From owner-freebsd-pf@FreeBSD.ORG Sun Jun 16 11:14:04 2013
From: Nikos Vassiliadis
To: Mikolaj Golub
Cc: freebsd-pf@freebsd.org
Date: Sun, 16 Jun 2013 13:13:55 +0200
Subject: Re: de-virtualize pf sysctls
Message-ID: <51BD9DF3.1080808@gmx.com>
In-Reply-To: <20130612185150.GA6553@gmail.com>

Hi,

On 06/12/2013 08:51 PM, Mikolaj Golub wrote:
> On Sat, Jun 08, 2013 at 04:50:32PM +0200, Nikos Vassiliadis wrote:
>> On 06/08/2013 04:11 PM, Nikos Vassiliadis wrote:
>>> Hi,
>>>
>>> Please review this patch. These two variables are RO-tunables and
>>> cannot be changed at runtime. As such, it is not useful to
>>> virtualize them.
>
> This looks correct to me. Also, it looks like V_pf_hashmask and
> V_pf_srchashmask can be de-virtualized then.

Yes, taken care of in this version. I am not sure if I placed
pf_hashmask and pf_srchashmask properly in pfvar.h.

Please review, thanks.
Nikos

Content-Disposition: attachment; filename="pf_de-virt_patch.txt"

Index: sys/net/pfvar.h =================================================================== --- sys/net/pfvar.h (revision 251794) +++ sys/net/pfvar.h (working copy) @@ -1659,19 +1659,17 @@ struct pf_idhash { struct mtx lock; }; +extern u_long pf_hashmask; +extern u_long pf_srchashmask; #define PF_HASHSIZ (32768) VNET_DECLARE(struct pf_keyhash *, pf_keyhash); VNET_DECLARE(struct pf_idhash *, pf_idhash); -VNET_DECLARE(u_long, pf_hashmask); #define V_pf_keyhash VNET(pf_keyhash) #define V_pf_idhash VNET(pf_idhash) -#define V_pf_hashmask VNET(pf_hashmask) VNET_DECLARE(struct pf_srchash *, pf_srchash); -VNET_DECLARE(u_long, pf_srchashmask); #define V_pf_srchash VNET(pf_srchash) -#define V_pf_srchashmask VNET(pf_srchashmask) -#define PF_IDHASH(s) (be64toh((s)->id) % (V_pf_hashmask + 1)) +#define PF_IDHASH(s) (be64toh((s)->id) % (pf_hashmask + 1)) VNET_DECLARE(void *, pf_swi_cookie); #define V_pf_swi_cookie VNET(pf_swi_cookie) Index: sys/netpfil/pf/if_pfsync.c =================================================================== --- sys/netpfil/pf/if_pfsync.c (revision 251794) +++ sys/netpfil/pf/if_pfsync.c (working copy) @@ -683,7 +683,7 @@ pfsync_in_clr(struct pfsync_pkt *pkt, struct mbuf pfi_kif_find(clr[i].ifname) == NULL) continue; - for (int i = 0; i <= V_pf_hashmask; i++) { + for (int i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; struct pf_state *s; relock: @@ -2045,7 +2045,7 @@ pfsync_bulk_update(void *arg) else i = sc->sc_bulk_hashid; - for (; i <= V_pf_hashmask; i++) { + for (; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; if (s != NULL) Index: sys/netpfil/pf/pf.c =================================================================== --- sys/netpfil/pf/pf.c (revision 251794) +++ sys/netpfil/pf/pf.c (working copy)
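Review bot: in the pfvar.h hunk the placement is fine as far as correctness goes: "extern u_long pf_hashmask;" and "extern u_long pf_srchashmask;" only have to precede PF_IDHASH(), which now expands to pf_hashmask, and they do. What would answer the question raised in the mail is putting each extern next to the VNET_DECLARE of the table it masks (pf_idhash/pf_keyhash and pf_srchash) with a one-line comment saying the masks are global because the sizes are boot-time tunables; otherwise a reader of the header has to guess why the tables are per-vnet but their masks are not.

Review bot: in the pfsync_in_clr hunk, "for (int i = 0; i <= pf_hashmask; i++)" declares a new int i that shadows the i used two lines earlier in clr[i].ifname, and compares a signed int against the u_long mask. Both are pre-existing, but since the line is being rewritten anyway, renaming the inner variable (for example "for (u_long j = 0; j <= pf_hashmask; j++)" with "&V_pf_idhash[j]") would remove the shadowing and the sign-compare warning at no cost.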
@@ -353,21 +353,19 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MA static MALLOC_DEFINE(M_PFHASH, "pf_hash", "pf(4) hash header structures"); VNET_DEFINE(struct pf_keyhash *, pf_keyhash); VNET_DEFINE(struct pf_idhash *, pf_idhash); -VNET_DEFINE(u_long, pf_hashmask); VNET_DEFINE(struct pf_srchash *, pf_srchash); -VNET_DEFINE(u_long, pf_srchashmask); SYSCTL_NODE(_net, OID_AUTO, pf, CTLFLAG_RW, 0, "pf(4)"); -VNET_DEFINE(u_long, pf_hashsize); -#define V_pf_hashsize VNET(pf_hashsize) -SYSCTL_VNET_UINT(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN, - &VNET_NAME(pf_hashsize), 0, "Size of pf(4) states hashtable"); +u_long pf_hashmask; +u_long pf_srchashmask; +static u_long pf_hashsize; +static u_long pf_srchashsize; -VNET_DEFINE(u_long, pf_srchashsize); -#define V_pf_srchashsize VNET(pf_srchashsize) -SYSCTL_VNET_UINT(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN, - &VNET_NAME(pf_srchashsize), 0, "Size of pf(4) source nodes hashtable"); +SYSCTL_UINT(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN, + &pf_hashsize, 0, "Size of pf(4) states hashtable"); +SYSCTL_UINT(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN, + &pf_srchashsize, 0, "Size of pf(4) source nodes hashtable"); VNET_DEFINE(void *, pf_swi_cookie); @@ -383,7 +381,7 @@ pf_hashkey(struct pf_state_key *sk) sizeof(struct pf_state_key_cmp)/sizeof(uint32_t), V_pf_hashseed); - return (h & V_pf_hashmask); + return (h & pf_hashmask); } static __inline uint32_t @@ -404,7 +402,7 @@ pf_hashsrc(struct pf_addr *addr, sa_family_t af) panic("%s: unknown address family %u", __func__, af); } - return (h & V_pf_srchashmask); + return (h & pf_srchashmask); } #ifdef INET6 @@ -566,7 +564,7 @@ pf_overload_task(void *c, int pending) if (SLIST_EMPTY(&queue)) return; - for (int i = 0; i <= V_pf_hashmask; i++) { + for (int i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; struct pf_state_key *sk; struct pf_state *s; 
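Review bot: in the -353 hunk, pf_hashsize and pf_srchashsize are declared u_long but registered with "SYSCTL_UINT(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN, &pf_hashsize, 0, ...)", which hands a u_long's address to a handler that treats it as an unsigned int; on LP64 that reads 4 of the 8 bytes and only gives the right answer on little-endian. The mismatch was already there with SYSCTL_VNET_UINT, but since these lines are being replaced, SYSCTL_ULONG would match the u_long storage and the TUNABLE_ULONG_FETCH() calls in pf_initialize().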
@@ -698,12 +696,12 @@ pf_initialize() struct pf_srchash *sh; u_int i; - TUNABLE_ULONG_FETCH("net.pf.states_hashsize", &V_pf_hashsize); - if (V_pf_hashsize == 0 || !powerof2(V_pf_hashsize)) - V_pf_hashsize = PF_HASHSIZ; - TUNABLE_ULONG_FETCH("net.pf.source_nodes_hashsize", &V_pf_srchashsize); - if (V_pf_srchashsize == 0 || !powerof2(V_pf_srchashsize)) - V_pf_srchashsize = PF_HASHSIZ / 4; + TUNABLE_ULONG_FETCH("net.pf.states_hashsize", &pf_hashsize); + if (pf_hashsize == 0 || !powerof2(pf_hashsize)) + pf_hashsize = PF_HASHSIZ; + TUNABLE_ULONG_FETCH("net.pf.source_nodes_hashsize", &pf_srchashsize); + if (pf_srchashsize == 0 || !powerof2(pf_srchashsize)) + pf_srchashsize = PF_HASHSIZ / 4; V_pf_hashseed = arc4random(); @@ -717,12 +715,12 @@ pf_initialize() V_pf_state_key_z = uma_zcreate("pf state keys", sizeof(struct pf_state_key), pf_state_key_ctor, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); - V_pf_keyhash = malloc(V_pf_hashsize * sizeof(struct pf_keyhash), + V_pf_keyhash = malloc(pf_hashsize * sizeof(struct pf_keyhash), M_PFHASH, M_WAITOK | M_ZERO); - V_pf_idhash = malloc(V_pf_hashsize * sizeof(struct pf_idhash), + V_pf_idhash = malloc(pf_hashsize * sizeof(struct pf_idhash), M_PFHASH, M_WAITOK | M_ZERO); - V_pf_hashmask = V_pf_hashsize - 1; - for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= V_pf_hashmask; + pf_hashmask = pf_hashsize - 1; + for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask; i++, kh++, ih++) { mtx_init(&kh->lock, "pf_keyhash", NULL, MTX_DEF | MTX_DUPOK); mtx_init(&ih->lock, "pf_idhash", NULL, MTX_DEF); 
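Review bot: in the pf_initialize() hunks the tunable fetch, the powerof2() fallback and "pf_hashmask = pf_hashsize - 1;" now write to globals from a function that otherwise sets up per-vnet objects (V_pf_keyhash, V_pf_idhash, V_pf_hashseed). If pf_initialize() is invoked for each vnet, every vnet re-fetches the tunable and re-assigns the same mask; harmless while the values never change, but a one-time SYSINIT (or a static once-guard) for the fetch and validation would make the boot-time nature of the sizes explicit and keep a later vnet's store to pf_hashmask from overlapping with lookups in a vnet that is already running.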
@@ -735,10 +733,10 @@ pf_initialize() V_pf_limits[PF_LIMIT_SRC_NODES].zone = V_pf_sources_z; uma_zone_set_max(V_pf_sources_z, PFSNODE_HIWAT); uma_zone_set_warning(V_pf_sources_z, "PF source nodes limit reached"); - V_pf_srchash = malloc(V_pf_srchashsize * sizeof(struct pf_srchash), + V_pf_srchash = malloc(pf_srchashsize * sizeof(struct pf_srchash), M_PFHASH, M_WAITOK|M_ZERO); - V_pf_srchashmask = V_pf_srchashsize - 1; - for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) + pf_srchashmask = pf_srchashsize - 1; + for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) mtx_init(&sh->lock, "pf_srchash", NULL, MTX_DEF); /* ALTQ */ @@ -775,7 +773,7 @@ pf_cleanup() struct pf_send_entry *pfse, *next; u_int i; - for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= V_pf_hashmask; + for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask; i++, kh++, ih++) { KASSERT(LIST_EMPTY(&kh->keys), ("%s: key hash not empty", __func__)); @@ -787,7 +785,7 @@ pf_cleanup() free(V_pf_keyhash, M_PFHASH); free(V_pf_idhash, M_PFHASH); - for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) { + for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) { KASSERT(LIST_EMPTY(&sh->nodes), ("%s: source node hash not empty", __func__)); mtx_destroy(&sh->lock); @@ -1177,7 +1175,7 @@ pf_find_state_byid(uint64_t id, uint32_t creatorid V_pf_status.fcounters[FCNT_STATE_SEARCH]++; - ih = &V_pf_idhash[(be64toh(id) % (V_pf_hashmask + 1))]; + ih = &V_pf_idhash[(be64toh(id) % (pf_hashmask + 1))]; PF_HASHROW_LOCK(ih); LIST_FOREACH(s, &ih->states, entry) @@ -1373,7 +1371,7 @@ pf_purge_thread(void *v) /* * Now purge everything. */ - pf_purge_expired_states(0, V_pf_hashmask); + pf_purge_expired_states(0, pf_hashmask); pf_purge_expired_fragments(); pf_purge_expired_src_nodes(); 
@@ -1396,7 +1394,7 @@ pf_purge_thread(void *v) PF_RULES_RUNLOCK(); /* Process 1/interval fraction of the state table every run. */ - idx = pf_purge_expired_states(idx, V_pf_hashmask / + idx = pf_purge_expired_states(idx, pf_hashmask / (V_pf_default_rule.timeout[PFTM_INTERVAL] * 10)); /* Purge other expired types every PFTM_INTERVAL seconds. */ @@ -1462,7 +1460,7 @@ pf_purge_expired_src_nodes() struct pf_src_node *cur, *next; int i; - for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) { + for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) { PF_HASHROW_LOCK(sh); LIST_FOREACH_SAFE(cur, &sh->nodes, entry, next) if (cur->states <= 0 && cur->expire <= time_uptime) { @@ -1614,7 +1612,7 @@ relock: PF_HASHROW_UNLOCK(ih); /* Return when we hit end of hash. */ - if (++i > V_pf_hashmask) { + if (++i > pf_hashmask) { V_pf_status.states = uma_zone_get_cur(V_pf_state_z); return (0); } Index: sys/netpfil/pf/pf_ioctl.c =================================================================== --- sys/netpfil/pf/pf_ioctl.c (revision 251794) +++ sys/netpfil/pf/pf_ioctl.c (working copy) @@ -1577,7 +1577,7 @@ DIOCCHANGERULE_error: struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr; u_int i, killed = 0; - for (i = 0; i <= V_pf_hashmask; i++) { + for (i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; relock_DIOCCLRSTATES: @@ -1622,7 +1622,7 @@ relock_DIOCCLRSTATES: break; } - for (i = 0; i <= V_pf_hashmask; i++) { + for (i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; relock_DIOCKILLSTATES: @@ -1726,7 +1726,7 @@ relock_DIOCKILLSTATES: p = pstore = malloc(ps->ps_len, M_TEMP, M_WAITOK); nr = 0; - for (i = 0; i <= V_pf_hashmask; i++) { + for (i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; PF_HASHROW_LOCK(ih); 
@@ -3078,7 +3078,7 @@ DIOCCHANGEADDR_error: uint32_t i, nr = 0; if (psn->psn_len == 0) { - for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask; + for (i = 0, sh = V_pf_srchash; i < pf_srchashmask; i++, sh++) { PF_HASHROW_LOCK(sh); LIST_FOREACH(n, &sh->nodes, entry) @@ -3090,7 +3090,7 @@ DIOCCHANGEADDR_error: } p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK); - for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask; + for (i = 0, sh = V_pf_srchash; i < pf_srchashmask; i++, sh++) { PF_HASHROW_LOCK(sh); LIST_FOREACH(n, &sh->nodes, entry) { @@ -3147,7 +3147,7 @@ DIOCCHANGEADDR_error: struct pf_src_node *sn; u_int i, killed = 0; - for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask; + for (i = 0, sh = V_pf_srchash; i < pf_srchashmask; i++, sh++) { /* * XXXGL: we don't ever acquire sources hash lock @@ -3331,7 +3331,7 @@ pf_clear_states(void) struct pf_state *s; u_int i; - for (i = 0; i <= V_pf_hashmask; i++) { + for (i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; relock: PF_HASHROW_LOCK(ih); @@ -3366,7 +3366,7 @@ pf_clear_srcnodes(struct pf_src_node *n) struct pf_state *s; int i; - for (i = 0; i <= V_pf_hashmask; i++) { + for (i = 0; i <= pf_hashmask; i++) { struct pf_idhash *ih = &V_pf_idhash[i]; PF_HASHROW_LOCK(ih); 
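Review bot: the three source-node loops in these hunks iterate "i < pf_srchashmask" while every other table walk in the patch (pf_initialize(), pf_cleanup(), pf_purge_expired_src_nodes()) uses "i <= pf_srchashmask". With pf_srchashmask = pf_srchashsize - 1, the "<" form stops one row short, so the loop that fills pstore for the caller never reports, and the loop that counts killed never kills, source nodes that hash into the last row. Pre-existing, and the same "<" appears in the pf_clear_srcnodes() hunk that follows, but as the lines are being rewritten this is the moment to change all four to "<=".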
@@ -3382,7 +3382,7 @@ pf_clear_srcnodes(struct pf_src_node *n) if (n == NULL) { struct pf_srchash *sh; - for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask; + for (i = 0, sh = V_pf_srchash; i < pf_srchashmask; i++, sh++) { PF_HASHROW_LOCK(sh); LIST_FOREACH(n, &sh->nodes, entry) {

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 16 16:54:10 2013
Date: Sun, 16 Jun 2013 19:54:05 +0300
From: Mikolaj Golub
To: Nikos Vassiliadis
Cc: freebsd-pf@freebsd.org
Subject: Re: de-virtualize pf sysctls
Message-ID: <20130616165403.GA13056@gmail.com>
In-Reply-To: <51BD9DF3.1080808@gmx.com>

On Sun, Jun 16, 2013 at 01:13:55PM +0200, Nikos Vassiliadis wrote:
> Please review, thanks.

Looks good for me.

-- 
Mikolaj Golub

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 17 11:06:49 2013
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 17 Jun 2013 11:06:49 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201306171106.r5HB6nfE012819@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf         [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

52 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 19 13:39:14 2013
From: Gleb Smirnoff
To: Nikos Vassiliadis
Cc: Mikolaj Golub, freebsd-pf@freebsd.org
Date: Wed, 19 Jun 2013 17:39:12 +0400
Subject: Re: de-virtualize pf sysctls
Message-ID: <20130619133912.GD1214@glebius.int.ru>
In-Reply-To: <51BD9DF3.1080808@gmx.com>

On Sun, Jun 16, 2013 at 01:13:55PM +0200, Nikos Vassiliadis wrote:
N> >>> Please review this patch. These two variables are RO-tunables and
N> >>> cannot be changed at runtime. As such, it is not useful to
N> >>> virtualize them.
N> >
N> > This looks correct to me. Also, it looks like V_pf_hashmask and
N> > V_pf_srchashmask can be de-virtualized then.
N>
N> Yes, taken care of on this version. I am not sure if I placed
N> properly pf_hashmask and pf_srchashmask in pfvar.h.
N>
N> Please review, thanks.

Thanks, Nikos.

I committed the patch to the branch projects/pf/head. Can you
please check out this branch and generate further pf+vimage related
diffs against it?

Once we finish and stabilize it, I will merge the branch to head.

-- 
Totus tuus, Glebius.
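The patch committed above turns pf_hashmask and pf_srchashmask into plain globals derived from the boot-time hashsize tunables. As an added illustration, not code from this thread or from FreeBSD's pf, the C program below reproduces with a toy id hash the three invariants the patch leans on: a requested size that is zero or not a power of two falls back to the default exactly as pf_initialize() does; for a power-of-two table, id % (mask + 1) (the PF_IDHASH form) and id & mask (the pf_hashkey form) pick the same row; and a walk over the whole table has to run i <= mask, because i < mask (the bound in the pf_ioctl.c source-node loops of the patch) never reaches the last row. The function names (hashsize_or_default, walk_rows, demo_walk), the counter-per-row table and the sample ids are assumptions made for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same default as pf's PF_HASHSIZ; powerof2() mirrors the macro pf uses. */
#define PF_HASHSIZ 32768UL
#ifndef powerof2
#define powerof2(x) ((((x) - 1) & (x)) == 0)
#endif

/* Validation pf_initialize() applies to net.pf.states_hashsize and
 * net.pf.source_nodes_hashsize: zero or a non-power-of-two falls back
 * to the default (powerof2(0) is true, hence the explicit zero check). */
unsigned long hashsize_or_default(unsigned long requested, unsigned long dflt)
{
    if (requested == 0 || !powerof2(requested))
        return dflt;
    return requested;
}

/* PF_IDHASH selects a row with id % (mask + 1); pf_hashkey() masks with
 * h & mask. They agree only because the size is forced to a power of two. */
unsigned long idhash_mod(uint64_t id, unsigned long mask) { return id % (mask + 1); }
unsigned long idhash_and(uint64_t id, unsigned long mask) { return id & mask; }

/* Toy row: a counter instead of pf's locked list of states. */
struct row { unsigned long entries; };

/* Walk every row as the pf.c loops do (i <= mask) or as the pf_ioctl.c
 * source-node loops do (i < mask); return how many entries were seen. */
unsigned long walk_rows(const struct row *rows, unsigned long mask, int inclusive)
{
    unsigned long seen = 0;
    for (unsigned long i = 0; (inclusive ? i <= mask : i < mask); i++)
        seen += rows[i].entries;
    return seen;
}

/* Build a table of the given power-of-two size, insert the constructed
 * ids 1..n, and report how many a walk with the chosen bound can see. */
unsigned long demo_walk(unsigned long size, unsigned long n, int inclusive)
{
    unsigned long mask = size - 1;          /* pf_hashmask = pf_hashsize - 1 */
    struct row *rows = calloc(size, sizeof(*rows));
    if (rows == NULL)
        return 0;
    for (uint64_t id = 1; id <= n; id++)
        rows[idhash_mod(id, mask)].entries++;
    unsigned long seen = walk_rows(rows, mask, inclusive);
    free(rows);
    return seen;
}

int main(void)
{
    printf("hashsize 1000 -> %lu (not a power of two, default used)\n",
        hashsize_or_default(1000, PF_HASHSIZ));
    printf("hashsize 4096 -> %lu\n", hashsize_or_default(4096, PF_HASHSIZ));
    printf("i <= mask walk sees %lu of 64 entries\n", demo_walk(16, 64, 1));
    printf("i <  mask walk sees %lu of 64 entries\n", demo_walk(16, 64, 0));
    return 0;
}
```

With 64 ids spread over 16 rows each row holds four entries, so the i < mask walk reports 60: the four entries in row 15 are invisible to it, which is the effect the "<" loops in the pf_ioctl.c hunks have on source nodes in the last row.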
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 19 23:52:11 2013
From: Nikos Vassiliadis
To: Gleb Smirnoff
Cc: Mikolaj Golub, freebsd-pf@freebsd.org
Date: Thu, 20 Jun 2013 01:51:53 +0200
Subject: Re: de-virtualize pf sysctls
Message-ID: <51C24419.3020806@gmx.com>
In-Reply-To: <20130619133912.GD1214@glebius.int.ru>

On 06/19/2013 03:39 PM, Gleb Smirnoff wrote:
> On Sun, Jun 16, 2013 at 01:13:55PM +0200, Nikos Vassiliadis wrote:
> N> >>> Please review this patch. These two variables are RO-tunables and
> N> >>> cannot be changed at runtime. As such, it is not useful to
> N> >>> virtualize them.
> N> >
> N> > This looks correct to me. Also, it looks like V_pf_hashmask and
> N> > V_pf_srchashmask can be de-virtualized then.
> N>
> N> Yes, taken care of on this version. I am not sure if I placed
> N> properly pf_hashmask and pf_srchashmask in pfvar.h.
> N>
> N> Please review, thanks.
>
> Thanks, Nikos.
>
> I committed the patch to the branch projects/pf/head. Can you
> please check out this branch and generate further pf+vimage related
> diffs against it?
>
> Once we finish and stabilize it, I will merge the branch to head.
>

Nice, I will create patches against this branch then.
Thanks too,
Nikos

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 01:50:47 2013
From: Stan Gammons
To: freebsd-pf@FreeBSD.org
Date: Fri, 21 Jun 2013 20:49:48 -0500
Subject: PF bugs
Message-ID: <1371865788.22524.9.camel@localhost>

I see there are several PF bugs and wondered if it's because PF isn't
maintained on FreeBSD? Perhaps that's the case given the version
differences versus PF on OpenBSD. If not, is Ipfilter the "preferred"
firewall on FreeBSD? Or is IPFW? I like PF, but reporting utilities
for it, compared to ipfilter and even iptables on Linux, leave a bit to
be desired.

Stan

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 02:45:21 2013
From: Chris Buechler
To: Stan Gammons
Cc: freebsd-pf@freebsd.org
Date: Fri, 21 Jun 2013 21:44:56 -0500
Subject: Re: PF bugs
In-Reply-To: <1371865788.22524.9.camel@localhost>

On Fri, Jun 21, 2013 at 8:49 PM, Stan Gammons wrote:
> I see there are several PF bugs and wondered if it's because PF isn't
> maintained on FreeBSD? Perhaps that's the case given the version
> differences versus PF on OpenBSD.

pf is actively developed and maintained on FreeBSD, and widely used.
The PRs that are open are largely ages old, no longer relevant and need
to be cleaned up, or were bunk to begin with. There aren't really that
many open either, considering every component of any widely used OS has
open bugs. That's not indicative of anything in itself generally.

FreeBSD+pf is the base of a significant number of firewalls, 180,000+
known live systems on pfSense alone (though that's not quite stock
FreeBSD pf, it's close), and many others.

> If not, is Ipfilter the "preferred"
> firewall on FreeBSD?

No, ipfilter may well go away in 10; it's not currently maintained.

> Or is IPFW?

Most people use pf or ipfw. The majority of network firewall use cases,
or at least all of them that require enterprise class features like
state synchronization for HA, use pf. ipfw is likely more common as a
host firewall on servers, from what I've seen at least.

> I like PF, but reporting utilities
> for it, compared to ipfilter and even iptables on Linux, leave a bit to
> be desired.
>

In what regard? What are you looking for that doesn't exist?
From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 03:24:31 2013
From: Maxim Khitrov
Date: Fri, 21 Jun 2013 23:24:00 -0400
Subject: Re: PF bugs
To: Stan Gammons
Cc: freebsd-pf@freebsd.org
In-Reply-To: <1371865788.22524.9.camel@localhost>
References: <1371865788.22524.9.camel@localhost>

On Fri, Jun 21, 2013 at 9:49 PM, Stan Gammons wrote:
> I see there are several PF bugs and wondered if it's because PF isn't
> maintained on FreeBSD? Perhaps that's the case given the version
> differences versus PF on OpenBSD. If not, is Ipfilter the "preferred"
> firewall on FreeBSD? Or is IPFW? I like PF, but reporting utilities
> for it, compared to ipfilter and even iptables on Linux, leave a bit to
> be desired.
>
>
> Stan

For what it's worth, I've been gradually migrating the few firewalls that I maintain to OpenBSD. FreeBSD pf is fine, and it's what I use for protecting individual servers, but I find that the new syntax, which was introduced after OpenBSD 4.5, produces rulesets that are more compact and easier to maintain when it comes to routing traffic between networks. The new priority queuing (set prio) is much simpler than ALTQ (and should perform better, though I haven't tested this). I'm also looking forward to the work that's being done to free HFSC from ALTQ and make it understandable and usable by mere mortals.

PF is still my choice on FreeBSD and I've never had any issues with the tools (pfctl and pftop primarily), but OpenBSD's version is more actively maintained and improved. There have been plenty of discussions about porting a more recent version of pf to FreeBSD (search the archives) and it doesn't look like that will happen any time soon.

If you'd like to understand the differences between the two, below are a few presentations on the topic:

Faster Packets - Performance Tuning in the OpenBSD network stack and pf
http://quigon.bsws.de/papers/2009/eurobsdcon-faster_packets/
http://www.youtube.com/watch?v=yqG67o4bYgY

10 years of pf
http://quigon.bsws.de/papers/2011/pf10yrs/
http://cisx1.uma.maine.edu/~wbackman/bsdtalk/BSDCan2011/10YearsofPF.mp3

OpenBSD network stack evolution
http://quigon.bsws.de/papers/2012/bsdcan/
http://www.youtube.com/watch?v=r6Nx15UGWZc

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 03:30:17 2013
Message-ID: <1371871842.22524.62.camel@localhost>
Subject: Re: PF bugs
From: Stan Gammons
To: Chris Buechler
Date: Fri, 21 Jun 2013 22:30:42 -0500
Cc: freebsd-pf@freebsd.org

On Fri, 2013-06-21 at 21:44 -0500, Chris Buechler wrote:
> pf is actively developed and maintained on FreeBSD, and widely used.
> The PRs that are open are largely ages old, no longer relevant and
> need to be cleaned up, or were bunk to begin with. There aren't really
> that many open either, considering every component of any widely used
> OS has open bugs. That's not indicative of anything in itself
> generally. FreeBSD+pf is the base of a significant number of
> firewalls, 180,000+ known live systems on pfSense alone (though that's
> not quite stock FreeBSD pf, it's close), and many others.

Ok. I wish PF on FreeBSD and OpenBSD were in sync. Yes, pfSense is pretty close and has a lot of great features.

> In what regard? What are you looking for that doesn't exist?

Well, I've tinkered with hatchet some on OpenBSD and it's Ok. It seems as though the tcpdump output on OpenBSD is different than FreeBSD too. But I'm looking for something that can process the tcpdump log from PF on either BSD more like what Lire (logreport) does with syslog, snort, postfix, etc logs. Perhaps something like that exists and I'm just unaware of it.
Stan

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 04:15:05 2013
Message-ID: <1371872869.22524.75.camel@localhost>
Subject: Re: PF bugs
From: Stan Gammons
To: Maxim Khitrov
Date: Fri, 21 Jun 2013 22:47:49 -0500
Cc: freebsd-pf@freebsd.org
References: <1371865788.22524.9.camel@localhost>

On Fri, 2013-06-21 at 23:24 -0400, Maxim Khitrov wrote:
> For what it's worth, I've been gradually migrating the few firewalls
> that I maintain to OpenBSD. FreeBSD pf is fine, and it's what I use
> for protecting individual servers, but I find that the new syntax,
> which was introduced after OpenBSD 4.5, produces rulesets that are
> more compact and easier to maintain when it comes to routing traffic
> between networks. The new priority queuing (set prio) is much simpler
> than ALTQ (and should perform better, though I haven't tested this).
> I'm also looking forward to the work that's being done to free HFSC
> from ALTQ and make it understandable and usable by mere mortals.

I too like OpenBSD and wish PF was in sync on both OSes.

> PF is still my choice on FreeBSD and I've never had any issues with
> the tools (pfctl and pftop primarily), but OpenBSD's version is more
> actively maintained and improved. There have been plenty of
> discussions about porting a more recent version of pf to FreeBSD
> (search the archives) and it doesn't look like that will happen any
> time soon. If you'd like to understand the differences between the
> two, below are a few presentations on the topic:

Thanks for the links. I'm looking for a tool that does reporting more along the lines of what Lire (logreport) does for syslog, postfix, snort and so on.
I've tinkered with hatchet some on OpenBSD and it's Ok, but isn't quite what I was looking for. The tcpdump seems to be different on FreeBSD too as I've been unable to get hatchet to work on FreeBSD.

Stan

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 13:00:02 2013
To: freebsd-pf@freebsd.org
Subject: Re: PF bugs
References: <1371871842.22524.62.camel@localhost>
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Sat, 22 Jun 2013 14:59:57 +0200
In-Reply-To: <1371871842.22524.62.camel@localhost> (Stan Gammons's message of "Fri, 21 Jun 2013 22:30:42 -0500")
Message-ID: <87ehbuti5u.fsf@deeperthought.bsdly.net>

Stan Gammons writes:

> Ok. I wish PF on FreeBSD and OpenBSD were in sync.

With the differences in release schedules (OpenBSD releases N.m+1 every six months, while the FreeBSD cycles typically take longer) a total sync is unlikely, but it would save some of us a bit of maintenance work if FreeBSD finally made the jump to post-OpenBSD 4.7 syntax and various 4.5 and onwards goodies like match, pflow and a few others.

Also, the new queueing subsystem that's now likely to be in OpenBSD 5.5 (to be released May 1st 2014) is likely to be a major feature that I think FreeBSD will want to include as soon as doable.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 14:47:13 2013
Message-ID: <201306221047020154.009AB04E@smtp.24cl.home>
In-Reply-To: <1371872869.22524.75.camel@localhost>
References: <1371865788.22524.9.camel@localhost> <1371872869.22524.75.camel@localhost>
Date: Sat, 22 Jun 2013 10:47:02 -0400
From: "Mike."
To: freebsd-pf@freebsd.org
Subject: Re: PF bugs

On 6/21/2013 at 10:47 PM Stan Gammons wrote:

|On Fri, 2013-06-21 at 23:24 -0400, Maxim Khitrov wrote:
|> For what it's worth, I've been gradually migrating the few firewalls
|> that I maintain to OpenBSD. FreeBSD pf is fine, and it's what I use
|> for protecting individual servers, but I find that the new syntax,
|> which was introduced after OpenBSD 4.5, produces rulesets that are
|> more compact and easier to maintain when it comes to routing traffic
|> between networks. The new priority queuing (set prio) is much simpler
|> than ALTQ (and should perform better, though I haven't tested this).
|> I'm also looking forward to the work that's being done to free HFSC
|> from ALTQ and make it understandable and usable by mere mortals.
|
|I too like OpenBSD and wish PF was in sync on both OSes.
|
[snip]
=============

While I suspect the core of pf on FreeBSD has diverged too much to keep the FreeBSD pf in sync with the OpenBSD pf [imo, and that's a shame], it would be most helpful if FreeBSD's pf.conf syntax and pf functionality were more closely aligned with what is currently happening with pf on OpenBSD.

I run both OpenBSD and FreeBSD systems, and the pf differences are a drag.....
From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 18:51:53 2013
Message-ID: <51C5F242.1010608@gmx.com>
Date: Sat, 22 Jun 2013 20:51:46 +0200
From: Nikos Vassiliadis
To: Chris Buechler
Subject: Re: PF bugs
References: <1371865788.22524.9.camel@localhost>
Cc: freebsd-pf@freebsd.org

Hi Chris (and list),

On 06/22/2013 04:44 AM, Chris Buechler wrote:
> pf is actively developed and maintained on FreeBSD, and widely used.
> The PRs that are open are largely ages old, no longer relevant and
> need to be cleaned up, or were bunk to begin with. There aren't really
> that many open either, considering every component of any widely used
> OS has open bugs. That's not indicative of anything in itself
> generally. FreeBSD+pf is the base of a significant number of
> firewalls, 180,000+ known live systems on pfSense alone (though that's
> not quite stock FreeBSD pf, it's close), and many others.

It seems that people think that pf is unmaintained. Quite a disheartening thing for the person that did the hard work to create the smp-friendly pf in FreeBSD-10...

I would be very happy if you had some performance comparison numbers between the old and new pf code that you would like to publish!
Thanks a lot,

Nikos

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 20:13:22 2013
Message-ID: <51C60566.4080306@gmx.de>
Date: Sat, 22 Jun 2013 22:13:26 +0200
From: olli hauer
To: freebsd-pf@freebsd.org
Subject: Re: PF bugs
References: <1371865788.22524.9.camel@localhost> <51C5F242.1010608@gmx.com>
In-Reply-To: <51C5F242.1010608@gmx.com>

On 2013-06-22 20:51, Nikos Vassiliadis wrote:
> Hi Chris (and list),
>
> On 06/22/2013 04:44 AM, Chris Buechler wrote:
>> pf is actively developed and maintained on FreeBSD, and widely used.
>> The PRs that are open are largely ages old, no longer relevant and
>> need to be cleaned up, or were bunk to begin with. There aren't really
>> that many open either, considering every component of any widely used
>> OS has open bugs. That's not indicative of anything in itself
>> generally. FreeBSD+pf is the base of a significant number of
>> firewalls, 180,000+ known live systems on pfSense alone (though that's
>> not quite stock FreeBSD pf, it's close), and many others.
>
> It seems that people think that pf is unmaintained.
> Quite a disheartening thing for the person that did the hard work
> to create the smp-friendly pf in FreeBSD-10...
>
> I would be very happy if you had some performance comparison numbers
> between the old and new pf code that you would like to publish!
>
> Thanks a lot,
>
> Nikos
>

Even though I have no numbers, Gleb posted a few graphs:
http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006662.html

The graphs are still available and based on Gleb's first work, I guess the numbers are even better.
--
olli

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 20:40:31 2013
Message-ID: <1371933661.1707.7.camel@localhost>
Subject: Was Re: PF bugs now PF reporting utility
From: Stan Gammons
To: Nikos Vassiliadis
Date: Sat, 22 Jun 2013 15:41:01 -0500
In-Reply-To: <51C5F242.1010608@gmx.com>
References: <1371865788.22524.9.camel@localhost> <51C5F242.1010608@gmx.com>
Cc: freebsd-pf@freebsd.org

On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
> It seems that people think that pf is unmaintained.
> Quite a disheartening thing for the person that did the hard work
> to create the smp-friendly pf in FreeBSD-10...

My apologies Nikos for thinking PF is not maintained.

I was hoping others here could point me to a sysutil that generates reports for PF like Lire does for IPFilter etc. I had started work on modifying one of the existing Lire dlf converters that would work with a PF log file that had been first processed through tcpdump. But, I couldn't figure out the format tcpdump uses, so I haven't made much progress. Can someone here help with the format tcpdump uses on FreeBSD or point me in the right direction?
Stan

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 20:53:35 2013
Message-Id: <2371E2A4-FEDB-4512-9EBA-1DF151E7A430@my.gd>
References: <1371865788.22524.9.camel@localhost>
In-Reply-To: <1371865788.22524.9.camel@localhost>
From: Damien Fleuriot
Subject: Re: PF bugs
Date: Sat, 22 Jun 2013 22:52:22 +0200
To: Stan Gammons
Cc: "freebsd-pf@FreeBSD.org"

On 22 Jun 2013, at 03:49, Stan Gammons wrote:

> I see there are several PF bugs and wondered if it's because PF isn't
> maintained on FreeBSD? Perhaps that's the case given the version
> differences versus PF on OpenBSD. If not, is Ipfilter the "preferred"
> firewall on FreeBSD? Or is IPFW? I like PF, but reporting utilities
> for it, compared to ipfilter and even iptables on Linux, leave a bit to
> be desired.
>
>
> Stan
>

pftop? pfstats? ntop?

These are good enough for me. Don't they fit your needs?

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 20:58:11 2013
Message-ID: <51C60FDD.10700@unsane.co.uk>
Date: Sat, 22 Jun 2013 21:58:05 +0100
From: Vincent Hoffman
To: Stan Gammons
Subject: Re: Was Re: PF bugs now PF reporting utility
References: <1371865788.22524.9.camel@localhost> <51C5F242.1010608@gmx.com> <1371933661.1707.7.camel@localhost>
In-Reply-To: <1371933661.1707.7.camel@localhost>
Cc: freebsd-pf@freebsd.org

On 22/06/2013 21:41, Stan Gammons wrote:
> On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
>> It seems that people think that pf is unmaintained.
>> Quite a disheartening thing for the person that did the hard work
>> to create the smp-friendly pf in FreeBSD-10...
> My apologies Nikos for thinking PF is not maintained.
>
> I was hoping others here could point me to a sysutil that generates
> reports for PF like Lire does for IPFilter etc. I had started work
> on modifying one of the existing Lire dlf converters that would
> work with a PF log file that had been first processed through tcpdump.
> But, I couldn't figure out the format tcpdump uses, so I haven't made
> much progress. Can someone here help with the format tcpdump uses on
> FreeBSD or point me in the right direction?
>

Would pflogx be of any use to you?
http://www.freshports.org/sysutils/pflogx/

Vince

> Stan
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 22 22:55:04 2013
Message-ID: <51C62B44.1030902@gmx.com>
Date: Sun, 23 Jun 2013 00:55:00 +0200
From: Nikos Vassiliadis
To: Stan Gammons
Subject: Re: Was Re: PF bugs now PF reporting utility
References: <1371865788.22524.9.camel@localhost> <51C5F242.1010608@gmx.com> <1371933661.1707.7.camel@localhost>
In-Reply-To: <1371933661.1707.7.camel@localhost>
Cc: freebsd-pf@freebsd.org

On 06/22/2013 10:41 PM, Stan Gammons wrote:
> On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
>> It seems that people think that pf is unmaintained.
>> Quite a disheartening thing for the person that did the hard work
>> to create the smp-friendly pf in FreeBSD-10...
>
> My apologies Nikos for thinking PF is not maintained.

I didn't want to make anybody apologize. I just wanted to add that pf in freebsd is not bad or inferior compared to the newer pf in openbsd. To some people the performance gain by smp-pf might be considered more useful than pf.conf compatibility between different OSes. Other people might need rdomains and all the other things the freebsd version doesn't have... Things are just different for quite a while now and they are growing even more differently. The fork happened for a reason or perhaps for a lot of reasons.

> I was hoping others here could point me to a sysutil that generates
> reports for PF like Lire does for IPFilter and etc. I had started work
> on modifying one of the existing Lire dlf converters that would
> work with a PF log file that had been first processed through tcpdump.
> But, I couldn't figure out the format tcpdump uses, so I haven't made
> much progress. Can someone here help with the format tcpdump uses on
> FreeBSD or point me in the right direction?
>

Unfortunately there is no support for pf in lire. OTOH it looks simple enough to hack a custom filter in awk maybe? (sorry, I possess no perl powers)

> root@lab:/var/log # tcpdump -nlttttei pflog0 | awk '{ if ($5 == "block") $5 = "b"; print $1,$2,"hostname","PID", $2,$4,$5,$8,$9,$11 }'
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> 2013-06-23 01:12:24.210634 hostname PID 01:12:24.210634 0..16777216/0(match): b bridge0: 192.168.65.1.60491 192.168.65.11.23:
> 2013-06-23 01:12:28.016297 hostname PID 01:12:28.016297 0..16777216/0(match): b bridge0: 192.168.65.1.40719 192.168.65.12.23:
> 2013-06-23 01:12:53.307795 hostname PID 01:12:53.307795 0..16777216/0(match): b bridge0: 192.168.65.13.11451 192.168.65.11.23:
> 2013-06-23 01:12:55.781513 hostname PID 01:12:55.781513 0..16777216/0(match): b bridge0: 192.168.65.13.62921 192.168.65.12.23:

The output format I did here is not correct but with a bit of work you could come up with something that looks like an IPFilter log.

HTH,
Nikos
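One way to build the custom awk filter Nikos sketches above, as an added example that is not code from the thread. It assumes the line layout his tcpdump session shows on FreeBSD (`<date> <time> rule <id>/<sub>(<reason>): <action> <dir> on <ifname>: <src> > <dst>: ...`), works on a constructed sample capture rather than a real one, and goes a little further than the one-liner in the thread: it skips tcpdump's own banner lines, splits host and port for both IPv4 and IPv6 literals, writes a placeholder port for ICMP lines that have none, and adds a per-port count of blocked packets of the kind a Lire-style report would want. The record layout it emits is this example's own choice, not IPFilter's ipmon format.

```sh
#!/bin/sh
# Added example, not code from the thread: a POSIX awk filter that turns the
# text tcpdump prints for pflog0 into one fixed-layout record per packet, plus
# a small report over those records. Input is assumed to be what
#   tcpdump -nlttttei pflog0
# prints on FreeBSD, i.e. lines shaped like
#   <date> <time> rule <id>/<sub>(<reason>): <action> <dir> on <ifname>: <src> > <dst>: ...
# Lines that do not match that shape (tcpdump's "listening on ..." banner,
# anything else mixed into the file) are skipped.

# Constructed sample capture for this example; not a real capture.
SAMPLE_PFLOG='listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
2013-06-23 01:12:24.210634 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.60491 > 192.168.65.11.23: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:12:28.016297 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.40719 > 192.168.65.12.23: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:12:53.307795 rule 0..16777216/0(match): block in on bridge0: 192.168.65.13.11451 > 192.168.65.11.23: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:12:55.781513 rule 3/0(match): pass in on bridge0: 192.168.65.13.62921 > 192.168.65.12.22: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:13:01.000000 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1 > 192.168.65.11: ICMP echo request, id 1, seq 1, length 64
2013-06-23 01:13:05.000000 rule 0..16777216/0(match): block in on bridge0: fe80::1.546 > ff02::1:2.547: dhcp6 solicit'

# pflog_normalize: stdin = tcpdump text, stdout = one record per packet:
#   <date> <time> <ifname> @<rule> <b|p|action> <dir> <srchost>,<srcport> -> <dsthost>,<dstport>
# A missing port (ICMP, for instance) is written as "-" so columns stay fixed.
pflog_normalize() {
    awk '
    # Split "host.port" as tcpdump prints it. An IPv4 address has four dots
    # plus one before the port; an IPv6 literal contains ":" and its port is
    # whatever follows the last dot, if there is one.
    function hostport(hp,    parts, n, h) {
        n = split(hp, parts, ".")
        if (index(hp, ":") > 0) {
            if (n == 1) return hp ",-"
            h = substr(hp, 1, length(hp) - length(parts[n]) - 1)
            return h "," parts[n]
        }
        if (n == 5) {
            h = substr(hp, 1, length(hp) - length(parts[5]) - 1)
            return h "," parts[5]
        }
        return hp ",-"
    }
    # $1 date, $2 time, $3 "rule", $4 "<id>/<sub>(<reason>):", $5 action,
    # $6 direction, $7 "on", $8 "<ifname>:", $9 src, $10 ">", $11 "dst:"
    $3 == "rule" && $7 == "on" && $10 == ">" {
        iface = $8;  sub(/:$/, "", iface)
        rule  = $4;  sub(/\(.*$/, "", rule)
        dst   = $11; sub(/:$/, "", dst)
        act = ($5 == "block") ? "b" : ($5 == "pass") ? "p" : $5
        printf "%s %s %s @%s %s %s %s -> %s\n",
               $1, $2, iface, rule, act, $6, hostport($9), hostport(dst)
    }'
}

# pflog_blocked_dports: "<count> <dstport>" for blocked packets, busiest first.
# Records without a destination port are left out of the count.
pflog_blocked_dports() {
    pflog_normalize | awk '
    $5 == "b" { split($9, d, ","); if (d[2] != "-") cnt[d[2]]++ }
    END { for (p in cnt) printf "%d %s\n", cnt[p], p }' | sort -k1,1nr -k2,2n
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_normalize
printf '%s\n' "$SAMPLE_PFLOG" | pflog_blocked_dports
```

On a live box the sample is replaced by `tcpdump -nlttttei pflog0 | pflog_normalize`. The guard on `$3`, `$7` and `$10` is what keeps the banner and any stray lines out of the report, and the host/port split is the part the `$9`/`$11` fields of the original one-liner leave undone; both are the details a converter feeding a reporting tool has to get right before the counts mean anything.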