From owner-freebsd-pf@FreeBSD.ORG Sun Sep 22 03:03:06 2013
From: roshan david
To: freebsd-pf@freebsd.org
Date: Sun, 22 Sep 2013 08:33:04 +0530
Subject: Can we use ALTQ and PF to modify packets which acts as a bridge in my testing environment?

Right now I am using dummynet and ipfw as my traffic shaper, I want to know
whether ALTQ with PF can be used to modify packets, if yes what is the pf
ruleset to modify packet?

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 22 12:47:59 2013
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Sun, 22 Sep 2013 14:47:43 +0200
Subject: Re: Can we use ALTQ and PF to modify packets which acts as a bridge in my testing environment?
In-Reply-To: (roshan david's message of "Sun, 22 Sep 2013 08:33:04 +0530")
Message-ID: <8738oxoweo.fsf@deeperthought.bsdly.net>

roshan david writes:

> Right now I am using dummynet and ipfw as my traffic shaper, I want to know
> whether ALTQ with PF can be used to modify packets, if yes what is the pf
> ruleset to modify packet?

It's not clear to me what it is you're trying to achieve.

PF with ALTQ is certainly capable of traffic shaping. The FreeBSD
Handbook's PF part recently grew a bit, and it might even have
material or references to point you in the right direction -

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

and look for section "30.4.6 PF Rule Sets and Tools"

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 23 11:06:50 2013
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 23 Sep 2013 11:06:49 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201309231106.r8NB6nso069548@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf         [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

55 problems total.