From owner-freebsd-pf@FreeBSD.ORG Mon Nov 19 10:20:01 2012
From: Gleb Smirnoff
To: freebsd-pf@FreeBSD.org
Date: Mon, 19 Nov 2012 10:20:01 GMT
Message-Id: <201211191020.qAJAK19h011055@freefall.freebsd.org>
Subject: Re: kern/173659: PF fatal trap on 9.1 (taskq fatal trap on pf_test_rule)

The following reply was made to PR kern/173659; it has been noted by GNATS.

From: Gleb Smirnoff
To: bug-followup@FreeBSD.org
Subject: Re: kern/173659: PF fatal trap on 9.1 (taskq fatal trap on pf_test_rule)
Date: Mon, 19 Nov 2012 14:13:23 +0400

Since Patrick's mail server bounces my mail, I'll try to communicate via GNATS.
----- Forwarded message from Gleb Smirnoff -----

Date: Sun, 18 Nov 2012 01:59:58 +0400
From: Gleb Smirnoff
To: Patrick Tracanelli
Subject: Re: kern/173659: PF fatal trap on 9.1 (taskq fatal trap on pf_test_rule)
User-Agent: Mutt/1.5.21 (2010-09-15)

Patrick,

A couple of questions on the problem report:

1) Do you have the ability to test FreeBSD 10 in the same conditions? pf in 10 differs much from 9.

2) Can you please send me the pf rulesets?

3) Can you please provide the below info from the crash dump:

P> #7  0xffffffff81525888 in pf_addrcpy (dst=0xfffffe0013942918, src=0x10,
P>     af=2 '\002') at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:522
P> #8  0xffffffff8152fdbf in pf_test_rule (rm=0xffffff80002e5848,
P>     sm=0xffffff80002e5840, direction=1, kif=0xfffffe0004c9e000,
P>     m=0xfffffe0004febd00, off=20, h=0xfffffe0013331010,
P>     pd=0xffffff80002e5780, am=0xffffff80002e5850, rsm=0xffffff80002e5838,
P>     ifq=0x0, inp=0x0)
P>     at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:3900
P> #9  0xffffffff8153333c in pf_test (dir=1, ifp=Variable "ifp" is not available.
P> )
P>     at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6884
P> #10 0xffffffff8153a9eb in pf_check_in (arg=Variable "arg" is not available.
P> )
P>     at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_ioctl.c:4131

(kgdb) frame 8
(kgdb) info locals

-- 
Totus tuus, Glebius.

----- End forwarded message -----

-- 
Totus tuus, Glebius.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 19 11:06:50 2012
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 19 Nov 2012 11:06:49 GMT
Message-Id: <201211191106.qAJB6nI5013401@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/173659  pf     [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf     [patch] authpf(8) feature enhancement
o kern/172648  pf     [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf     [pf] PF problem with modulate state in [regression]
o kern/169630  pf     [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf     [pf] direction scrub rules don't work
o kern/168190  pf     [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf     [pf] kern.securelevel 3 +pf reload
o kern/165315  pf     [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf     [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf     [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf     pfsync fails to successfully transfer some sessions
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

48 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 19 20:12:55 2012
From: Peter McAlpine
To: Kevin Wilcox
Cc: freebsd-pf@freebsd.org
Date: Mon, 19 Nov 2012 15:12:47 -0500
Subject: Re: Routing return NAT traffic based on interface

Thanks for your reply. I've tried the configuration you suggested but it's providing the same issue I was encountering before.

My goal is to route all traffic from the tunnel out the external interface, NAT'ing it on the way out. Any traffic coming in on the external interface should be un-NAT'd (if applicable), then sent back down the tunnel unless it's destined for the external interface's IP (post-un-NAT).

Is such a configuration possible with PF?

-Peter

On Fri, Nov 16, 2012 at 10:21 AM, Kevin Wilcox wrote:
> On 16 November 2012 09:40, Peter McAlpine wrote:
>
>> data_if = "tap3"
>> ext_if = "em0"
>> set skip on lo0
>> nat on $ext_if from !$ext_if:network to any -> ($ext_if)
>> pass in on $ext_if route-to $data_if from any to !$ext_if:network
>
>> The issue I'm having is that the 'pass' rule is not being matched (or
>> even evaluated?). My default gateway on the router is the ext_if and
>> return traffic is being reverse-translated and then the routing table
>> is sending it back out ext_if instead of down data_if where I want it
>> to go.
>
> That's because that's what your NAT rule is telling it to do.
>
> Your rule says "if I see traffic on the external interface that isn't
> on the same network as the external interface, NAT it back out the
> external interface".
>
> Your pass rule should never be used. Your external interface should
> never see traffic coming into it that isn't destined for it.
>
> pf is smart enough to handle the return NAT traffic.
>
> I think you may have a misunderstanding of how NAT works.
>
> For simplicity's sake, I'll use a fake internal network of 10.10.10.0/24
> and an outside Internet IP address of 4.4.4.4. Let's pretend the
> internal interface has an IP of 10.10.10.254 and is the gateway for
> the 10.10.10.0/24 network and that we will NAT their outbound traffic.
> Now let's pretend there is a web server at 25.25.25.25.
>
> When a computer inside my internal network, let's say 10.10.10.10,
> wants to get to 25.25.25.25, it hits the gateway of 10.10.10.254. That
> router then NATs the traffic. 25.25.25.25 sees a connection request
> from 4.4.4.4. It sends back a reply. The router at 4.4.4.4 sees the
> return traffic and pf checks its state table. It then changes the
> destination for that traffic to be 10.10.10.10 and passes it out the
> 10.10.10.254 interface. The whole point of RFC-1918 is that anyone can
> re-use those IPs internally without conflicting with anyone else
> because the IP seen by everyone else on the Internet is the *outside*
> IP.
>
> A pf configuration to do that would look something like:
>
> ==================
>
> int_if=tun0
> ext_if=em0
> set skip on lo
>
> nat on $ext_if from $int_if:network to any -> $ext_if
> pass in on $int_if from $int_if:network to any keep state
> pass out on $ext_if from any to any keep state
>
> ==================
>
> Yes, that is being overly verbose and uses a little older syntax (keep
> state, from any to any) but it works on both OpenBSD and FreeBSD, and
> it works on every release within the last few years (I still have
> early 4.x OpenBSD routers and 7.x FreeBSD routers).
>
> Keep in mind that that configuration is *wide open*.
>
> kmw

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 19 22:54:10 2012
From: Kevin Wilcox
To: Peter McAlpine
Cc: freebsd-pf@freebsd.org
Date: Mon, 19 Nov 2012 17:54:07 -0500
Subject: Re: Routing return NAT traffic based on interface
On Nov 19, 2012 3:12 PM, "Peter McAlpine" wrote:
>
> Thanks for your reply. I've tried the configuration you suggested but
> it's providing the same issue I was encountering before.
>
> My goal is to route all traffic from the tunnel out the external
> interface nat'ing it on the way out. Any traffic coming in on the
> external interface should be un-nat'd (if applicable), then sent back
> down the tunnel unless it's destined for the external interface's IP
> (post-un-nat).
>
> Is such a configuration possible with PF?

It is. The "pass in" rule I used in my example assumes the inside interface and the other devices it talks to are in the same network. If you want to pass anything that interface sees, change the rules so that they accept traffic from any IP range: "from $int_if:network to any" becomes "from any to any".

I have a couple of routers that pass traffic for 10.x.y.z but their inside IPs are 172.16.a.b addresses and they were configured much the same way in early testing, before filters were added.

If changing the rule to pass everything doesn't square you away, a network diagram may be useful (as would me actually looking at my pf configs).
kmw

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 19 22:56:01 2012
From: Kevin Wilcox
To: Peter McAlpine
Cc: freebsd-pf@freebsd.org
Date: Mon, 19 Nov 2012 17:56:00 -0500
Subject: Re: Routing return NAT traffic based on interface
On Nov 19, 2012 5:54 PM, "Kevin Wilcox" wrote:
> It is. The "pass in" rule I used in my example assumes the inside
> interface and the other devices it talks to are in the same network.

Correction, the "pass in" and "nat" rules, not just the pass. They both have to be modified.

kmw

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 00:14:27 2012
From: "David DeSimone"
To: "Kevin Wilcox"
Date: Mon, 19 Nov 2012 17:56:01 -0600
Message-ID: <20121119235601.GK2692@verio.net>
Subject: Re: Routing return NAT traffic based on interface
User-Agent: Mutt/1.5.20 (2009-12-10)
Cc: freebsd-pf@freebsd.org

Kevin Wilcox wrote:
>
> On Nov 19, 2012 5:54 PM, "Kevin Wilcox" wrote:
> >
> > It is. The "pass in" rule I used in my example assumes the inside
> > interface and the other devices it talks to are in the same network.
>
> Correction, the "pass in" and "nat" rules, not just the pass. They
> both have to be modified.

If I understand what you're proposing, it would be:

    nat on $ext_if from $int_if:network to any -> $ext_if
    pass in on $int_if from $int_if:network to any keep state
    pass out on $ext_if from any to any keep state

changed to this:

    nat on $ext_if from any to any -> $ext_if
    pass in on $int_if from any to any keep state
    pass out on $ext_if from any to any keep state

This doesn't seem right, because even traffic coming in via the external interface will have its target IP changed to be the router, even if it is destined for some other place. Previously you were using "from $int_if:network" to prevent this from happening to other traffic, but without that restriction, every packet would be subject to NAT.

If I understand the poster's problem, it is that there could be whole worlds of other networks behind $int_if, and he is not able to predict what IP addresses should be used to match that traffic; in fact, it is merely the fact that the traffic is arriving on $int_if that indicates it should be NAT'd.

What I'd suggest is that packet marking be used to mark packets arriving via $int_if, and then apply NAT to the packets that flow to $ext_if:

    nat on $ext_if tagged NAT -> $ext_if
    pass in on $int_if tag NAT
    pass out on $ext_if

Untested configuration idea, of course.
:)

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it."  -- Clarence Darrow

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 00:46:53 2012
Date: Mon, 19 Nov 2012 19:46:52 -0500
From: Kevin Wilcox
To: fox@verio.net, Peter McAlpine, freebsd-pf@freebsd.org
In-Reply-To: <20121119235601.GK2692@verio.net>
Subject: Re: Routing return NAT traffic based on interface

On 19 November 2012 18:56, David DeSimone wrote:
> This doesn't seem right, because even traffic coming in via the external
> interface will have its target IP changed to be the router, even if
> it is destined for some other place. Previously you were using "from
> $int_if:network" to prevent this from happening to other traffic, but
> without that restriction, every packet would be subject to NAT.

My assumption was that the traffic coming in on the external interface is already destined for the outside IP of the router, unless he's doing some really funky stuff on both sides ;)

It sounded like he wanted to NAT anything coming from the inside interface and then anything on the outside that wasn't return NAT traffic was supposed to terminate on the router, but I've been known to have clogged ears and awfully poor eyesight.
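As an added example (not code from any message in this thread), a Python model of the pf processing order the thread turns on, run over Kevin's address-based ruleset and David's tag-based one: state lookup before rules, nat before filter, and a 'tag' set on the inbound interface driving 'nat ... tagged' on egress. The interface names and addresses are Kevin's; the 192.168.77.5 host on an unknown network behind the tunnel is constructed to stand in for Peter's situation.

```python
"""Toy model of the pf behaviour argued over in this thread: state lookup
precedes rule evaluation, nat runs before the filter rules, pf passes a
packet no rule matches, and a tag set by 'pass in' can drive a
'nat ... tagged' rule on egress. Added example, not pf's code; every
address and packet below is constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

EXT, INT = "em0", "tun0"        # $ext_if and $int_if from Kevin's example
EXT_IP = "4.4.4.4"              # the router's outside IP in his example
INT_NET = "10.10.10.0/24"       # what $int_if:network expands to there


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tag: Optional[str] = None   # a pf tag travels with the packet between interfaces


@dataclass(frozen=True)
class Rule:
    kind: str                   # "nat", "pass" or "block"
    direction: str              # "in" / "out"; nat acts on outbound packets
    iface: str
    src: Optional[str] = None   # source network; None means "from any"
    tag: Optional[str] = None   # "tag NAT": label the packet on match
    tagged: Optional[str] = None  # "tagged NAT": match only labelled packets
    to: Optional[str] = None    # nat translation address

    def matches(self, pkt: Packet, direction: str, iface: str) -> bool:
        if self.direction != direction or self.iface != iface:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return self.tagged is None or pkt.tag == self.tagged


class Pf:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}        # (original src, original dst) -> translated src

    def process(self, pkt: Packet, direction: str, iface: str):
        """Return (verdict, packet as it leaves pf)."""
        # 1. State lookup first: the reply to a NAT'd flow is matched against
        #    the state and reverse-translated before any rule is evaluated,
        #    which is why a 'pass in on $ext_if' rule never gets to see it.
        for (osrc, odst), tsrc in self.states.items():
            if direction == "in" and pkt.src == odst and pkt.dst == tsrc:
                return "state", replace(pkt, dst=osrc)
        # 2. Translation rules are evaluated before filter rules.
        out, nat = pkt, None
        if direction == "out":
            nat = next((r for r in self.rules
                        if r.kind == "nat" and r.matches(pkt, "out", iface)), None)
            if nat:
                out = replace(out, src=nat.to)
        # 3. Filter rules see the translated packet; the last match wins and,
        #    as in pf, a packet that no rule matches is passed.
        verdict = "pass"
        for r in self.rules:
            if r.kind in ("pass", "block") and r.matches(out, direction, iface):
                verdict = r.kind
                if r.tag:
                    out = replace(out, tag=r.tag)
        if verdict == "pass" and nat:
            self.states[(pkt.src, pkt.dst)] = nat.to   # translation keeps state
        return verdict, out


def address_rules():
    """Kevin's ruleset: NAT is decided by the source network."""
    return [Rule("nat", "out", EXT, src=INT_NET, to=EXT_IP),  # nat on $ext_if from $int_if:network to any -> $ext_if
            Rule("pass", "in", INT, src=INT_NET),           # pass in on $int_if from $int_if:network to any
            Rule("pass", "out", EXT)]                       # pass out on $ext_if from any to any


def tag_rules():
    """David's ruleset: NAT is decided by the interface the packet arrived on."""
    return [Rule("nat", "out", EXT, tagged="NAT", to=EXT_IP),  # nat on $ext_if tagged NAT -> $ext_if
            Rule("pass", "in", INT, tag="NAT"),                # pass in on $int_if tag NAT
            Rule("pass", "out", EXT)]                          # pass out on $ext_if


def forward(pf: Pf, src: str, dst: str):
    """src -> dst enters on tun0 and leaves on em0; the server's reply then
    arrives on em0. Returns (source the server saw, destination of the reply
    after pf, or None if no state matched it). Where the kernel routes that
    reply afterwards is the routing table's decision, outside pf."""
    verdict, p = pf.process(Packet(src, dst), "in", INT)
    if verdict != "pass":
        return None
    verdict, p = pf.process(p, "out", EXT)
    if verdict != "pass":
        return None
    verdict, reply = pf.process(Packet(dst, p.src), "in", EXT)
    return p.src, (reply.dst if verdict == "state" else None)
```

With the address-based rules a host from a network the router does not know leaves em0 with its private source un-NAT'd and no state, so the reply can never be matched; with the tag-based rules the same host is NAT'd because it arrived on tun0, while an untagged packet leaving em0 is left alone.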
kmw

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 02:23:13 2012
Organization: Interflective Group
Subject: Upgrading FreeBSD to use the NEW pf syntax.
To: freebsd-pf@freebsd.org
From: "Paul Webster"
Date: Tue, 20 Nov 2012 02:23:07 -0000
User-Agent: Opera Mail/12.11 (Win64)

Good day all,

I am aware this is a much discussed subject since the upgrade of PF; I believe the final decision was that too many users are used to the old style pf and an upgrade to the new syntax would cause too much confusion.

There was a recent debate on ##freebsd about this issue and I was inclined to mail in and get your opinions; basically it boiled down to the majority of users wanting either:

1) To move to the newer pf and just add to the release notes what had happened, and
2) my own personal opinion: creating 'pf2-*' as a kernel option tree, basically using the newer pf syntax and allowing users to choose.

I would be interested to know the feedback from you guys as, to be honest, there seems to be quite a few users who actually DO want the new style format and the functionality that comes with it.

I attached the log of the conversation just for reference.

-- 
Thank you for your time
-- Paul G Webster 'daemon'

Using Opera's revolutionary email client: http://www.opera.com/mail/

Attachment: irc-snippet.txt

* daemonik (~Adium@mail.originate.com) has joined ##freebsd
Is the implementation of PF on FreeBSD up to date yet?
no
* stormcrow (~phydeaux@c-24-126-183-121.hsd1.ga.comcast.net) has left ##freebsd
and it won't ever be, we (retardedly) forked it with some random guy's patches rather than updating it
it's rare that that question asked about *any* part of the base OS will be answered with "yes"
doh.
booo @ random patches
blakkheim that was truly a stupid move
i agree
any chance of getting them to 'take it back'
they think freebsd users are too stupid to adapt to the newer pf syntax and "thousands will upgrade without knowing and be left with an unreachable system" or some bs like that
is there anything that pf can do that ipfw cannot do
check the freebsd-pf mailing list illuminated (or feel free to post and complain)
blakkheim: That's pretty damn . . wow
might be worth a few emails to all the lists asking for other users to post into the pf list to support moving to the correct pf
maybe we can implement the newer pf as 'pf2'
FreeBSD presently doesn't have ALTQ support included in the generic kernel, correct? Is there an alternative to ALTQ?
daemon: i think so too
daemon: Is it really that hard to shout in the appropriate places to properly inform users? What about release notes? Anybody who doesn't read release notes deserves what's coming to them.
that's what i said!
* chrisb has learned to read MOVED and UPDATING closely
Huh . . that kind of behavior is why no one respects anyone/thing associated with GNOME anymore . .
daemonik, I don't see it being that hard to use both the 'random guy's patches' version of pf as the default for a few releases putting the newer version of pf as 'pf2' therefore satisfying both channels of thought
there certainly should be A WAY of using the newer version
posting these thoughts to freebsd-pf@ is much more likely to invoke a change (or at least a poll or something) than on irc
daemon: No . . the noobs are the ones who should have to use a pf-something. I bother to read the release notes, I want to use the correct version of the software. Why should I have to suffer? Why should I change when they're the ones who suck?
* nightwalk has quit (Ping timeout: 276 seconds)
I'll make a post later tonight. I hope that others see these messages and also articulate their thoughts on the mailing list. FreeBSD should hold a high standard for something as important as PF.
daemonik, if you did read release notes you would see 'ad the new version of pf is pf2' there is no need to upset users without cause; as the 'patched' pf is the default for the tag 'pf' at the moment making the new version 'pf2' is literally much more sane and certainly a huge degree less antagonistic
How do I find the size of a folder? And for that matter how do I search a man page?
du -sh dirname and use /string to search
Thanks blakkheim
I would rather read the release notes seeing that the WRONG version of PF gets deprecated to pf-legacy as it ought to be - knowing that those who don't read the release notes will have a bad day.
Referring to the CORRECT and latest stable version of PF as "PF2" would make FreeBSD . . well, look about as incompetent as certain Linux distros sometimes do to say the least.
daemonik, transition time should always be taken into account on any system; if we did what I was suggesting then 'pf' would be the new version in -CURRENT but for later 9.x releases it would still have to be as I pointed out above
i recall a number of features having 2 tagged to the name
UFS2 for one
or was it FFS2
and i think IPFW2
its quite a common practice; suddenly changing a major feature/system is just generally what makes people cry
especially when it can be avoided with something as simple as adding a number to the end of the kernel tag
kernel option*

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 02:53:25 2012
18:52:53 -0800 (PST) In-Reply-To: References: From: Maxim Khitrov Date: Mon, 19 Nov 2012 21:52:53 -0500 Message-ID: Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. To: Paul Webster Content-Type: text/plain; charset=UTF-8 X-Gm-Message-State: ALoCoQlNHkez8HQLwd1m9hHHQl9+ca/wLks/1dOiP/LElvl275zaVszEqXpFu8bKKi8PjnQMV6tm Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 02:53:25 -0000 On Mon, Nov 19, 2012 at 9:23 PM, Paul Webster wrote: > Good day all, > > I am aware this is a much discussed subject since the upgrade of PF, I > believe the final decision was that to many users are used to the old > style pf and an upgrade to the new syntax would cause to much confusion. > > There was a recent debate on ##freebsd about this issue and I was inclined > to mail in and get your opinions; basically it boiled down to the majority > of users wanting either: > > 1) To move to the newer pf and just add to releases notes what had > happened, > and > 2) my own personal opinion: creating 'pf2-*' as a kernel option tree, > basically using the newer pf syntax and allowing users to choose. > > I would be interested to know the feedback from you guys as to be honest > there seems to be quite a few users who actually DO want the new style > format and functionality that comes with. My vote is for option 1, but I'll also be happy with option 2 if it costs little to maintain both versions. I'm pretty much for anything that brings pf in sync (or close to it) with OpenBSD. 
- Max From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 02:59:56 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 88003536 for ; Tue, 20 Nov 2012 02:59:56 +0000 (UTC) (envelope-from paul.g.webster@googlemail.com) Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) by mx1.freebsd.org (Postfix) with ESMTP id 11A0D8FC08 for ; Tue, 20 Nov 2012 02:59:55 +0000 (UTC) Received: by mail-wi0-f170.google.com with SMTP id hq7so1909580wib.1 for ; Mon, 19 Nov 2012 18:59:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:to:subject:references:date:cc:mime-version :content-transfer-encoding:from:organization:message-id:in-reply-to :user-agent; bh=GK1Y86QQzbJ3t1eU4qKO541ITIlBAccmZYPflvMRGfw=; b=VsKOHJwgJn7iwubP7yXOlOaDL/cM7YiryydRFh5mL1J4iCfqmQ43hSKvFoSZ7RiFce 45F2FVA4nrrRwpHbuv3zncZbgMRaDI839fu5wqLpxbK35/6ZhPZZ9h+9fQM/s3prl2rt 7zYQ5cN91wuIh+W2WTBrfwryf8XtWk+a+oZPnfh/vytd9sUOVOwmNoP7zIa626UIQRuf P5Ae9NlBAKYwBtF5mNB1VXRAAtvNyROnx5y1owc1PpurZ214ZIzj24M0wcj6vfoLeSWJ akQ8VzaoG4Ig2zImSk74um4s2phhXoeoVe22Cq3jjTihqscUPYvdnACLjZXDdagl3x+6 5Y2w== Received: by 10.216.227.137 with SMTP id d9mr1841759weq.205.1353380394827; Mon, 19 Nov 2012 18:59:54 -0800 (PST) Received: from box.dlink.com (host-78-149-58-39.as13285.net. [78.149.58.39]) by mx.google.com with ESMTPS id i2sm15940596wiw.3.2012.11.19.18.59.53 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 19 Nov 2012 18:59:54 -0800 (PST) Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes To: "Maxim Khitrov" Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. 
References: Date: Tue, 20 Nov 2012 02:59:53 -0000 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: "Paul Webster" Organization: Interflective Group Message-ID: In-Reply-To: User-Agent: Opera Mail/12.11 (Win64) Cc: "freebsd-pf@freebsd.org" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 02:59:56 -0000 I am not so sure there would be much more maintenance, after all after the split the only updates to the original 'pf-*' tree would be any serious security or stability updates that happen to crop up. All feature updates etc would be to the pf2-* On Tue, 20 Nov 2012 02:52:53 -0000, Maxim Khitrov wrote: > On Mon, Nov 19, 2012 at 9:23 PM, Paul Webster > wrote: >> Good day all, >> >> I am aware this is a much discussed subject since the upgrade of PF, I >> believe the final decision was that to many users are used to the old >> style pf and an upgrade to the new syntax would cause to much confusion. >> >> There was a recent debate on ##freebsd about this issue and I was >> inclined >> to mail in and get your opinions; basically it boiled down to the >> majority >> of users wanting either: >> >> 1) To move to the newer pf and just add to releases notes what had >> happened, >> and >> 2) my own personal opinion: creating 'pf2-*' as a kernel option tree, >> basically using the newer pf syntax and allowing users to choose. >> >> I would be interested to know the feedback from you guys as to be honest >> there seems to be quite a few users who actually DO want the new style >> format and functionality that comes with. > > My vote is for option 1, but I'll also be happy with option 2 if it > costs little to maintain both versions. I'm pretty much for anything > that brings pf in sync (or close to it) with OpenBSD. 
> > - Max -- Using Opera's revolutionary email client: http://www.opera.com/mail/ From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 03:22:54 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 36053C7F for ; Tue, 20 Nov 2012 03:22:54 +0000 (UTC) (envelope-from paul.g.webster@googlemail.com) Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by mx1.freebsd.org (Postfix) with ESMTP id B0E8F8FC12 for ; Tue, 20 Nov 2012 03:22:53 +0000 (UTC) Received: by mail-wi0-f178.google.com with SMTP id hm6so465930wib.13 for ; Mon, 19 Nov 2012 19:22:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:to:cc:subject:references:date:mime-version :content-transfer-encoding:from:organization:message-id:in-reply-to :user-agent; bh=h/T/LRIOLS0RRQI7kIkkAUjfw+s7x6wQbkr7sty2Yb8=; b=O+jjuycdK7vUsrevZZNE9JUvX8PEb+d+J1EHqECc+NBhV/sSRppWJfrUm0XkJetMqk OMzJgxnoN7yb7ywAnO1N2bnutGJIr9CqnvX6qkJcbXvljJFXmntLbLLSO/8cbIxmrA0d YqHEyLlTUk8R+/WXx53iqGkhX7F9ikokQJP7uYdDAeOUGTIgcdw4lP9VQxdaNnkjPaFc 1chLez8s2kvkPuU1e4G+vNGLpZTA8srJVcp/yQVzTyo9lCGA2F+bl8AMuMnccDOSHvt9 3rzSO53kAz4vjrL7NDTMvwJ2E7khFK3KsPG6DYqHlg7lrxbF4dEGdZDzWxuAQm8R4nbl mt1Q== Received: by 10.216.73.4 with SMTP id u4mr1280755wed.195.1353381767611; Mon, 19 Nov 2012 19:22:47 -0800 (PST) Received: from box.dlink.com (host-78-149-58-39.as13285.net. [78.149.58.39]) by mx.google.com with ESMTPS id bz12sm3017825wib.5.2012.11.19.19.22.46 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 19 Nov 2012 19:22:47 -0800 (PST) Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes To: "Chris Buechler" Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. 
References: Date: Tue, 20 Nov 2012 03:22:46 -0000 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: "Paul Webster" Organization: Interflective Group Message-ID: In-Reply-To: User-Agent: Opera Mail/12.11 (Win64) Cc: "freebsd-pf@freebsd.org" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 03:22:54 -0000
Just out of interest, option 3) does not entirely dismiss using the pf2-* chain of kernel options for developing using the new pf tree; sure it would be a lot of work but just 'how much' would be required? Our own fork after all means that everything is created from scratch and as it's 'vastly different' from the OpenBSD version surely that will also require a vast amount of time. I should probably point out that doing both at the same time would by sane observation mean two projects requiring a vast amount of time; but if enough people support the 'pf2' chain then in conjunction with the fact that we should be able to borrow some of the code from OpenBSD, maybe it would be worth the sacrifice. Time will tell which one becomes the more popular.
On Tue, 20 Nov 2012 03:02:40 -0000, Chris Buechler wrote: > On Mon, Nov 19, 2012 at 8:23 PM, Paul Webster > wrote: >> Good day all, >> >> I am aware this is a much discussed subject since the upgrade of PF, I >> believe the final decision was that too many users are used to the old >> style pf and an upgrade to the new syntax would cause too much confusion.
>> >> There was a recent debate on ##freebsd about this issue and I was >> inclined >> to mail in and get your opinions; basically it boiled down to the >> majority >> of users wanting either: >> >> 1) To move to the newer pf and just add to releases notes what had >> happened, >> and >> 2) my own personal opinion: creating 'pf2-*' as a kernel option tree, >> basically using the newer pf syntax and allowing users to choose. >> > > The line in the sand has been drawn with the SMP-friendly PF now in > HEAD. The reality is seeming to be option 3) FreeBSD pf is drastically > different and will be a fork from this point, as those SMP changes > make future merges impossible without redoing a whole lot of work. > There was some discussion and regrets here that it wasn't brought up > to the most recent pf before doing all that work, but it's done and > committed at this point. There was a good deal of discussion here at > that time, check this list's archive from earlier this year. -- Using Opera's revolutionary email client: http://www.opera.com/mail/ From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 04:21:51 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0FB31A78 for ; Tue, 20 Nov 2012 04:21:51 +0000 (UTC) (envelope-from peter@rulingia.com) Received: from vps.rulingia.com (host-122-100-2-194.octopus.com.au [122.100.2.194]) by mx1.freebsd.org (Postfix) with ESMTP id 724878FC12 for ; Tue, 20 Nov 2012 04:21:49 +0000 (UTC) Received: from server.rulingia.com (c220-239-241-202.belrs5.nsw.optusnet.com.au [220.239.241.202]) by vps.rulingia.com (8.14.5/8.14.5) with ESMTP id qAK4LfSs010594 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Nov 2012 15:21:41 +1100 (EST) (envelope-from peter@rulingia.com) X-Bogosity: Ham, spamicity=0.000000 Received: from server.rulingia.com (localhost.rulingia.com [127.0.0.1]) by server.rulingia.com (8.14.5/8.14.5) 
with ESMTP id qAK4LZOe086999 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Nov 2012 15:21:35 +1100 (EST) (envelope-from peter@server.rulingia.com) Received: (from peter@localhost) by server.rulingia.com (8.14.5/8.14.5/Submit) id qAK4LZTL086998; Tue, 20 Nov 2012 15:21:35 +1100 (EST) (envelope-from peter) Date: Tue, 20 Nov 2012 15:21:35 +1100 From: Peter Jeremy To: Paul Webster Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. Message-ID: <20121120042135.GJ38823@server.rulingia.com> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="nYySOmuH/HDX6pKp" Content-Disposition: inline In-Reply-To: X-PGP-Key: http://www.rulingia.com/keys/peter.pgp User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 04:21:51 -0000 --nYySOmuH/HDX6pKp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable
On 2012-Nov-20 02:23:07 -0000, Paul Webster wrote:
>I am aware this is a much discussed subject since the upgrade of PF, I
>believe the final decision was that too many users are used to the old
>style pf and an upgrade to the new syntax would cause too much confusion.

FreeBSD deprecation policies mean that the existing (old) pf syntax would need to be supported for at least the duration of the 9.x branch (and possibly the 10.x branch).

>1) To move to the newer pf and just add to releases notes what had
>happened,

Since the new pf syntax is incompatible with the existing syntax, this would not be acceptable on any stable branch (8.x, 9.x). It could be done on 10.x but the incompatibility would make migrating from 9.x to 10.x harder.
>2) my own personal opinion: creating 'pf2-*' as a kernel option tree,
>basically using the newer pf syntax and allowing users to choose.

This would probably be the preferred option as it would allow users to migrate at their leisure.

>I would be interested to know the feedback from you guys as to be honest
>there seems to be quite a few users who actually DO want the new style
>format and functionality that comes with.

My understanding is that there are significant differences in locking between OpenBSD and FreeBSD, which would make porting the new pf non-trivial. New feature requests generally come down to finding the manpower to implement and maintain them.

-- 
Peter Jeremy
--nYySOmuH/HDX6pKp Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlCrBU8ACgkQ/opHv/APuIeIpwCfXIt3PVxKjIQCFVvmfQ1IZbtc Xc0An0KnEh0ZJ15mIjqtMbpXEsTE8f6b =1zV4 -----END PGP SIGNATURE----- --nYySOmuH/HDX6pKp--
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 06:46:48 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 05C5AFC8 for ; Tue, 20 Nov 2012 06:46:48 +0000 (UTC) (envelope-from odhiambo@gmail.com) Received: from mail-ie0-f182.google.com (mail-ie0-f182.google.com [209.85.223.182]) by mx1.freebsd.org (Postfix) with ESMTP id BB7EA8FC13 for ; Tue, 20 Nov 2012 06:46:47 +0000 (UTC) Received: by mail-ie0-f182.google.com with SMTP id s9so1910021iec.13 for ; Mon, 19 Nov 2012 22:46:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=rLHBpRJfc/JuBeWiXOh7cGa8glfR337gLrhBmy5luAM=; b=i+kI0pVZXUO52kPRVQqFwIKrswrVTYVXFiY85TOE3PRhqENk6TDFaq4gJZtBtaogfS R3+C0ZeqEbWQzdOu+DEROsRZl0r1kbNbPTIrNZ5PUoMPyy2UeCwbNwXomw7DdrySa1s9 I3CKpycZaZhvQBdWKhuBZrJOfFETcpuBKIpfz0A9XMc5mAlSJDOQ8wbh/INWbtPumCh7
BC+gGjsdRLuuhGc1Ov5WmSm0mAPiwVvwD78JzwMdCiodKbf833gYhAZBqgFwBAxrj3F/ bySp5Wlye7fwkLLLf5OmoHQm709iGnuR7YsjmzksCRPfYSHPhcNmwO3rxkMNx7Of+qOp pUBg== Received: by 10.50.13.133 with SMTP id h5mr9035232igc.2.1353394007022; Mon, 19 Nov 2012 22:46:47 -0800 (PST) MIME-Version: 1.0 Received: by 10.42.60.6 with HTTP; Mon, 19 Nov 2012 22:46:06 -0800 (PST) In-Reply-To: References: From: Odhiambo Washington Date: Tue, 20 Nov 2012 09:46:06 +0300 Message-ID: Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. To: Paul Webster Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 06:46:48 -0000 On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster wrote: > Good day all, > > I am aware this is a much discussed subject since the upgrade of PF, I > believe the final decision was that to many users are used to the old > style pf and an upgrade to the new syntax would cause to much confusion. > > There was a recent debate on ##freebsd about this issue and I was inclined > to mail in and get your opinions; basically it boiled down to the majority > of users wanting either: > > 1) To move to the newer pf and just add to releases notes what had > happened, > and > 2) my own personal opinion: creating 'pf2-*' as a kernel option tree, > basically using the newer pf syntax and allowing users to choose. > > I would be interested to know the feedback from you guys as to be honest > there seems to be quite a few users who actually DO want the new style > format and functionality that comes with. > > I Attached the log of the conversation just for reference. 
> >
It's been difficult enough to maintain PF on FreeBSD because of the time needed to be invested in the FreeBSD port. This situation remains to date, from what I understand. I guess someone can look at how many bugs/feature requests still remain open for PF on FreeBSD.

I therefore feel that whoever wants to run PF should use a dedicated OpenBSD box as a firewall/whatever they use PF for. There is really no point trying to make FreeBSD be OpenBSD when it comes to such requirements. Look at the advantages of "separation of power" - give to OpenBSD the firewallpower and FreeBSD the serverpower.

In keeping with the K.I.S.S. principle, please let anyone needing new PF syntax just use OpenBSD.

My humble opinion.
-- 
Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ I can't hear you -- I'm using the scrambler.
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 07:15:33 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BBD01797 for ; Tue, 20 Nov 2012 07:15:33 +0000 (UTC) (envelope-from hoomanfazaeli@gmail.com) Received: from mail-ob0-f182.google.com (mail-ob0-f182.google.com [209.85.214.182]) by mx1.freebsd.org (Postfix) with ESMTP id 7D12D8FC12 for ; Tue, 20 Nov 2012 07:15:33 +0000 (UTC) Received: by mail-ob0-f182.google.com with SMTP id 16so7180623obc.13 for ; Mon, 19 Nov 2012 23:15:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=ugKkDrhEUUWXSMttHjzoc/Z5fMzUHjFuhjiFgka5cj8=; b=wHiGJEHewWuArcivLXgpN4+BZL0ULzVPy74WfxI81YJryjajyCOlBoPwHTwvyw4RTE 4AFECKtUCXA9jlwLWAhz747/KIXm5qS+Yx6F+aUKPbEzzqAr0pQ88kHZsu2FgJcoJr/v 2+OYC1G1/QOajS2sh/RET7kA4UYmzuOuPQfqCASNYdSH86pPcdGTP6GdNEwFE7udtt7K CrZo+qJeJZWavdPJeW3lJxL/OcXm1DhHb/79pAts2h8ik/1ayAtfcHLYrRcqEEoU2mM/
ofMz0a+1fGsThUKkHMjkozELfo9LvBOU+5jBgYCejPxYWqBFL2yi/PxZ4rETiXOT9VPV CXUw== MIME-Version: 1.0 Received: by 10.60.27.39 with SMTP id q7mr12269640oeg.109.1353395732726; Mon, 19 Nov 2012 23:15:32 -0800 (PST) Received: by 10.76.172.36 with HTTP; Mon, 19 Nov 2012 23:15:32 -0800 (PST) Date: Tue, 20 Nov 2012 10:45:32 +0330 Message-ID: Subject: WAN load balance with PF From: Hooman Fazaeli To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 07:15:33 -0000
With a topology like:

                             ----- ADSL 1
LAN ---- PF Box ----- Switch |
                             ----- ADSL 2

Is there a way to NAT and distribute LAN-to-internet traffic on the two ADSL links apart from adding a third NIC to the PF box?
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 07:55:40 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C8E6DABA for ; Tue, 20 Nov 2012 07:55:40 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-qc0-f182.google.com (mail-qc0-f182.google.com [209.85.216.182]) by mx1.freebsd.org (Postfix) with ESMTP id 75C028FC0C for ; Tue, 20 Nov 2012 07:55:40 +0000 (UTC) Received: by mail-qc0-f182.google.com with SMTP id k19so4802564qcs.13 for ; Mon, 19 Nov 2012 23:55:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=+2KVXbFM6a83Qppi/2jYqSG7SF82VQ5r/uhckU5rrwQ=; b=UD72VoZhsnr1WwLLHIrYyWEtfcVnBadgl0h+HyfImLBzgB5VtlbcEU2Oz2bS2H1JW9 3zMgQW3FHrHg5BMyyXH458x+n4Mnzge2s2o8ljbpn5cPpdmmVHvBoagEIfHhHUz/t4GB
vbyERa6u53hoOIUvSpVUbjwwcAU2P8yMeX0M1x0Aybhj7Bi0QvWAullBWeK/kMFy3sgv bzbRhPZcE03RX0gCHn4sUo7yAsWPaBo9YPsbK1mde33IrCVBbTWBn7NjyMVd0ZJS1HRJ v7Tvi6zuRQeNqNOlPvvU3/Or1NtOGjR5KdfIDhCGXNwZNj1OooWwqMSWUSWPO8nyHN4/ JfWQ== MIME-Version: 1.0 Received: by 10.49.14.193 with SMTP id r1mr16277653qec.50.1353398139826; Mon, 19 Nov 2012 23:55:39 -0800 (PST) Sender: ermal.luci@gmail.com Received: by 10.49.121.163 with HTTP; Mon, 19 Nov 2012 23:55:39 -0800 (PST) In-Reply-To: References: Date: Tue, 20 Nov 2012 08:55:39 +0100 X-Google-Sender-Auth: zsu7WahBzZthioqdKzDuuzjhHUc Message-ID: Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Odhiambo Washington Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: Paul Webster , "freebsd-pf@freebsd.org" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 07:55:40 -0000 On Tue, Nov 20, 2012 at 7:46 AM, Odhiambo Washington wrote: > On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster < > paul.g.webster@googlemail.com > > wrote: > > > Good day all, > > > > I am aware this is a much discussed subject since the upgrade of PF, I > > believe the final decision was that to many users are used to the old > > style pf and an upgrade to the new syntax would cause to much confusion. > > > > There was a recent debate on ##freebsd about this issue and I was > inclined > > to mail in and get your opinions; basically it boiled down to the > majority > > of users wanting either: > > > > 1) To move to the newer pf and just add to releases notes what had > > happened, > > and > > 2) my own personal opinion: creating 'pf2-*' as a kernel option tree, > > basically using the newer pf syntax and allowing users to choose. 
> > > > I would be interested to know the feedback from you guys as to be honest > > there seems to be quite a few users who actually DO want the new style > > format and functionality that comes with. > > > > I Attached the log of the conversation just for reference. > > > > > It's been difficult enough to maintain PF on FreeBSD because of the time > needed to be invested in the FreeBSD port. > This situation remains to date, from what I understand. I guess someone can > look at how many bugs/feature requests still remain open for PF on FreeBSD. > > I therefore feel that whoever wants to run PF should use a dedicated > OpenBSD box as a firewall/whatever they use PF for. > There is really no point trying to make FreeBSD be OpenBSD when it comes to > such requirements. Look at the advantages of "separation of power" - give > to OpenBSD the firewallpower and FreeBSD the serverpower. > > In keeping with the K.I.S.S. principle, please let anyone needing new PF > syntax just use OpenBSD. > > My humble opinion. > -- > Best regards, > Odhiambo WASHINGTON, > Nairobi,KE > +254733744121/+254722743223 > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ > I can't hear you -- I'm using the scrambler. > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >
The truth is that you can add a shim layer between the old syntax and the new syntax and maintain the new 'locking' present in the 10.x branch.

Maybe it would be worth sending a project proposal to the FreeBSD Foundation about this, but I do not know how keen they are to support this through funding.

When the locking was changed there was a discussion about keeping both of the versions, but it was just thrown in the trash by the guy doing the new 'locking'.

Probably the foundation has to be asked how keen they are to support this development to have things upgraded.
-- Ermal From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 08:07:35 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5C4B6CEF; Tue, 20 Nov 2012 08:07:35 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-oa0-f54.google.com (mail-oa0-f54.google.com [209.85.219.54]) by mx1.freebsd.org (Postfix) with ESMTP id E50BC8FC13; Tue, 20 Nov 2012 08:07:34 +0000 (UTC) Received: by mail-oa0-f54.google.com with SMTP id n9so7232515oag.13 for ; Tue, 20 Nov 2012 00:07:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5xYsDBNfprND9ZkJCnn819pMKmtcu8izONyjcgCjICU=; b=NnnqD+nhfyGwZfX0Dj7/JQUXOxCrn00jyXJdwIzJC9OM2MYpCzsbYF2Kxm5hoNvY9O +0xGwr3LpGt9pyFuDyIWd3wqbi5hFSyYGuUaf6A9T+Vg8plBJXc9Zx4yW0jhd8HFBA/O MQz6z4cP/4715ZIH1/4DodvA+eG+IOmX7C6jBJIMbW1dmgoTy9+97u+dLtYjFBz2H+bM g7IpOP8Alw/v5j5fRt6Ju9QRjKBxoIgh1Jsk7x89rIPmyGQbYRy+fVRQHsS8XJmrA2OZ JO02Vqk/dTiJLYbdwgNvZAFHwu4cPubqr3CjdpMa6nG1QrO7UmhNQaypCaLcSM/wDqDC Y1pQ== MIME-Version: 1.0 Received: by 10.182.127.102 with SMTP id nf6mr13045939obb.14.1353398854298; Tue, 20 Nov 2012 00:07:34 -0800 (PST) Received: by 10.182.97.162 with HTTP; Tue, 20 Nov 2012 00:07:34 -0800 (PST) In-Reply-To: References: Date: Tue, 20 Nov 2012 10:07:34 +0200 Message-ID: Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. 
From: Sami Halabi To: =?ISO-8859-1?Q?Ermal_Lu=E7i?= , Gleb Smirnoff Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: Paul Webster , "freebsd-pf@freebsd.org" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 08:07:35 -0000
Hi,

This was actually discussed much earlier; as I read it, it would make some issues with the new pf-smp work done by Gleb.

Sami

On Tue, Nov 20, 2012 at 9:55 AM, Ermal Luçi wrote: > On Tue, Nov 20, 2012 at 7:46 AM, Odhiambo Washington >wrote: > > > On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster < > > paul.g.webster@googlemail.com > > > wrote: > > > > > Good day all, > > > > > > I am aware this is a much discussed subject since the upgrade of PF, I > > > believe the final decision was that too many users are used to the old > > > style pf and an upgrade to the new syntax would cause too much > confusion. > > > > > > There was a recent debate on ##freebsd about this issue and I was > > inclined > > > to mail in and get your opinions; basically it boiled down to the > > majority > > > of users wanting either: > > > > > > 1) To move to the newer pf and just add to releases notes what had > > > happened, > > > and > > > 2) my own personal opinion: creating 'pf2-*' as a kernel option tree, > > > basically using the newer pf syntax and allowing users to choose. > > > > > > I would be interested to know the feedback from you guys as to be > honest > > > there seems to be quite a few users who actually DO want the new style > > > format and functionality that comes with. > > > > > > I Attached the log of the conversation just for reference. > > > > > > > > It's been difficult enough to maintain PF on FreeBSD because of the time > > needed to be invested in the FreeBSD port. > > This situation remains to date, from what I understand. I guess someone > can > > look at how many bugs/feature requests still remain open for PF on > FreeBSD. > > > > I therefore feel that whoever wants to run PF should use a dedicated > > OpenBSD box as a firewall/whatever they use PF for. > > There is really no point trying to make FreeBSD be OpenBSD when it comes > to > > such requirements. Look at the advantages of "separation of power" - give > > to OpenBSD the firewallpower and FreeBSD the serverpower. > > > > In keeping with the K.I.S.S. principle, please let anyone needing new PF > > syntax just use OpenBSD. > > > > My humble opinion. > > -- > > Best regards, > > Odhiambo WASHINGTON, > > Nairobi,KE > > +254733744121/+254722743223 > > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ > > I can't hear you -- I'm using the scrambler. > > _______________________________________________ > > freebsd-pf@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > > > The truth is that you can add a shim layer between the old syntax to new > syntax and maintain the new 'locking' present in 10.x branch. > > Maybe it would be worth to send a project proposal to the FreeBSD > Foundation about this, > but i do not know how keen they are to support through funding this. > > When the locking was changed there were a discussion about keeping both of > the versions but it was just thrown to the trash by the guy doing > the new 'locking'. > > Probably it has to be asked to the foundation how keen they are to support > this development to have things upgraded. > > -- > Ermal > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >
-- 
Sami Halabi Information Systems Engineer NMS Projects Expert FreeBSD SysAdmin Expert
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 10:22:54 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 31802230 for ; Tue, 20 Nov 2012 10:22:54 +0000 (UTC) (envelope-from hoomanfazaeli@gmail.com) Received: from mail-pb0-f54.google.com (mail-pb0-f54.google.com [209.85.160.54]) by mx1.freebsd.org (Postfix) with ESMTP id EAE398FC08 for ; Tue, 20 Nov 2012 10:22:53 +0000 (UTC) Received: by mail-pb0-f54.google.com with SMTP id wz12so4366562pbc.13 for ; Tue, 20 Nov 2012 02:22:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=H2AZIAsQCodyLYZ9ta8nxXEFvzcAuf1d982NavfKwvg=; b=u66KBVjPi0WVZoHNyfU1ZGnHKQz0Yk6zstHXyjnyIrDumi5zsm4LQlMcLBTqVNkuQS SZOQRHVpFhKJVV2m/4XebKBtC5cwCLvKUg+TRSgjByq8BWfGuITGcgYJPwVUJ3h0DCm0 7j3LZh7Fr/jNQmKbFeenQPo7XzsYX0tBiTVKY5wUJpva/q0dx16/w0PDcGwSocrlgjaN DehbtqRF7ABuSjxGxWWBifossh+C0YfuF1m2CQxfQI3RQbjuFKiujI78cKxjltevcjNp O6RYAOqZmaUoSrCxMTn77tgiQv0FtupGYPfGJZj2+IY4DReXwLgk39MQVyegADOjqAnJ kdIg== Received: by 10.68.135.200 with SMTP id pu8mr47940133pbb.27.1353406973370; Tue, 20 Nov 2012 02:22:53 -0800 (PST) Received: from [192.168.1.240] ([2.176.178.63]) by mx.google.com with ESMTPS id gl9sm7853520pbc.51.2012.11.20.02.22.50 (version=SSLv3 cipher=OTHER); Tue, 20 Nov 2012 02:22:52 -0800 (PST) Message-ID: <50AB59F3.6070208@gmail.com> Date: Tue, 20 Nov 2012 13:52:43 +0330 From: Hooma Fazaeli User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20121026 Thunderbird/16.0.2 MIME-Version:
1.0 To: Cpet Services , freebsd-pf@freebsd.org Subject: Re: WAN load balance with PF References: <3908090977629100732@unknownmsgid> In-Reply-To: <3908090977629100732@unknownmsgid> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 10:22:54 -0000 On 11/20/2012 01:24 ?.?, Cpet Services wrote: > http://forums.freebsd.org/showthread.php?t=30409 might help you. also > possibly with carp? > *From:* Hooman Fazaeli > > *Sent:* November 20, 2012 1:15 AM > *To:* freebsd-pf@freebsd.org > *Subject:* WAN load balance with PF > With a topology like: > ----- ADSL 1 > LAN ---- PF Box ----- Switch | > ----- ADSL 2 > > Is there a way to NAT and distribute LAN to internet traffic on the two > ADSL links apart from adding a third NIC to PF box? > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org > " If we could connect both ADSl modems to the box, a config like below would work: lan_if = "em0" wan_if1 = "em1" wan_if2 = "em2" nat on $wan_if1 from $lan_if1:network to any -> $wan_if1 nat on $wan_if2 from $lan_if1:network to any -> $wan_if2 pass in on $lan_if route-to {($wan_if1 $wan_ip1) ($wan_if2 $wan_ip2)} pass all our problem is that since both WAN links are connected to the same interface (via the switch) there is no way to distinguish between the two in NAT rules. Any idea? 
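The two-modems-on-one-NIC setup written out in full, as an added example: it is not the poster's ruleset (the later messages in this thread arrive at a shorter form of the same idea) and not from pf's documentation. It uses the legacy pf syntax that FreeBSD 9.x ships and assumes em1 carries a primary address 192.168.10.2 plus an alias 192.168.20.2, with the modems answering on 192.168.10.1 and 192.168.20.1; every address is invented for the example. It relies on one property of this pf version: nat rules are evaluated before the filter rules, so a pass out rule can choose its route-to gateway by the already translated source address.

```pf
# /etc/pf.conf -- two ADSL modems behind one NIC (em1), legacy pf syntax.
# Added example; all addresses are assumptions, not taken from the thread.
# Interface side, in /etc/rc.conf (assumed):
#   ifconfig_em1="inet 192.168.10.2/24"
#   ifconfig_em1_alias0="inet 192.168.20.2/24"
#   defaultrouter="192.168.10.1"
#   gateway_enable="YES"
lan_if  = "em0"
wan_if  = "em1"
wan_ip1 = "192.168.10.2"   # primary address on $wan_if; default route via $wan_gw1
wan_ip2 = "192.168.20.2"   # alias on $wan_if; only ever used through route-to
wan_gw1 = "192.168.10.1"   # ADSL modem 1 (must differ from modem 2's address)
wan_gw2 = "192.168.20.1"   # ADSL modem 2

set skip on lo0
scrub in all

# Translation runs before filtering, so the pass out rules below already
# see the translated source. round-robin spreads new connections over both
# addresses; sticky-address keeps one LAN host on one uplink, which matters
# for sites that tie a login session to the client's public IP.
nat on $wan_if from $lan_if:network to any -> { $wan_ip1 $wan_ip2 } round-robin sticky-address

block log all
pass in on $lan_if from $lan_if:network to any keep state

# Connections translated to $wan_ip1 follow the default route (modem 1).
pass out on $wan_if from $wan_ip1 to any keep state
# Connections translated to $wan_ip2 are handed straight to modem 2 on the
# same interface, bypassing the routing table, so replies come back to the
# address they were sent from.
pass out on $wan_if route-to ($wan_if $wan_gw2) from $wan_ip2 to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading; after a few connections from the LAN, `pfctl -ss` should show states with both 192.168.10.2 and 192.168.20.2 as translated sources, and `pfctl -vsn` shows how many packets each translation handled. The block/pass skeleton is the minimum for the example, and two limits remain: pf never notices a dead modem (a monitor that reloads a single-address ruleset is the usual answer), and the two modems must have distinct addresses on the shared segment, which consumer modems rarely have out of the box.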
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 10:34:37 2012
From: Daniel Hartmeier
To: Hooma Fazaeli
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 Nov 2012 11:34:24 +0100
Subject: Re: WAN load balance with PF
Message-ID: <20121120103424.GA18780@insomnia.benzedrine.cx>
In-Reply-To: <50AB59F3.6070208@gmail.com>

On Tue, Nov 20, 2012 at 01:52:43PM +0330, Hooma Fazaeli wrote:
> If we could connect both ADSL modems to the box, a config like below
> would work:
>
> lan_if = "em0"
> wan_if1 = "em1"
> wan_if2 = "em2"
>
> nat on $wan_if1 from $lan_if:network to any -> $wan_if1
> nat on $wan_if2 from $lan_if:network to any -> $wan_if2
>
> pass in on $lan_if route-to {($wan_if1 $wan_ip1) ($wan_if2 $wan_ip2)}
> pass all
>
> our problem is that since both WAN links are connected to the same
> interface (via the switch)
> there is no way to distinguish between the two in NAT rules.
>
> Any idea?

You could try to do round-robin on the nat rule, and route-to on 'pass
out' rules on the default route interface (nat comes first), like

# assuming default route through $wan_if1
nat on $wan_if1 from $lan_if:network to any -> { $wan_if1 $wan_if2 } round-robin
pass out on $wan_if1 route-to ($wan_if2 $wan_ip2) from $wan_if2 to any

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 10:56:21 2012
From: Hooma Fazaeli
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 Nov 2012 14:26:15 +0330
Subject: Re: WAN load balance with PF
Message-ID: <50AB61CF.9040309@gmail.com>
In-Reply-To: <20121120103424.GA18780@insomnia.benzedrine.cx>

On 11/20/2012 02:04 PM, Daniel Hartmeier wrote:
> On Tue, Nov 20, 2012 at 01:52:43PM +0330, Hooma Fazaeli wrote:
>
>> If we could connect both ADSL modems to the box, a config like below
>> would work:
>>
>> lan_if = "em0"
>> wan_if1 = "em1"
>> wan_if2 = "em2"
>>
>> nat on $wan_if1 from $lan_if:network to any -> $wan_if1
>> nat on $wan_if2 from $lan_if:network to any -> $wan_if2
>>
>> pass in on $lan_if route-to {($wan_if1 $wan_ip1) ($wan_if2 $wan_ip2)}
>> pass all
>>
>> our problem is that since both WAN links are connected to the same
>> interface (via the switch)
>> there is no way to distinguish between the two in NAT rules.
>>
>> Any idea?
> You could try to do round-robin on the nat rule, and route-to on 'pass
> out' rules on the default route interface (nat comes first), like
>
> # assuming default route through $wan_if1
> nat on $wan_if1 from $lan_if:network to any -> { $wan_if1 $wan_if2 } round-robin
> pass out on $wan_if1 route-to ($wan_if2 $wan_ip2) from $wan_if2 to any
>
> Daniel

But there is no wan_if2 actually. The box has only two interfaces: one
connected to the LAN and the other connected to the L2 switch (to which
the modems are connected).

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 12:01:05 2012
From: Daniel Hartmeier
To: Hooma Fazaeli
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 Nov 2012 13:01:01 +0100
Subject: Re: WAN load balance with PF
Message-ID: <20121120120101.GB18780@insomnia.benzedrine.cx>
In-Reply-To: <50AB61CF.9040309@gmail.com>

On Tue, Nov 20, 2012 at 02:26:15PM +0330, Hooma Fazaeli wrote:
> > # assuming default route through $wan_if1
> > nat on $wan_if1 from $lan_if:network to any -> { $wan_if1 $wan_if2 } round-robin
> > pass out on $wan_if1 route-to ($wan_if2 $wan_ip2) from $wan_if2 to any
> >
> > Daniel
> But there is no wan_if2 actually. The box has only two interfaces: one
> connected to LAN and
> the other connected to L2 switch (to which modems are connected).

Same thing, just

pass out on $wan_if1 route-to ($wan_if1 $wan_ip2) from $wan_if2 to any

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 14:43:27 2012
From: Mark Martinec
Organization: J. Stefan Institute
To: freebsd-pf@freebsd.org
Cc: freebsd-current@freebsd.org
Date: Tue, 20 Nov 2012 15:43:17 +0100
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
Message-Id: <201211201543.17903.Mark.Martinec+freebsd@ijs.si>

Paul Webster wrote:
> I am aware this is a much discussed subject since the upgrade of PF,
> I believe the final decision was that too many users are used to the old
> style pf and an upgrade to the new syntax would cause too much confusion.

I don't buy that. Think of the confusion in a year or two when
OpenBSD PF rules and the PF documentation won't match the
legacy syntax in FreeBSD's PF.

Maxim Khitrov wrote:
> > 1) To move to the newer pf and just add to releases notes what had
> > happened,
> My vote is for option 1, but I'll also be happy with option 2 if it
> costs little to maintain both versions. I'm pretty much for anything
> that brings pf in sync (or close to it) with OpenBSD.

My sentiments exactly.

Olivier Smedts wrote:
> But a change like this is expected in a new major branch, ie.
> 10-CURRENT. Not so in -STABLE branches of course. I don't see the
> problem here.

Indeed.

Gary Palmer wrote:
> So you don't expect people to upgrade boxes in place?
> I also guess you've never been 5,000 miles away from a box and typo'd
> something in the firewall and locked yourself out. Then think how tons
> of FreeBSD users would feel if the default pf syntax was changed to be
> incompatible and they find themselves in a similar situation after an
> upgrade.

The risk of locking oneself out even on minor fiddling with fw rules
on a remote machine, let alone upgrading its OS, is something that
every administrator is already aware of. Working without a safety net
is unwise for a hobbyist, and unacceptable for a professional.
I don't think the above argument holds water.

Olivier Smedts wrote:
> Another question: how did OpenBSD manage this change?

This is from http://www.openbsd.org/faq/upgrade46.html

| If you reboot your system without a usable pf.conf file in place, your pf
| rules will not be loaded, and you will end up using the default rule set,
| which will block all traffic EXCEPT for ssh over the standard port 22.
| This means that if you do not fix your pf.conf rules before rebooting,
| you may be greeted by a box that does not even respond to pings.
| Do not panic, as you can still ssh to the box, assuming you have sshd(8)
| listening on the usual port.

Gary Palmer wrote:
> The other question that I haven't seen answered (or maybe even asked), but
> is relevant: what do we gain by going to a later version of pf? I.e. as an
> administrator, what benefit do I get by having to expend effort converting
> my filter rules?

For one thing, I'm desperately awaiting NAT64 support (the 'af-to'
translation rule in newer pf (5.1?), committed on 2011-10).

Other: packet normalization (scrub) has been reworked and simplified,
and is now a ruleset option. Considering that scrub is currently broken
(9.1, see list of PF bugs in FreeBSD), along with several other
bugs that need fixing, it seems the (scarce) manpower would better
be spent in moving on, than keeping the already leaky (buggy) pf
afloat.

I think the compatibility issue should not be used as an excuse
for not moving on. You can't make an omelette without breaking eggs.

Mark

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 14:48:04 2012
Date: Tue, 20 Nov 2012 15:48:03 +0100
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
From: Ermal Luçi
To: Sami Halabi
Cc: Paul Webster, freebsd-pf@freebsd.org

On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi wrote:
> Hi,
> This was actually discussed much before, as I read it would make some
> issues with the new pf-smp work done by gleb.
>

Not really since Gleb just changed the locking and nothing else.
All his work is under the hood.
He actually broke if-bound state but that's another story.

> Sami
>
>
> On Tue, Nov 20, 2012 at 9:55 AM, Ermal Luçi wrote:
>
>> On Tue, Nov 20, 2012 at 7:46 AM, Odhiambo Washington wrote:
>>
>> > On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster <paul.g.webster@googlemail.com> wrote:
>> >
>> > > Good day all,
>> > >
>> > > I am aware this is a much discussed subject since the upgrade of PF, I
>> > > believe the final decision was that too many users are used to the old
>> > > style pf and an upgrade to the new syntax would cause too much confusion.
>> > >
>> > > There was a recent debate on ##freebsd about this issue and I was inclined
>> > > to mail in and get your opinions; basically it boiled down to the majority
>> > > of users wanting either:
>> > >
>> > > 1) To move to the newer pf and just add to releases notes what had
>> > > happened,
>> > > and
>> > > 2) my own personal opinion: creating 'pf2-*' as a kernel option tree,
>> > > basically using the newer pf syntax and allowing users to choose.
>> > >
>> > > I would be interested to know the feedback from you guys as to be honest
>> > > there seems to be quite a few users who actually DO want the new style
>> > > format and functionality that comes with.
>> > >
>> > > I attached the log of the conversation just for reference.
>> > >
>> >
>> > It's been difficult enough to maintain PF on FreeBSD because of the time
>> > needed to be invested in the FreeBSD port.
>> > This situation remains to date, from what I understand. I guess someone can
>> > look at how many bugs/feature requests still remain open for PF on FreeBSD.
>> >
>> > I therefore feel that whoever wants to run PF should use a dedicated
>> > OpenBSD box as a firewall/whatever they use PF for.
>> > There is really no point trying to make FreeBSD be OpenBSD when it comes to
>> > such requirements. Look at the advantages of "separation of power" - give
>> > to OpenBSD the firewall power and FreeBSD the server power.
>> >
>> > In keeping with the K.I.S.S principle, please let anyone needing new PF
>> > syntax just use OpenBSD.
>> >
>> > My humble opinion.
>> > --
>> > Best regards,
>> > Odhiambo WASHINGTON,
>> > Nairobi,KE
>> > +254733744121/+254722743223
>> > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>> > I can't hear you -- I'm using the scrambler.
>> > _______________________________________________
>> > freebsd-pf@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>> >
>>
>> The truth is that you can add a shim layer between the old syntax and the new
>> syntax and maintain the new 'locking' present in the 10.x branch.
>>
>> Maybe it would be worth sending a project proposal to the FreeBSD
>> Foundation about this,
>> but I do not know how keen they are to support this through funding.
>>
>> When the locking was changed there was a discussion about keeping both of
>> the versions but it was just thrown in the trash by the guy doing
>> the new 'locking'.
>>
>> Probably it has to be asked of the foundation how keen they are to support
>> this development to have things upgraded.
>>
>> --
>> Ermal
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>
>
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
>
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 16:14:12 2012
From: Jon Radel
To: Hooman Fazaeli
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 Nov 2012 11:14:09 -0500
Subject: Re: WAN load balance with PF
Message-Id: <0DBD1609-3178-4959-91D4-25F33CE99B2E@radel.com>

Yes, use a switch that handles vlans and make use of them.

--Jon Radel
jon@radel.com

Sent from my iPad

On Nov 20, 2012, at 2:15, Hooman Fazaeli wrote:
>
> With a topology like:
>
>                              ----- ADSL 1
> LAN ---- PF Box ----- Switch |
>                              ----- ADSL 2
>
> Is there a way to NAT and distribute LAN to internet traffic on the two
> ADSL links apart from adding a third NIC to PF box?
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 20 21:53:19 2012
From: Hooma Fazaeli
To: Daniel Hartmeier
Date: Wed, 21 Nov 2012 01:23:04 +0330
Subject: Re: WAN load balance with PF
Message-ID: <50ABFBC0.6060509@gmail.com>
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20121120120101.GB18780@insomnia.benzedrine.cx>

On 11/20/2012 03:31 PM, Daniel Hartmeier wrote:
> On Tue, Nov 20, 2012 at 02:26:15PM +0330, Hooma Fazaeli wrote:
>
>>> # assuming default route through $wan_if1
>>> nat on $wan_if1 from $lan_if:network to any -> { $wan_if1 $wan_if2 }
>>> round-robin
>>> pass out on $wan_if1 route-to ($wan_if2 $wan_ip2) from $wan_if2 to any
>>>
>>> Daniel
>> But there is no wan_if2 actually. The box has only two interfaces: one
>> connected to LAN and
>> the other connected to L2 switch (to which modems are connected).
> Same thing, just
>
> pass out on $wan_if1 route-to ($wan_if1 $wan_ip2) from $wan_if2 to any
>
> Daniel

Thanks Daniel

I was thinking that route-to does not work with OUT rules (I should have
read it somewhere) and so never considered the possibility of routing
after NAT.

And just for the record, I include the final ruleset here:

lan_if = "em0"
wan_if = "em1"          # default route interface
wan_gw1 = "...."        # ADSL modem 1 IP address
wan_gw2 = "...."        # ADSL modem 2 IP address
wan_if_ip1 = "..."      # address on $wan_if used with the default route via $wan_gw1
wan_if_ip2 = "...."     # IP address assigned to $wan_if to reach $wan_gw2

# translate the LAN network (a bare $lan_if would only match the firewall's
# own address) to the two addresses on $wan_if in turn
nat on $wan_if from $lan_if:network to any -> { $wan_if_ip1 $wan_if_ip2 } round-robin
# after NAT, traffic carrying $wan_if_ip2 is handed to modem 2; the rest
# follows the default route to $wan_gw1
pass out on $wan_if route-to ($wan_if $wan_gw2) from $wan_if_ip2 to any

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 21 01:57:54 2012
Date: Tue, 20 Nov 2012 20:57:54 -0500
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
In-Reply-To: <201211201543.17903.Mark.Martinec+freebsd@ijs.si>
From: Kevin Wilcox
To: Mark Martinec
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org

On Nov 20, 2012 9:44 AM, "Mark Martinec" wrote:
>
> Paul Webster wrote:
> > I am aware this is a much discussed subject since the upgrade of PF,
> > I believe the final decision was that too many users are used to the old
> > style pf and an upgrade to the new syntax would cause too much confusion.
>
> I don't buy that. Think of the confusion in a year or two when
> OpenBSD PF rules and the PF documentation won't match the
> legacy syntax in FreeBSD's PF.

Their documentation already doesn't match the legacy syntax, you have to
look for older pf documentation to match that in use by FreeBSD. This has
been the case since at least OpenBSD 4.7:

http://www.openbsd.org/faq/upgrade47.html

To get documentation for FreeBSD pf, you generally need to look for OpenBSD
documentation for 4.2 or 4.3 as there were minute changes in the mid-4.x
range.

kmw

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 21 07:56:44 2012
From: Gleb Smirnoff
To: Mark Martinec
Cc: freebsd-current@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Wed, 21 Nov 2012 11:56:42 +0400
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
Message-ID: <20121121075642.GR67660@FreeBSD.org>
In-Reply-To: <201211201543.17903.Mark.Martinec+freebsd@ijs.si>

Mark,

On Tue, Nov 20, 2012 at 03:43:17PM +0100, Mark Martinec wrote:
M> For one thing, I'm desperately awaiting NAT64 support (the 'af-to'
M> translation rule in newer pf (5.1?), committed on 2011-10).

Backport this exact feature to FreeBSD and send patch.
M> Other: packet normalization (scrub) has been reworked and simplified, M> and is now a rulset option. Considering that scrub is currently broken M> (9.1, see list of PF bugs in FreeBSD), along with several other M> bugs that need fixing, it seems the (scarce) manpower would better M> be spent in moving on, than keeping the already leaky (buggy) pf M> afloat. Yes, scrub improvements can be cherry picked and added to FreeBSD, too. But if you think that bulk import of new version would close all current bugs without opening new problems, then you are mistaking. Last bulk import introduced much more bugs than it closed. And this statement isn't a accusation towards the person who did the import. This is just a generic rule. If you take 100k lines of code that were developed for another operating system kernel and without thourough reviewing it just make it compile and link with another kernel, then you are about to miss many rough edges that will show up later, when the code would be utilized. Thus, cherry-picking is preferred over bulk imports. -- Totus tuus, Glebius. 
From owner-freebsd-pf@FreeBSD.ORG Wed Nov 21 14:44:15 2012
Date: Wed, 21 Nov 2012 15:44:13 +0100
From: Ermal Luçi
To: Gleb Smirnoff
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
In-Reply-To: <20121121075642.GR67660@FreeBSD.org>

On Wed, Nov 21, 2012 at 8:56 AM, Gleb Smirnoff wrote:
> Mark,
>
> On Tue, Nov 20, 2012 at 03:43:17PM +0100, Mark Martinec wrote:
> M> For one thing, I'm desperately awaiting NAT64 support (the 'af-to'
> M> translation rule in newer pf (5.1?), committed on 2011-10).
>
> Backport this exact feature to FreeBSD and send a patch.
>
> M> Other: packet normalization (scrub) has been reworked and simplified,
> M> and is now a ruleset option. Considering that scrub is currently broken
> M> (9.1, see list of PF bugs in FreeBSD), along with several other
> M> bugs that need fixing, it seems the (scarce) manpower would better
> M> be spent in moving on, than keeping the already leaky (buggy) pf
> M> afloat.
>
> Yes, scrub improvements can be cherry-picked and added to FreeBSD, too.
>

The issue is you cannot without modifying rule config.

> But if you think that a bulk import of the new version would close all
> current bugs without opening new problems, then you are mistaken. The last
> bulk import introduced many more bugs than it closed. And this statement
> isn't an accusation towards the person who did the import. This is just a
> generic rule. If you take 100k lines of code that were developed for
> another operating system kernel and, without thorough review, just make it
> compile and link with another kernel, then you are about to miss many rough
> edges that will show up later, when the code is utilized.
>
> Thus, cherry-picking is preferred over bulk imports.
Well, it depends on the amount of work.
Cherry-picking would be when there are reasonable similarities.
Also another argument to do this would be simplicity of locking, as
I told you when you started the changes.

Though I am open to working together on this to merge the new syntax
through a whole bulk merge rather than cherry-picking.
You already have 'broken' some functionality, such as if-bound, in FreeBSD
10.x, so why not break syntax and see to introduce a converter as well, if
there is real value behind it.

> --
> Totus tuus, Glebius.

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 21 14:52:48 2012
Date: Wed, 21 Nov 2012 18:52:40 +0400
From: Gleb Smirnoff
To: Ermal Luçi
Cc: freebsd-current@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
Message-ID: <20121121145240.GE67660@glebius.int.ru>

On Wed, Nov 21, 2012 at 03:44:13PM +0100, Ermal Luçi wrote:
E> Cherry-picking would be when there are reasonable similarities.
E> Also another argument to do this would be simplicity of locking, as
E> I told you when you started the changes.

You were wrong. OpenBSD doesn't move towards an SMP model. Locking the more
recent pf is not simpler, but the opposite.

E> Though I am open to working together on this to merge the new syntax
E> through a whole bulk merge rather than cherry-picking.

How many bugs have you closed after the previous bulk import? Why should
we expect anything good from a new import if the previous one was a PITA?

And still I don't see any answer to the question: what exact features or
performance improvements are we going to obtain from "the new pf"?

E> You already have 'broken' some functionality, such as if-bound, in FreeBSD
E> 10.x, so

Is there any PR filed on that? I didn't even receive a mail about that.

--
Totus tuus, Glebius.
From owner-freebsd-pf@FreeBSD.ORG Wed Nov 21 15:20:20 2012
Date: Wed, 21 Nov 2012 16:20:19 +0100
From: Ermal Luçi
To: Gleb Smirnoff
Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
In-Reply-To: <20121121145240.GE67660@glebius.int.ru>

On Wed, Nov 21, 2012 at 3:52 PM, Gleb Smirnoff wrote:
> On Wed, Nov 21, 2012 at 03:44:13PM +0100, Ermal Luçi wrote:
> E> Cherry-picking would be when there are reasonable similarities.
> E> Also another argument to do this would be simplicity of locking, as
> E> I told you when you started the changes.
>
> You were wrong. OpenBSD doesn't move towards an SMP model. Locking the more
> recent pf is not simpler, but the opposite.
>

I am sorry, but you are asking for arguments I have already given you.
You didn't listen once and I do not expect you to this time as well.

> E> Though I am open to working together on this to merge the new syntax
> E> through a whole bulk merge rather than cherry-picking.
>
> How many bugs have you closed after the previous bulk import? Why should
> we expect anything good from a new import if the previous one was a PITA?
>

Well, you have used it for your work, so it was not so much of a PITA.
Most of the ones you closed had the message 'This is too old to be true'
or 'I have re-written PF and this should be fixed'.

> And still I don't see any answer to the question: what exact features or
> performance improvements are we going to obtain from "the new pf"?
>

See above.

> E> You already have 'broken' some functionality, such as if-bound, in FreeBSD
> E> 10.x, so
>
> Is there any PR filed on that? I didn't even receive a mail about that.
>

I really do not think you have the right approach or the right
communication on this. Sorry for replying to you ;).

> --
> Totus tuus, Glebius.
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 22 06:36:04 2012
Date: Thu, 22 Nov 2012 08:27:00 +0200
From: Adrian Minta
To: freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
Message-ID: <50ADC5B4.7060607@stsnet.ro>
How about renaming FreeBSD pf to something else, like fpf or pff, for
instance?

--
Best regards,
Adrian Minta

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 22 14:13:20 2012
Date: Thu, 22 Nov 2012 16:13:07 +0200
From: Ian FREISLICH
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.

Ermal Luçi wrote:
> On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi wrote:
> > This was actually discussed much before, as I read it would make some
> > issues with the new pf-smp work done by gleb.
> >
> Not really since Gleb just changed the locking and nothing else.
> All his work is under the hood.
>
> He actually broke if-bound state but that's another story.

Do you have more details on this? We use ifbound state in production
and I haven't noticed any issues with ifbound state, the way that
we use it.

There is however an issue with route-to and reply-to when using
ifbound state, but that problem existed before Gleb's work.
Ian

--
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 22 15:00:07 2012
Date: Thu, 22 Nov 2012 16:00:05 +0100
From: Ermal Luçi
To: Ian FREISLICH
Cc: freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.

On Thu, Nov 22, 2012 at 3:13 PM, Ian FREISLICH wrote:
> Ermal Luçi wrote:
> > On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi wrote:
> > > This was actually discussed much before, as I read it would make some
> > > issues with the new pf-smp work done by gleb.
> > >
> > Not really since Gleb just changed the locking and nothing else.
> > All his work is under the hood.
> >
> > He actually broke if-bound state but that's another story.
>
> Do you have more details on this? We use ifbound state in production
> and I haven't noticed any issues with ifbound state, the way that
> we use it.
>

Well, 'broken' is maybe not the right word depending on the context.
The issue is that if-bound state in HEAD is a null op, since every state
goes into the hash buckets.

Before, with if-bound states a state would be bound to an interface, so a
packet coming/going from/to another interface would not match.
It would also give some resilience with dynamic interfaces.

Today it's a null op. So it voids the keyword, which should be deprecated
in FreeBSD or should be reintroduced!
Also it may break people's assumptions about it.

> There is however an issue with route-to and reply-to when using
> ifbound state, but that problem existed before Gleb's work.
>
> Ian
>
> --
> Ian Freislich
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 22 15:01:33 2012
Date: Thu, 22 Nov 2012 16:01:24 +0100
From: Ermal Luçi
To: Ian FREISLICH
Cc: freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.

On Thu, Nov 22, 2012 at 3:13 PM, Ian FREISLICH wrote:
> Ermal Luçi wrote:
> > On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi wrote:
> > > This was actually discussed much before, as I read it would make some
> > > issues with the new pf-smp work done by gleb.
> > >
> > Not really since Gleb just changed the locking and nothing else.
> > All his work is under the hood.
> >
> > He actually broke if-bound state but that's another story.
>
> Do you have more details on this? We use ifbound state in production
> and I haven't noticed any issues with ifbound state, the way that
> we use it.
>
> There is however an issue with route-to and reply-to when using
> ifbound state, but that problem existed before Gleb's work.
>

Which issue are you referring to here?
> Ian
>
> --
> Ian Freislich
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 22 15:35:37 2012
Date: Thu, 22 Nov 2012 10:34:57 -0500
From: Maxim Khitrov
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.

On Thu, Nov 22, 2012 at 10:00 AM, Ermal Luçi wrote:
> On Thu, Nov 22, 2012 at 3:13 PM, Ian FREISLICH wrote:
>
>> Ermal Luçi wrote:
>> > On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi wrote:
>> > > This was actually discussed much before, as I read it would make some
>> > > issues with the new pf-smp work done by gleb.
>> > >
>> > Not really since Gleb just changed the locking and nothing else.
>> > All his work is under the hood.
>> >
>> > He actually broke if-bound state but that's another story.
>>
>> Do you have more details on this? We use ifbound state in production
>> and I haven't noticed any issues with ifbound state, the way that
>> we use it.
>>
> Well, 'broken' is maybe not the right word depending on the context.
> The issue is that if-bound state in HEAD is a null op, since every state
> goes into the hash buckets.
>
> Before, with if-bound states a state would be bound to an interface, so a
> packet coming/going from/to another interface would not match.
> It would also give some resilience with dynamic interfaces.
>
> Today it's a null op. So it voids the keyword, which should be deprecated
> in FreeBSD or should be reintroduced!
> Also it may break people's assumptions about it.

So I take it that "set state-policy if-bound" will no longer have any
effect either? Is this expected to hit 10.0-RELEASE?

It's definitely not ok to break this functionality. SMP changes are
far less valuable than being able to filter each packet on ingress and
egress.

- Max

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 23 07:50:34 2012
Date: Fri, 23 Nov 2012 09:50:17 +0200
From: Ian FREISLICH
To: Maxim Khitrov
Cc: freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.

> > Today it's a null op. So it voids the keyword, which should be deprecated
> > in FreeBSD or should be reintroduced!
> > Also it may break people's assumptions about it.
>
> So I take it that "set state-policy if-bound" will no longer have any
> effect either? Is this expected to hit 10.0-RELEASE?
>
> It's definitely not ok to break this functionality. SMP changes are
> far less valuable than being able to filter each packet on ingress and
> egress.

Except that it does work (relevant config snippet):

FreeBSD firewall1.jnb1.gp-online.net 10.0-CURRENT FreeBSD 10.0-CURRENT #10 r242311: Mon Oct 29 16:31:29 SAST 2012     ianf@firewall1.jnb1.gp-online.net:/usr/obj/usr/src/sys/FIREWALL  amd64

--- /etc/pf.conf ---
...
# Options
# ~~~~~~~
set timeout { \
    adaptive.start 900000, \
    adaptive.end 1800000 \
}
set block-policy return
set state-policy if-bound
set optimization normal
set ruleset-optimization basic
set limit states 1500000
set limit frags 40000
set limit src-nodes 150000
...
# Servers
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"
...
# L2TP tunnel termination
anchor vlan24 quick on vlan24
load anchor vlan24 from "/var/db/firewall/vlan24"
...
#EOF

--- /var/db/firewall/vlan4 ---
...
# Test
block out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh }
pass in all
#EOF

--- /var/db/firewall/vlan24 ---
pass in all
pass out all
#EOF


[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
telnet: connect to address 41.154.0.151: Operation timed out
telnet: Unable to connect to remote host


[firewall1.jnb1] ~ # tcpdump -envi pflog0 host 41.154.88.19 and host 41.154.0.151
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
09:31:41.323353 rule 3.vlan4.126/0(match): block out on vlan4: (tos 0x10, ttl 62, id 25475, offset 0, flags [DF], proto TCP (6), length 60)
    41.154.88.19.26211 > 41.154.0.151.22: Flags [S], cksum 0x1264 (correct), seq 3408095044, win 65535, options [mss 1410,nop,wscale 3,sackOK,TS val 3679262149 ecr 0], length 0


[firewall1.jnb1] ~ # pfctl -s sta |grep 41.154.88.19 |grep 41.154.0.151
vlan24     tcp 41.154.0.151:22 <- 41.154.88.19:26211       CLOSED:SYN_SENT


However, with the #Test rule commented out:

[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
Connected to inbound01.jnb1.gp-online.net.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9etch2

[firewall1.jnb1] ~ # pfctl -s sta |grep 41.154.0.211 |grep 41.154.2.69
vlan24     tcp 41.154.0.151:22 <- 41.154.88.19:24898       ESTABLISHED:ESTABLISHED
vlan4      tcp 41.154.88.19:24898 -> 41.154.0.151:22       ESTABLISHED:ESTABLISHED


I think the only thing that's not working properly is
set block-policy return
but I'm not sure if that was working properly before. I had to
modify the rule as follows to get a connection refused:

block return out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh }

to get:

[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
telnet: connect to address 41.154.0.151: Connection refused
telnet: Unable to connect to remote host

Ermal, do you have a test case that exposes the issue?
Ian

-- 
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 23 11:59:44 2012
Date: Fri, 23 Nov 2012 12:59:43 +0100
From: Ermal Luçi
To: Ian FREISLICH
Cc: freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.

On Fri, Nov 23, 2012 at 8:50 AM, Ian FREISLICH wrote:
> > > Today it's a null op. So it voids the keyword, which should be
> > > deprecated in FreeBSD or should be reintroduced!
> > > Also it may break people's assumptions on it.
> >
> > So I take it that "set state-policy if-bound" will no longer have any
> > effect either? Is this expected to hit 10.0-RELEASE?
> >
> > It's definitely not ok to break this functionality. SMP changes are
> > far less valuable than being able to filter each packet on ingress and
> > egress.
>
> Except that it does work (Relevant config snippet):
>
> FreeBSD firewall1.jnb1.gp-online.net 10.0-CURRENT FreeBSD 10.0-CURRENT
> #10 r242311: Mon Oct 29 16:31:29 SAST 2012
> ianf@firewall1.jnb1.gp-online.net:/usr/obj/usr/src/sys/FIREWALL amd64
>
> --- /etc/pf.conf ---
> ...
> # Options
> # ~~~~~~~
> set timeout { \
>     adaptive.start 900000, \
>     adaptive.end 1800000 \
> }
> set block-policy return
> set state-policy if-bound
> set optimization normal
> set ruleset-optimization basic
> set limit states 1500000
> set limit frags 40000
> set limit src-nodes 150000
> ...
> # Servers
> anchor vlan4 quick on vlan4
> load anchor vlan4 from "/var/db/firewall/vlan4"
> ...
> # L2TP tunnel termination
> anchor vlan24 quick on vlan24
> load anchor vlan24 from "/var/db/firewall/vlan24"
> ...
> #EOF
>
> --- /var/db/firewall/vlan4 ---
> ...
> # Test
> block out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh }
> pass in all
> #EOF
>
> --- /var/db/firewall/vlan24 ---
> pass in all
> pass out all
> #EOF
>
>
> [41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
> Trying 41.154.0.151...
> telnet: connect to address 41.154.0.151: Operation timed out
> telnet: Unable to connect to remote host
>
>
> [firewall1.jnb1] ~ # tcpdump -envi pflog0 host 41.154.88.19 and host 41.154.0.151
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> 09:31:41.323353 rule 3.vlan4.126/0(match): block out on vlan4: (tos 0x10, ttl 62, id 25475, offset 0, flags [DF], proto TCP (6), length 60)
>     41.154.88.19.26211 > 41.154.0.151.22: Flags [S], cksum 0x1264 (correct), seq 3408095044, win 65535, options [mss 1410,nop,wscale 3,sackOK,TS val 3679262149 ecr 0], length 0
>
>
> [firewall1.jnb1] ~ # pfctl -s sta |grep 41.154.88.19 |grep 41.154.0.151
> vlan24 tcp 41.154.0.151:22 <- 41.154.88.19:26211 CLOSED:SYN_SENT
>
>
> However, with the #Test rule commented out:
>
> [41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
> Trying 41.154.0.151...
> Connected to inbound01.jnb1.gp-online.net.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_4.3p2 Debian-9etch2
>
> [firewall1.jnb1] ~ # pfctl -s sta |grep 41.154.0.211 |grep 41.154.2.69
> vlan24 tcp 41.154.0.151:22 <- 41.154.88.19:24898 ESTABLISHED:ESTABLISHED
> vlan4 tcp 41.154.88.19:24898 -> 41.154.0.151:22 ESTABLISHED:ESTABLISHED
>
>
> I think the only thing that's not working properly is
> set block-policy return
> but I'm not sure if that was working properly before. I had to
> modify the rule as follows to get a connection refused:

This needs to be checked in the parser in userland; if it does not work, that is the place.

> block return out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh }

The real issue with return is related to routing return information.
If the routing table is not correct, your return packet might get routed out the wrong interface. It is not that easy to solve that problem without reinventing/duplicating a lot of code paths to track the information changes in the packet.

> to get:
> [41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
> Trying 41.154.0.151...
> telnet: connect to address 41.154.0.151: Connection refused
> telnet: Unable to connect to remote host
>
> Ermal, do you have a test case that exposes the issue?

What would expose the issue in your test case is this: if a packet comes incoming on VLAN4 with the same info (41.154.88.19 to 41.154.0.151 port { ssh }) that matches the state created during outgoing on VLAN24, the ruleset WOULD NOT be investigated as to whether to allow this packet or not. It would just match the state created when leaving outgoing on VLAN24. Meaning that even if you put a rule on VLAN4 as

block in log proto tcp from 41.154.0.151 port { ssh } to 41.154.88.19

it will not be blocked but allowed. That is where the if-bound state feature has its use case. Without if-bound, a packet leaving an interface can come from any other interface and still be allowed; the state scope is global to all the interfaces. The if-bound option segregates the state scope from global to only a specific interface. As I said, it depends on the use case you have, the policies you implement and the segregation required.

> Ian
>
> --
> Ian Freislich
>

-- 
Ermal
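The state-scope behaviour Ermal describes above, as an added model that is not pf's own code and not part of the original thread: it keeps pf's lookup order (state table first, ruleset only on a miss) and shows what `set state-policy if-bound` changes, using the interface names and addresses from the discussion as constructed sample input.

```python
# Added illustration for the thread above, not pf's own code: a simplified
# model keeping pf's lookup order (state table first, ruleset only on a miss)
# and showing what 'set state-policy if-bound' changes: the interface becomes
# part of the state key. Addresses are the sample values from the discussion.
from collections import namedtuple

Packet = namedtuple("Packet", "ifname direction src sport dst dport")
# src/sport of None match any source address/port (only fields this model needs)
Rule = namedtuple("Rule", "action ifname direction src sport")


def rule_matches(r, p):
    return (r.ifname == p.ifname and r.direction == p.direction
            and r.src in (None, p.src) and r.sport in (None, p.sport))


class PfModel:
    def __init__(self, rules, if_bound):
        self.rules, self.if_bound, self.states = rules, if_bound, set()

    def key(self, p):
        # One state covers both directions: order the endpoints so a reply
        # looks up the same key the initial packet created.
        a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
        k = ("tcp",) + a + b
        # if-bound: the interface is part of the key, so a state created on
        # vlan24 is invisible to the same flow seen on vlan4.
        return (p.ifname,) + k if self.if_bound else k

    def filter(self, p):
        if self.key(p) in self.states:
            return "pass (state)"      # ruleset is not consulted at all
        for r in self.rules:           # first match, as with 'quick' rules
            if rule_matches(r, p):
                if r.action == "pass":
                    self.states.add(self.key(p))
                return r.action
        return "pass"                  # pf default when no rule matches


def scenario(if_bound):
    """Flow 41.154.0.151:22 -> 41.154.88.19 first seen inbound on vlan24 (passed,
    state created), then the same flow seen inbound on vlan4, where a block rule
    exists for it. Returns (vlan24 verdict, vlan4 verdict)."""
    pf = PfModel([Rule("pass", "vlan24", "in", None, None),
                  Rule("block", "vlan4", "in", "41.154.0.151", 22)], if_bound)
    flow = ("41.154.0.151", 22, "41.154.88.19", 26211)
    return (pf.filter(Packet("vlan24", "in", *flow)),
            pf.filter(Packet("vlan4", "in", *flow)))
```

With floating states `scenario(False)` returns `('pass', 'pass (state)')`: the vlan4 block rule is never evaluated. With `scenario(True)` the vlan4 packet misses the interface-bound state and is blocked.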