From owner-freebsd-pf@freebsd.org Sun Oct 2 21:00:52 2016
Message-Id: <201610022100.u92L015h015571@kenobi.freebsd.org>
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 02 Oct 2016 21:00:51 +0000
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Sun Oct 2 21:07:34 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Sun, 02 Oct 2016 21:07:33 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: commit-hook@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #16 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Sun Oct 2 21:06:55 UTC 2016
New revision: 306593
URL: https://svnweb.freebsd.org/changeset/base/306593

Log:
  MFC r306289:

  bridge: Fix fragment handling and memory leak

  Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling
  feature (like pf'scrub) is enabled on the bridge. This patch fixes corrupted
  packet problem and the panic (triggered easily with low RAM) as explained in
  PR 185633.

  bridge_pfil and bridge_fragment relationship:

  bridge_pfil() receive (IN direction) packets and sent it to the firewall. The
  firewall can be configured for reassembling fragmented packet (like
  pf'scrubbing) in one mbuf chain. When bridge_pfil() need to send this
  reassembled packet to the outgoing interface, it needs to re-fragment it by
  using bridge_fragment(). bridge_fragment() had to split this mbuf (using
  ip_fragment) first then had to M_PREPEND each packet in the mbuf chain for
  adding Ethernet header.

  But M_PREPEND can sometime create a new mbuf on the beginning of the mbuf
  chain, then the "main" pointer of this mbuf chain should be updated and this
  case is totally forgotten. The original bridge_fragment code (Revision 158140,
  2006 April 29) came from OpenBSD, and the call to bridge_enqueue was embedded.
  But on FreeBSD, bridge_enqueue() is done after bridge_fragment(), then the
  original OpenBSD code can't work as-is on FreeBSD.

  PR: 185633
  Submitted by: Olivier Cochard-Labbé
Changes:
_U  stable/11/
  stable/11/sys/net/if_bridge.c

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Sun Oct 2 21:11:36 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Sun, 02 Oct 2016 21:11:36 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #17 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Sun Oct 2 21:11:25 UTC 2016
New revision: 306594
URL: https://svnweb.freebsd.org/changeset/base/306594

Log:
  MFC r306289:

  bridge: Fix fragment handling and memory leak

  Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling
  feature (like pf'scrub) is enabled on the bridge. This patch fixes corrupted
  packet problem and the panic (triggered easily with low RAM) as explained in
  PR 185633.

  bridge_pfil and bridge_fragment relationship:

  bridge_pfil() receive (IN direction) packets and sent it to the firewall. The
  firewall can be configured for reassembling fragmented packet (like
  pf'scrubbing) in one mbuf chain. When bridge_pfil() need to send this
  reassembled packet to the outgoing interface, it needs to re-fragment it by
  using bridge_fragment(). bridge_fragment() had to split this mbuf (using
  ip_fragment) first then had to M_PREPEND each packet in the mbuf chain for
  adding Ethernet header.

  But M_PREPEND can sometime create a new mbuf on the beginning of the mbuf
  chain, then the "main" pointer of this mbuf chain should be updated and this
  case is totally forgotten. The original bridge_fragment code (Revision 158140,
  2006 April 29) came from OpenBSD, and the call to bridge_enqueue was embedded.
  But on FreeBSD, bridge_enqueue() is done after bridge_fragment(), then the
  original OpenBSD code can't work as-is on FreeBSD.

  PR: 185633
  Submitted by: Olivier Cochard-Labbé
Changes:
_U  stable/10/
  stable/10/sys/net/if_bridge.c

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Mon Oct 3 06:09:08 2016
From: Christal Kleinhans
To: "freebsd-pf@freebsd.org"
Subject: Drive A New Car from R499 P/M
Date: Mon, 3 Oct 2016 06:06:56 +0000
Message-ID: <25B7CA4E35E6014495BDE6047F6C792A91DDDD@SV-EXMBS.supergrp.net>

Hi could you send me more info on the Tata I'm interested

Kind Regards

Christal Kleinhans | SG Convenience Western Cape, a Division of Super Group Trading (Pty) Ltd
Unit 1 Block A2, East Precinct, Montague Park Industrial, Topaz Boulevard, Milnerton, 7441
P O Box 37094, Chempet, 7442
Tel: +27 (21) 561 4008 | Fax to e-mail: 021 552 4752| Email: christal.kleinhans@sgconvenience.co.za

From owner-freebsd-pf@freebsd.org Thu Oct 6 04:57:59 2016
To: "freebsd-pf@freebsd.org"
From: "Eugene M. Zheganin"
Subject: dscp set/get
Message-ID: <57F5D9D2.1060103@norma.perm.ru>
Date: Thu, 6 Oct 2016 09:57:54 +0500

Hi.

pf still lacks the DSCP handling, will it be difficult/expensive to add
this ? AFAIK ipfw got this recently.

Eugene.

From owner-freebsd-pf@freebsd.org Thu Oct 6 08:10:15 2016
From: "Kristof Provost"
To: "Eugene M. Zheganin"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: dscp set/get
Date: Thu, 06 Oct 2016 10:10:12 +0200
Message-ID: <311888F1-3BD6-4C4E-818D-C4A9C00B55ED@FreeBSD.org>
In-Reply-To: <57F5D9D2.1060103@norma.perm.ru>
References: <57F5D9D2.1060103@norma.perm.ru>

On 6 Oct 2016, at 6:57, Eugene M. Zheganin wrote:
> pf still lacks the DSCP handling, will it be difficult/expensive to add
> this ? AFAIK ipfw got this recently.
>
pf has set-tos and tos keywords. What is it not letting you do?

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Thu Oct 6 08:31:00 2016
Subject: Re: dscp set/get
From: Franco Fichtner
In-Reply-To: <311888F1-3BD6-4C4E-818D-C4A9C00B55ED@FreeBSD.org>
Date: Thu, 6 Oct 2016 10:30:48 +0200
Cc: "Eugene M. Zheganin" , "freebsd-pf@freebsd.org"
References: <57F5D9D2.1060103@norma.perm.ru> <311888F1-3BD6-4C4E-818D-C4A9C00B55ED@FreeBSD.org>
To: Kristof Provost

Hi,

> On 06 Oct 2016, at 10:10 AM, Kristof Provost wrote:
>
> On 6 Oct 2016, at 6:57, Eugene M. Zheganin wrote:
>> pf still lacks the DSCP handling, will it be difficult/expensive to add
>> this ? AFAIK ipfw got this recently.
>>
> pf has set-tos and tos keywords. What is it not letting you do?

I think it works already with the plain hex/decimal values given,
though we're missing OpenBSD's parser support for special DSCP
options with its funky naming:

"This rule applies to packets with the specified TOS bits set. string
may be one of critical, inetcontrol, lowdelay, netcontrol, throughput,
reliability, or one of the DiffServ Code Points: ef, af11 ... af43,
cs0 ... cs7; number may be either a hex or decimal number."

http://man.openbsd.org/OpenBSD-current/man5/pf.conf.5

Looks like pfctl(8) is the only thing to "fix" here. I'll take a
look.

Cheers,
Franco

From owner-freebsd-pf@freebsd.org Thu Oct 6 09:03:47 2016
From: "Kristof Provost"
To: "Franco Fichtner"
Cc: "Eugene M. Zheganin" , "freebsd-pf@freebsd.org"
Subject: Re: dscp set/get
Date: Thu, 06 Oct 2016 11:03:45 +0200
References: <57F5D9D2.1060103@norma.perm.ru> <311888F1-3BD6-4C4E-818D-C4A9C00B55ED@FreeBSD.org>

On 6 Oct 2016, at 10:30, Franco Fichtner wrote:
>> On 06 Oct 2016, at 10:10 AM, Kristof Provost wrote:
>>
>> On 6 Oct 2016, at 6:57, Eugene M. Zheganin wrote:
>>> pf still lacks the DSCP handling, will it be difficult/expensive to add
>>> this ? AFAIK ipfw got this recently.
>>>
>> pf has set-tos and tos keywords. What is it not letting you do?
>
> I think it works already with the plain hex/decimal values given,
> though we're missing OpenBSD's parser support for special DSCP
> options with its funky naming:
>
> "This rule applies to packets with the specified TOS bits set. string
> may be one of critical, inetcontrol, lowdelay, netcontrol, throughput,
> reliability, or one of the DiffServ Code Points: ef, af11 ... af43,
> cs0 ... cs7; number may be either a hex or decimal number."
>
> http://man.openbsd.org/OpenBSD-current/man5/pf.conf.5
>
> Looks like pfctl(8) is the only thing to "fix" here. I'll take a
> look.
>
Oh, yes, if you want those constants that should be a straightforward
port of their changes to parse.y. I have no objections to including that.
It’s another (small) step in bringing our pf closer to openbsd pf.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Thu Oct 6 13:01:30 2016
Date: Thu, 06 Oct 2016 15:01:23 +0200
From: Mark Martinec
To: freebsd-pf@freebsd.org
Subject: Re: dscp set/get
Organization: Jozef Stefan Institute
References: <57F5D9D2.1060103@norma.perm.ru> <311888F1-3BD6-4C4E-818D-C4A9C00B55ED@FreeBSD.org>

Just adding recognition to a parser for a couple of DSCP constants
to be mapped to TOS is not the solution. Keep in mind that DSCP
is a 6-bit field, and TOS is an 8-bit field. The remaining two bits
are used for ECN (Explicit Congestion Notification).

Setting TOS field with the intention of changing DSCP
clobbers ECN bits. Pf needs a proper support for DSCP,
currently it is unusable for this purpose in FreeBSD
(one can use the PF from OpenBSD).

Mark

On 2016-10-06 11:03, Kristof Provost wrote:
> On 6 Oct 2016, at 10:30, Franco Fichtner wrote:
>>> On 06 Oct 2016, at 10:10 AM, Kristof Provost wrote:
>>>
>>> On 6 Oct 2016, at 6:57, Eugene M. Zheganin wrote:
>>>> pf still lacks the DSCP handling, will it be difficult/expensive to add
>>>> this ? AFAIK ipfw got this recently.
>>>>
>>> pf has set-tos and tos keywords. What is it not letting you do?
>>
>> I think it works already with the plain hex/decimal values given,
>> though we're missing OpenBSD's parser support for special DSCP
>> options with its funky naming:
>>
>> "This rule applies to packets with the specified TOS bits set. string
>> may be one of critical, inetcontrol, lowdelay, netcontrol, throughput,
>> reliability, or one of the DiffServ Code Points: ef, af11 ... af43,
>> cs0 ... cs7; number may be either a hex or decimal number."
>>
>> http://man.openbsd.org/OpenBSD-current/man5/pf.conf.5
>>
>> Looks like pfctl(8) is the only thing to "fix" here. I'll take a
>> look.
>>
> Oh, yes, if you want those constants that should be a straightforward
> port of their changes to parse.y. I have no objections to including that.
> It’s another (small) step in bringing our pf closer to openbsd pf.
>
> Regards,
> Kristof

From owner-freebsd-pf@freebsd.org Thu Oct 6 13:32:30 2016
From: "Kristof Provost"
To: "Mark Martinec"
Cc: freebsd-pf@freebsd.org
Subject: Re: dscp set/get
Date: Thu, 06 Oct 2016 15:32:27 +0200
References: <57F5D9D2.1060103@norma.perm.ru> <311888F1-3BD6-4C4E-818D-C4A9C00B55ED@FreeBSD.org>

On 6 Oct 2016, at 15:01, Mark Martinec wrote:
> Just adding recognition to a parser for a couple of DSCP constants
> to be mapped to TOS is not the solution. Keep in mind that DSCP
> is a 6-bit field, and TOS is an 8-bit field. The remaining two bits
> are used for ECN (Explicit Congestion Notification).
>
> Setting TOS field with the intention of changing DSCP
> clobbers ECN bits. Pf needs a proper support for DSCP,
> currently it is unusable for this purpose in FreeBSD
> (one can use the PF from OpenBSD).
>
Hmm, that’s a good point.

OpenBSD seem to just always preserve the ECN bits (so there’s no dscp keyword).
Perhaps we should do the same.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Thu Oct 6 13:37:45 2016
Subject: Re: dscp set/get
From: Franco Fichtner
Date: Thu, 6 Oct 2016 15:37:42 +0200
Cc: Mark Martinec , freebsd-pf@freebsd.org
References: <57F5D9D2.1060103@norma.perm.ru> <311888F1-3BD6-4C4E-818D-C4A9C00B55ED@FreeBSD.org>
To: Kristof Provost

> On 06 Oct 2016, at 3:32 PM, Kristof Provost wrote:
>
> On 6 Oct 2016, at 15:01, Mark Martinec wrote:
>> Just adding recognition to a parser for a couple of DSCP constants
>> to be mapped to TOS is not the solution. Keep in mind that DSCP
>> is a 6-bit field, and TOS is an 8-bit field. The remaining two bits
>> are used for ECN (Explicit Congestion Notification).
>>
>> Setting TOS field with the intention of changing DSCP
>> clobbers ECN bits. Pf needs a proper support for DSCP,
>> currently it is unusable for this purpose in FreeBSD
>> (one can use the PF from OpenBSD).
>>
>
> Hmm, that’s a good point.

That's two one-liners, one for set and one for match? Surprised
that this wasn't included already.

> OpenBSD seem to just always preserve the ECN bits (so there’s no dscp keyword).
> Perhaps we should do the same.

I have a full patch for review tonight.

Cheers,
Franco

From owner-freebsd-pf@freebsd.org Thu Oct 6 15:48:28 2016
Subject: Re: dscp set/get
From: Franco Fichtner
Date: Thu, 6 Oct 2016 17:48:25 +0200
Cc: Mark Martinec , freebsd-pf@freebsd.org
Message-Id: <8AF1911D-86B2-40F3-99F2-C10E29AF404C@lastsummer.de>
References: <57F5D9D2.1060103@norma.perm.ru> <311888F1-3BD6-4C4E-818D-C4A9C00B55ED@FreeBSD.org>
To: Kristof Provost

> On 06 Oct 2016, at 3:32 PM, Kristof Provost wrote:
>
> OpenBSD seem to just always preserve the ECN bits (so there’s no dscp keyword).
> Perhaps we should do the same.

The following will import the OpenBSD code regarding the subject.
I retained the old manual style that is in FreeBSD to make the
additions fit in better. Completely backwards-compatible, except
for the change in behaviour regarding to ignore ECN on set/match.

The ECN change is from 2012, so it's safe to assume it works. ;)

https://reviews.freebsd.org/D8165

Cheers,
Franco
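
The DSCP/ECN split discussed in this thread, as an added C example (not code from pf, pfctl or the D8165 review): it contrasts a whole-byte TOS rewrite with a DSCP-only rewrite and match that leave the two ECN bits alone, and maps the DiffServ names quoted from the OpenBSD manual to TOS byte values. All function names are hypothetical, the IPv4 header is a constructed sample, and treating a numeric argument as a whole TOS byte value is an assumption.

```c
/* Added example; every function name here is hypothetical, not pf's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DSCP_MASK 0xfcu /* upper six bits of the TOS byte: DSCP */
#define ECN_MASK  0x03u /* lower two bits of the TOS byte: ECN */

/* Whole-byte rewrite, the case the thread warns about: ECN is overwritten. */
uint8_t tos_set_clobber(uint8_t pkt_tos, uint8_t rule_tos)
{
    (void)pkt_tos;
    return rule_tos;
}

/* DSCP-only rewrite: DSCP comes from the rule, ECN stays as received. */
uint8_t tos_set_keep_ecn(uint8_t pkt_tos, uint8_t rule_tos)
{
    return (uint8_t)((rule_tos & DSCP_MASK) | (pkt_tos & ECN_MASK));
}

/* Match on DSCP only, so an ECN mark set in transit cannot defeat a rule. */
int tos_match_ignore_ecn(uint8_t pkt_tos, uint8_t rule_tos)
{
    return (pkt_tos & DSCP_MASK) == (rule_tos & DSCP_MASK);
}

/* Map ef, af11..af43, cs0..cs7 or a decimal/0x-hex number to a TOS byte
 * (DSCP << 2 for the names). Returns 0 on success, -1 on bad input. */
int dscp_name_to_tos(const char *s, uint8_t *tos)
{
    size_t n = strlen(s);
    unsigned long v;
    char *end;
    int dscp = -1;

    if (strcmp(s, "ef") == 0)
        dscp = 46;
    else if (n == 3 && s[0] == 'c' && s[1] == 's' && s[2] >= '0' && s[2] <= '7')
        dscp = 8 * (s[2] - '0');
    else if (n == 4 && s[0] == 'a' && s[1] == 'f' &&
        s[2] >= '1' && s[2] <= '4' && s[3] >= '1' && s[3] <= '3')
        dscp = 8 * (s[2] - '0') + 2 * (s[3] - '0');
    if (dscp >= 0) {
        *tos = (uint8_t)(dscp << 2);
        return 0;
    }
    if (s[0] < '0' || s[0] > '9')
        return -1;
    v = strtoul(s, &end, (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) ? 16 : 10);
    if (*end != '\0' || v > 0xff)
        return -1;
    *tos = (uint8_t)v;
    return 0;
}

/* RFC 791 header checksum; yields 0 over a header whose checksum is valid. */
uint16_t ip_cksum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((h[i] << 8) | h[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the DSCP of an IPv4 header in place and refresh its checksum. */
void ipv4_set_dscp(uint8_t *h, uint8_t rule_tos)
{
    uint16_t ck;

    h[1] = tos_set_keep_ecn(h[1], rule_tos);
    h[10] = h[11] = 0;
    ck = ip_cksum(h, (size_t)(h[0] & 0x0f) * 4);
    h[10] = (uint8_t)(ck >> 8);
    h[11] = (uint8_t)(ck & 0xff);
}

/* Constructed 20-byte IPv4/UDP header: TOS 0x02 = DSCP 0 with ECT(0). */
void sample_header(uint8_t h[20])
{
    static const uint8_t raw[20] = { 0x45, 0x02, 0x00, 0x54, 0x1c, 0x46,
        0x40, 0x00, 0x40, 0x11, 0, 0, 192, 0, 2, 1, 198, 51, 100, 2 };

    memcpy(h, raw, sizeof(raw));
    ipv4_set_dscp(h, h[1]); /* DSCP unchanged; only fills in the checksum */
}

int main(void)
{
    uint8_t h[20], ef = 0;

    sample_header(h);
    dscp_name_to_tos("ef", &ef);
    printf("whole-byte set: 0x%02x, DSCP-only set: 0x%02x\n",
        tos_set_clobber(h[1], ef), tos_set_keep_ecn(h[1], ef));
    ipv4_set_dscp(h, ef);
    printf("header TOS 0x%02x, checksum %s\n", h[1],
        ip_cksum(h, 20) == 0 ? "ok" : "bad");
    return 0;
}
```

A packet that arrived with ECT(0) set keeps that mark under the DSCP-only rewrite, while the whole-byte rewrite resets it to Not-ECT.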