From owner-freebsd-pf@FreeBSD.ORG Mon Aug 26 11:06:49 2013
Date: Mon, 26 Aug 2013 11:06:48 GMT
Message-Id: <201308261106.r7QB6mq1066028@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/179392  pf    [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf    [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf    [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf    [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o kern/173659  pf    [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/87074   pf    [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf    [pf] pf does not use default timeouts when reloading c
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

55 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 26 16:23:48 2013
Message-ID: <201308261223420296.00BDCCA4@smtp.24cl.home>
Date: Mon, 26 Aug 2013 12:23:42 -0400
From: "Mike."
To: freebsd-pf@freebsd.org
Subject: formatting script for pfctl -v -s rules

I've written a quick script to format the output of pfctl -v -s rules
into a one-line-per-rule format. For me, this format is more useful.

The script and sample output are available here:

http://archive.mgm51.com/sources/pfstats.html

I use this script with FreeBSD 8.4 and 9.1.

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 27 11:25:28 2013
Date: Tue, 27 Aug 2013 13:25:15 +0200
From: Patrick Lamaiziere
To: "Mike."
Cc: freebsd-pf@freebsd.org
Subject: Re: formatting script for pfctl -v -s rules
Message-ID: <20130827132515.13aca0b4@mr129166>
In-Reply-To: <201308261223420296.00BDCCA4@smtp.24cl.home>
References: <201308261223420296.00BDCCA4@smtp.24cl.home>

On Mon, 26 Aug 2013 12:23:42 -0400, "Mike." wrote:

Hello,

> I've written a quick script to format the output of pfctl -v -s rules
> into a one-line-per-rule format. For me, this format is more useful.
>
> The script and sample output are available here:
>
> http://archive.mgm51.com/sources/pfstats.html
>
> I use this script with FreeBSD 8.4 and 9.1

Thanks, I think my colleagues will like this.

The script does not work on OpenBSD 5.3 because cut(1) does not handle the
'-' file. I think it is not needed at all:

    sed s/" *"/" "/g | \
    cut -d' ' -f3,5,7,11- | \

Regards,

From owner-freebsd-pf@FreeBSD.ORG Sat Aug 31 01:31:46 2013
Date: Fri, 30 Aug 2013 21:31:45 -0400
From: J David
To: freebsd-pf@freebsd.org
Subject: pf unconditionally disables TCP checksum offloading

Hello,

While testing 9.2, we discovered that merely having pf enabled (no rules of
any kind) was sufficient to completely, unconditionally disable hardware
checksum offloading.

If pf is disabled ("pfctl -d") then checksum offloading works fine. If pf
is merely enabled with no rules ("pfctl -e -F all"), checksum offloading no
longer works.

The culprit appears to be this code in pf_check_out:

    if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
            in_delayed_cksum(*m);
            (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
    }

CSUM_DELAY_DATA is defined as (CSUM_TCP | CSUM_UDP) in sys/mbuf.h, so this
effectively clears (*m)->m_pkthdr.csum_flags and never puts it back.

Is this behavior intentional?

Thanks!
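The flag handling J David quotes from pf_check_out, modelled in user space as an added example (this is not FreeBSD kernel code): a constructed IPv4/TCP SYN is marked for offload with CSUM_IP | CSUM_TCP, the simulated check-out path fills the TCP checksum in software the way in_delayed_cksum() would and then clears CSUM_DELAY_DATA, so the driver is never asked for TCP/UDP checksumming while CSUM_IP survives. The CSUM_* bit values, the fixed 20-byte IPv4 header and the sample addresses are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Flag roles follow sys/mbuf.h as quoted in the mail; these bit values are constructed. */
#define CSUM_IP         0x0001
#define CSUM_TCP        0x0002
#define CSUM_UDP        0x0004
#define CSUM_DELAY_DATA (CSUM_TCP | CSUM_UDP)

/* Stand-in for an mbuf: one flat IPv4+TCP buffer plus the pkthdr csum_flags word. */
struct pkt { uint8_t data[64]; size_t len; uint32_t csum_flags; };
/* RFC 1071 sum over TCP pseudo-header + segment (20-byte IPv4 header assumed).
 * Returns the checksum to store, or 0 when the stored checksum already verifies. */
static uint16_t tcp_cksum(const uint8_t *ip, size_t len) {
    uint32_t sum = 0;
    size_t tcp_len = len - 20;
    for (int i = 12; i < 20; i += 2) sum += (ip[i] << 8) | ip[i + 1]; /* src, dst */
    sum += 6 + tcp_len;                              /* protocol, TCP length */
    for (size_t i = 20; i + 1 < len; i += 2) sum += (ip[i] << 8) | ip[i + 1];
    if (tcp_len & 1) sum += ip[len - 1] << 8;        /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Software fill of the TCP checksum field: the job in_delayed_cksum() does. */
static void delayed_cksum(struct pkt *p) {
    p->data[36] = p->data[37] = 0;                   /* TCP checksum at offset 20+16 */
    uint16_t c = tcp_cksum(p->data, p->len);
    p->data[36] = c >> 8; p->data[37] = c & 0xff;
}

/* The pf_check_out fragment from the mail, on the flat buffer instead of an mbuf. */
void pf_check_out_sim(struct pkt *p) {
    if (p->csum_flags & CSUM_DELAY_DATA) {
        delayed_cksum(p);
        p->csum_flags &= ~CSUM_DELAY_DATA;           /* driver never sees the TCP/UDP request */
    }
}
int tcp_cksum_ok(const struct pkt *p) { return tcp_cksum(p->data, p->len) == 0; }

/* Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:22 SYN, both checksums left for hardware. */
struct pkt make_sample(void) {
    struct pkt p = { .len = 40, .csum_flags = CSUM_IP | CSUM_TCP };
    const uint8_t hdr[40] = {
        0x45,0,0,40, 0,0, 0x40,0, 64,6, 0,0, 10,0,0,1, 10,0,0,2,             /* IPv4 */
        0x04,0xd2, 0,22, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 }; /* TCP */
    memcpy(p.data, hdr, sizeof hdr);
    return p;
}
```

After pf_check_out_sim() the wire checksum is correct but csum_flags no longer carries CSUM_TCP, which is the symptom described in the mail: the NIC's offload engine is bypassed for every TCP and UDP packet as soon as pf is enabled.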
From owner-freebsd-pf@FreeBSD.ORG Sat Aug 31 19:49:54 2013
Date: Sat, 31 Aug 2013 20:49:51 +0100
From: Tim Bishop
To: freebsd-stable@FreeBSD.org, freebsd-pf@FreeBSD.org
Cc: bz@FreeBSD.org
Subject: Still a regression with jails/IPv6/pf?
Message-ID: <20130831194951.GC44979@carrick-users.bishnet.net>
X-PGP-Key: 0x6C226B37FDF38D55, http://www.bishnet.net/tim/tim-bishnet-net.asc

Hi all,

This is regarding kern/170070 and these two threads from last year:

http://lists.freebsd.org/pipermail/freebsd-stable/2012-July/068987.html
http://lists.freebsd.org/pipermail/freebsd-stable/2012-August/069043.html

I'm running stable/9 r255017 and I'm seeing the same issue, even with the
fix Bjoern committed in r238876.

My setup is a dual stack one (IPv6 is done through an IPv4 tunnel) and the
problem is only with IPv6. I have jails with both IPv4 and IPv6 addresses,
and I use pf to rdr certain ports to certain jails.

With IPv6 I'm seeing failed checksums on the packets coming back out of my
system, both with UDP and TCP. If I connect over IPv6 to the jail host it
works fine. If I connect over IPv6 to a jail directly (they have routable
addresses, but I prefer them to all be masked behind the single jail host
normally), it works fine. So the only failure case is when it goes through
a rdr rule in pf.

This system replaces a previous one running stable/8 which worked fine with
the same pf config file.

Has anyone got any suggestions on what I can do to fix this or to debug it
further?

Thanks,

Tim.

-- 
Tim Bishop
http://www.bishnet.net/tim/
PGP Key: 0x6C226B37FDF38D55