I got this error and the system was rebooted:
>
> zrouter# /etc/rc.d/pf onestart
> Enabling pf
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0x18
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc07c50ce
> stack pointer           = 0x28:0xcd1f8a18
> frame pointer           = 0x28:0xcd1f8a38
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 1755 (pfctl)
> trap number             = 12
> panic: page fault
> cpuid = 0
> KDB: stack backtrace:
> #0 0xc072c5b7 at kdb_backtrace+0x47
> #1 0xc06fd457 at panic+0x117
> #2 0xc08f9003 at trap_fatal+0x323
> #3 0xc08f9280 at trap_pfault+0x270
> #4 0xc08f97c5 at trap+0x465
> #5 0xc08e037c at calltrap+0x6
> #6 0xc04d8a25 at pfioctl+0x965
> #7 0xc0681c8a at devfs_ioctl_f+0x10a
> #8 0xc073b6b0 at kern_ioctl+0x280
> #9 0xc073b824 at ioctl+0x134
> #10 0xc07382e9 at syscallenter+0x329
> #11 0xc08f92d4 at syscall+0x34
> #12 0xc08e03e1 at Xint0x80_syscall+0x21
> Uptime: 4m6s
> Cannot dump. Device not defined or unavailable.
> Automatic reboot in 15 seconds - press a key on the console to abort
>

You need to define a dump device then, so that you may extract the
kernel's crash dump for analysis.

[SNIP]

>
> Before I updated my Nanobsd image from FreeBSD 8.1 to 8.2 RELEASE my
> alix board worked very well, the big difference between my old nanobsd
> image and my new nanobsd image is that the new one has "option
> VIMAGE" active.
>

Well, the next logical step would be to comment out the VIMAGE option
and rebuild a kernel, don't you think?

>
> Could someone help me?
>
> If there is something else that you need to figure out what
> happened, please let me know.
>

Describe the procedure you followed to update your machine.

It is possible that you did not update correctly, who knows...

>
> Thanks a lot.
>
>
> PS: If this is the incorrect list for this item please let me know.
> _______________________________________________

You're at the right place :)

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 11:58:40 2011
From: "Bjoern A. Zeeb"
Date: Tue, 28 Jun 2011 11:58:36 +0000
References: <201106281157.p5SBvP5g048097@svn.freebsd.org>
To: freebsd-pf@freebsd.org
Subject: Fwd: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

Begin forwarded message:
> From: "Bjoern A. Zeeb"
> Date: June 28, 2011 11:57:25 AM GMT+00:00
> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
> Subject: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
>
> Author: bz
> Date: Tue Jun 28 11:57:25 2011
> New Revision: 223637
> URL: http://svn.freebsd.org/changeset/base/223637
>
> Log:
>   Update packet filter (pf) code to OpenBSD 4.5.
>
>   You need to update userland (world and ports) tools
>   to be in sync with the kernel.
>
>   Submitted by: mlaier
>   Submitted by: eri

In short; please test!

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 12:35:34 2011
Message-ID: <4E09C585.7010801@citrin.ru>
Date: Tue, 28 Jun 2011 16:13:57 +0400
From: Anton Yuzhaninov
To: freebsd-pf@FreeBSD.org
Cc: "Bjoern A. Zeeb"
Subject: Fwd: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

-------- Original Message --------
Subject: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
Date: Tue, 28 Jun 2011 11:57:25 +0000 (UTC)
From: Bjoern A. Zeeb
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org

Author: bz
Date: Tue Jun 28 11:57:25 2011
New Revision: 223637
URL: http://svn.freebsd.org/changeset/base/223637

Log:
  Update packet filter (pf) code to OpenBSD 4.5.

  You need to update userland (world and ports) tools
  to be in sync with the kernel.

--- End of Original Message --------

This update breaks compatibility with previous pfsync(4) versions.
IMHO it should be mentioned in UPDATING.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 14:25:47 2011
In-Reply-To: <4E099A36.7000104@my.gd>
References: <4E099A36.7000104@my.gd>
Date: Tue, 28 Jun 2011 09:25:46 -0500
From: Espartano
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Subject: Re: Reboot after start pf on ALIX board

On Tue, Jun 28, 2011 at 4:09 AM, Damien Fleuriot wrote:
>
> You need to define a dump device then, so that you may extract the
> kernel's crash dump for analysis.

I don't know if there is enough free space to allocate a kernel dump
file into the Alix board's cf card, I will see if it is possible.

>
> [SNIP]
>
>>
>> Before I updated my Nanobsd image from FreeBSD 8.1 to 8.2 RELEASE my
>> alix board worked very well, the big difference between my old nanobsd
>> image and my new nanobsd image is that the new one has "option
>> VIMAGE" active.
>>
>
> Well, the next logical step would be to comment out the VIMAGE option
> and rebuild a kernel, don't you think?
>

Of course, however I wanted to know if this scenario is useful to the
freebsd pf developers.

>
>>
>> Could someone help me?
>>
>> If there is something else that you need to figure out what
>> happened, please let me know.
>>
>
> Describe the procedure you followed to update your machine.
>
> It is possible that you did not update correctly, who knows...
>

I don't think so, when I said "update" I really have installed Nanobsd
using FreeBSD 8.2 from scratch.

Well, at this point I don't know what to do: is it useful for you that
I try to get a kernel dump file, or simply recompile nanobsd without
the vimage option?

Thanks a lot.
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 14:55:17 2011
From: "Bjoern A. Zeeb"
In-Reply-To: <4E09C585.7010801@citrin.ru>
Date: Tue, 28 Jun 2011 14:55:13 +0000
Message-Id: <77A56620-00F5-4EF3-B909-BC5045CCBDAC@FreeBSD.org>
References: <4E09C585.7010801@citrin.ru>
To: Anton Yuzhaninov
Cc: freebsd-pf@FreeBSD.org
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On Jun 28, 2011, at 12:13 PM, Anton Yuzhaninov wrote:

> -------- Original Message --------
> Subject: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
> Date: Tue, 28 Jun 2011 11:57:25 +0000 (UTC)
> From: Bjoern A. Zeeb
> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
>
> Author: bz
> Date: Tue Jun 28 11:57:25 2011
> New Revision: 223637
> URL: http://svn.freebsd.org/changeset/base/223637
>
> Log:
>   Update packet filter (pf) code to OpenBSD 4.5.
>
>   You need to update userland (world and ports) tools
>   to be in sync with the kernel.
>
> --- End of Original Message --------
>
> This update breaks compatibility with previous pfsync(4) versions.
> IMHO it should be mentioned in UPDATING.

Indeed. I'll wait another couple of hours in case there are further things
to mention and will update UPDATING then.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 15:49:17 2011
Message-ID: <4E09F7F9.3080608@my.gd>
Date: Tue, 28 Jun 2011 17:49:13 +0200
From: Damien Fleuriot
To: Espartano
References: <4E099A36.7000104@my.gd>
Cc: freebsd-pf@freebsd.org
Subject: Re: Reboot after start pf on ALIX board

On 6/28/11 4:25 PM, Espartano wrote:
> On Tue, Jun 28, 2011 at 4:09 AM, Damien Fleuriot wrote:
>>
>> You need to define a dump device then, so that you may extract the
>> kernel's crash dump for analysis.
>
> I don't know if there is enough free space to allocate a kernel dump
> file into the Alix board's cf card, I will see if it is possible.
>
>>
>> [SNIP]
>>
>>>
>>> Before I updated my Nanobsd image from FreeBSD 8.1 to 8.2 RELEASE my
>>> alix board worked very well, the big difference between my old nanobsd
>>> image and my new nanobsd image is that the new one has "option
>>> VIMAGE" active.
>>>
>>
>> Well, the next logical step would be to comment out the VIMAGE option
>> and rebuild a kernel, don't you think?
>>
>
> Of course, however I wanted to know if this scenario is useful to the
> freebsd pf developers.
>
>>
>>>
>>> Could someone help me?
>>>
>>> If there is something else that you need to figure out what
>>> happened, please let me know.
>>>
>>
>> Describe the procedure you followed to update your machine.
>>
>> It is possible that you did not update correctly, who knows...
>>
>
> I don't think so, when I said "update" I really have installed Nanobsd
> using FreeBSD 8.2 from scratch.
>
> Well, at this point I don't know what to do: is it useful for you that
> I try to get a kernel dump file, or simply recompile nanobsd without
> the vimage option?
>
> Thanks a lot.

Well, you want to try things in this order:

1/ rebuild a kernel without VIMAGE and try again, while you're at it
enable debug options like the KDTRACE hooks and such.

makeoptions	DEBUG=-g	# Build kernel with gdb(1) debug symbols
options	KDB	# Kernel debugger related code
options	KDTRACE_FRAME	# Ensure frames are compiled in
options	KDTRACE_HOOKS	# Kernel DTrace hooks

2/ enable kernel crash dumps, reproduce problem, obtain a dump for analysis.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 28 15:52:04 2011
Message-ID: <4E09F8A0.9070203@my.gd>
Date: Tue, 28 Jun 2011 17:52:00 +0200
From: Damien Fleuriot
To: Schmurfy
References: <4E0897F9.30204@my.gd>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + route-to + gif weird behavior (bug ?)

On 6/27/11 8:51 PM, Schmurfy wrote:
> On 27 June 2011 16:47, Damien Fleuriot wrote:
>
>     On 6/27/11 12:50 PM, Schmurfy wrote:
>     >
>     > What I wanted to do is to redirect incoming connections on the external
>     > interface (em0) on a specific address to a gif tunnel, my problem is that
>     > the packet is redirected so that part works but the packet exiting the em0
>     > interfaces (the gif tunnel is also using em0) has a wrong ipip header: the
>     > source address is the first address assigned to em0 instead of the alias
>     > added for the gif tunnel.
>
>     This looks like a case where you'd like to NAT then.
>
>     Use PF to say you'll be NATing, so that you can force the correct IP ?
>
>
> I am not sure I understand what you mean here, could you show me how you
> would do this ?
> You would NAT with the IPIP tunnel local address ?
>

The goal here is to force NATing the packets going through em0 to your
tunnel.
clientip -> em0 -> yourfirewall's_ip -> gif

This way, you can force the firewall to present packets to the gif
interface with a specific source IP from em0

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 29 05:09:49 2011
Date: Wed, 29 Jun 2011 14:42:33 +1000
From: Peter Jeremy
To: freebsd-pf@freebsd.org
Message-ID: <20110629044233.GB65891@pjdesk.au.alcatel-lucent.com>
Subject: Re: [PATCH] PF+dummynet

Following up on some very old mail...

On 2008-Nov-04 16:53:52 +0100, Ermal Luçi wrote:
>actually this is the latest against RELENG_7 which is confirmed to
>work with full features of pf(4) like route-to/reply-to etc...
>http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7/dummynet.RELENG_7.diff?rev=1.5
>
>The problem that is that i have yet to find time to post it here but
>since you have interest here it is.
>Its problem is that from the whole patches here
>http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7/

I'm looking at upgrading my PF+dummynet boxes from 7.x to 8.x and
notice that there have been significant change along the way. I
had a look at cvs.pfsense.org and it doesn't look like those patches
were ever updated.

Has anyone adapted the PF+dummynet patches for 8.x or 9.x?

-- 
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 29 05:53:18 2011
From: Chris Buechler
Date: Wed, 29 Jun 2011 01:24:32 -0400
To: Peter Jeremy
Cc: freebsd-pf@freebsd.org
Subject: Re: [PATCH] PF+dummynet

On Wed, Jun 29, 2011 at 12:42 AM, Peter Jeremy wrote:
> Following up on some very old mail...
>
> On 2008-Nov-04 16:53:52 +0100, Ermal Luçi wrote:
>>actually this is the latest against RELENG_7 which is confirmed to
>>work with full features of pf(4) like route-to/reply-to etc...
>>http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7/dummynet.RELENG_7.diff?rev=1.5
>>
>>The problem that is that i have yet to find time to post it here but
>>since you have interest here it is.
>>Its problem is that from the whole patches here
>>http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7/
>
> I'm looking at upgrading my PF+dummynet boxes from 7.x to 8.x and
> notice that there have been significant change along the way. I
> had a look at cvs.pfsense.org and it doesn't look like those patches
> were ever updated.
>
> Has anyone adapted the PF+dummynet patches for 8.x or 9.x?
>

Yeah, we moved off CVS years ago, most recent are in github.
https://github.com/bsdperimeter/pfsense-tools/tree/master/patches

RELENG_8_1 is the newest that's widely tested and deployed as that's
the basis of our 2.0 release. I'm not sure the status of 8_2 and 9.
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 29 08:50:08 2011
Date: Wed, 29 Jun 2011 10:26:34 +0200
From: Ermal Luçi
To: Peter Jeremy
Cc: freebsd-pf@freebsd.org
Subject: Re: [PATCH] PF+dummynet

On Wed, Jun 29, 2011 at 6:42 AM, Peter Jeremy wrote:
> Following up on some very old mail...
>
> On 2008-Nov-04 16:53:52 +0100, Ermal Luçi wrote:
>>actually this is the latest against RELENG_7 which is confirmed to
>>work with full features of pf(4) like route-to/reply-to etc...
>>http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7/dummynet.RELENG_7.diff?rev=1.5
>>
>>The problem that is that i have yet to find time to post it here but
>>since you have interest here it is.
>>Its problem is that from the whole patches here
>>http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7/
>
> I'm looking at upgrading my PF+dummynet boxes from 7.x to 8.x and
> notice that there have been significant change along the way. I
> had a look at cvs.pfsense.org and it doesn't look like those patches
> were ever updated.
>
> Has anyone adapted the PF+dummynet patches for 8.x or 9.x?
>

Well the patch is this
https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/dummynet.RELENG_8.diff

It should apply to 8.x without problems.
Some manual work for any rejection might be needed because of other
patches present in pfSense.
But it has been widely tested and works better than previously and
takes into consideration the fast_io of dummynet either.

Just as a note that if you want to use pf together with ipfw enabled
at layer2(net.link.ether.ipfw=1) there are some other tweaks to do.
You can find them as well in those patches folder.
> --
> Peter Jeremy
>

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 29 13:12:55 2011
From: "Bjoern A. Zeeb"
Date: Wed, 29 Jun 2011 13:12:50 +0000
To: Anton Yuzhaninov
Cc: freebsd-pf@FreeBSD.org
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On Jun 28, 2011, at 2:55 PM, Bjoern A. Zeeb wrote:

> On Jun 28, 2011, at 12:13 PM, Anton Yuzhaninov wrote:
>
>> -------- Original Message --------
>> Subject: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
>> Date: Tue, 28 Jun 2011 11:57:25 +0000 (UTC)
>> From: Bjoern A. Zeeb
>> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
>>
>> Author: bz
>> Date: Tue Jun 28 11:57:25 2011
>> New Revision: 223637
>> URL: http://svn.freebsd.org/changeset/base/223637
>>
>> Log:
>>  Update packet filter (pf) code to OpenBSD 4.5.
>>
>>  You need to update userland (world and ports) tools
>>  to be in sync with the kernel.
>>
>> --- End of Original Message --------
>>
>> This update breaks compatibility with previous pfsync(4) versions.
>> IMHO it should be mentioned in UPDATING.
>
> Indeed. I'll wait another couple of hours in case there are further
> things to mention and will update UPDATING then.

Done, thanks.

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 29 17:34:56 2011
Date: Wed, 29 Jun 2011 19:22:24 +0200
From: Fabian Keil
To: freebsd-pf@freebsd.org
Message-ID: <20110629192224.2283efc8@fabiankeil.de>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

"Bjoern A. Zeeb" wrote:

> Begin forwarded message:
>
> > From: "Bjoern A. Zeeb"
> > Date: June 28, 2011 11:57:25 AM GMT+00:00
> > To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
> > Subject: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
> >
> > Author: bz
> > Date: Tue Jun 28 11:57:25 2011
> > New Revision: 223637
> > URL: http://svn.freebsd.org/changeset/base/223637
> >
> > Log:
> >  Update packet filter (pf) code to OpenBSD 4.5.

Thanks!

> In short; please test!

I didn't experience any real problems yet, but running
Privoxy-Regression-Test, I reproducibly got this log message
for one of the tests:

Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6, found af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.

This didn't happen with the previous pf version.

I tracked it down to a test that does a connect()
to a local unbound port.

It's also reproducible for every address on the system with:

ifconfig -a | awk '/inet / {system("telnet "$2" 12345")}'

Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6, found af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6, found af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch!
dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6, found af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, found af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6, found af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6, found af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6.

12345 can be replaced with any unbound port it seems.

I'm additionally occasionally seeing the message for successfully
established connections (both internal and outgoing) but don't know
how to reproduce it.
Fabian

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 20:21:05 2011
Date: Thu, 30 Jun 2011 15:21:04 -0500
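The "state key linking mismatch" kernel messages from Fabian Keil's report above, run through a small triage parser that checks whether the printed "stored" and "found" keys differ at all and groups the hits by interface and a1 port. This is an added example, not code from the thread or from pf; the names a0/a1/stored/found follow the log text, the IPv4 host:port form is assumed from the lines shown, and the last sample line is constructed.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Kernel messages copied from the report above. The second one is kept as it
# appears in the raw archive (quoted-printable "=3D" plus flattened "= " soft
# line breaks) to exercise normalise(). The last line is constructed.
SAMPLE_LOG = [
    "Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT, "
    "if=lo1, stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6, "
    "found af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.",
    "Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=3DOUT, "
    "if= =3Dlo0, stored af=3D2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, "
    "prot= o=3D6, found af=3D2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, "
    "proto= =3D6.",
    "Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, "
    "if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, "
    "found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.",
    "Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, "
    "if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, "
    "found af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.",
    "Jun 29 18:30:50 r500 kernel: some unrelated message",
]

KEY_RE = re.compile(
    r"af=(\d+),\s*a0: (\S+):(\d+),\s*a1: (\S+):(\d+),\s*proto=(\d+)")
LINE_RE = re.compile(
    r"pf: state key linking mismatch! dir=(\w+),\s*if=([^,\s]+),\s*"
    r"stored (af=.*?proto=\d+),\s*found (af=.*?proto=\d+)\.")


class StateKey(NamedTuple):
    af: int
    a0: str
    a0_port: int
    a1: str
    a1_port: int
    proto: int


class Mismatch(NamedTuple):
    direction: str
    ifname: str
    stored: StateKey
    found: StateKey


def normalise(line: str) -> str:
    """Undo quoted-printable residue; lines without '=3D' are left untouched."""
    if "=3D" not in line:
        return line
    line = re.sub(r"=\s+", "", line)  # soft line break flattened to "= "
    return re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), line)


def parse_mismatch(line: str) -> Optional[Mismatch]:
    """Return the parsed record, or None if the line is not a mismatch message."""
    m = LINE_RE.search(normalise(line))
    if not m:
        return None
    keys = [KEY_RE.fullmatch(m.group(i)) for i in (3, 4)]
    if not all(keys):
        return None
    stored, found = (
        StateKey(int(k[1]), k[2], int(k[3]), k[4], int(k[5]), int(k[6]))
        for k in keys)
    return Mismatch(m.group(1), m.group(2), stored, found)


def summarise(lines) -> dict:
    """Count hits and show what the printed fields can and cannot distinguish."""
    hits = [m for m in map(parse_mismatch, lines) if m]
    return {
        "total": len(hits),
        # stored == found means the logged tuple alone does not explain the mismatch
        "identical_keys": sum(m.stored == m.found for m in hits),
        # a0 and a1 on the same address: a connection from the host to itself
        "same_host": sum(m.stored.a0 == m.stored.a1 for m in hits),
        "by_interface": dict(Counter(m.ifname for m in hits)),
        "a1_ports": dict(Counter(m.stored.a1_port for m in hits)),
    }


if __name__ == "__main__":
    for name, value in summarise(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```
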
From: Espartano
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Subject: Re: Reboot after start pf on ALIX board

> Well, you want to try things in this order:
>
>
> 1/ rebuild a kernel without VIMAGE and try again, while you're at it
> enable debug options like the KDTRACE hooks and such.
>
> makeoptions     DEBUG=-g          # Build kernel with gdb(1) debug symbols
> options         KDB               # Kernel debugger related code
> options         KDTRACE_FRAME     # Ensure frames are compiled in
> options         KDTRACE_HOOKS     # Kernel DTrace hooks
>
>

Ok I rebuilt my NanoBSD image without options VIMAGE and the system
now is very stable, when pf is activated the system doesn't reboot.

>
> 2/ enable kernel crash dumps, reproduce problem, obtain a dump for analysis.
>

I have been trying to get a kernel dump file since 2 days ago to send it
to you but when I try to compile the new kernel, with options vimage and
the other options that you had mentioned, KDB KDTRACE_FRAME and
KDTRACE_HOOKS, I get this error in the build kernel log file:

/usr/src/sys/i386/conf/ZROUTER: unknown option "KDTRACE_FRAME"

Searching a little into FreeBSD handbook I found this:

######### HANDBOOK NOTE #########

Note: Users of the AMD64 architecture will want to add the following
line to their kernel configuration file:

options         KDTRACE_FRAME

This option provides support for the FBT feature. DTrace will work
without this option; however, there will be limited support for
function boundary tracing.
######### END HANDBOOK NOTE #########

However the alix board processor is not AMD64 based, it is an x86
based processor, 32 bits.

Now my question is: is it good enough for you to only have the next
options enabled:

makeoptions     DEBUG=-g
options         KDB               # Kernel debugger related code
options         KDB_TRACE         # Print a stack trace for a panic
options         KDTRACE_HOOKS     # Kernel DTrace hooks
options         DDB_CTF

Thanks a lot.

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 30 21:32:46 2011
Message-ID: <4E0CE53B.4060200@gmx.de>
Date: Thu, 30 Jun 2011 23:06:03 +0200
From: olli hauer
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On 2011-06-28 13:58, Bjoern A. Zeeb wrote:
> Begin forwarded message:
>
>> From: "Bjoern A. Zeeb"
>> Date: June 28, 2011 11:57:25 AM GMT+00:00
>> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
>> Subject: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
>>
>> Author: bz
>> Date: Tue Jun 28 11:57:25 2011
>> New Revision: 223637
>> URL: http://svn.freebsd.org/changeset/base/223637
>>
>> Log:
>>  Update packet filter (pf) code to OpenBSD 4.5.
>>
>>  You need to update userland (world and ports) tools
>>  to be in sync with the kernel.
>>
>>  Submitted by: mlaier
>>  Submitted by: eri
>
>
> In short; please test!
>

Haven't had time to test, hopefully later this weekend.

The structure pfioc_state_kill is wrongly documented, wrong documentation
was also present in OpenBSD45.
See also PR 143504.

Maybe it's also a good idea to look into the patches submitted shortly
after OpenBSD45 release (~2 - 6 weeks later) before the major
rewrite has started.

from: sys/contrib/pf/net/pfvar.h
==================================
struct pfioc_state_kill {
        struct pf_state_cmp     psk_pfcmp;
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
        char                    psk_label[PF_RULE_LABEL_SIZE];
        u_int                   psk_killed;
};

Fix for documentation:

Index: contrib/pf/man/pf.4 =================================================================== --- contrib/pf/man/pf.4 (revision 223637) +++ contrib/pf/man/pf.4 (working copy) @@ -308,7 +308,7 @@ .It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk" Remove matching entries from the state table. This ioctl returns the number of killed states in -.Va psk_af . +.Va psk_killed . .Bd -literal struct pfioc_state_kill { sa_family_t psk_af; 
@@ -316,6 +316,8 @@ struct pf_rule_addr psk_src; struct pf_rule_addr psk_dst; char psk_ifname[IFNAMSIZ]; + char psk_label[PF_RULE_LABEL_SIZE]; + u_int psk_killed; }; .Ed .It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk"
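Review bot: the struct listing patched in the second hunk (@@ -316,6 +316,8 @@) still does not match the pfvar.h definition quoted earlier in this message, because the man page listing opens with "sa_family_t psk_af;" (last context line of the first hunk) while the header has "struct pf_state_cmp psk_pfcmp;" as its first member. Add psk_pfcmp ahead of psk_af in the .Bd -literal block, otherwise a reader who builds the ioctl argument from pf.4 gets the wrong layout. The same struct is the argument of DIOCCLRSTATES (context line at the end of this hunk), so it is worth checking whether that entry should mention psk_killed as well.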
From owner-freebsd-pf@FreeBSD.ORG Sat Jul 2 15:40:43 2011
Message-ID: <4E0F3A2D.60409@userid.org>
Date: Sat, 02 Jul 2011 11:33:01 -0400
From: Pierre Lamy
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: Fabian Keil
References: <201106281157.p5SBvP5g048097@svn.freebsd.org> <20110629192224.2283efc8@fabiankeil.de>
In-Reply-To: <20110629192224.2283efc8@fabiankeil.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-userid-MailScanner-Information: Please contact the ISP for more information
X-userid-MailScanner-ID: 426C52C77B4.A44A0
X-userid-MailScanner: Found to be clean
X-userid-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.599, required 6, J_CHICKENPOX_33 0.60, NO_RELAYS -0.00)
X-userid-MailScanner-From: pierre@userid.org
X-Spam-Status: No
Cc: freebsd-pf@freebsd.org
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 02 Jul 2011 15:40:43 -0000

On 6/29/2011 1:22 PM, Fabian Keil wrote:
> "Bjoern A. Zeeb" wrote:
>
>> Begin forwarded message:
>>
>>> From: "Bjoern A. Zeeb"
>>> Date: June 28, 2011 11:57:25 AM GMT+00:00
>>> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
>>> Subject: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
>>>
>>> Author: bz
>>> Date: Tue Jun 28 11:57:25 2011
>>> New Revision: 223637
>>> URL: http://svn.freebsd.org/changeset/base/223637
>>>
>>> Log:
>>> Update packet filter (pf) code to OpenBSD 4.5.
> Thanks!
>
>> In short; please test!
> I didn't experience any real problems yet, but running
> Privoxy-Regression-Test, I reproducibly got this log message
> for one of the tests:
>
> Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6, found af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.
>
> This didn't happen with the previous pf version.
>
> I tracked it down to a test that does a connect()
> to a local unbound port.
>
> It's also reproducible for every address on the system with:
>
> ifconfig -a | awk '/inet / {system("telnet "$2" 12345")}'
>
> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6, found af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6.
> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6, found af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6.
> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6, found af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, found af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6, found af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6.
> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6, found af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6.
>
> 12345 can be replaced with any unbound port it seems.
>
> I'm additionally occasionally seeing the message for successfully
> established connections (both internal and outgoing) but don't
> know how to reproduce it.
>
> Fabian

I also get the state key mismatch problem; it seems that pf is leaking states (I assume this is the same problem). I also see a strange NAT issue, internal IPs leak somewhat on the outside int. Eventually the system runs out of state entry slots and connectivity is lost. This is on a -current kernel from ~Jun 30, after the 4.5 import.

tun0: flags=8151 metric 0 mtu 1492
        options=80000
        inet6 fe80::290:bff:fe1a:a674%tun0 prefixlen 64 scopeid 0xf
        inet6 2607:f0b0:0:1:290:bff:fe1a:a674 prefixlen 64 autoconf
        inet 216.106.102.33 --> 209.87.255.1 netmask 0xffffffff
        nd6 options=23
        Opened by PID 3446

em0 is on the 192.168.3/24 network

[/var/preserve/root] # tcpdump -i tun0 net 192.168.3.0 mask 255.255.255.0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
11:22:37.030244 IP 192.168.3.99 > 190.252.34.186: ICMP pandora.userid.org udp port 16881 unreachable, length 134
11:24:03.137016 IP 192.168.3.99 > 190.252.34.186: ICMP pandora.userid.org udp port 16881 unreachable, length 98

Relevant pf.conf lines:

int_if = "em0"
ext_if = "tun0"
# NAT
nat on $ext_if from $int_if:network to any -> ($ext_if)

Here is the info about states leaking:

State Table                          Total             Rate
  current entries                   108488

[/var/preserve/root] # pfctl -F states
1003 states cleared
[/var/preserve/root] # pfctl -s info
Status: Enabled for 0 days 02:21:18           Debug: Urgent

Interface Stats for tun0              IPv4             IPv6
  Bytes In                      1252327614          1907903
  Bytes Out                      373783492          1429003
  Packets In
    Passed                         1341017            12360
    Blocked                          45437              831
  Packets Out
    Passed                         1186359            13441
    Blocked                           1641             3724

State Table                          Total             Rate
  current entries                   125127

States aren't getting cleared properly. Below is a sample of the state key linking mismatch problem:

Jul 2 11:28:17 pyr7535 kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0:
Jul 2 11:28:17 pyr7535 kernel: 192.168.3.238:55590, a1: 216.106.102.33
Jul 2 11:28:18 pyr7535 kernel: :18825, proto=6
Jul 2 11:28:18 pyr7535 kernel: , found af=2, a0: 192.168.3.238
Jul 2 11:28:18 pyr7535 kernel: :55590, a1:
Jul 2 11:28:18 pyr7535 kernel: 216.106.102.33:18825
Jul 2 11:28:18 pyr7535 kernel: , proto=6.
Jul 2 11:28:18 pyr7535 kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825, proto=6, found af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825, proto=6.
Jul 2 11:28:19 pyr7535 kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0: 192.168.3.238
Jul 2 11:28:19 pyr7535 kernel: :55590, a1:
Jul 2 11:28:19 pyr7535 kernel: 216.106.102.33:18825
Jul 2 11:28:19 pyr7535 kernel: , proto=6, found af=2, a0:
Jul 2 11:28:19 pyr7535 kernel: 192.168.3.238:55590
Jul 2 11:28:19 pyr7535 kernel: , a1: 216.106.102.33
Jul 2 11:28:19 pyr7535 kernel: :18825, proto=6.
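
The "state key linking mismatch" kernel messages quoted above arrive split across several syslog lines, which makes them awkward to count or compare. The following is an added example, not part of the original message or of pf: a parser that reassembles the fragments and reports whether the stored and found keys printed in each message are identical. The function names, the host name "fw" and the sample addresses are assumptions made for the example; it also assumes fragments join with no separator and that no unrelated kernel line lands in the middle of a message.

```python
import re
from collections import Counter

START = "pf: state key linking mismatch!"
# Syslog prefix as in the quoted logs: "Jul  2 11:28:17 host kernel: <payload>"
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ kernel: ?(.*)$")
KEY = r"af=(\d+),\s*a0:\s*([^,\s]+),\s*a1:\s*([^,\s]+),\s*proto=(\d+)"
MSG = re.compile(re.escape(START) + r"\s*dir=(\w+),\s*if=([^,\s]+),\s*stored\s*"
                 + KEY + r",\s*found\s*" + KEY + r"\.")

# Constructed sample (documentation addresses, hypothetical host "fw"); the
# first message is split across syslog lines, as in the quoted sample.
SAMPLE = """\
Jul  2 11:28:17 fw kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0:
Jul  2 11:28:17 fw kernel: 192.0.2.10:55590, a1: 198.51.100.7
Jul  2 11:28:18 fw kernel: :18825, proto=6, found af=2, a0: 192.0.2.10:55590
Jul  2 11:28:18 fw kernel: , a1: 198.51.100.7:18825, proto=6.
Jul  2 11:28:19 fw kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
Jul  2 11:28:20 fw kernel: em0: link state changed to UP
"""

def parse_mismatches(text, max_len=512):
    """Reassemble fragmented messages and return one dict per mismatch."""
    events, buf = [], None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        payload = m.group(1).strip()
        if payload.startswith(START):
            buf = payload                 # new message; drop any stale partial
        elif buf is not None:
            buf += payload                # continuation fragment
        else:
            continue                      # unrelated kernel line
        hit = MSG.search(buf)
        if hit:
            direction, ifname, *keys = hit.groups()
            stored, found = tuple(keys[:4]), tuple(keys[4:])
            events.append({"dir": direction, "if": ifname, "stored": stored,
                           "found": found, "identical": stored == found})
            buf = None
        elif len(buf) > max_len:
            buf = None                    # never completed; give up on it
    return events

def per_interface(events):
    return Counter(e["if"] for e in events)
```

Feeding it the relevant part of /var/log/messages and watching per_interface() alongside the "current entries" figure from pfctl -s info shows whether the mismatch messages and the state table growth rise together.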