From owner-freebsd-pf@FreeBSD.ORG Sun Jun 23 00:56:33 2013
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 9E9C3C8D for ; Sun, 23 Jun 2013 00:56:33 +0000 (UTC) (envelope-from ml@my.gd)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) by mx1.freebsd.org (Postfix) with ESMTP id 3771E172A for ; Sun, 23 Jun 2013 00:56:33 +0000 (UTC)
Received: by mail-wi0-f170.google.com with SMTP id ey16so1704032wid.5 for ; Sat, 22 Jun 2013 17:56:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=references:mime-version:in-reply-to:content-type:content-transfer-encoding:message-id:cc:x-mailer:from:subject:date:to:x-gm-message-state; bh=JHdU9HB5ufzbxB3Ua+s68tUwURd9vmZ/30N8dbiLnZE=; b=hVuRhDQ2FYLoLRnUoyxlCXFss+inZPkFFdGkxEIRKkZ4T5FUkXpOxo9KSSOdktxz76 znLmmBu6wYWACb6hBMpdTpWr5lBqL9B5P2OYG/PyWtTccbvanByTKDi7NrlVAlC/LdC6 5pgh+VmUMV2fwl0LeZ16NPS5RU1zcahAWT0Xyk3xPKljkm24tw9y3+eFEXM7jcj4Kj3m 7eSTocgPQYF4sv1xwxEICfI3OMlVG/C593zS/RPup+sLp7hGmMYLRI3Kc252Suulqv3c Mr34+x5ZBlOfC8/l+HLdsSAQqCJW9IE0tAafUIS64VEek0oXprBiqmPwVmeS8h78/f+k x16Q==
X-Received: by 10.180.206.180 with SMTP id lp20mr2538213wic.41.1371948992308; Sat, 22 Jun 2013 17:56:32 -0700 (PDT)
Received: from [10.99.242.47] (33.16.90.92.rev.sfr.net. [92.90.16.33]) by mx.google.com with ESMTPSA id i1sm7146467wiz.6.2013.06.22.17.56.31 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 22 Jun 2013 17:56:31 -0700 (PDT)
References: <1371865788.22524.9.camel@localhost> <51C5F242.1010608@gmx.com> <1371933661.1707.7.camel@localhost> <51C62B44.1030902@gmx.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <51C62B44.1030902@gmx.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <09D1DC3A-9F02-488D-AFA8-9C9E3EF79D7E@my.gd>
X-Mailer: iPhone Mail (10B144)
From: Damien Fleuriot
Subject: Re: Was Re: PF bugs now PF reporting utility
Date: Sun, 23 Jun 2013 02:55:21 +0200
To: Nikos Vassiliadis
X-Gm-Message-State: ALoCoQmkoeDjD6AnB0RhAOw3UBV8mx5TTsuQSaV4nDtSe0cd6Hu/EL24qYQ79naS3EqR3DofRjr2
Cc: "freebsd-pf@freebsd.org"
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 23 Jun 2013 00:56:33 -0000

On 23 Jun 2013, at 00:55, Nikos Vassiliadis wrote:

> On 06/22/2013 10:41 PM, Stan Gammons wrote:
>> On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
>>> It seems that people think that pf is unmaintained.
>>> Quite a disheartening thing for the person that did the hard work
>>> to create the smp-friendly pf in FreeBSD-10...
>>
>> My apologies Nikos for thinking PF is not maintained.
>
> I didn't want to make anybody apologize.
>
> I just wanted to add that pf in freebsd is not bad or inferior
> compared to the newer pf in openbsd. To some people the performance
> gain by smp-pf might be considered more useful than pf.conf
> compatibility between different OSes. Other people might need
> rdomains and all the other things the freebsd version doesn't have...
>
> Things are just different for quite a while now and they are growing
> even more differently. The fork happened for a reason or perhaps for
> a lot of reasons.
>

On topic, Gleb has put a lot of work on PF in -CURRENT which, iirc, made a
handful of open PRs irrelevant.

>> I was hoping others here could point me to a sysutil that generates
>> reports for PF like Lire does for IPFilter and etc. I had started work
>> on modifying one of the existing Lire dlf converters that would
>> work with a PF log file that had been first processed through tcpdump.
>> But, I couldn't figure out the format tcpdump uses, so I haven't made
>> much progress. Can someone here help with the format tcpdump uses on
>> FreeBSD or point me in the right direction?
>
> Unfortunately there is no support for pf in lire. OTOH it looks
> simple enough to hack a custom filter in awk maybe? (sorry i possess
> no perl powers)
>
>> root@lab:/var/log # tcpdump -nlttttei pflog0 | awk '{ if ($5 == "block") $5 = "b"; print $1,$2,"hostname","PID", $2,$4,$5,$8,$9,$11 }'
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
>> 2013-06-23 01:12:24.210634 hostname PID 01:12:24.210634 0..16777216/0(match): b bridge0: 192.168.65.1.60491 192.168.65.11.23:
>> 2013-06-23 01:12:28.016297 hostname PID 01:12:28.016297 0..16777216/0(match): b bridge0: 192.168.65.1.40719 192.168.65.12.23:
>> 2013-06-23 01:12:53.307795 hostname PID 01:12:53.307795 0..16777216/0(match): b bridge0: 192.168.65.13.11451 192.168.65.11.23:
>> 2013-06-23 01:12:55.781513 hostname PID 01:12:55.781513 0..16777216/0(match): b bridge0: 192.168.65.13.62921 192.168.65.12.23:
>
> The output format I did here is not correct but with a bit of work
> you could come up with something that looks like an IPFilter log.
>
> HTH, Nikos
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 23 01:05:38 2013
From: "Littlefield, Tyler"
To: freebsd-pf@freebsd.org
Subject: current pf (freebsd 9.3) documentation
Date: Sat, 22 Jun 2013 21:00:07 -0400
Message-ID: <51C64897.3020802@tysdomain.com>

Hello:
I was looking for some information on the freebsd pf flavor and haven't
run across much except for old mysterious rules that employ a lot of
voodoo to keep people from portscanning, but which I'm told are actually
wrong.
Is there a good place to obtain pf docs?
Thanks,
--
Take care,
Ty
http://tds-solutions.net

He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.

Sent from my Toaster (tm).

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 23 05:27:12 2013
From: Jim Thompson
To: Nikos Vassiliadis
Cc: "freebsd-pf@freebsd.org"
Subject: Re: PF bugs
Date: Sun, 23 Jun 2013 00:27:07 -0500
In-Reply-To: <51C5F242.1010608@gmx.com>
References: <1371865788.22524.9.camel@localhost> <51C5F242.1010608@gmx.com>

On Jun 22, 2013, at 1:51 PM, Nikos Vassiliadis wrote:

> I would be very happy if you had some performance comparison numbers
> between the old and new pf code that you would like to publish!

Still trying to get to it.
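The tcpdump/awk pflog conversion that Nikos sketched earlier in this thread (the "PF reporting utility" message) can be done more robustly with a small parser that turns each `tcpdump -nlttttei pflog0` line into a structured record and then aggregates what a firewall report needs: what was blocked, on which interface, towards which ports and from which sources. The following is an added example written for this page; it is not code from the thread, from Lire, or from the pf or tcpdump projects. It assumes the line layout reconstructed from the awk field numbers in that message (date, time, `rule`, a rule id followed by the reason in parentheses, action, direction, `on`, interface, source, `>`, destination, then free-form protocol detail); the sample capture is constructed, and the parser goes slightly beyond the thread by also handling port-less ICMP lines and IPv6 endpoints.

```python
"""Parse `tcpdump -nlttttei pflog0` output into structured records and
summarise blocked traffic, so a Lire-style report can be built without a
DLF converter.  Added example, not code from the list thread."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Layout of one pflog line as printed by `tcpdump -nlttttei pflog0`, reconstructed
# from the awk field numbers in the thread ($4 = rule, $5 = action, $8 = iface,
# $9 = src, $11 = dst).  Everything after the destination is free-form protocol
# detail (TCP flags, ICMP type, ...) and is kept as `rest`.  Assumption: the rule
# id looks like "0..16777216/0(match)" (id, then the reason in parentheses).
_PFLOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>[^\s(]+)\((?P<reason>[^)]*)\): "
    r"(?P<action>\S+) (?P<direction>in|out) on (?P<iface>[^:\s]+): "
    r"(?P<src>\S+) > (?P<dst>\S+?):?(?: (?P<rest>.*))?$"
)


@dataclass
class PfLogRecord:
    date: str
    time: str
    rule: str
    reason: str
    action: str
    direction: str
    iface: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    rest: str


def split_endpoint(endpoint: str):
    """Split tcpdump's 'addr.port' notation into (addr, port).

    ICMP lines carry no port, so a bare address must survive unchanged: the
    candidate host part is only accepted if it parses as an IP address."""
    host, sep, port = endpoint.rpartition(".")
    if sep and port.isdigit():
        try:
            ipaddress.ip_address(host)
            return host, int(port)
        except ValueError:
            pass
    return endpoint, None


def parse_line(line: str) -> Optional[PfLogRecord]:
    """Return a record for a pflog line, or None for tcpdump banner/noise."""
    m = _PFLOG_LINE.match(line)
    if not m:
        return None
    src, src_port = split_endpoint(m["src"])
    dst, dst_port = split_endpoint(m["dst"])
    return PfLogRecord(
        date=m["date"], time=m["time"], rule=m["rule"], reason=m["reason"],
        action=m["action"], direction=m["direction"], iface=m["iface"],
        src=src, src_port=src_port, dst=dst, dst_port=dst_port,
        rest=m["rest"] or "",
    )


def parse_lines(lines: Iterable[str]) -> List[PfLogRecord]:
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def summarize(records: Iterable[PfLogRecord]) -> dict:
    """Aggregate the counts a firewall report would show for blocked traffic."""
    records = list(records)
    blocked = [r for r in records if r.action == "block"]
    return {
        "total": len(records),
        "blocked": len(blocked),
        "blocked_by_iface": Counter(r.iface for r in blocked),
        "blocked_by_dst_port": Counter(r.dst_port for r in blocked),
        "blocked_by_src": Counter(r.src for r in blocked),
    }


# Constructed sample capture in the layout above (not real traffic); the two
# tcpdump banner lines are included to show that they are skipped.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
2013-06-23 01:12:24.210634 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.60491 > 192.168.65.11.23: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:12:28.016297 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.40719 > 192.168.65.12.23: Flags [S], seq 2, win 65535, length 0
2013-06-23 01:12:53.307795 rule 0..16777216/0(match): block in on bridge0: 192.168.65.13.11451 > 192.168.65.11.23: Flags [S], seq 3, win 65535, length 0
2013-06-23 01:13:02.000001 rule 3/(match): pass out on em0: 192.168.65.11.51000 > 203.0.113.5.443: Flags [S], seq 4, win 65535, length 0
2013-06-23 01:13:05.000002 rule 0..16777216/0(match): block in on bridge0: 192.168.65.13 > 192.168.65.11: ICMP echo request, id 1, seq 1, length 64
"""


if __name__ == "__main__":
    report = summarize(parse_lines(SAMPLE_CAPTURE.splitlines()))
    print(f"{report['blocked']} of {report['total']} logged packets were blocked")
    for port, n in report["blocked_by_dst_port"].most_common():
        print(f"  dst port {port if port is not None else '-'}: {n}")
    for src, n in report["blocked_by_src"].most_common():
        print(f"  from {src}: {n}")
```

To use it on a live box, feed `tcpdump -nlttttei pflog0` through `parse_lines` instead of `SAMPLE_CAPTURE`; the `-e` flag is what makes tcpdump print the pflog header (rule, action, direction, interface) that the parser relies on, and the records can then be written in whatever flat format a reporting tool expects.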
From owner-freebsd-pf@FreeBSD.ORG Sun Jun 23 06:23:27 2013
From: Cameron Simpson
To: Nikos Vassiliadis
Cc: freebsd-pf@freebsd.org
Subject: Re: Was Re: PF bugs now PF reporting utility
Date: Sun, 23 Jun 2013 16:22:54 +1000
Message-ID: <20130623062254.GA48373@cskk.homeip.net>
In-Reply-To: <51C62B44.1030902@gmx.com>
References: <51C62B44.1030902@gmx.com>

On 23Jun2013 00:55, Nikos Vassiliadis wrote:
| Things are just different for quite a while now and they are growing
| even more differently.

Just a small related thing: are underlying things compatible? Specifically I am
wondering can I CARP and pfsync between FreeBSD and OpenBSD?
--
Cameron Simpson

The major difference between a thing that might go wrong and a thing that
cannot possibly go wrong is that when a thing that cannot possibly go wrong
goes wrong, it usually turns out to be impossible to get at or repair.
- Douglas Adams

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 23 12:56:46 2013
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Subject: Re: current pf (freebsd 9.3) documentation
Date: Sun, 23 Jun 2013 14:56:38 +0200
Message-ID: <878v21m1dl.fsf@deeperthought.bsdly.net>
In-Reply-To: <51C64897.3020802@tysdomain.com> (Tyler Littlefield's message of "Sat, 22 Jun 2013 21:00:07 -0400")
References: <51C64897.3020802@tysdomain.com>

"Littlefield, Tyler" writes:

> I was looking for some information on the freebsd pf flavor and haven't
> run across much except for old mysterious rules that employ a lot of
> voodoo to keep people from portscanning, but which I'm told are actually
> wrong.
> Is there a good place to obtain pf docs?

The FreeBSD Handbook's PF chapter recently grew significantly, check
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
and go to the new section "31.4.6. PF Rule Sets and Tools".

(Also, you could do worse than buy the book, but I'll limit my plugging.)

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
From owner-freebsd-pf@FreeBSD.ORG Mon Jun 24 11:06:51 2013
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Date: Mon, 24 Jun 2013 11:06:50 GMT
Message-Id: <201306241106.r5OB6oHf001077@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf         [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

52 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 25 15:24:02 2013
From: Gleb Smirnoff
To: Cameron Simpson
Cc: freebsd-pf@freebsd.org
Subject: Re: Was Re: PF bugs now PF reporting utility
Date: Tue, 25 Jun 2013 19:23:59 +0400
Message-ID: <20130625152359.GM1214@FreeBSD.org>
In-Reply-To: <20130623062254.GA48373@cskk.homeip.net>
References: <51C62B44.1030902@gmx.com> <20130623062254.GA48373@cskk.homeip.net>

  Cameron,

On Sun, Jun 23, 2013 at 04:22:54PM +1000, Cameron Simpson wrote:
C> On 23Jun2013 00:55, Nikos Vassiliadis wrote:
C> | Things are just different for quite a while now and they are growing
C> | even more differently.
C>
C> Just a small related thing: are underlying things compatible? Specifically I am
C> wondering can I CARP and pfsync between FreeBSD and OpenBSD?

Newer OpenBSD utilises an additional field in the CARP PDU, that isn't
filled, nor analyzed, by FreeBSD. After a quick reading of the OpenBSD CARP
code, it seems that it should interoperate fine with older CARP from
OpenBSD, and thus with CARP in FreeBSD. Note that in FreeBSD 10 the way
CARP is configured has changed a lot, but the wire protocol is the same.

Regarding pfsync. It is wire compatible with the version of the last
import from OpenBSD. And last time I looked into OpenBSD (a year ago), it
was still wire compatible.

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 25 15:37:45 2013
From: Gleb Smirnoff
To: "Peter N. M. Hansteen"
Cc: freebsd-pf@freebsd.org
Subject: Re: PF bugs
Date: Tue, 25 Jun 2013 19:37:19 +0400
Message-ID: <20130625153719.GN1214@FreeBSD.org>
In-Reply-To: <87ehbuti5u.fsf@deeperthought.bsdly.net>
References: <1371871842.22524.62.camel@localhost> <87ehbuti5u.fsf@deeperthought.bsdly.net>

  Peter,

On Sat, Jun 22, 2013 at 02:59:57PM +0200, Peter N. M. Hansteen wrote:
P> > Ok. I wish PF on FreeBSD and OpenBSD were in sync.
P>
P> With the differences in release schedules (OpenBSD releases N.m+1
P> every six months, while the FreeBSD cycles typically take longer) a
P> total sync is unlikely, but it would save some of us a bit of
P> maintenance work if FreeBSD finally made the jump to post-OpenBSD 4.7
P> syntax and various 4.5 and onwards goodies like match, pflow and a few
P> other.

The number of people who run both OpenBSD and FreeBSD is significantly
less than the number of people who just run FreeBSD and routinely upgrade
it from version to version. I understand that having different syntax is
a PITA for those who run both BSDs, sorry for that. But changing syntax in
FreeBSD would be a PITA for the vast majority of people. That's why many
FreeBSD developers are against changing syntax.

P> Also, the new queueing subsystem that's now likely to be in OpenBSD
P> 5.5 (to be released May 1st 2014) is likely to be a major feature that
P> I think FreeBSD will want to include as soon as doable.

While OpenBSD changes struct ifqueue if_snd in the ifnet to if_snd[nqueues],
FreeBSD moves in the direction of killing the queue.
The queue has shown itself to be the major bottleneck for high speed
interfaces, and now in FreeBSD all gigabit and 10gig NIC drivers bypass the
ifqueue; it is left only for compatibility. That's why we don't plan to
move back to queues.

From my viewpoint the best send scheduling method in the modern world is to
utilize the multiqueueing that NICs provide. Most high end NICs now do. We
just need some hardware abstraction layer upon that. Right now Andre
Oppermann is planning a major work on the TX side of NIC drivers, and I'm
pretty sure he will consider traffic prioritisation.

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 26 07:42:54 2013
From: "Eugene M. Zheganin"
To: freebsd-pf@freebsd.org
Subject: pftop/10.x
Date: Wed, 26 Jun 2013 13:42:45 +0600
Message-ID: <51CA9B75.7070503@norma.perm.ru>

Hi.

Why am I getting this?

[emz@taiga:/<1>log/squid]# pftop
pftop: DIOCGETSTATUS: Permission denied
> Error Reading status (DIOCGETSTATUS): Permission denied

(I'm kinda root).

This is harmless (never used pftop, was just curious about it), but
still worth fixing.

Thanks.
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 26 07:45:48 2013
From: Gleb Smirnoff
To: "Eugene M. Zheganin"
Cc: freebsd-pf@freebsd.org
Subject: Re: pftop/10.x
Date: Wed, 26 Jun 2013 11:45:45 +0400
Message-ID: <20130626074545.GS1214@FreeBSD.org>
In-Reply-To: <51CA9B75.7070503@norma.perm.ru>
References: <51CA9B75.7070503@norma.perm.ru>

On Wed, Jun 26, 2013 at 01:42:45PM +0600, Eugene M. Zheganin wrote:
E> Why am I getting this?
E>
E> [emz@taiga:/<1>log/squid]# pftop
E> pftop: DIOCGETSTATUS: Permission denied
E> > Error Reading status (DIOCGETSTATUS): Permission denied
E>
E> (I'm kinda root).
E>
E> This is harmless (never used pftop, was just curious about it), but
E> still worth fixing.

It isn't compilable on 10.x, so I guess you are running a binary
compiled on 9.x.

I have a WIP to make it compilable, which ended in rewriting it for a
bit more than a half. :) I need someone to finish the WIP and we
will probably supply a different distfile for 10.x.

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 26 09:23:39 2013
From: Josh Ramahlo
To: freebsd-pf@freebsd.org
Subject: Interested in peugeo 107
Date: Wed, 26 Jun 2013 11:23:37 +0200
X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jun 2013 09:23:39 -0000 Please forward me the necessary information Regards Josh From owner-freebsd-pf@FreeBSD.ORG Wed Jun 26 09:40:17 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id CE614C99 for ; Wed, 26 Jun 2013 09:40:17 +0000 (UTC) (envelope-from ml@my.gd) Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173]) by mx1.freebsd.org (Postfix) with ESMTP id 670451A13 for ; Wed, 26 Jun 2013 09:40:17 +0000 (UTC) Received: by mail-wi0-f173.google.com with SMTP id hq4so1756835wib.0 for ; Wed, 26 Jun 2013 02:40:16 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer :x-gm-message-state; bh=9QcxYReHTn9/wpTd14gqFi8KPu77exTJeQggP7Kdyl0=; b=K5+JAENOjBvn7pRvn/+b4AivXRQiFAiuf/dK9pI8Iah6pdjYckbEhvLMmKGdsWF/1u 8xIXWEvY23ze0tYMY1sV5UAZIm8uQi8Njnq/jvpgNjD/VPo5w9v3jPFZcNgbeq1JpvjW xKqPd32Amf3CWOpTHSjZGDmq5I03nIZXfadbGrq8py0RCYGQsRsgMwriRbJMDrYNw0MT 3AjCSPdkquIaCdm2mJcDSIC06K94FdagBhXhVVGu08h+GzifijB9xay4H0nFP99ayz65 n+qXIQTKJXw0ooryi4etf83vl5s10BcaiLdp7Ls01p8e4MoMwzACCa9r2GA/jrLJ++02 5U4A== X-Received: by 10.180.211.171 with SMTP id nd11mr2033127wic.17.1372239616164; Wed, 26 Jun 2013 02:40:16 -0700 (PDT) Received: from dfleuriot.paris.hi-media-techno.com ([83.167.62.196]) by mx.google.com with ESMTPSA id p1sm9532725wix.9.2013.06.26.02.40.15 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 26 Jun 2013 02:40:15 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\)) Subject: Re: pftop/10.x 
From: Fleuriot Damien In-Reply-To: <20130626074545.GS1214@FreeBSD.org> Date: Wed, 26 Jun 2013 11:40:16 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: References: <51CA9B75.7070503@norma.perm.ru> <20130626074545.GS1214@FreeBSD.org> To: Gleb Smirnoff X-Mailer: Apple Mail (2.1508) X-Gm-Message-State: ALoCoQmzoeA2VQyjEju+lN3ZsqCts+fmN/3wjFQHKI7VIIIgsirVuhsnPZS+3uvsJhzFw8JXS6kA Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jun 2013 09:40:17 -0000

On Jun 26, 2013, at 9:45 AM, Gleb Smirnoff wrote:

> On Wed, Jun 26, 2013 at 01:42:45PM +0600, Eugene M. Zheganin wrote:
> E> Why I'm getting this ?
> E>
> E> [emz@taiga:/<1>log/squid]# pftop
> E> pftop: DIOCGETSTATUS: Permission denied
> E> > Error Reading status (DIOCGETSTATUS): Permission denied
> E>
> E> (I'm kinda root).
> E>
> E> This is harmless (never used pftop, was just curious about it), but
> E> still worth fixing.
>
> It isn't compilable on 10.x, so I guess you are running binary
> compiled on 9.x.
>
> I have a WIP to make it compilable, which ended in rewriting it for a
> bit more than a half. :) I need someone to finish the WIP and we
> will probably supply a different distfile for 10.x.

FreeBSD nas.my.gd 10.0-CURRENT FreeBSD 10.0-CURRENT #1 r251489: Mon Jun 24 11:57:55 UTC 2013

# pkg info | grep pf
pftop-0.7_1                    Utility for real-time display of statistics for pf

Built just today on -CURRENT, works like a charm.
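Editor's note on the "Permission denied" above. The thread never spells out why a stale pftop gets EACCES rather than, say, an "inappropriate ioctl" error, but one mechanism fits Gleb's guess exactly, and it is worth knowing whenever a userland tool talks to a kernel through ioctl(2) on FreeBSD. sys/ioccom.h encodes the size of the argument struct into the request number, so DIOCGETSTATUS, defined as _IOWR('D', 21, struct pf_status), silently becomes a different number whenever struct pf_status changes layout. pfioctl() also checks, before it looks at the uid or even recognises the command, whether the descriptor was opened for writing; a read-only descriptor may only issue commands from a fixed read-only list and anything else is refused with EACCES. A binary built against an older pfvar.h therefore sends a request number the running kernel has never heard of, and because it opened /dev/pf read-only, the answer is "Permission denied" no matter who runs it. The C below is an added example, not code from the thread, from pftop or from the kernel: the macros reproduce the sys/ioccom.h encoding, the two pf_status layouts are constructed stand-ins (not the real 9.x and 10.x definitions), and pfioctl_model() is a reduced model of the kernel's checks.

```c
/*
 * Added example (not from the thread, pftop or the kernel): how a pftop
 * built against an older pfvar.h can get EACCES from a newer pf.
 *
 *   1. sys/ioccom.h folds sizeof(argument struct) into the request number,
 *      so DIOCGETSTATUS = _IOWR('D', 21, struct pf_status) changes value
 *      whenever struct pf_status changes size.
 *   2. pfioctl() checks the descriptor's open mode first: a read-only
 *      descriptor (pftop opens /dev/pf O_RDONLY) may only issue commands
 *      on the kernel's read-only list; anything else gets EACCES before
 *      the uid or the command itself is looked at.
 *
 * The ioctl macros below reproduce the FreeBSD encoding.  The two
 * pf_status layouts are constructed stand-ins, and pfioctl_model() is a
 * reduced model of the kernel's checks, not the real pfioctl().
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Request-number encoding, as in FreeBSD's sys/ioccom.h. */
#define IOCPARM_SHIFT   13
#define IOCPARM_MASK    ((1ul << IOCPARM_SHIFT) - 1)
#define IOC_OUT         0x40000000ul
#define IOC_IN          0x80000000ul
#define IOC_INOUT       (IOC_IN | IOC_OUT)
#define IOCPARM_LEN(x)  (((x) >> 16) & IOCPARM_MASK)
#define IOCBASECMD(x)   ((x) & ~(IOCPARM_MASK << 16))
#define IOCGROUP(x)     (((x) >> 8) & 0xff)
#define MY_IOC(inout, group, num, len) \
    ((unsigned long)((inout) | (((unsigned long)(len) & IOCPARM_MASK) << 16) | \
                     ((unsigned long)(group) << 8) | (unsigned long)(num)))
#define MY_IOWR(g, n, t) MY_IOC(IOC_INOUT, (g), (n), sizeof(t))

/* Constructed stand-ins: the "new" layout grew a block of counters. */
struct pf_status_old {
    uint64_t counters[4];
    uint32_t running;
    uint32_t since;
};
struct pf_status_new {
    uint64_t counters[4];
    uint64_t fcounters[3];      /* hypothetical addition */
    uint32_t running;
    uint32_t since;
};

/* Same group 'D' and command 21, different sizes: different numbers. */
#define DIOCGETSTATUS_OLD MY_IOWR('D', 21, struct pf_status_old)
#define DIOCGETSTATUS_NEW MY_IOWR('D', 21, struct pf_status_new)

/*
 * Reduced model of pfioctl() in a kernel built with pf_status_new.
 * Returns 0 on success or an errno value.  The open-mode check runs
 * first and is independent of the caller's uid, which is why Eugene
 * saw "Permission denied" as root.
 */
int pfioctl_model(int fd_writable, unsigned long cmd)
{
    if (!fd_writable) {
        switch (cmd) {
        case DIOCGETSTATUS_NEW:     /* the read-only command list */
            break;
        default:
            return EACCES;          /* "Permission denied" */
        }
    }
    switch (cmd) {
    case DIOCGETSTATUS_NEW:
        return 0;                   /* would fill in the status struct */
    default:
        return ENODEV;              /* unknown command on a writable fd */
    }
}

int main(void)
{
    printf("old DIOCGETSTATUS = 0x%lx (len %lu), new = 0x%lx (len %lu)\n",
           DIOCGETSTATUS_OLD, IOCPARM_LEN(DIOCGETSTATUS_OLD),
           DIOCGETSTATUS_NEW, IOCPARM_LEN(DIOCGETSTATUS_NEW));
    printf("stale binary, O_RDONLY: errno %d\n",
           pfioctl_model(0, DIOCGETSTATUS_OLD));
    printf("fresh binary, O_RDONLY: errno %d\n",
           pfioctl_model(0, DIOCGETSTATUS_NEW));
    return 0;
}
```

The practical check this suggests: when a pf tool built from ports starts failing with EACCES right after a major upgrade, rebuild it against the running kernel's headers before suspecting permissions, and compare IOCPARM_LEN() of the command the tool issues with sizeof the struct in the installed pfvar.h.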
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 26 10:24:24 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 246AF706 for ; Wed, 26 Jun 2013 10:24:24 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) by mx1.freebsd.org (Postfix) with ESMTP id A4B6C1C55 for ; Wed, 26 Jun 2013 10:24:22 +0000 (UTC) Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.7/8.14.7) with ESMTP id r5QAOL0L012252; Wed, 26 Jun 2013 14:24:21 +0400 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.7/8.14.7/Submit) id r5QAOLSw012251; Wed, 26 Jun 2013 14:24:21 +0400 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Wed, 26 Jun 2013 14:24:21 +0400 From: Gleb Smirnoff To: Fleuriot Damien Subject: Re: pftop/10.x Message-ID: <20130626102421.GY1214@glebius.int.ru> References: <51CA9B75.7070503@norma.perm.ru> <20130626074545.GS1214@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jun 2013 10:24:24 -0000 On Wed, Jun 26, 2013 at 11:40:16AM +0200, Fleuriot Damien wrote: F> > It isn't compilable on 10.x, so I guess you are running binary F> > compiled on 9.x. F> > F> > I have a WIP to make it compilable, which ended in rewriting it for a F> > bit more than a half. 
:) I need someone to finish the WIP and we F> > will probably supply a different distfile for 10.x. F> F> F> FreeBSD nas.my.gd 10.0-CURRENT FreeBSD 10.0-CURRENT #1 r251489: Mon Jun 24 11:57:55 UTC 2013 F> F> # pkg info | grep pf F> pftop-0.7_1 Utility for real-time display of statistics for pf F> F> Built just today on -CURRENT , works like a charm. Whoa! Thanks go to Fabian Keil! http://svnweb.freebsd.org/ports?view=revision&revision=318433 -- Totus tuus, Glebius. From owner-freebsd-pf@FreeBSD.ORG Thu Jun 27 05:42:29 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 7B5FA83D; Thu, 27 Jun 2013 05:42:29 +0000 (UTC) (envelope-from peter@bsdly.net) Received: from skapet.bsdly.net (cl-426.sto-01.se.sixxs.net [IPv6:2001:16d8:ff00:1a9::2]) by mx1.freebsd.org (Postfix) with ESMTP id 317D21995; Thu, 27 Jun 2013 05:42:28 +0000 (UTC) Received: from sonofskinny.bsdly.net ([192.168.103.254] helo=deeperthought.bsdly.net) by skapet.bsdly.net with esmtp (Exim 4.77) (envelope-from ) id 1Us4yO-0004Jz-Dd; Thu, 27 Jun 2013 07:42:24 +0200 To: Gleb Smirnoff Subject: Re: PF bugs References: <1371871842.22524.62.camel@localhost> <87ehbuti5u.fsf@deeperthought.bsdly.net> <20130625153719.GN1214@FreeBSD.org> From: peter@bsdly.net (Peter N. M. 
Hansteen) Date: Thu, 27 Jun 2013 07:42:22 +0200 In-Reply-To: <20130625153719.GN1214@FreeBSD.org> (Gleb Smirnoff's message of "Tue, 25 Jun 2013 19:37:19 +0400") Message-ID: <87txkkxg75.fsf@deeperthought.bsdly.net> User-Agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.4.22 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jun 2013 05:42:29 -0000

Gleb Smirnoff writes:

> The number of people who run both OpenBSD and FreeBSD is significantly
> less than the number of people who just run FreeBSD and routinely upgrade
> it from version to version. I understand that having different syntax
> is a PITA for those who run both BSDs, sorry for that. But changing
> syntax in FreeBSD would be PITA for a vast majority of people. That's
> why many FreeBSD developers are against changing syntax.

Breaking people's configs is generally undesirable, but in this case along with the nat and rdr syntax change comes goodies like match, settable state defaults, divert-to, pflow, and various performance-relevant code improvements. On the OpenBSD side, the added features and performance improvements were considered worth the temporary pain of changing NAT and redirection rules (but really, in almost all cases the conversion is trivial, and the really weird setups turn out far more maintainable with the new syntax than the old).

> P> Also, the new queueing subsystem that's now likely to be in OpenBSD
> P> 5.5 (to be released May 1st 2014) is likely to be a major feature that
> P> I think FreeBSD will want to include as soon as doable.
>
> While OpenBSD changes struct ifqueue if_snd in the ifnet to
> if_snd[nqueues], FreeBSD moves in the direction of killing the queue.
> The queue has showed itself as the major bottleneck for high speed
> interfaces, and now in FreeBSD all gigabit and 10gig NIC drivers
> bypass the ifqueue, it is left only for compatibility. That's why
> we don't plan to move back to queues.
>
> From my viewpoint the best send scheduling method in the modern world
> is utilize multiqueueing that NICs provide. Most high end NICs now do.
> We just need some hardware abstraction layer upon that.
>
> Right now Andre Oppermann is planning a major work on the TX side of
> NIC drivers, and I'm pretty sure, he will consider traffic prioritisation.

prio (pure priority) specifiable per rule is available by default since OpenBSD 5.0, the first part of a longer term plan to replace ALTQ with traffic shaping that fits better with the more modern code surrounding it (and that's where the array of queues comes from, to implement the always-on priority scheme).

Not sure at first blush how much of a conflict there will be between the traffic shaping code that is likely to hit the OpenBSD tree in time for 5.5 (due to be released May 1st 2014), but it would bear looking into I suppose. The diff at http://bulabula.org/diffs/newqueue.diff applied to a recent OpenBSD-current is what is being tested at the moment.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 27 12:13:18 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id C52CEB75 for ; Thu, 27 Jun 2013 12:13:18 +0000 (UTC) (envelope-from thomas@gibfest.dk) Received: from mail.tyknet.dk (mail.tyknet.dk [176.9.9.186]) by mx1.freebsd.org (Postfix) with ESMTP id 4FB0E1F5A for ; Thu, 27 Jun 2013 12:13:18 +0000 (UTC) Received: from [10.10.1.100] (217.71.4.82.static.router4.bolignet.dk [217.71.4.82]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mail.tyknet.dk (Postfix) with ESMTPSA id ABA0A14E5A9 for ; Thu, 27 Jun 2013 14:13:10 +0200 (CEST) X-DKIM: OpenDKIM Filter v2.5.2 mail.tyknet.dk ABA0A14E5A9 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gibfest.dk; s=default; t=1372335190; bh=FQ0LJoPGUO6I5UNlFEGdT4Du/5Cd4jXVoGprv2MwwSQ=; h=Date:From:To:Subject:References:In-Reply-To; b=N1DnW2H3T8nr3dYaICwRnYc5kyaI+vWFfwAnX+e2nJ4UnsCiZYF+bf3AySKgmHGRB 2iBeBCIQwgBDm/7uF7Phg2Dqc3Z0VXaTCZRqBGF+5E8j2o0bcGGZfEVR68qwoynuTS +mM4jP9zyOM2wPB099ymKaUHhM1aDtV8+0qoERhg= Message-ID: <51CC2C54.5020402@gibfest.dk> Date: Thu, 27 Jun 2013 14:13:08 +0200 From: Thomas Steen Rasmussen User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Subject: Re: PF bugs References: <1371871842.22524.62.camel@localhost> <87ehbuti5u.fsf@deeperthought.bsdly.net> <20130625153719.GN1214@FreeBSD.org> In-Reply-To: <20130625153719.GN1214@FreeBSD.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jun 2013 12:13:18 -0000 On 
25-06-2013 17:37, Gleb Smirnoff wrote:

> Peter,
>
> On Sat, Jun 22, 2013 at 02:59:57PM +0200, Peter N. M. Hansteen wrote:
> P> > Ok. I wish PF on FreeBSD and OpenBSD were in sync.
> P>
> P> With the differences in release schedules (OpenBSD releases N.m+1
> P> every six months, while the FreeBSD cycles typically take longer) a
> P> total sync is unlikely, but it would save some of us a bit of
> P> maintenance work if FreeBSD finally made the jump to post-OpenBSD 4.7
> P> syntax and various 4.5 and onwards goodies like match, pflow and a few
> P> other.
>
> The number of people who run both OpenBSD and FreeBSD is significantly
> less than the number of people who just run FreeBSD and routinely upgrade
> it from version to version. I understand that having different syntax
> is a PITA for those who run both BSDs, sorry for that.

This is a PITA for _everyone_ who has ever tried googling some syntax or found a tutorial for pf online. Or read Peter Hansteen's excellent books. Or spoken to someone at a conference only to find out that his suggestion doesn't apply.

To think that the FreeBSD handbook alone can serve as documentation for the FreeBSD version of pf is just silly. A well-functioning community around something like pf produces lots and lots of documentation, best practices, examples of complicated setups, blogposts, etc. etc.

I see only two solutions to this: the preferred solution is to change FreeBSD pf to match OpenBSD pf ruleset syntax and features. This would mean that we would keep the OpenBSD and FreeBSD pf communities "in sync" and people could still use the same information regardless of OS.

The other solution is to rename pf in FreeBSD to something else, like fpf or whatever, to make it clear to everyone that they are not the same. This would mean that we (FreeBSD) would have to grow a new community around fpf. But it would make it possible to google examples and stuff again, without hitting irrelevant OpenBSD stuff.

Let me repeat to make it perfectly clear: The current situation with two very different firewalls with the same name only serves to confuse and frustrate users. If aligning syntax and functionality is too much work, or impossible for other reasons, a rename of "our" pf is the only right thing to do.

> But changing
> syntax in FreeBSD would be PITA for a vast majority of people. That's
> why many FreeBSD developers are against changing syntax.

I've seen this argument over and over again. We can't just stop progress because it would be inconvenient for people. At some point (and IMO that point is way in the past) we have to conclude that the advantages outweigh the disadvantages, and just do it.

Best regards,

Thomas Steen Rasmussen

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 27 18:03:12 2013 Return-Path: Delivered-To: freebsd-pf@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id D7E3CF63; Thu, 27 Jun 2013 18:03:12 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id B0BB51716; Thu, 27 Jun 2013 18:03:12 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r5RI3Cdd077046; Thu, 27 Jun 2013 18:03:12 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r5RI3CWL077045; Thu, 27 Jun 2013 18:03:12 GMT (envelope-from linimon) Date: Thu, 27 Jun 2013 18:03:12 GMT Message-Id: <201306271803.r5RI3CWL077045@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org From: linimon@FreeBSD.org Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and
general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jun 2013 18:03:12 -0000

Synopsis: [pf] [ip6] Incorrect TCP checksums in rdr return packets

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Jun 27 18:03:00 UTC 2013
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=179392