From owner-freebsd-pf@FreeBSD.ORG Sun May 12 16:42:20 2013
From: Jason Hellenthal
Date: Sun, 12 May 2013 12:42:16 -0400
To: Nomad Esst
Cc: freebsd-pf@freebsd.org
Subject: Re: packet tagging

I'd say it would probably be a cheaper solution to just code the L2 filtering into pf, but it would be more of a benefit to you and everyone else to do it on HEAD if it's not already there. I believe HEAD uses pf 4.5.

-- 
Jason Hellenthal
IS&T Services Professional
Inbox: jhellenthal@DataIX.net
JJH48-ARIN

On May 11, 2013, at 2:52, Nomad Esst wrote:

> > As for 8-STABLE this functionality is not available.
> >
> > I'm not tracking 9-* so someone else will have to answer for that.
> >
> > But as far as L2 filtering on the bridge...
> >
> > You will probably want ipfw instead, as on 8-* we're using pf 4.3, which on FreeBSD is L3 & L4 filtering only.
> >
> > If you are looking for a BSD solution for filtering only and your concern is mainly based on using pf, I will sadly say you should lean on OpenBSD unless something changes or you are willing to use access lists on your switches.
>
> So bad!!! I'm thinking of developing some utility that does the MAC address filtering and then sends them to PF, so PF can decide about them, whether to pass or drop them away. Do you have any ideas about that?
>
> > Now if your concern is mainly wireless, the if_wlan interface is capable of its own L2 filtering, but nothing like pf.
> >
> > Good luck & best packeting,
> >
> > -- 
> > Jason Hellenthal
> > IS&T Services Professional
> > Inbox: jhellenthal@DataIX.net
> > JJH48-ARIN

From owner-freebsd-pf@FreeBSD.ORG Mon May 13 08:43:03 2013
From: Nomad Esst
Date: Mon, 13 May 2013 01:43:01 -0700 (PDT)
To: pf list <freebsd-pf@freebsd.org>
Subject: another pf question, arp filtering

Hi all
Here's another PF question. I suppose that filtering based on the ARP protocol is also impossible using PF, just like MAC address filtering. Am I right? All of these options are supported by IPFW. What are we supposed to do with these problems?! Just don't use PF?!!

From owner-freebsd-pf@FreeBSD.ORG Mon May 13 08:48:03 2013
From: Kimmo Paasiala
Date: Mon, 13 May 2013 11:48:01 +0300
To: Nomad Esst
Cc: pf list <freebsd-pf@freebsd.org>
Subject: Re: another pf question, arp filtering

On Mon, May 13, 2013 at 11:43 AM, Nomad Esst wrote:
> Hi all
> Here's another PF question. I suppose that filtering based on the ARP protocol is also impossible using PF, just like MAC address filtering. Am I right? All of these options are supported by IPFW. What are we supposed to do with these problems?! Just don't use PF?!!

Read first on what ARP is in the context of networking:
http://en.wikipedia.org/wiki/Address_Resolution_Protocol

Basically you're asking the same thing when you're asking whether PF supports filtering based on MAC addresses or filtering by the ARP protocol. You should direct your question to those who designed PF in the first place as to why they didn't think of including layer 2 filtering.
-Kimmo

From owner-freebsd-pf@FreeBSD.ORG Mon May 13 11:06:49 2013
From: FreeBSD bugmaster
Date: Mon, 13 May 2013 11:06:49 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/177810  pf    [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf    [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf    [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o kern/173659  pf    [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

52 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed May 15 15:32:09 2013
From: Manoj Ganesan
Date: Wed, 15 May 2013 10:31:46 -0500
To: freebsd-pf@freebsd.org
Subject: Reloading anchors with many streams

Hey everyone,

I'm just beginning to use FreeBSD + PF, for a use-case of multiple (1000s of) UDP streams, each attached via an anchor. When I unload/flush one of these anchors (say I tear down a stream), does it affect the other streams enough to create jitter? In general, does reloading or manipulating an anchor cause the other connections to be affected negatively?

Also, design-wise is this an okay approach, where I have to bring-up/tear-down streams on the fly, and I use anchors for the purpose?

Thanks,
Manoj

From owner-freebsd-pf@FreeBSD.ORG Wed May 15 17:06:55 2013
From: Ermal Luçi
Date: Wed, 15 May 2013 13:06:54 -0400
To: Manoj Ganesan
Cc: freebsd-pf@freebsd.org
Subject: Re: Reloading anchors with many streams

On Wed, May 15, 2013 at 11:31 AM, Manoj Ganesan wrote:
> I'm just beginning to use FreeBSD + PF, for a use-case of multiple (1000s of) UDP streams, each attached via an anchor. When I unload/flush one of these anchors (say I tear down a stream), does it affect the other streams enough to create jitter? In general, does reloading or manipulating an anchor cause the other connections to be affected negatively?

Well, you will affect the streams, since you have to grab the ruleset lock for it to add and remove rules. Anchors need to be set up as well during the same process, so, yes, you will pause the other streams.

> Also, design-wise is this an okay approach, where I have to bring-up/tear-down streams on the fly, and I use anchors for the purpose?

By design that's correct, though if you can control the way you add the rules you can just avoid the anchors and just add straight rules.

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed May 15 17:28:39 2013
From: Manoj Ganesan
Date: Wed, 15 May 2013 12:28:17 -0500
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Subject: Re: Reloading anchors with many streams

On Wed, May 15, 2013 at 12:06 PM, Ermal Luçi wrote:
> Well, you will affect the streams, since you have to grab the ruleset lock for it to add and remove rules. Anchors need to be set up as well during the same process, so, yes, you will pause the other streams.
>
> By design that's correct, though if you can control the way you add the rules you can just avoid the anchors and just add straight rules.

Actually, I wanted to add rules dynamically. My understanding was that using anchors was the only way to do it. Especially because I want a handle back to that rule so that I can delete it later. Is that correct?

Thanks!

From owner-freebsd-pf@FreeBSD.ORG Wed May 15 19:04:44 2013
From: Ermal Luçi
Date: Wed, 15 May 2013 15:04:43 -0400
To: Manoj Ganesan
Cc: freebsd-pf@freebsd.org
Subject: Re: Reloading anchors with many streams

On Wed, May 15, 2013 at 1:28 PM, Manoj Ganesan wrote:
> Actually, I wanted to add rules dynamically. My understanding was that using anchors was the only way to do it. Especially because I want a handle back to that rule so that I can delete it later. Is that correct?

If you do not use macros on your rules, or rules that end up generating multiple rules, you can add rules yourself. You can add and remove them through rule ids, which you can look up with pfctl -vv. If you keep a reference to those rules you can just add rules with the right number and modify (delete) those with that number.

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu May 16 11:38:28 2013
From: Manoj Ganesan
Date: Thu, 16 May 2013 06:38:06 -0500
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Subject: Re: Reloading anchors with many streams

On Wed, May 15, 2013 at 2:04 PM, Ermal Luçi wrote:
> If you do not use macros on your rules, or rules that end up generating multiple rules, you can add rules yourself. You can add and remove them through rule ids, which you can look up with pfctl -vv.
> If you keep reference of those rules you can just add rules with the righ= t > number and modify(delete) those with that number. > Sorry if I'm misunderstanding, but do you mean there is a way in pf (using pfctl) to add one off rules while specifying an id or label? I couldn't find information on that on the pfctl man page. Could you please point me to that? > > >> >> >>> Thanks, >>>> Manoj >>>> _______________________________________________ >>>> freebsd-pf@freebsd.org mailing list >>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >>>> >>> >>> >>> >>> -- >>> Ermal >>> >> >> Thanks! >> > > > > -- > Ermal > Thanks! Manoj From owner-freebsd-pf@FreeBSD.ORG Fri May 17 18:47:26 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 3EF616E0 for ; Fri, 17 May 2013 18:47:26 +0000 (UTC) (envelope-from manoj.ganesan@gmail.com) Received: from mail-la0-x233.google.com (mail-la0-x233.google.com [IPv6:2a00:1450:4010:c03::233]) by mx1.freebsd.org (Postfix) with ESMTP id C1F9CF81 for ; Fri, 17 May 2013 18:47:25 +0000 (UTC) Received: by mail-la0-f51.google.com with SMTP id lx15so2678446lab.38 for ; Fri, 17 May 2013 11:47:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:from:date:message-id:subject:to :content-type; bh=WhdFMZtil0/IstaEFZAkE3azuCHQ43Tqju4nwW7XYKk=; b=KJ2qIzh0yXRodYmWyWux5QPfrxfT14VnitMVXzl50IE9gh/QPl0Z8x5aS92kW7+pb4 /aW8oAA9xD2VVQV/dXWqO8xdOcTTkwiUSfJ/pqExqsUCmTnI5BiJY/F1/Tz24eGG+ifU RauPT7k+RzmtsPnzKUX6KbaiJQfjacz3uF1BMBgaljkfHLwmFL5ljY5mxE7Fq6Xul+M5 CIH1Mn9RpEgJAYE7qKwFHvJM85c95rrcHXl2l7GwNC/n3ZPlGDTn3WJBKxjfQy/nQ0ye SpThib62KtmiUB08vn2utl583cudHJ34zWOpNtBYfjl+KaXev8fc3VTnGcyL3mnVHjpp e1DA== X-Received: by 10.152.87.116 with SMTP id w20mr23599587laz.0.1368816444341; Fri, 17 May 2013 
11:47:24 -0700 (PDT) MIME-Version: 1.0 Received: by 10.112.22.39 with HTTP; Fri, 17 May 2013 11:47:04 -0700 (PDT) From: Manoj Ganesan Date: Fri, 17 May 2013 13:47:04 -0500 Message-ID: Subject: Anchor evaluation To: "freebsd-pf@freebsd.org" Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 May 2013 18:47:26 -0000 I'm probably doing something very silly here, which I can't figure out. I'm trying to get an anchor to be evaluated, but I can't seem to get traffic to go through. My /etc/pf.conf looks like: rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321 nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234 pass out all I want to replace these by an anchor like so (my /etc/pf.conf looks like): anchor my_anchor load anchor gamenode from "/usr/home/my_user/my_anchor" where the /usr/home/my_user/my_anchor looks like: rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321 nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234 pass out all But while the anchor-less case lets packets through, the anchor case doesn't. Am I doing something wrong here? Thanks! 
Manoj From owner-freebsd-pf@FreeBSD.ORG Fri May 17 20:29:28 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 3AD87506 for ; Fri, 17 May 2013 20:29:28 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from relay2-bcrtfl2.verio.net (relay2-bcrtfl2.verio.net [131.103.218.177]) by mx1.freebsd.org (Postfix) with ESMTP id F084B3EC for ; Fri, 17 May 2013 20:29:27 +0000 (UTC) Received: from iad-wprd-xchw01.corp.verio.net (iad-wprd-xchw01.corp.verio.net [198.87.7.164]) by relay2-bcrtfl2.verio.net (Postfix) with ESMTP id 78EF31FF004F for ; Fri, 17 May 2013 15:56:42 -0400 (EDT) Thread-Index: Ac5TOKb2LR/Rg/9YQPeMJUa5Bhz2bQ== Received: from hometx-733b1p1.corp.verio.net ([10.144.2.53]) by iad-wprd-xchw01.corp.verio.net over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Fri, 17 May 2013 15:56:41 -0400 Received: by hometx-733b1p1.corp.verio.net (sSMTP sendmail emulation); Fri, 17 May 2013 14:56:40 -0500 Content-Transfer-Encoding: 7bit Date: Fri, 17 May 2013 14:56:39 -0500 From: "David DeSimone" To: Content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913 Importance: normal Priority: normal Subject: Re: Anchor evaluation Message-ID: <20130517195639.GF7792@verio.net> Mail-Followup-To: freebsd-pf@freebsd.org References: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Disposition: inline In-Reply-To: Precedence: bulk User-Agent: Mutt/1.5.20 (2009-12-10) X-OriginalArrivalTime: 17 May 2013 19:56:41.0273 (UTC) FILETIME=[A63ECA90:01CE5338] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 May 2013 20:29:28 -0000 Manoj Ganesan wrote: > > I'm probably doing something very silly here, which I can't 
figure out. I'm > trying to get an anchor to be evaluated, but I can't seem to get traffic to > go through. > > My /etc/pf.conf looks like: > > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> > 10.0.211.62 port 4321 > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> > 10.0.111.71 port 1234 > pass out all > > I want to replace these by an anchor like so (my /etc/pf.conf looks like): > > anchor my_anchor > load anchor gamenode from "/usr/home/my_user/my_anchor" You're telling PF to evaluate an anchor "my_anchor" but you named the anchor "gamenode", so there are no rules to be evaluated in that case. > where the /usr/home/my_user/my_anchor looks like: > > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> > 10.0.211.62 port 4321 > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> > 10.0.111.71 port 1234 > pass out all > > But while the anchor-less case lets packets through, the anchor case > doesn't. Am I doing something wrong here? The "anchor" directive tells PF to only evaluate filter rules from the anchor. I would assume you also need "nat-anchor" and "rdr-anchor" directives to force all of the anchor rules to be evaluated: nat-anchor my_anchor rdr-anchor my_anchor anchor my_anchor load anchor my_anchor from "/usr/home/my_user/my_anchor" -- David DeSimone == Network Admin == fox@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. 
makes no warranty that this email is error or virus free. Thank you. From owner-freebsd-pf@FreeBSD.ORG Fri May 17 21:40:06 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 430D5FEF for ; Fri, 17 May 2013 21:40:06 +0000 (UTC) (envelope-from manoj.ganesan@gmail.com) Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) by mx1.freebsd.org (Postfix) with ESMTP id C3334A3A for ; Fri, 17 May 2013 21:40:05 +0000 (UTC) Received: by mail-la0-f47.google.com with SMTP id fq12so4679719lab.6 for ; Fri, 17 May 2013 14:40:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=2gO4V7HLlzcGX+1dEpXTgM4Cj0dwyrtUp62ajMCw4EQ=; b=ZUt53WDUqf1zGajzsUhinB7FbJ90fPOe497XYcubJdOUaY/fHBK5BHVq4sHvnzgkLi WzQBCUzGPb9+NhQMefuchfluKMZdMI5YOeq4O3uV33ezim/mqSR+GkAgjYDIKFoGbCmt 69i2/9UQFeXbLVKiWH3eCaalqWB0eFCxfFskVVyb5HWsFgr7DPFZkM73rAfs6AIuoV8Z ssnbCkOkFocLtdyIwMcCq+w7WEZvT3mJfg/gwFZoX/99cC3h2OVgZv0OKiOByOlfpW8L p6MeUhe7FR9X2BGZHALdh/AkDNTicUs8jSaCPqGuovZB9jHfbbceov9H2xHW0VrhHVY/ VJNA== X-Received: by 10.112.136.132 with SMTP id qa4mr10599217lbb.34.1368826804668; Fri, 17 May 2013 14:40:04 -0700 (PDT) MIME-Version: 1.0 Received: by 10.112.22.39 with HTTP; Fri, 17 May 2013 14:39:44 -0700 (PDT) In-Reply-To: <20130517195639.GF7792@verio.net> References: <20130517195639.GF7792@verio.net> From: Manoj Ganesan Date: Fri, 17 May 2013 16:39:44 -0500 Message-ID: Subject: Re: Anchor evaluation To: "freebsd-pf@freebsd.org" Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: 
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 May 2013 21:40:06 -0000 On Fri, May 17, 2013 at 2:56 PM, David DeSimone wrote: > Manoj Ganesan wrote: > > > > I'm probably doing something very silly here, which I can't figure out. > I'm > > trying to get an anchor to be evaluated, but I can't seem to get traffic > to > > go through. > > > > My /etc/pf.conf looks like: > > > > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> > > 10.0.211.62 port 4321 > > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> > > 10.0.111.71 port 1234 > > pass out all > > > > I want to replace these by an anchor like so (my /etc/pf.conf looks > like): > > > > anchor my_anchor > > load anchor gamenode from "/usr/home/my_user/my_anchor" > > You're telling PF to evaluate an anchor "my_anchor" but you named the > anchor "gamenode", so there are no rules to be evaluated in that case. > > > > where the /usr/home/my_user/my_anchor looks like: > > > > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> > > 10.0.211.62 port 4321 > > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> > > 10.0.111.71 port 1234 > > pass out all > > > > But while the anchor-less case lets packets through, the anchor case > > doesn't. Am I doing something wrong here? > > The "anchor" directive tells PF to only evaluate filter rules from the > anchor. I would assume you also need "nat-anchor" and "rdr-anchor" > directives to force all of the anchor rules to be evaluated: > > nat-anchor my_anchor > rdr-anchor my_anchor > anchor my_anchor > > load anchor my_anchor from "/usr/home/my_user/my_anchor" > > I didn't realize I had to have separate lines for nat and rdr. Thank you very much! :) > -- > David DeSimone == Network Admin == fox@verio.net > "I don't like spinach, and I'm glad I don't, because if I > liked it I'd eat it, and I just hate it." 
-- Clarence Darrow > > > This email message is intended for the use of the person to whom it has > been sent, and may contain information that is confidential or legally > protected. If you are not the intended recipient or have received this > message in error, you are not authorized to copy, distribute, or otherwise > use this message or its attachments. Please notify the sender immediately > by return e-mail and permanently delete this message and any attachments. > Verio Inc. makes no warranty that this email is error or virus free. Thank > you. > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >
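Both mistakes that David points out in the "Anchor evaluation" thread above can be caught before a ruleset is loaded: an "anchor NAME" directive whose NAME no "load anchor" line ever fills, and translation rules (nat/rdr) sitting in an anchor file that only a bare "anchor" directive references, so pf never evaluates them. The script below is an added example written for this page; it is not code from the thread, from the list members or from FreeBSD. It embeds constructed copies of the broken and the corrected pf.conf and of the anchor file as posted, and checks them statically with awk. The function names (anchor_refs, anchor_loads, unloaded_anchors, translation_anchors_needed, check_conf) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): static sanity checks for the anchor
# directives in a pf.conf, modelled on the two problems discussed above:
#   1. "anchor X" is evaluated, but rules were loaded into anchor "Y";
#   2. "anchor X" only evaluates filter rules, so nat/rdr rules inside the
#      anchor file are never consulted unless nat-anchor/rdr-anchor X exist.
# The three configurations below are constructed from the thread's examples.

BROKEN_CONF='anchor my_anchor
load anchor gamenode from "/usr/home/my_user/my_anchor"
pass out all'

FIXED_CONF='nat-anchor my_anchor
rdr-anchor my_anchor
anchor my_anchor
load anchor my_anchor from "/usr/home/my_user/my_anchor"
pass out all'

# Constructed copy of /usr/home/my_user/my_anchor as posted.
ANCHOR_RULES='rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
pass out all'

# anchor_refs CONF: anchor names referenced by anchor/nat-anchor/rdr-anchor/
# binat-anchor directives (quotes stripped), one per line, deduplicated.
anchor_refs() {
  printf '%s\n' "$1" | awk '
    $1 == "anchor" || $1 == "nat-anchor" || $1 == "rdr-anchor" || $1 == "binat-anchor" {
      n = $2; gsub(/"/, "", n); print n
    }' | sort -u
}

# anchor_loads CONF: anchor names that "load anchor NAME from FILE" populates.
anchor_loads() {
  printf '%s\n' "$1" | awk '
    $1 == "load" && $2 == "anchor" { n = $3; gsub(/"/, "", n); print n }' | sort -u
}

# unloaded_anchors CONF: referenced anchors that no "load anchor" line fills.
# Empty output means every referenced anchor has rules loaded into it.
# Inline "anchor NAME { ... }" blocks and rules loaded at runtime with
# "pfctl -a NAME -f FILE" are outside what this static check can see.
unloaded_anchors() {
  loaded=" $(anchor_loads "$1" | tr '\n' ' ') "
  for ref in $(anchor_refs "$1"); do
    case "$loaded" in
      *" $ref "*) ;;
      *) echo "$ref" ;;
    esac
  done
}

# translation_anchors_needed CONF NAME RULES: for each translation rule kind
# present in the anchor's RULES (nat, rdr, binat), print the "<kind>-anchor NAME"
# directive that CONF lacks. Empty output means nothing is missing.
translation_anchors_needed() {
  conf=$1; name=$2; rules=$3
  for kind in nat rdr binat; do
    printf '%s\n' "$rules" | grep -q "^$kind " || continue
    printf '%s\n' "$conf" | awk -v want="$kind-anchor" -v name="$name" '
      $1 == want { n = $2; gsub(/"/, "", n); if (n == name) found = 1 }
      END { exit found ? 0 : 1 }' || echo "$kind-anchor $name"
  done
}

# check_conf CONF NAME RULES: human-readable report for one configuration.
check_conf() {
  unloaded=$(unloaded_anchors "$1")
  if [ -n "$unloaded" ]; then
    echo "referenced but never loaded: $unloaded"
  else
    echo "every referenced anchor has rules loaded into it"
  fi
  needed=$(translation_anchors_needed "$1" "$2" "$3")
  if [ -n "$needed" ]; then
    printf 'directives missing for translation rules in anchor %s:\n%s\n' "$2" "$needed"
  else
    echo "nat/rdr rules in anchor $2 are reachable"
  fi
  return 0
}

echo "== broken pf.conf =="
check_conf "$BROKEN_CONF" my_anchor "$ANCHOR_RULES"
echo "== fixed pf.conf =="
check_conf "$FIXED_CONF" my_anchor "$ANCHOR_RULES"
```

Run against the broken configuration the script reports that my_anchor is referenced but only gamenode is loaded, and that nat-anchor and rdr-anchor directives for my_anchor are missing; the corrected configuration passes both checks. This is a text-level check only: a syntax pass with pfctl -nf /etc/pf.conf (parse without loading) is still worth running, and it will not flag either of these mistakes, since both files are syntactically valid.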