From owner-freebsd-pf@FreeBSD.ORG Mon Jul 11 11:07:08 2011
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 11 Jul 2011 11:07:07 GMT
Message-Id: <201107111107.p6BB77M9077066@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/158636  pf         [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

47 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 11 12:03:01 2011
From: Murat SÜRÜCÜ <msurucu@karaelmas.edu.tr>
To: freebsd-pf@freebsd.org
Date: Mon, 11 Jul 2011 15:02:54 +0300
Message-ID: <010b01cc3fc2$7763b450$662b1cf0$@karaelmas.edu.tr>
Subject: FreeBSD 8.2 + pf + ipfw (dummynet)

Hello,

I used PF and dummynet together for about two years and it worked fine.
Recently I upgraded the system from 7.2 to 8.2 and dummynet doesn't work
anymore.

If any packet belonging to the client IP is put into any pipe, it is dropped
and pflog says it was blocked by the last pf rule, but it matched a previous
rule. If I disable (flush) the ipfw rules, packets pass normally.

Does anybody have the same experience?

http://forums.freebsd.org/showthread.php?t=24947

Thanks.

Murat

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 11 21:58:51 2011
From: Ermal Luçi <ermal.luci@gmail.com>
To: Murat SÜRÜCÜ
Cc: freebsd-pf@freebsd.org
Date: Mon, 11 Jul 2011 23:58:50 +0200
In-Reply-To: <010b01cc3fc2$7763b450$662b1cf0$@karaelmas.edu.tr>
Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)

2011/7/11 Murat SÜRÜCÜ:
> Hello,
>
> I used PF and dummynet together for about two years and it worked fine.
> Recently I upgraded the system from 7.2 to 8.2 and dummynet doesn't work
> anymore.
> If any packet belonging to the client IP is put into any pipe, it is dropped
> and pflog says it was blocked by the last pf rule, but it matched a previous
> rule.
> If I disable (flush) the ipfw rules, packets pass normally.
>
> Does anybody have the same experience?

You have to make sure the ipfw module is loaded first, otherwise you will hit
pf states twice, which will drop them as you see.

>
> http://forums.freebsd.org/showthread.php?t=24947
>
> Thanks.
>
> Murat
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 12 05:54:55 2011
From: Murat SÜRÜCÜ <msurucu@karaelmas.edu.tr>
To: 'Ermal Luçi'
Cc: freebsd-pf@freebsd.org
Date: Tue, 12 Jul 2011 08:54:50 +0300
Message-ID: <002601cc4058$36a5b170$a3f11450$@karaelmas.edu.tr>
In-Reply-To: (Ermal Luçi's reply above)
Subject: RE: FreeBSD 8.2 + pf + ipfw (dummynet)

Thanks for the reply.

IPFW is a kernel module, PF is a loadable module in my config. And this config
ran normally when the version was 7.2.

Murat

-----Original Message-----
From: ermal.luci@gmail.com [mailto:ermal.luci@gmail.com] On Behalf Of Ermal Luçi
Sent: Tuesday, July 12, 2011 12:59 AM
To: Murat SÜRÜCÜ
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)

2011/7/11 Murat SÜRÜCÜ:
> Hello,
>
> I used PF and dummynet together for about two years and it worked fine.
> Recently I upgraded the system from 7.2 to 8.2 and dummynet doesn't work
> anymore.
> If any packet belonging to the client IP is put into any pipe, it is dropped
> and pflog says it was blocked by the last pf rule, but it matched a previous
> rule.
> If I disable (flush) the ipfw rules, packets pass normally.
>
> Does anybody have the same experience?

You have to make sure the ipfw module is loaded first, otherwise you will hit
pf states twice, which will drop them as you see.

>
> http://forums.freebsd.org/showthread.php?t=24947
>
> Thanks.
>
> Murat
>

--
Ermal
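The advice in this exchange (load ipfw before pf, or every packet sent through a dummynet pipe is re-injected and hits the pf state a second time) is easy to state and easy to get wrong on a box where one filter comes from /boot/loader.conf and the other from rc.conf. As an added check that is not part of the thread, the shell function below reads kldstat(8) output and says which of the two modules came up first. It assumes that kldstat hands out module Ids in load order (a lower Id means the module was linked into the running kernel earlier) and that an ipfw built into the kernel has no ipfw.ko line at all. The two kldstat listings are constructed samples, not captures from the poster's machine.

```sh
#!/bin/sh
# Added example, not from the thread: apply the advice above mechanically by
# checking, from kldstat(8) output, that ipfw was loaded before pf.
#
# Assumption (ours): kldstat assigns module Ids in load order, so a lower Id
# means the module was linked into the running kernel earlier. An ipfw built
# into the kernel (options IPFIREWALL) has no ipfw.ko line at all; it is part
# of "kernel" (Id 1) and so cannot come after pf.ko.

# ipfw_before_pf: read kldstat output on stdin and print one verdict:
#   ok        ipfw.ko has a lower Id than pf.ko (loaded first)
#   pf-first  pf.ko was loaded before ipfw.ko (the case warned about above)
#   no-pf     pf.ko is not loaded as a module
#   no-ipfw   ipfw.ko is not loaded as a module (built in, or absent)
ipfw_before_pf() {
    awk '
        NR == 1 { next }                     # skip the "Id Refs Address ..." header
        $NF == "ipfw.ko" { ipfw = $1 }
        $NF == "pf.ko"   { pf = $1 }
        END {
            if (pf == "")   { print "no-pf";   exit }
            if (ipfw == "") { print "no-ipfw"; exit }
            if (ipfw + 0 < pf + 0) print "ok"; else print "pf-first"
        }'
}

# Constructed kldstat listings (not captured from the poster's machine);
# the address and size columns are placeholders.
KLDSTAT_GOOD='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 f7c6a8   kernel
 2    1 0xffffffff81a12000 2e5a0    ipfw.ko
 3    1 0xffffffff81a41000 48d20    pf.ko'

KLDSTAT_BAD='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 f7c6a8   kernel
 2    1 0xffffffff81a12000 48d20    pf.ko
 3    1 0xffffffff81a5a000 2e5a0    ipfw.ko'

# On a live system the call is simply:  kldstat | ipfw_before_pf
printf '%s\n' "$KLDSTAT_GOOD" | ipfw_before_pf    # prints: ok
printf '%s\n' "$KLDSTAT_BAD"  | ipfw_before_pf    # prints: pf-first
```

Run kldstat | ipfw_before_pf after boot rather than reasoning about where each module is loaded from. If it prints pf-first, move the ipfw load earlier, for instance by loading ipfw from /boot/loader.conf so that it is already present when rc.d/pf loads pf.ko, and check again. The function only reports which module was loaded first, which is the condition the reply above asks for; it does not inspect the packet filter hooks themselves.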
From owner-freebsd-pf@FreeBSD.ORG Wed Jul 13 01:08:13 2011
From: Peter Jeremy <peter.jeremy@alcatel-lucent.com>
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Date: Wed, 13 Jul 2011 11:00:29 +1000
Message-ID: <20110713010029.GE65891@pjdesk.au.alcatel-lucent.com>
Subject: Re: [PATCH] PF+dummynet

On 2011-Jun-29 16:26:34 +0800, Ermal Luçi wrote:
>On Wed, Jun 29, 2011 at 6:42 AM, Peter Jeremy wrote:
>> Has anyone adapted the PF+dummynet patches for 8.x or 9.x?
>
>Well the patch is this
>https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/dummynet.RELENG_8.diff
>It should apply to 8.x without problems.
>Some manual work for any rejection might be needed because of other
>patches present in pfSense.

I notice that the issue of pipe/queue configuration has been excised
from pfctl(8) and relies on ipfw(8) (hopefully only as a stopgap).
Having looked at how ipfw(4) and dummynet(4) have been roto-tilled,
I can understand why, but this is not especially convenient for me
and I'm looking at implementing the missing functionality.

There appear to be two possible approaches to move forward:
1) Include ipfw/dummynet.c into pfctl(8) and modify pfctl/parse.y
   to accumulate pipe/queue configuration options into an argv array
   that can be passed to ipfw_config_pipe().
2) Implement the functional equivalent of ipfw/dummynet.c::ipfw_config_pipe()
   in pfctl/parse.y.

The former approach looks simpler (apart from the code to collect the
arguments into an argv array, there are 8 fairly simple support
functions that need to be implemented or copied from ipfw) but it's
not clear that the error handling approaches are compatible.  The
latter appears to be more work and results in more code duplication
but maintains better internal consistency in pfctl.

(The other two approaches I considered but discarded were to use
ipfw(8) for configuration or to copy struct dn_pipe{7,8} from
ip_dn_glue.c and continue to use the deprecated IP_DUMMYNET_CONFIGURE
interface.)

Has the pfSense Project looked at how it will implement pipe/queue
configuration?  And, if so, what approach will you be using?

--
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 13 13:59:37 2011
From: Mario Lobo <lobo@bsd.com.br>
To: freebsd-pf@FreeBSD.org
Cc: freebsd-questions@freebsd.org
Date: Wed, 13 Jul 2011 10:26:59 -0300
Message-Id: <201107131026.59401.lobo@bsd.com.br>
Subject: Problem with PF reply-to

Hi;

I have the following scenario.
FreeBSD 8.2-STABLE FreeBSD 8.2-STABLE #0: Thu May 19 19:53:59 BRT 2011  i386

I want to be able to connect to either of the 2 external IPs this machine has.

### pf.conf excerpt

ext_if1 = "sis0"          # 1M link, default gateway
ext_if2 = "rl0"           # 2M link
aln_if  = "dc0"           # internal LAN

ext_gw1 = A.A.A.A
ext_gw2 = B.B.B.B

my_ext_ip1 = a.a.a.a
my_ext_ip2 = b.b.b.b

nat on $ext_if1 from any to any -> $my_ext_ip1 port 1024:65535
nat on $ext_if2 from any to any -> $my_ext_ip2 port 1024:65535

1) ----------------------------------------- # balance the load

pass in log quick on $aln_if route-to ($ext_if2 $ext_gw2) from \
    $aln_if:network to any flags S/SA keep state tag to_out probability 70%

pass in log quick on $aln_if route-to ($ext_if1 $ext_gw1) from \
    $aln_if:network to any flags S/SA keep state tag to_out

2) ----------------------------------------- # allow ssh on ext_ifs

a) pass in log quick on $ext_if1 inet proto tcp from any to any port $SshPort \
    flags S/SA modulate state (max 30, source-track rule, max-src-nodes 10, \
    max-src-states 2, max-src-conn 2, max-src-conn-rate 2/60, overload )

b) pass in log quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to any port $SshPort flags S/SA keep state (max 30, source-track \
    rule, max-src-nodes 10, max-src-states 2, max-src-conn 2, max-src-conn-rate \
    2/60, overload )                                                ( RULE 8 )

[snip][snip]......

3) -----------------------------------------

pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Also tried:

pass out quick on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out quick on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

block log all                                                       ( RULE 163 )

### end of pf.conf excerpt

Everything under 1) works fine.

Under 2), a) works, b) does not.

When I try to connect to $SshPort through the 2M link (b.b.b.b), I connect to
the server, but the return packet neither obeys the reply-to on rule b), nor
matches any of the pass outs under 3), and goes straight to the block rule, as
you can see below.

[$]> tcpdump -n -e -ttt -i pflog0 host 187.113.99.63     (my home IP)

The packet arrives and matches rule b)/8 and should create a state:

00:00:00.000000 rule 8/0(match): pass in on rl0: 187.113.99.63.25806 > b.b.b.b.22: [|tcp]

but...

00:00:00.000108 rule 163/0(match): block out on sis0: a.a.a.a.8947 > 187.113.99.63.25806: [|tcp]
00:00:03.000057 rule 163/0(match): block out on sis0: a.a.a.a.65060 > 187.113.99.63.25806: [|tcp]
00:00:03.199931 rule 163/0(match): block out on sis0: a.a.a.a.20213 > 187.113.99.63.25806: [|tcp]
00:00:03.199618 rule 163/0(match): block out on sis0: a.a.a.a.19748 > 187.113.99.63.25806: [|tcp]
00:00:03.200044 rule 163/0(match): block out on sis0: a.a.a.a.1600 > 187.113.99.63.25806: [|tcp]
00:00:03.199767 rule 163/0(match): block out on sis0: a.a.a.a.45513 > 187.113.99.63.25806: [|tcp]
00:00:06.205048 rule 163/0(match): block out on sis0: a.a.a.a.17925 > 187.113.99.63.25806: [|tcp]

It tries to go back to me on the wrong interface (sis0 and NOT rl0), the wrong
IP (a.a.a.a and NOT b.b.b.b), and from several wrong port numbers, not port 22.

Questions:

1) sshd is listening on *.22. I know that the default gateway is not on rl0,
   but isn't that what reply-to is supposed to beat? If I understood correctly,
   wasn't reply-to supposed to make the packet go back through the specified
   ($ext_if2 $ext_gw2)?

2) Wasn't a state created when the pass rule b)/8 matched? If so, where is it?

What am I doing wrong here?

Thanks for any hints.

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)
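The trace in the post above is short enough to read by eye, but on a busier multi-WAN box the same question (did the reply to an inbound state leave on the interface, address and port the state implies?) is worth answering mechanically. The Python script below is an added example, not part of the original post and not pf's own tooling: it parses lines of the tcpdump -n -e -ttt -i pflog0 shape quoted above, pairs each inbound "pass in" entry with the later outbound "block" entries addressed to the same peer, and lists which of interface, source address and source port differ from what the inbound state would lead you to expect. The addresses in the embedded sample are constructed stand-ins from the RFC 5737 documentation ranges for the poster's anonymised a.a.a.a, b.b.b.b and home IP; the healthy second session and its rule 12 are hypothetical and exist only to show a case that is not flagged.

```python
"""Correlate pflog output to spot replies that leave on the wrong interface.

Added example, not part of the original post or of pf itself. It parses
lines of the 'tcpdump -n -e -ttt -i pflog0' form quoted above, pairs each
inbound 'pass' entry (the packet that should have created state) with later
outbound 'block' entries addressed to the same peer, and reports how the
blocked reply differs from what that state would lead you to expect.
"""
import re
import sys
from dataclasses import dataclass

# One pflog line, e.g.
# 00:00:00.000108 rule 163/0(match): block out on sis0: 203.0.113.5.8947 > 198.51.100.7.25806: [|tcp]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Entry:
    rule: int
    action: str     # "pass" or "block"
    direction: str  # "in" or "out"
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    peer: str          # remote address:port the reply was addressed to
    in_rule: int       # rule that passed the inbound packet
    block_rule: int    # rule that blocked the reply
    expected_if: str   # interface the inbound packet arrived on
    actual_if: str     # interface the reply tried to leave on
    expected_src: str  # local address:port the inbound packet was sent to
    actual_src: str    # source address:port of the blocked reply

    def mismatches(self):
        """Names of the fields in which the blocked reply deviates."""
        exp_addr, exp_port = self.expected_src.split(":")
        act_addr, act_port = self.actual_src.split(":")
        out = ["interface"] if self.expected_if != self.actual_if else []
        if exp_addr != act_addr:
            out.append("address")
        if exp_port != act_port:
            out.append("port")
        return out


def parse_pflog(text):
    """Parse pflog lines into Entry objects; lines of other shapes are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m["rule"]), m["action"], m["dir"], m["ifname"],
                                 m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return entries


def find_misrouted_replies(entries):
    """Pair 'pass in' entries with later 'block out' entries to the same peer.

    The inbound pass, keyed by (peer address, peer port), stands in for the
    state pf should have created; any later outbound block addressed to that
    peer is a reply that did not match the state, so record where it went.
    """
    inbound, findings = {}, []
    for e in entries:
        if e.action == "pass" and e.direction == "in":
            inbound[(e.src, e.sport)] = e
        elif e.action == "block" and e.direction == "out":
            origin = inbound.get((e.dst, e.dport))
            if origin is None:
                continue  # no inbound state known for this peer: not our case
            findings.append(Finding(
                peer=f"{e.dst}:{e.dport}", in_rule=origin.rule, block_rule=e.rule,
                expected_if=origin.ifname, actual_if=e.ifname,
                expected_src=f"{origin.dst}:{origin.dport}",
                actual_src=f"{e.src}:{e.sport}"))
    return findings


# Constructed sample (RFC 5737 addresses standing in for the post's a.a.a.a,
# b.b.b.b and home IP). Session 1 mirrors the failing trace above; session 2
# is a healthy one that must not be flagged, and its rule 12 is hypothetical.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 8/0(match): pass in on rl0: 198.51.100.7.25806 > 203.0.113.22.22: [|tcp]
00:00:00.000108 rule 163/0(match): block out on sis0: 203.0.113.5.8947 > 198.51.100.7.25806: [|tcp]
00:00:03.000057 rule 163/0(match): block out on sis0: 203.0.113.5.65060 > 198.51.100.7.25806: [|tcp]
00:00:03.199931 rule 163/0(match): block out on sis0: 203.0.113.5.20213 > 198.51.100.7.25806: [|tcp]
00:00:00.000512 rule 8/0(match): pass in on rl0: 198.51.100.9.40001 > 203.0.113.22.22: [|tcp]
00:00:00.000020 rule 12/0(match): pass out on rl0: 203.0.113.22.22 > 198.51.100.9.40001: [|tcp]
"""

if __name__ == "__main__":
    # With pflog piped in ("tcpdump -n -e -ttt -i pflog0 | python3 this.py")
    # the live data is analysed; with no pipe, the embedded sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFLOG
    for f in find_misrouted_replies(parse_pflog(text)):
        print(f"reply to {f.peer}: blocked by rule {f.block_rule}, left on "
              f"{f.actual_if} as {f.actual_src} instead of {f.expected_if} as "
              f"{f.expected_src}; mismatch in {', '.join(f.mismatches())}")
```

On the trace in the post every blocked packet comes out with all three mismatches. One thing the address and port mismatch makes visible: a source of a.a.a.a with a port in 1024:65535, rather than b.b.b.b:22, is what the "nat on $ext_if1 ... -> $my_ext_ip1 port 1024:65535" rule in the excerpt produces for any packet leaving sis0, the host's own replies included, so the log is at least consistent with the reply having been sent towards the default gateway and translated on sis0 rather than being matched against the state created on rl0. The script only reports the discrepancy; it does not establish why the state was not matched.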
From owner-freebsd-pf@FreeBSD.ORG Wed Jul 13 15:35:46 2011
From: Ermal Luçi <ermal.luci@gmail.com>
To: Peter Jeremy
Cc: freebsd-pf@freebsd.org
Date: Wed, 13 Jul 2011 17:35:44 +0200
In-Reply-To: <20110713010029.GE65891@pjdesk.au.alcatel-lucent.com>
Subject: Re: [PATCH] PF+dummynet

On Wed, Jul 13, 2011 at 3:00 AM, Peter Jeremy wrote:
> On 2011-Jun-29 16:26:34 +0800, Ermal Luçi wrote:
>>On Wed, Jun 29, 2011 at 6:42 AM, Peter Jeremy wrote:
>>> Has anyone adapted the PF+dummynet patches for 8.x or 9.x?
>>
>>Well the patch is this
>>https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/dummynet.RELENG_8.diff
>>It should apply to 8.x without problems.
>>Some manual work for any rejection might be needed because of other
>>patches present in pfSense.
>
> I notice that the issue of pipe/queue configuration has been excised
> from pfctl(8) and relies on ipfw(8) (hopefully only as a stopgap).
> Having looked at how ipfw(4) and dummynet(4) have been roto-tilled,
> I can understand why, but this is not especially convenient for me
> and I'm looking at implementing the missing functionality.
>
> There appear to be two possible approaches to move forward:
> 1) Include ipfw/dummynet.c into pfctl(8) and modify pfctl/parse.y
>    to accumulate pipe/queue configuration options into an argv array
>    that can be passed to ipfw_config_pipe().
> 2) Implement the functional equivalent of ipfw/dummynet.c::ipfw_config_pipe()
>    in pfctl/parse.y.
>
> The former approach looks simpler (apart from the code to collect the
> arguments into an argv array, there are 8 fairly simple support
> functions that need to be implemented or copied from ipfw) but it's
> not clear that the error handling approaches are compatible.  The
> latter appears to be more work and results in more code duplication
> but maintains better internal consistency in pfctl.
>

This feels hackish. I reverted from having the pipes configured in pfctl
because it will be a catching game with ipfw.

To me it seems quite awkward that you cannot use ipfw to do all the
configuration and just use the pipe/queue numbers for sending traffic to it
from pfctl. This is the way it is done in pfSense and it works very well.

This is the same analogy ipfw uses for altq configuration, iirc.

The only thing I have considered improving is using names, as in altq, instead
of numbers. Though this is a nice-to-have rather than a must.

To me something that is glued onto ipfw should stay there, as it will get the
best support. Possibly splitting dummynet configuration out to dnctl might
have an argument.

> (The other two approaches I considered but discarded were to use
> ipfw(8) for configuration or to copy struct dn_pipe{7,8} from
> ip_dn_glue.c and continue to use the deprecated IP_DUMMYNET_CONFIGURE
> interface.)
>
> Has the pfSense Project looked at how it will implement pipe/queue
> configuration?  And, if so, what approach will you be using?
>

pfSense has had support for dummynet in pf(4) on its 2.0 branch for a really
long time now. It works very well in many setups tested.

> --
> Peter Jeremy
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Jul 13 22:49:44 2011
From: Mario Lobo <lobo@bsd.com.br>
To: freebsd-pf@FreeBSD.org
Cc: freebsd-questions@freebsd.org
Date: Wed, 13 Jul 2011 19:48:33 -0300
Message-Id: <201107131948.34051.lobo@bsd.com.br>
In-Reply-To: <201107131026.59401.lobo@bsd.com.br>
Subject: Re: Problem with PF reply-to [SOLVED]

On Wednesday 13 July 2011 10:26:59 Mario Lobo wrote:
> Hi;
>
> I have the following scenario.
> > FreeBSD 8.2-STABLE FreeBSD 8.2-STABLE #0: Thu May 19 19:53:59 BRT 2011 > i386 > > I want to be able to connect to any of the 2 external IPs this machine has. > > ### pf.conf excerpt > > ext_if1 = sis0 (1M link. default gateway) > ext_if2 = rl0 (2M link) > aln_if = dc0 (Internal LAN) > > ext_gw1 = A.A.A.A > ext_gw2 = B.B.B.B > > my_ext_ip1 = a.a.a.a > my_ext_ip2 = b.b.b.b > > > nat on $ext_if1 from any to any -> $my_ext_ip1 port 1024:65535 > nat on $ext_if2 from any to any -> $my_ext_ip2 port 1024:65535 > > 1) ----------------------------------------- # balance the load > > pass in log quick on $aln_if route-to ($ext_if2 $ext_gw2) from \ > $aln_if:network to any flags S/SA keep state tag to_out probability 70% > > pass in log quick on $aln_if route-to ($ext_if1 $ext_gw1) from \ > $aln_if:network to any flags S/SA keep state tag to_out > > 2) ----------------------------------------- # allow ssh on ext_ifs > > a)pass in log quick on $ext_if1 inet proto tcp from any to any port > $SshPort \ flags S/SA modulate state (max 30, source-track rule, > max-src-nodes 10,\ max-src-states 2, max-src-conn 2, max-src-conn-rate > 2/60, overload ) > > b)pass in log quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp > \ from any to any port $SshPort flags S/SA keep state (max 30, > source-track \ rule, max-src-nodes 10, max-src-states 2, max-src-conn 2, > max-src-conn-rate\ 2/60, overload ) ( RULE 8 ) > > > [snip][snip]...... > > > 3) ----------------------------------------- > > pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to > any pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 > to any > > Also tried: > > pass out quick on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to > any pass out quick on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 > to any > > block log all ( RULE 163 ) > > > ### end of pf.conf excerpt > > > Everything under 1) works fine. > > Under 2), a) works, b) not working. 
>
> When I try to connect to $SshPort through the 2M link (b.b.b.b), I connect
> to the server, but the return packet neither obeys the reply-to on rule
> b), nor matches any of the pass outs under 3), and goes straight to the
> block rule, as you can see below.
>
> [$]> tcpdump -n -e -ttt -i pflog0 host 187.113.99.63 (my home IP)
>
> Packet arrives and matches rule b)/8 and should create a state;
>
> 00:00:00.000000 rule 8/0(match): pass in on rl0: 187.113.99.63.25806 > b.b.b.b.22: [|tcp]
>
> but...
>
> 00:00:00.000108 rule 163/0(match): block out on sis0: a.a.a.a.8947 > 187.113.99.63.25806: [|tcp]
> 00:00:03.000057 rule 163/0(match): block out on sis0: a.a.a.a.65060 > 187.113.99.63.25806: [|tcp]
> 00:00:03.199931 rule 163/0(match): block out on sis0: a.a.a.a..20213 > 187.113.99.63.25806: [|tcp]
> 00:00:03.199618 rule 163/0(match): block out on sis0: a.a.a.a..19748 > 187.113.99.63.25806: [|tcp]
> 00:00:03.200044 rule 163/0(match): block out on sis0: a.a.a.a..1600 > 187.113.99.63.25806: [|tcp]
> 00:00:03.199767 rule 163/0(match): block out on sis0: a.a.a.a..45513 > 187.113.99.63.25806: [|tcp]
> 00:00:06.205048 rule 163/0(match): block out on sis0: a.a.a.a..17925 > 187.113.99.63.25806: [|tcp]
>
> It tries to go back to me on the wrong interface (sis0 and NOT rl0),
> wrong IP (a.a.a.a and NOT b.b.b.b), and from several wrong port numbers,
> not port 22.
>
> Questions:
>
> 1) sshd is listening on *.22. I know that the default gateway is not on rl0,
> but isn't that what reply-to is supposed to beat? If I understood
> correctly, wasn't reply-to supposed to make the packet go back
> through the specified ($ext_if2 $ext_gw2)?
>
> 2) Wasn't a state created when the pass rule b)/8 matched? If so, where is it?
>
> What am I doing wrong here?
>
> Thanks for any hints.

Never mind!
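Added example, not part of the thread: a small checker for the pflog output quoted above. It parses records in the format of `tcpdump -n -e -ttt -i pflog0`, pairs every `block out` with the earlier `pass in` from the same remote endpoint, and reports replies that leave on a different interface, from a different local address, or from a different port than the client connected to. The sample lines are constructed after the quoted output (a.a.a.a and b.b.b.b are the thread's own placeholders for the two external addresses; 203.0.113.7 is a documentation address added here as a control case). Note that the checker keys on the remote host and port, which is the part of the packet that survives the NAT on the local side.

```python
"""Flag asymmetric replies in pflog output (added example, not from the thread).

Record format handled (from `tcpdump -n -e -ttt -i pflog0`):
  <delta> rule N/M(match): <pass|block> <in|out> on <if>: <src.port> > <dst.port>: ...
"""
import re
from dataclasses import dataclass

PFLOG_RE = re.compile(
    r"^(?P<delta>\S+)\s+rule\s+(?P<rule>\d+)/\d+\(match\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
)

# Constructed after the quoted capture; the last two lines are a control case
# (a symmetric reply that was blocked for some other reason) and must not be flagged.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 8/0(match): pass in on rl0: 187.113.99.63.25806 > b.b.b.b.22: [|tcp]
00:00:00.000108 rule 163/0(match): block out on sis0: a.a.a.a.8947 > 187.113.99.63.25806: [|tcp]
00:00:03.199931 rule 163/0(match): block out on sis0: a.a.a.a..20213 > 187.113.99.63.25806: [|tcp]
00:00:00.000050 rule 8/0(match): pass in on rl0: 203.0.113.7.40000 > b.b.b.b.22: [|tcp]
00:00:00.000020 rule 163/0(match): block out on rl0: b.b.b.b.22 > 203.0.113.7.40000: [|tcp]
"""


@dataclass(frozen=True)
class PflogEntry:
    rule: int
    action: str
    direction: str
    ifname: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


def split_endpoint(endpoint: str):
    """Split tcpdump's host.port form. The quoted (anonymised) output contains
    'a.a.a.a..20213' with a doubled dot, so trailing dots are stripped."""
    host, port = endpoint.rsplit(".", 1)
    return host.rstrip("."), int(port)


def parse_pflog(text: str):
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue  # command echo, blank lines, anything that is not a pflog record
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        entries.append(PflogEntry(int(m["rule"]), m["action"], m["dir"], m["ifname"],
                                  src_host, src_port, dst_host, dst_port))
    return entries


def find_asymmetric_replies(entries):
    """Return (block_rule, pass_rule, reason) for each outbound block that answers
    a remote endpoint we previously passed in, when the reply's interface, local
    address or local port differ from what the client actually connected to."""
    inbound = {}   # (remote_host, remote_port) -> the pass-in record
    findings = []
    for e in entries:
        if e.direction == "in" and e.action == "pass":
            inbound[(e.src_host, e.src_port)] = e
        elif e.direction == "out" and e.action == "block":
            origin = inbound.get((e.dst_host, e.dst_port))
            if origin is None:
                continue
            reasons = []
            if e.ifname != origin.ifname:
                reasons.append(f"interface {e.ifname} != {origin.ifname}")
            if e.src_host != origin.dst_host:
                reasons.append(f"source {e.src_host} != {origin.dst_host}")
            if e.src_port != origin.dst_port:
                reasons.append(f"source port {e.src_port} != {origin.dst_port}")
            if reasons:
                findings.append((e.rule, origin.rule, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for block_rule, pass_rule, reason in find_asymmetric_replies(parse_pflog(SAMPLE_PFLOG)):
        print(f"reply blocked by rule {block_rule} for state from rule {pass_rule}: {reason}")
```

On the quoted capture this reports the three mismatches Mario lists by hand (sis0 instead of rl0, a.a.a.a instead of b.b.b.b, a high port instead of 22). Those high ports all fall inside the 1024:65535 range of the quoted `nat on $ext_if1` rule, which is what that rule does to any packet leaving sis0 without a matching state, so the check is also a quick way to tell "reply took the default route and got NATed" from a plain rule mismatch. A saved log can be fed in the same way with `tcpdump -n -e -ttt -r /var/log/pflog`.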
I solved the problem after finding this very enlightening document:

http://www.mmacleod.ca/blog/2011/06/source-based-routing-with-freebsd-using-multiple-routing-table/

I followed it and it all works beautifully now.

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 14 01:56:07 2011
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-net@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Thu, 14 Jul 2011 01:56:06 GMT
Message-Id: <201107140156.p6E1u6lm021650@freefall.freebsd.org>
Subject: Re: kern/158873: [pf] [panic] When I launch pf daemon, I have a kernel panic

Old Synopsis: When I launch pf daemon, I have a kernel panic
New Synopsis: [pf] [panic] When I launch pf daemon, I have a kernel panic

Responsible-Changed-From-To: freebsd-net->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Jul 14 01:55:42 UTC 2011
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=158873

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 14 08:26:11 2011
From: Murat SÜRÜCÜ
To: 'Ermal Luçi'
Cc: freebsd-pf@freebsd.org
Date: Thu, 14 Jul 2011 11:26:04 +0300
Message-ID: <002f01cc41ff$ac02eac0$0408c040$@karaelmas.edu.tr>
In-Reply-To: <002601cc4058$36a5b170$a3f11450$@karaelmas.edu.tr>
References: <010b01cc3fc2$7763b450$662b1cf0$@karaelmas.edu.tr> <002601cc4058$36a5b170$a3f11450$@karaelmas.edu.tr>
Subject: RE: FreeBSD 8.2 + pf + ipfw (dummynet)
I think the problem is dummynet corrupts PF state information. What can I do
to prevent it?

Murat

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Murat SÜRÜCÜ
Sent: Tuesday, July 12, 2011 8:55 AM
To: 'Ermal Luçi'
Cc: freebsd-pf@freebsd.org
Subject: RE: FreeBSD 8.2 + pf + ipfw (dummynet)

Thanks for reply,
IPFW is kernel module, PF is loadable module in my config.
And this config was normally run when version is 7.2.

Murat

-----Original Message-----
From: ermal.luci@gmail.com [mailto:ermal.luci@gmail.com] On Behalf Of Ermal Luçi
Sent: Tuesday, July 12, 2011 12:59 AM
To: Murat SÜRÜCÜ
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)

2011/7/11 Murat SÜRÜCÜ :
> Hello,
>
> I used PF and dummynet together about two years and worked fine.
> Recently I have upgraded the system 7.2 to 8.2 and dummynet doesn't
> work anymore.
> If any packet belong the client IP puts any pipe, it drops and pflog
> says it blocked by last pf rule. But it match previous rule.
> If I disable (flush) the ipfw rules, packets pass normally.
>
> Does anybody have same experience?

You have to make sure ipfw module is loaded first otherwise you will hit pf
states twice which will drop as you see.

>
> http://forums.freebsd.org/showthread.php?t=24947
>
> Thanks.
>
> Murat
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 14 08:55:57 2011
In-Reply-To: <002f01cc41ff$ac02eac0$0408c040$@karaelmas.edu.tr>
References: <010b01cc3fc2$7763b450$662b1cf0$@karaelmas.edu.tr> <002601cc4058$36a5b170$a3f11450$@karaelmas.edu.tr> <002f01cc41ff$ac02eac0$0408c040$@karaelmas.edu.tr>
Date: Thu, 14 Jul 2011 10:55:56 +0200
From: Ermal Luçi
To: Murat SÜRÜCÜ
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)

2011/7/14 Murat SÜRÜCÜ :
> I think the problem is dummynet corrupts PF state information. What can I do
> to prevent it?

It's not a corruption but the way pf(4) works.
In pfSense this patch is used
https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/pfil.RELENG_8.diff
to allow reordering pfil consumers, especially to avoid this problem.
It has not made it to FreeBSD yet.

With this patch you can reorder pfil consumers based on your needs.
It exports the following sysctl for configuration:
net.inet.ip.pfil.inbound
net.inet.ip.pfil.outbound

So after loading pf and ipfw you can configure the order of the pfil consumers
as below to avoid the problems you are seeing.

/sbin/sysctl net.inet.ip.pfil.inbound="ipfw,pf"
/sbin/sysctl net.inet.ip.pfil.outbound="ipfw,pf"

Otherwise you will always have the problems you see.
The other way, as I told you, is to be careful when loading the modules or
when joining to pfil.

>
> Murat
>
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
> Behalf Of Murat SÜRÜCÜ
> Sent: Tuesday, July 12, 2011 8:55 AM
> To: 'Ermal Luçi'
> Cc: freebsd-pf@freebsd.org
> Subject: RE: FreeBSD 8.2 + pf + ipfw (dummynet)
>
> Thanks for reply,
> IPFW is kernel module, PF is loadable module in my config.
> And this config was normally run when version is 7.2.
>
> Murat
>
> -----Original Message-----
> From: ermal.luci@gmail.com [mailto:ermal.luci@gmail.com] On Behalf Of Ermal
> Luçi
> Sent: Tuesday, July 12, 2011 12:59 AM
> To: Murat SÜRÜCÜ
> Cc: freebsd-pf@freebsd.org
> Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)
>
> 2011/7/11 Murat SÜRÜCÜ :
>> Hello,
>>
>> I used PF and dummynet together about two years and worked fine.
>> Recently I have upgraded the system 7.2 to 8.2 and dummynet doesn't
>> work anymore.
>> If any packet belong the client IP puts any pipe, it drops and pflog
>> says it blocked by last pf rule. But it match previous rule.
>> If I disable (flush) the ipfw rules, packets pass normally.
>>
>> Does anybody have same experience?
>
> You have to make sure ipfw module is loaded first otherwise you will hit pf
> states twice which will drop as you see.
>
>>
>> http://forums.freebsd.org/showthread.php?t=24947
>>
>> Thanks.
>>
>> Murat
>
> --
> Ermal

--
Ermal
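Added example, not part of the thread: two checks for the pf + ipfw ordering problem Ermal describes, written from the operator's side. On stock FreeBSD 8.2 the only lever is module load order (ipfw hooked into pfil before pf), which kldstat(8) shows; with the pfSense pfil patch he links, the net.inet.ip.pfil.inbound and net.inet.ip.pfil.outbound sysctls expose the consumer order directly. The kldstat and sysctl outputs below are constructed for this example, and the "ipfw,pf" value format is an assumption taken from the sysctl commands in his reply.

```python
"""Check pf/ipfw hook order from kldstat and sysctl text (added example, not from the thread)."""


def kld_load_order(kldstat_text: str) -> dict:
    """Map module file name -> Id from kldstat(8) output. A lower Id means the
    module was loaded earlier, which is also the order it joined pfil."""
    order = {}
    for line in kldstat_text.splitlines():
        fields = line.split()
        # rows are: Id Refs Address Size Name; the header row has a non-numeric Id
        if len(fields) == 5 and fields[0].isdigit():
            order[fields[4]] = int(fields[0])
    return order


def ipfw_loaded_before_pf(kldstat_text: str):
    """True/False when both ipfw.ko and pf.ko are listed, None when either is
    missing. Code compiled into the kernel does not appear as a module (Murat's
    ipfw is built in), so None means 'kldstat cannot tell'."""
    order = kld_load_order(kldstat_text)
    if "ipfw.ko" not in order or "pf.ko" not in order:
        return None
    return order["ipfw.ko"] < order["pf.ko"]


def pfil_order_ok(consumers: str) -> bool:
    """Given a pfil consumer list such as 'ipfw,pf' (assumed value format of the
    patched kernel's net.inet.ip.pfil.* sysctls), return True when ipfw sits
    ahead of pf, so a packet dummynet re-injects after its pipe is not run
    through pf's state table a second time."""
    names = [n.strip() for n in consumers.split(",") if n.strip()]
    return "ipfw" in names and "pf" in names and names.index("ipfw") < names.index("pf")


def parse_sysctl(sysctl_text: str) -> dict:
    """Parse 'name: value' lines as sysctl(8) prints them."""
    values = {}
    for line in sysctl_text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            values[name.strip()] = value.strip()
    return values


PFIL_HOOKS = ("net.inet.ip.pfil.inbound", "net.inet.ip.pfil.outbound")


def check_pfil_sysctls(sysctl_text: str) -> dict:
    """Per-hook verdict; None for a hook whose sysctl is absent, i.e. an
    unpatched kernel where only load order applies."""
    values = parse_sysctl(sysctl_text)
    return {hook: (pfil_order_ok(values[hook]) if hook in values else None)
            for hook in PFIL_HOOKS}


# Constructed samples, not captured from a real system.
KLDSTAT_PF_FIRST = """\
Id Refs Address            Size     Name
 1   14 0xffffffff80200000 1234567  kernel
 2    1 0xffffffff81a00000 5e7d0    pf.ko
 3    1 0xffffffff81a60000 2f9a0    ipfw.ko
 4    1 0xffffffff81a90000 8d20     dummynet.ko
"""
KLDSTAT_IPFW_FIRST = """\
Id Refs Address            Size     Name
 1   14 0xffffffff80200000 1234567  kernel
 2    1 0xffffffff81a00000 2f9a0    ipfw.ko
 3    1 0xffffffff81a30000 8d20     dummynet.ko
 4    1 0xffffffff81a40000 5e7d0    pf.ko
"""
SYSCTL_PATCHED = """\
net.inet.ip.pfil.inbound: pf,ipfw
net.inet.ip.pfil.outbound: ipfw,pf
"""

if __name__ == "__main__":
    print("ipfw before pf (load order):", ipfw_loaded_before_pf(KLDSTAT_PF_FIRST))
    for hook, ok in check_pfil_sysctls(SYSCTL_PATCHED).items():
        print(f"{hook}: {'ok' if ok else 'pf runs before ipfw' if ok is False else 'sysctl absent'}")
```

On a live box the inputs are simply `kldstat` and `sysctl net.inet.ip.pfil` piped into a file; the None results are the important caveat, since a kernel with ipfw compiled in and pf loaded as a module (Murat's setup) cannot be judged from kldstat, and an unpatched kernel has no sysctl to read, leaving the loader order in /boot/loader.conf or rc as the only thing to verify.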