From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220677] [patch] Add support for TCP ABE draft-khademi-tcpm-alternativebackoff-ecn
Date: Sun, 16 Jul 2017 10:42:16 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220677

Lawrence Stewart changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lstewart@FreeBSD.org

--- Comment #2 from Lawrence Stewart ---
Please open a code review for this work at reviews.freebsd.org with "transport" and "lstewart" listed as reviewers.
--
You are receiving this mail because:
You are the assignee for the bug.

To: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
From: Grzegorz Junka
Subject: A web server behind two gateways?
Date: Sun, 16 Jul 2017 12:48:13 +0000

Hello,

I have a jail running a web server in LAN. There are two routers/WANs that can connect LAN to the internet. I enabled NAT and port forwarding to the web server on both routers.

The problem is that the web server responds to requests only from one router at a time depending on the default gateway set on the jail's host. If the default gateway is set as router 1 then the web page can be opened only through WAN1 and vice versa.

Can I configure either router/host/jail so that the web server sends the response back to the IP that sent the request packet rather than to the default gateway?

And a bonus question, how can I configure two jails so that each jail sends packets to a different gateway (which may or may not be the same as the jails' host's default gateway)?
Thanks
Grzegorz
From: bugzilla-noreply@FreeBSD.org
To: freebsd-net@FreeBSD.org
Subject: Problem reports for freebsd-net@FreeBSD.org that need special attention
Date: Sun, 16 Jul 2017 21:01:01 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      | Bug Id | Description
------------+--------+---------------------------------------------------
In Progress | 165622 | [ndis][panic][patch] Unregistered use of FPU in k
In Progress | 206581 | bxe_ioctl_nvram handler is faulty
New         | 204438 | setsockopt() handling of kern.ipc.maxsockbuf limi
New         | 205592 | TCP processing in IPSec causes kernel panic
New         | 206053 | kqueue support code of netmap causes panic
New         | 213410 | [carp] service netif restart causes hang only whe
New         | 215874 | [patch] [icmp] [mbuf_tags] teach icmp_error() opt
New         | 217748 | sys/dev/ixgbe/if_ix.c: PVS-Studio: Assignment to
New         | 220076 | [patch] [panic] [netgraph] repeatable kernel pani
Open        | 173444 | socket: IPV6_USE_MIN_MTU and TCP is broken
Open        | 193452 | Dell PowerEdge 210 II -- Kernel panic bce (broadc
Open        | 194485 | Userland cannot add IPv6 prefix routes
Open        | 194515 | Fatal Trap 12 Kernel with vimage
Open        | 199136 | [if_tap] Added down_on_close sysctl variable to t
Open        | 202510 | [CARP] advertisements sourced from CARP IP cause
Open        | 206544 | sendmsg(2) (sendto(2) too?) can fail with EINVAL;
Open        | 211962 | bxe driver queue soft hangs and flooding tx_soft_

17 problems total for which you should take action.
Subject: Re: A web server behind two gateways?
To: Grzegorz Junka, freebsd-net@freebsd.org, freebsd-jail@freebsd.org
From: Eugene Grosbein
Date: Mon, 17 Jul 2017 18:33:39 +0700

On 16.07.2017 19:48, Grzegorz Junka wrote:
> Hello,
>
> I have a jail running a web server in LAN. There are two routers/WANs
> that can connect LAN to the internet. I enabled NAT and port forwarding
> to the web server on both routers.
>
> The problem is that the web server responds to requests only from one
> router at a time depending on the default gateway set on the jail's
> host. If the default gateway is set as router 1 then the web page can be
> opened only through WAN1 and vice versa.
>
> Can I configure either router/host/jail so that the web server sends the
> response back to the IP that sent the request packet rather than to the
> default gateway?

This is the job of the external NAT box to route translated replies to the right WAN based on the external source IP address produced during translation of the reply. The jail or internal NAT have nothing to do with the problem.

So, the solution depends on the kind of NAT you use.
> And a bonus question, how can I configure two jails so that each jail
> sends packets to a different gateway (which may or may not be the same
> as the jails' host's default gateway)?

Read "man jail" for the "vnet" feature.
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Mon, 17 Jul 2017 11:46:35 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

--- Comment #118 from Eugene Grosbein ---
(In reply to Konstantin Belousov from comment #63)

I see you already MFC'd the "cancel-safe" patches to stable/11. Do you have any plans to MFC them to stable/10, so the upcoming 10.4-RELEASE is fixed too?
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Mon, 17 Jul 2017 12:23:21 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

--- Comment #119 from Konstantin Belousov ---
(In reply to Eugene Grosbein from comment #118)

I already mentioned that the r320472 change only matters for the rare case of user-IO streams, created e.g. by funopen(3). As such, I do not think that this change matters for mpd5.

I do not want to merge this stuff to stable/10 at the late stage of the branch lifecycle.
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Mon, 17 Jul 2017 12:36:46 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

--- Comment #120 from Eugene Grosbein ---
(In reply to Konstantin Belousov from comment #119)

Well, comment #83 refers to some problem in "fseeko" that seems to be fixed by your "stdio cancel-safe" patch among other things, as this patch eliminated the hangs for Cassiano Peixoto. It's sad that 10.4 will still be unfixed.
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Mon, 17 Jul 2017 13:03:33 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

--- Comment #121 from Konstantin Belousov ---
(In reply to Eugene Grosbein from comment #120)

The comment about fseeko was that the function calls a user method when the operating stream is from funopen(3).
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Mon, 17 Jul 2017 13:11:57 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

--- Comment #122 from Eugene Grosbein ---
(In reply to Konstantin Belousov from comment #121)

mpd5 uses libpdel, which uses funopen() extensively. For example, it uses funopen() while loading HTTP headers from a stream (mpd5 web console feature).
From: Alan Somers
Date: Mon, 17 Jul 2017 10:46:45 -0600
Subject: Re: A web server behind two gateways?
To: Eugene Grosbein
Cc: Grzegorz Junka, FreeBSD Net, freebsd-jail@freebsd.org

On Mon, Jul 17, 2017 at 5:33 AM, Eugene Grosbein wrote:
> On 16.07.2017 19:48, Grzegorz Junka wrote:
>> Hello,
>>
>> I have a jail running a web server in LAN. There are two routers/WANs
>> that can connect LAN to the internet. I enabled NAT and port forwarding
>> to the web server on both routers.
>>
>> The problem is that the web server responds to requests only from one
>> router at a time depending on the default gateway set on the jail's
>> host. If the default gateway is set as router 1 then the web page can be
>> opened only through WAN1 and vice versa.
>>
>> Can I configure either router/host/jail so that the web server sends the
>> response back to the IP that sent the request packet rather than to the
>> default gateway?
>
> This is the job of the external NAT box to route translated replies to the right WAN
> based on the external source IP address produced during translation of the reply.
> The jail or internal NAT have nothing to do with the problem.
>
> So, the solution depends on the kind of NAT you use.

That's not 100% true. The web server is choosing which gateway to use. As Grzegorz said, it's only configured to use a single gateway at a time. To do what Grzegorz wants, he'll need to use multiple fibs. Set "net.fibs=2" and "net.add_addr_allfibs=0" in /boot/loader.conf and reboot. You'll be able to configure a separate gateway for each fib. The hard part, though, is configuring your web server to use multiple fibs. I don't know if any common web server has that kind of support built in. But your next guess was good.

>> And a bonus question, how can I configure two jails so that each jail
>> sends packets to a different gateway (which may or may not be the same
>> as the jails' host's default gateway)?
>
> Read "man jail" for the "vnet" feature.

This is definitely the path of least resistance. Basically, you'll assign each jail to a separate fib, so you'll still need the loader.conf settings I mentioned. Unfortunately, VNET/VIMAGE isn't in the standard kernel. If you're unable to run a custom kernel on this machine, you can still create two jails on separate fibs. The biggest downside compared to VNET/VIMAGE is that they'll share a single DNS resolver. Here's how to do it:

* Make the loader.conf settings I mentioned earlier.
* Create a separate static IP address for each jail, and associate each with a separate fib. Your rc.conf should contain something like this:

      ifconfig_igb1_alias0="inet 10.1.2.76/20 fib 0"
      ifconfig_igb1_alias1="inet 10.1.18.76/20 fib 1"

* Add the default routes in /etc/rc.local like this:

      /sbin/route add default 10.1.0.1 -fib 0
      /sbin/route add default 10.1.16.1 -fib 1

* Assign one address to one jail and the other address to the other jail.
* Ensure that in each jail, the web server starts with the correct fib. For example, if you're using apache24, I think you can put "apache24_fib=1" in /etc/rc.conf. Other web servers may require something different, depending on how their RC scripts are written.

Happy hacking!
-Alan
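The per-FIB setup Alan lays out above, as an added example that is not code from the thread: a POSIX sh script that takes one (fib, address/prefix, gateway) row per jail, checks that each gateway is on-link for its alias (the usual reason one FIB ends up without a default route), and renders the loader.conf, rc.conf and rc.local fragments. The igb1 interface and the addresses are the ones from Alan's message; the table layout, function names and the off-link row used in the usage are constructed here, and the jail-side "apache24_fib" setting is not generated.

```shell
#!/bin/sh
# Added example (not from the thread). Renders the host-side multi-FIB
# configuration from a small table and rejects a gateway that is not inside
# its alias's subnet, since "route add default GW -fib N" fails for such a GW.

# Constructed table: "FIB ADDRESS/PREFIXLEN GATEWAY", one row per jail.
FIB_TABLE='0 10.1.2.76/20 10.1.0.1
1 10.1.18.76/20 10.1.16.1'

# ip4_to_int 10.1.2.76 -> 167838284 (pure sh arithmetic, no inet tools needed)
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR GATEWAY PREFIXLEN -> true when both fall in the same /PREFIXLEN
same_subnet() {
    a=$(ip4_to_int "$1"); g=$(ip4_to_int "$2")
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( g & mask )) ]
}

# check_fib_table TABLE -> prints the number of FIBs needed (highest FIB + 1)
# and returns 0, or reports the offending row on stderr and returns 1.
check_fib_table() {
    max_fib=-1
    while read -r fib cidr gw; do
        [ -n "$fib" ] || continue
        addr=${cidr%/*}; plen=${cidr#*/}
        if ! same_subnet "$addr" "$gw" "$plen"; then
            echo "gateway $gw is not on-link for $cidr (fib $fib)" >&2
            return 1
        fi
        if [ "$fib" -gt "$max_fib" ]; then max_fib=$fib; fi
    done <<EOF
$1
EOF
    echo $(( max_fib + 1 ))
}

# render_fib_config TABLE IFACE -> prints the three config fragments Alan
# describes; fails without output if check_fib_table rejects the table.
render_fib_config() {
    table=$1; iface=$2
    nfibs=$(check_fib_table "$table") || return 1
    echo "# /boot/loader.conf"
    echo "net.fibs=$nfibs"
    echo "net.add_addr_allfibs=0"
    echo
    echo "# /etc/rc.conf (one alias per jail, each bound to its own FIB)"
    i=0
    while read -r fib cidr gw; do
        [ -n "$fib" ] || continue
        echo "ifconfig_${iface}_alias${i}=\"inet $cidr fib $fib\""
        i=$(( i + 1 ))
    done <<EOF
$table
EOF
    echo
    echo "# /etc/rc.local (per-FIB default routes)"
    while read -r fib cidr gw; do
        [ -n "$fib" ] || continue
        echo "/sbin/route add default $gw -fib $fib"
    done <<EOF
$table
EOF
}

# Usage: the thread's table renders; a constructed row whose gateway 10.2.0.1
# lies outside 10.1.16.0/20 is rejected before anything is emitted.
render_fib_config "$FIB_TABLE" igb1
check_fib_table '1 10.1.18.76/20 10.2.0.1' || echo "rejected as expected"
```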
From: Sami Halabi
Date: Mon, 17 Jul 2017 19:56:35 +0300
Subject: Re: A web server behind two gateways?
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org, Grzegorz Junka, freebsd-jail@freebsd.org

Hi,
The simple solution I can think of is:

1. Launch the 1st jail with apache/nginx and the DB (mysql?); be sure to use a mysql address accessible via jail2 (maybe epair). This jail will use the default route, let's say wan1.
2. Launch the 2nd jail with vnet, default route wan2, mount the same data directories as jail1, and apache/nginx; since the IP of the DB is the internal IP between the jails it'll connect to the 1st DB.

This way you have 2 jails that share the same data dir but service users via different WANs behind NAT.

Hope the idea helps.
Sami

On 17 July 2017 02:34 PM, "Eugene Grosbein" wrote:
> On 16.07.2017 19:48, Grzegorz Junka wrote:
> > Hello,
> >
> > I have a jail running a web server in LAN. There are two routers/WANs
> > that can connect LAN to the internet. I enabled NAT and port forwarding
> > to the web server on both routers.
> >
> > The problem is that the web server responds to requests only from one
> > router at a time depending on the default gateway set on the jail's
> > host. If the default gateway is set as router 1 then the web page can be
> > opened only through WAN1 and vice versa.
> >
> > Can I configure either router/host/jail so that the web server sends the
> > response back to the IP that sent the request packet rather than to the
> > default gateway?
>
> This is the job of the external NAT box to route translated replies to the right WAN
> based on the external source IP address produced during translation of the
> reply.
> The jail or internal NAT have nothing to do with the problem.
>
> So, the solution depends on the kind of NAT you use.
>
> > And a bonus question, how can I configure two jails so that each jail
> > sends packets to a different gateway (which may or may not be the same
> > as the jails' host's default gateway)?
>
> Read "man jail" for "vnet" feature.

From owner-freebsd-net@freebsd.org Mon Jul 17 17:20:13 2017
Subject: Re: A web server behind two gateways?
To: Alan Somers
Cc: FreeBSD Net, freebsd-jail@freebsd.org, Grzegorz Junka
From: Eugene Grosbein
Message-ID: <596CF1BA.8050104@grosbein.net>
Date: Tue, 18 Jul 2017 00:19:54 +0700

17.07.2017 23:46, Alan Somers wrote:
>> So, the solution depends on the kind of NAT you use.
>
> That's not 100% true. The web server is choosing which gateway to
> use. As Grzegorz said, it's only configured to use a single gateway
> at a time. To do what Grzegorz wants, he'll need to use multiple
> fibs. Set "net.fibs=2" and "net.add_addr_allfibs=0" in
> /boot/loader.conf and reboot.

This will work for a server directly connected to both external gateways
but won't work for a server behind two NAT boxes.
Eugene Grosbein

From owner-freebsd-net@freebsd.org Mon Jul 17 17:26:40 2017
Date: Mon, 17 Jul 2017 19:26:42 +0200
From: Kurt Jaeger
To: Grzegorz Junka
Cc: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: A web server behind two gateways?
Message-ID: <20170717172642.GF39925@home.opsec.eu>

Hi!

> I have a jail running a web server in LAN. There are two routers/WANs
> that can connect LAN to the internet. I enabled NAT and port forwarding
> to the web server on both routers.
[...]
> Can I configure either router/host/jail so that the web server sends the
> response back to the IP that sent the request packet rather than to the
> default gateway?

I have a vague idea:

If you set a tag (or a keep-state :flowname) using an ipfw rule that matches
the incoming gateway MAC, and match that tag/check-state flowname and
the connection (keep-state) to fwd the answer packet back to that gateway?

-- 
pi@opsec.eu         +49 171 3101372                         3 years to go !
From owner-freebsd-net@freebsd.org Mon Jul 17 17:34:01 2017
Subject: Re: A web server behind two gateways?
To: Kurt Jaeger, Grzegorz Junka
Cc: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
From: Eugene Grosbein
Message-ID: <596CF4FB.9070306@grosbein.net>
Date: Tue, 18 Jul 2017 00:33:47 +0700
In-Reply-To: <20170717172642.GF39925@home.opsec.eu>

18.07.2017 0:26, Kurt Jaeger wrote:
> I have a vague idea:
>
> If you set a tag (or a keep-state :flowname) using an ipfw rule that matches
> the incoming gateway MAC and match that tag/check-state flowname and
> the connection (keep-state) to fwd the answer packet back to that gateway?

In fact, the NAT engine already keeps state track of packet flows
and uses that to correctly translate answers back to the public IP address.

All you need is to forward translated outgoing answers to the correct channel
based on the translated external source IP address (read: do policy based forwarding).
From owner-freebsd-net@freebsd.org Mon Jul 17 17:48:09 2017
In-Reply-To: <596CF1BA.8050104@grosbein.net>
From: Alan Somers
Date: Mon, 17 Jul 2017 11:48:07 -0600
Subject: Re: A web server behind two gateways?
To: Eugene Grosbein
Cc: FreeBSD Net, freebsd-jail@freebsd.org, Grzegorz Junka

On Mon, Jul 17, 2017 at 11:19 AM, Eugene Grosbein wrote:
> 17.07.2017 23:46, Alan Somers wrote:
>
>>> So, the solution depends on the kind of NAT you use.
>>
>> That's not 100% true. The web server is choosing which gateway to
>> use. As Grzegorz said, it's only configured to use a single gateway
>> at a time. To do what Grzegorz wants, he'll need to use multiple
>> fibs. Set "net.fibs=2" and "net.add_addr_allfibs=0" in
>> /boot/loader.conf and reboot.
>
> This will work for a server directly connected to both external
> gateways but won't work for a server behind two NAT boxes.
>
> Eugene Grosbein

I think what you meant to say is "this will work for a server directly
connected to two external gateways (whether or not NAT is involved),
but won't work if the server is not on the same subnet as the
gateways". That's true. But judging by the OP, I think they're all
on the same subnet.
-Alan

From owner-freebsd-net@freebsd.org Mon Jul 17 18:19:02 2017
Date: Mon, 17 Jul 2017 20:37:34 +0300
In-Reply-To: <596CF4FB.9070306@grosbein.net>
Subject: Re: A web server behind two gateways?
To: freebsd-net@freebsd.org
From: brahmann

Hi, you can use (if it's one server with two uplinks) ipfw prob 0.5, two separate
flows for two fibs, with some two-flow fib script.
I did that once and it worked like a charm.

Wbr,
brahmann

On 17 July 2017 20:33:47 GMT+03:00, Eugene Grosbein wrote:
>18.07.2017 0:26, Kurt Jaeger wrote:
>
>> I have a vague idea:
>>
>> If you set a tag (or a keep-state :flowname) using an ipfw rule that
>matches
>> the incoming gateway MAC and match that tag/check-state flowname and
>> the connection (keep-state) to fwd the answer packet back to that
>gateway?
>
>In fact, the NAT engine already keeps state track of packet flows
>and uses that to correctly translate answers back to the public IP address.
>
>All you need is to forward translated outgoing answers to the correct
>channel
>based on the translated external source IP address (read: do policy based
>forwarding).
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From owner-freebsd-net@freebsd.org Mon Jul 17 18:19:19 2017
Subject: Re: A web server behind two gateways?
To: Alan Somers
Cc: FreeBSD Net, freebsd-jail@freebsd.org, Grzegorz Junka
From: Eugene Grosbein
Message-ID: <596CFF94.2090506@grosbein.net>
Date: Tue, 18 Jul 2017 01:19:00 +0700

18.07.2017 0:48, Alan Somers wrote:
> I think what you meant to say is "this will work for a server directly
> connected to two external gateways (whether or not NAT is involved),
> but won't work if the server is not on the same subnet as the
> gateways". That's true. But judging by the OP, I think they're all
> on the same subnet.

Yes. Anyway, as long as there is NAT involved, one already has a stateful engine,
and the simplest and universal solution for this situation is PBR after NAT for outgoing packets.

It works no matter whether the gateways are directly connected or not
and does not require multiple routing tables nor complex FIB or VNET configurations:

# remove "default" NAT rule
ipfw delete 50

# translate incoming traffic and create NAT states
ipfw add 40 nat 123 ip from any to any in recv $iface1
ipfw add 50 nat 124 ip from any to any in recv $iface2

# insert normal filtering here
...
# translate outgoing replies using existing NAT states
ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
ipfw add 50030 nat global ip from $LAN to any out xmit $iface2

# translate new outgoing connections not having a state yet
ipfw add 50040 nat 123 ip from any to any out xmit $iface1
ipfw add 50050 nat 124 ip from any to any out xmit $iface2

# perform Policy Based Routing for packets going to "wrong" route
ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2

# that's all, folks!

This works no matter where the default route points to ($gateway1 or $gateway2).
All you need is a working default route and net.inet.ip.fw.one_pass=0.

This can be extended to any number of external channels/interfaces
and optimized with ipfw tables, but for two channels I prefer to write it this way
for readability. I use this for many installations and it just works.

From owner-freebsd-net@freebsd.org Mon Jul 17 18:22:14 2017
Subject: Re: A web server behind two gateways?
To: Alan Somers
Cc: FreeBSD Net, freebsd-jail@freebsd.org, Grzegorz Junka
From: Eugene Grosbein
Message-ID: <596D0048.7040100@grosbein.net>
Date: Tue, 18 Jul 2017 01:22:00 +0700
In-Reply-To: <596CFF94.2090506@grosbein.net>

18.07.2017 1:19, Eugene Grosbein wrote:
> 18.07.2017 0:48, Alan Somers wrote:
>
>> I think what you meant to say is "this will work for a server directly
>> connected to two external gateways (whether or not NAT is involved),
>> but won't work if the server is not on the same subnet as the
>> gateways". That's true. But judging by the OP, I think they're all
>> on the same subnet.
>
> Yes. Anyway, as long as there is NAT involved, one already has a stateful engine,
> and the simplest and universal solution for this situation is PBR after NAT for outgoing packets.
>
> It works no matter whether the gateways are directly connected or not
> and does not require multiple routing tables nor complex FIB or VNET configurations:
>
> # remove "default" NAT rule
> ipfw delete 50
>
> # translate incoming traffic and create NAT states
> ipfw add 40 nat 123 ip from any to any in recv $iface1
> ipfw add 50 nat 124 ip from any to any in recv $iface2
>
> # insert normal filtering here
> ...
> # translate outgoing replies using existing NAT states
> ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
> ipfw add 50030 nat global ip from $LAN to any out xmit $iface2
>
> # translate new outgoing connections not having a state yet
> ipfw add 50040 nat 123 ip from any to any out xmit $iface1
> ipfw add 50050 nat 124 ip from any to any out xmit $iface2

bugfix:

ipfw add 50040 nat 123 ip from $LAN to any out xmit $iface1
ipfw add 50050 nat 124 ip from $LAN to any out xmit $iface2

> # perform Policy Based Routing for packets going to "wrong" route
> ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
> ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2
>
> # that's all, folks!
>
> This works no matter where the default route points to ($gateway1 or $gateway2).
> All you need is a working default route and net.inet.ip.fw.one_pass=0.
>
> This can be extended to any number of external channels/interfaces
> and optimized with ipfw tables, but for two channels I prefer to write it this way
> for readability. I use this for many installations and it just works.
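Eugene's two-uplink ruleset, with the bugfix from his follow-up folded in, generalised to any number of uplinks as he says it can be. This is an added example, not code from the thread: it assumes one ipfw nat instance per uplink (configured here with "nat N config if"), picks its own rule numbers, and the LAN prefix and uplink addresses at the bottom are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): print the "NAT first, then policy-based
# forwarding" ipfw ruleset for N uplinks.  The rules are printed for review
# rather than executed; pipe the output to sh on the NAT box to apply them.
# Assumptions: one nat instance per uplink, numbered 101, 102, ...; rule
# numbers chosen here (Eugene's post used different ones); uplinks are given
# as "iface:extip:gateway".

# gen_pbr_rules LAN iface:extip:gateway [iface:extip:gateway ...]
gen_pbr_rules() {
    lan=$1; shift

    # Translated packets must keep traversing the ruleset to reach the fwd rules.
    echo "sysctl net.inet.ip.fw.one_pass=0"

    # One NAT instance per uplink, bound to that interface's address (assumed setup).
    i=0
    for up in "$@"; do
        i=$((i + 1)); iface=${up%%:*}
        echo "ipfw nat $((100 + i)) config if $iface"
    done

    # 1. Incoming traffic: translate it and create NAT state on the uplink it
    #    arrived on, so the reply will later map back to that uplink's address.
    i=0
    for up in "$@"; do
        i=$((i + 1)); iface=${up%%:*}
        echo "ipfw add $((40 + 10 * (i - 1))) nat $((100 + i)) ip from any to any in recv $iface"
    done
    echo "# insert normal filtering here"

    # 2. Replies: "nat global" finds the existing state in whichever instance
    #    owns it, whatever interface the default route is sending the reply out of.
    i=0
    for up in "$@"; do
        i=$((i + 1)); iface=${up%%:*}
        echo "ipfw add $((51000 + 10 * (i - 1))) nat global ip from $lan to any out xmit $iface"
    done

    # 3. New outbound connections with no state yet: translate on the egress
    #    uplink.  Matching only $lan sources is the bugfix from the thread; a
    #    reply already translated to another uplink's address must not be
    #    translated a second time before the fwd rules see it.
    i=0
    for up in "$@"; do
        i=$((i + 1)); iface=${up%%:*}
        echo "ipfw add $((52000 + 10 * (i - 1))) nat $((100 + i)) ip from $lan to any out xmit $iface"
    done

    # 4. PBR after NAT: a packet carrying uplink i's external source address
    #    but leaving on some other uplink is handed to gateway i instead.
    k=0
    for up in "$@"; do
        iface=${up%%:*}; rest=${up#*:}; extip=${rest%%:*}; gw=${rest#*:}
        for other in "$@"; do
            oiface=${other%%:*}
            if [ "$oiface" = "$iface" ]; then continue; fi
            echo "ipfw add $((53000 + 10 * k)) fwd $gw ip from $extip to any out xmit $oiface"
            k=$((k + 1))
        done
    done
}

# Constructed sample: a LAN behind two uplinks using documentation-range addresses.
gen_pbr_rules 192.168.1.0/24 em0:203.0.113.10:203.0.113.1 em1:198.51.100.10:198.51.100.1
```

With three or more uplinks the fwd stage emits one rule per (uplink, other interface) pair, which is where Eugene's remark about switching to ipfw tables for readability applies.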
From owner-freebsd-net@freebsd.org Tue Jul 18 03:50:36 2017
Subject: Re: A web server behind two gateways?
To: freebsd-net@freebsd.org, "freebsd-jail@freebsd.org"
From: Grzegorz Junka
Date: Tue, 18 Jul 2017 03:50:18 +0000
In-Reply-To: <596D0048.7040100@grosbein.net>

On 17/07/2017 18:22, Eugene Grosbein wrote:
> 18.07.2017 1:19, Eugene Grosbein wrote:
>> 18.07.2017 0:48, Alan Somers wrote:
>>

Not answering any particular email in this thread: many thanks for your help.
That's plenty of ideas to try, so it may take some time!

Just one more question, since VNET was mentioned. Is it production ready now?
I remember there used to be problems with memory leaks. And why isn't it in the
kernel yet? Any plans for that?
Grzegorz J

From owner-freebsd-net@freebsd.org Tue Jul 18 15:13:21 2017
From: "Pieper, Jeffrey E"
To: James Jernigan, "freebsd-net@freebsd.org"
Subject: Re: ixv driver 12.0 crash in AWS
Date: Tue, 18 Jul 2017 15:13:11 +0000
Message-ID: <866BAEAE-D699-4DB0-AC13-4C024BF3E1E9@intel.com>

Hi James,

Thanks for reporting this. If you don't mind, please file a bug here:
https://bugs.freebsd.org/bugzilla/enter_bug.cgi so this doesn't fall off our radar.
We're pretty sure we know what is happening and how to fix it. Basically, the
Linux PF driver that AWS is using doesn't support mailbox API version 1.2. The
latest released Linux PF driver does, but we can't control what driver AWS uses.
To work around this, we need to add a failover to ixv so it can fall back to 1.1.

Thanks.
Jeff

On 7/12/17, 9:11 PM, "owner-freebsd-net@freebsd.org on behalf of James Jernigan" <owner-freebsd-net@freebsd.org on behalf of jwjerni@g.clemson.edu> wrote:

    Hey freebsd net,

    I have created a few instances in AWS using the latest AMI for the CURRENT
    branch:
    FreeBSD 12.0-CURRENT-amd64-2017-07-11 (ami-847b7992)

    A couple of these have started up just fine, but the rest of the instances
    are inaccessible due to the network driver crashing on startup and
    rendering the machines inaccessible by SSH. I have one working instance,
    but even creating more based off of that configuration are failing to start
    networking properly. Restarting the instances does not fix the problem. I
    have pulled the following logs from the AWS web console for two m4.10xlarge
    instances with the same configuration and AMI.

    Working instance:

    > ixv0: <Intel(R) PRO/10GbE Virtual Function Network Driver, Version -
    > 1.5.13-k> mem 0xf3000000-0xf3003fff,0xf3004000-0xf3007fff at device 3.0 on
    > pci0
    > ixv0: Using MSI-X interrupts with 2 vectors
    > ixv0: Ethernet address: 0a:2f:e8:85:2f:38
    > ixv0: netmap queues/slots: TX 1/1024, RX 1/1024

    Malfunctioning instance:

    > ixv0: <Intel(R) PRO/10GbE Virtual Function Network Driver, Version -
    > 1.5.13-k> mem 0xf3000000-0xf3003fff,0xf3004000-0xf3007fff at device 3.0 on
    > pci0
    > ixv0: MBX API 1.2 negotiation failed! Error -32

    The error appears to be coming from sys/dev/ixgbe/if_ixv.c in the source.
    Does this appear to be an AWS specific issue or a more widespread one? Let
    me know if I can provide any
    further information.

    Thanks,
    James

From owner-freebsd-net@freebsd.org Tue Jul 18 17:43:43 2017
bh=RT1uoWlvNS1zK3xycGTAxzj6KWF4x9qGfkfQ10XTIvc=; b=kcPmLbVB81Tk4AdPRNZLqsL7NlptZuUvd6bggaDTmYEEbOLHc5dRDJ30exKu/2INcb O8d9hTZ8H/dBRyu/OkOY55+tsEA70RE3n61Q403N7Vyeo40XOYg//NQ+vuBzr7tZcWje 9e7S0z+OIpEKy5r4G+76G8YqhATKggu/TB2BknqX/Cpj57sZsunavB83GkJjUDG6pemh ERowLATSNojquJkAV4pYDEHoLt6dJg3IZmzjNkFvJxthWqzEXAOGCAGqx2HVJ1sMjgEA 58oATLEr/J6iYYC7zpBWEpeJFqgob3PD5tdtY9XNs5PPdPoz2vrJAY8yWec8DcmLFdWW ycEw== X-Gm-Message-State: AIVw113jVD0SYZOh37bt/gM7PctyMxzHFqM8qo5L0WlEFigkH3t3H0tT jlSFtlwPLW9E9MM7MJDFs5kw6V0s/fVu X-Received: by 10.80.173.198 with SMTP id b6mr2851253edd.81.1500399818405; Tue, 18 Jul 2017 10:43:38 -0700 (PDT) MIME-Version: 1.0 Received: by 10.80.186.125 with HTTP; Tue, 18 Jul 2017 10:43:37 -0700 (PDT) In-Reply-To: References: <20170705110512.GA28058@alchemy.franken.de> <20170711200510.GB60651@alchemy.franken.de> 
From: Luiz Otavio O Souza
Date: Tue, 18 Jul 2017 14:43:37 -0300
Subject: Re: NULL pointer dereference bug triggered by netmap
To: Vincenzo Maffione, Marius Strobl, hps@freebsd.org, ae@freebsd.org
Cc: FreeBSD Net, "Eggert, Lars"

On 12 July 2017 at 02:19, Vincenzo Maffione wrote:
> Yes.
>
> Actually, we would also need one between the following two options:
> 1) Implementing a dummy if_start() for if_loop.c
> 2) Prevent netmap from using if_loop.

Hi,

Please, check the attached patches.

Luiz

>
> 2017-07-11 22:05 GMT+02:00 Marius Strobl:
>
>> On Thu, Jul 06, 2017 at 02:19:42PM -0700, Vincenzo Maffione wrote:
>> > Sure, can anyone commit this?
>>
>> The addition of KASSERTs like the below one to if_handoff() and
>> if_start()? Sure.
>>
>> Marius
>>
>> >
>> > On 5 Jul 2017 4:05 AM, "Marius Strobl" wrote:
>> >
>> > > On Mon, Jul 03, 2017 at 05:08:09PM +0200, Vincenzo Maffione wrote:
>> > > > Details here:
>> > > >
>> > > > https://github.com/luigirizzo/netmap/issues/322
>> > > >
>> > > > Is it acceptable to commit the proposed patch?
>> > >
>> > > As suggested by hselasky@, the outlier problem at hand is better solved
>> > > by a dummy if_start method in order to not hurt the fast-path. Thus, if
>> > > anything at all, a KASSERT(ifp->if_start != NULL, "no if_start method")
>> > > should be added to if_handoff() and if_start().
[Attachment: if_loop.diff]
[Attachment: netmap_generic.diff]
From: KVK Singh
Date: Tue, 18 Jul 2017 23:28:27 +0530
Subject: TCP Zero Window Advertisement.
To: freebsd-net@freebsd.org

Hi,

By going through the Zero Window Advertisement concept, what I found is that if the sender has transmitted packets 2,3,4,5,6,7, i.e. packets 2-7, a total of 6 packets in flight, then if by chance the sender receives a Zero Window Advertisement (ZWA) for segment 4, it does not enter probe mode / persist state. However, if it receives a ZWA for 7, i.e. the last packet in flight, then it enters probe mode / persist state and starts probing for a window update.

Is this behavior correct? Because, going through the paper and the RFC, I find that any segment can be ACKed with a ZWA and the sender will enter persist mode once it receives the ZWA.

Please resolve my query.

Thanks and regards.
From: hiren panchasara
Date: Tue, 18 Jul 2017 11:54:11 -0700
Subject: Re: TCP Zero Window Advertisement.
To: KVK Singh
Cc: freebsd-net@freebsd.org

On 07/18/17 at 11:28P, KVK Singh wrote:
> Hi,
>
> By going through the Zero Window advertisement concept What I found is that
> if sender has transmitted packet 2,3,4,5,6,7 i.e packet from 2-7 total 6
> packets in flight then By chance if sender received a Zero Window
> Advertisement (ZWA) for segment 4 then it does not enters in probe
> mode/ persistent
> state. However if it receive ZWA for 7 i.e last packet in flight then it
> enters in Probe mode/ persistent state and it starts probing for window
> update.

Can you please cite/explain how you got to this conclusion? Did you find
FreeBSD or any other implementation doing this?

>
> Is that the behavior is correct Because as going through the paper and RFC
> I find that any segment can be acked with ZWA and sender will enter in
> persist mode once it receive the ZWA.

I thought this is how it's supposed to work. I may be mis-remembering.
Cheers,
Hiren
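The timer interaction behind the question above, as a constructed userspace model added here (it is not kernel code and not part of anyone's post) of the rule stated in the comment block in FreeBSD's sys/netinet/tcp_output.c: the sender moves to persist state only when data is queued, the window is too small, and neither the retransmit nor the persist timer is pending. The scenario (100-byte segments 2..7 in flight, three more queued, timers reduced to booleans) is an assumption chosen to match the question.

```c
/*
 * Constructed model (not FreeBSD kernel code) of the three output-side
 * states documented in sys/netinet/tcp_output.c:
 *   idle             not doing retransmits or persists
 *   persisting       to move a small or zero window
 *   (re)transmitting and thereby not persisting
 * Rule modelled: go to persist state only when there is data to send,
 * the window is zero, and neither the retransmit (REXMT) nor the
 * persist timer is pending. Timers are plain booleans here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SEG 100u  /* segment size used by the constructed scenario */

struct sender {
    uint32_t snd_una;      /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;      /* next sequence number to send */
    uint32_t snd_wnd;      /* window last advertised by the peer */
    uint32_t unsent;       /* bytes queued but not yet sent */
    bool rexmt_pending;    /* REXMT timer armed: data is in flight */
    bool persist_pending;  /* persist timer armed: probing a zero window */
};

/* Simplified tcp_output(): send what the window allows, then decide
 * whether the persist timer should be started. */
static void model_tcp_output(struct sender *s)
{
    uint32_t inflight = s->snd_nxt - s->snd_una;

    while (s->unsent > 0 && inflight + SEG <= s->snd_wnd) {
        s->snd_nxt += SEG;
        s->unsent -= SEG;
        inflight += SEG;
        s->rexmt_pending = true;  /* new data in flight arms REXMT */
    }
    /* Persist only when nothing else is pending: a running REXMT
     * timer (unacked data still in flight) suppresses it. */
    if (s->unsent > 0 && s->snd_wnd == 0 &&
        !s->rexmt_pending && !s->persist_pending)
        s->persist_pending = true;
}

/* Simplified tcp_input() for a pure ACK carrying an advertised window. */
static void model_tcp_input_ack(struct sender *s, uint32_t ack, uint32_t wnd)
{
    if (ack > s->snd_una)
        s->snd_una = ack;
    s->snd_wnd = wnd;
    if (s->snd_una == s->snd_nxt)
        s->rexmt_pending = false;      /* everything acked: stop REXMT */
    else if (!s->persist_pending)
        s->rexmt_pending = true;       /* data still outstanding */
    model_tcp_output(s);
}

/* Scenario from the question: segments 2..7 are in flight, three more
 * are queued, and a zero-window ACK covering everything up to and
 * including segment acked_seg arrives.
 * Returns true if the sender ends up in persist state. */
bool zwa_enters_persist(unsigned acked_seg)
{
    struct sender s = {
        .snd_una = 2 * SEG, .snd_nxt = 8 * SEG, .snd_wnd = 6 * SEG,
        .unsent = 3 * SEG, .rexmt_pending = true, .persist_pending = false,
    };
    /* ACK number = first sequence number not yet acknowledged. */
    model_tcp_input_ack(&s, (acked_seg + 1) * SEG, 0);
    return s.persist_pending;
}

/* A ZWA for a middle segment leaves REXMT running; once a later ACK
 * (still with a zero window) covers all in-flight data, REXMT stops and
 * the sender moves to persist on that ACK. */
bool zwa_then_full_ack_enters_persist(void)
{
    struct sender s = {
        .snd_una = 2 * SEG, .snd_nxt = 8 * SEG, .snd_wnd = 6 * SEG,
        .unsent = 3 * SEG, .rexmt_pending = true, .persist_pending = false,
    };
    model_tcp_input_ack(&s, 5 * SEG, 0);  /* ZWA for segment 4 */
    model_tcp_input_ack(&s, 8 * SEG, 0);  /* ZWA for segment 7 */
    return s.persist_pending;
}

int main(void)
{
    printf("ZWA acking segment 4 -> persist: %s\n",
           zwa_enters_persist(4) ? "yes" : "no");
    printf("ZWA acking segment 7 -> persist: %s\n",
           zwa_enters_persist(7) ? "yes" : "no");
    return 0;
}
```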
From: Vincenzo Maffione
Date: Tue, 18 Jul 2017 18:04:24 -0700
Subject: Re: NULL pointer dereference bug triggered by netmap
To: Luiz Otavio O Souza
Cc: Marius Strobl, hps@freebsd.org, ae@freebsd.org, FreeBSD Net, "Eggert, Lars"

Hi,

Looks good to me, although I'm not sure whether if_transmit should assert(mbuf == NULL). Couldn't we just drop the mbuf if we receive it?

Thanks,
Vincenzo

2017-07-18 10:43 GMT-07:00 Luiz Otavio O Souza:
> On 12 July 2017 at 02:19, Vincenzo Maffione wrote:
> > Yes.
> >
> > Actually, we would also need one between the following two options:
> > 1) Implementing a dummy if_start() for if_loop.c
> > 2) Prevent netmap from using if_loop.
>
> Hi,
>
> Please, check the attached patches.
>
> Luiz
>
> >
> > 2017-07-11 22:05 GMT+02:00 Marius Strobl:
> >
> >> On Thu, Jul 06, 2017 at 02:19:42PM -0700, Vincenzo Maffione wrote:
> >> > Sure, can anyone commit this?
> >>
> >> The addition of KASSERTs like the below one to if_handoff() and
> >> if_start()? Sure.
> >>
> >> Marius
> >>
> >> >
> >> > On 5 Jul 2017 4:05 AM, "Marius Strobl" wrote:
> >> >
> >> > > On Mon, Jul 03, 2017 at 05:08:09PM +0200, Vincenzo Maffione wrote:
> >> > > > Details here:
> >> > > >
> >> > > > https://github.com/luigirizzo/netmap/issues/322
> >> > > >
> >> > > > Is it acceptable to commit the proposed patch?
> >> > >
> >> > > As suggested by hselasky@, the outlier problem at hand is better
> >> solved
> >> > > by a dummy if_start method in order to not hurt the fast-path.
> Thus, if
> >> > > anything at all, a KASSERT(ifp->if_start != NULL, "no if_start
> method")
> >> > > should be added to if_handoff() and if_start().
>

--
Vincenzo Maffione
From: Kuankuan Yang
Date: Wed, 19 Jul 2017 12:24:44 +0800
Subject: May I ask where could I find the TCP BBR patches?
To: freebsd-net@freebsd.org
Cc: rss@freebsd.org

Dear All,

I'm a newbie to FreeBSD development. May I ask a stupid question: where could I find the TCP BBR patches? :P

From the FreeBSD Transport DevSummit page, I learned that Randall Stewart is the main contributor for the TCP BBR task, and found that the code changes may be ready to get in.

> Michael asks about how well we can pull the pacer out of the Rack/BBR code and use it generally. rrs@ thinks that is already done. rrs@ says there are 3 steps to getting this in,
> - Get in the Black Box
> - Get in the Pacer which no one uses until Rack/BBR is in.
> - Place Rack and BBR into the tree.

I have searched for the keyword "BBR" on https://reviews.freebsd.org, but I only got a few related documents and haven't found the source code change for TCP BBR:

- D11086 ("Enable the ability to load multiple versions of the same TCP stack") document.
- D11085 ("TCP Blackbox Recorder") document

I'm planning to transplant the BBR congestion control algorithm to the FreeBSD SCTP network protocol in our project, so it would be really great if I could find a BBR code base on FreeBSD.
Any help would be greatly appreciated :-D

Thanks a lot,
- Kuankuan
From: "Muenz, Michael"
Date: Wed, 19 Jul 2017 09:53:51 +0200
Subject: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org

Hi,

seems this is a rather old topic, but I want to check if there's perhaps some progress or a chance to get this done.
I'm using OPNsense, based on FreeBSD 11, and there's a problem with NAT before IPSEC.

Some old discussions:
https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
http://undeadly.org/cgi?action=article&sid=20090127205841
https://github.com/opnsense/core/issues/440

What I want to achieve is:

IPSEC between 10.26.1.0/24 and 10.24.66.0/24 (works).
The peer at Site-B cannot be changed anymore, but there's a second subnet (10.26.2.0/24) on Site-A:

10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0

If 10.26.2.0 wants to reach 10.24.66.0, I'd have to NAT the packets to an IP for 10.24.1.0 before it hits the VPN.

My approach was:

kldload ipfw_nat.ko
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24

So all packets from 10.26.2. to 10.24.66 will be NATted to IP 10.26.1.1 (LAN IP of Firewall-A).

This works just fine and I see the replies on enc0:

09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8
09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8

Sadly nothing else happens.
My thought was it's just some kind of state tracking, so I played around with all kinds of sysctl values, but nothing helps.

Is there really no way to achieve a setup like this?

Thanks,
Michael
From: "Babak Farrokhi"
Date: Wed, 19 Jul 2017 12:50:13 +0430
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: "Muenz, Michael"
Cc: freebsd-net@freebsd.org

Hi,

Could this be incidentally related to this PR? [1]

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220217

On 19 Jul 2017, at 12:23, Muenz, Michael wrote:
> Hi,
>
> seems this is a rather old topic but I want to check if there's perhaps some progress or chance to get this done.
> I'm using OPNsense based on FreeBSD11 and there's a problem with NAT before IPSEC.
>
> Some old discussions:
> https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
> http://undeadly.org/cgi?action=article&sid=20090127205841
> https://github.com/opnsense/core/issues/440
>
> What I want to achieve is:
>
> IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works
> Peer at Site-B cannot be changed anymore, but there's a second subnet (10.26.2.0/24) on Site-A:
>
> 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0
>
> If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an IP for 10.24.1.0 before it hits VPN.
>
> My approach was:
>
> kldload ipfw_nat.ko
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
>
> So all packets from 10.26.2. to 10.24.66 will be NATted to IP 10.26.1.1 (LAN IP Firewall-A).
>
> This works just fine and I see the replies in enc0:
> 09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8
> 09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8
>
> Sadly nothing else happens. My thought was it's just some kind of state-tracking so I played around with all kinds of sysctl values, but nothing helps.
>
> Is there really no way to achieve a setup like this?
>
> Thanks,
> Michael
From: "Andrey V. Elsukov"
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Wed, 19 Jul 2017 11:32:17 +0300
In-Reply-To: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>

On 19.07.2017 10:53, Muenz, Michael wrote:
> Hi,
>
> seems this is a rather old topic but I want to check if there's perhaps
> some progress or chance to get this done.
> I'm using OPNsense based on FreeBSD11 and there's a problem with NAT
> before IPSEC.
>
> Some old discussions:
> https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
> http://undeadly.org/cgi?action=article&sid=20090127205841
> https://github.com/opnsense/core/issues/440
>
> What I want to achieve is:
>
> IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works)
> Peer at Site-B cannot be changed anymore, but there's a second subnet
> (10.26.2.0/24) on Site-A:
>
> 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B
> -- 10.24.66.0
>
> If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an
> IP for 10.24.1.0 before it hits VPN.
>
> My approach was:
>
> kldload ipfw_nat.ko
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24

What about a reverse NAT rule? You need to translate decrypted packets back
to 10.26.2.0, otherwise they will still have the 10.26.1.1 IP address as
final destination and will not be forwarded to 10.26.2.0.

-- 
WBR, Andrey V. Elsukov

From: "Muenz, Michael"
To: freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Wed, 19 Jul 2017 11:24:50 +0200
Message-ID: <741d8649-c8b8-7b78-1ddb-aa7d8e3aac1d@spam-fetish.org>
In-Reply-To: <3FF6D693-8D3A-44C8-8085-03E1734739D2@FreeBSD.org>

On 19.07.2017 at 10:20, Babak Farrokhi wrote:
> Hi,
>
> Could this be incidentally related to this PR? [1]
>
> [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220217
>

Hi,

I'll check with the devs of OPNsense, they'll build a test kernel.

Thanks!
Michael

From: "Muenz, Michael"
To: freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Wed, 19 Jul 2017 11:27:23 +0200
Message-ID: <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org>

On 19.07.2017 at 10:32, Andrey V. Elsukov wrote:
>
> What about a reverse NAT rule? You need to translate decrypted packets
> back to 10.26.2.0, otherwise they will still have the 10.26.1.1 IP address
> as final destination and will not be forwarded to 10.26.2.0.
>

Hi Andrey,

I'm not really familiar with ipfw syntax, I'm more the Linux guy and
there the state would be tracked.
How should I build the rules to do the reverse NAT? I'm googling for 2
days now but I only found port redirects for this.

Thanks for taking the time!
Michael

From: "Andrey V. Elsukov"
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Wed, 19 Jul 2017 13:12:41 +0300
Message-ID: <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru>
In-Reply-To: <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org>

On 19.07.2017 12:27, Muenz, Michael wrote:
> On 19.07.2017 at 10:32, Andrey V. Elsukov wrote:
>>
>> What about a reverse NAT rule? You need to translate decrypted packets
>> back to 10.26.2.0, otherwise they will still have the 10.26.1.1 IP address
>> as final destination and will not be forwarded to 10.26.2.0.
>>
>
> Hi Andrey,
>
> I'm not really familiar with ipfw syntax, I'm more the Linux guy and
> there the state would be tracked.
> How should I build the rules to do the reverse NAT? I'm googling for 2
> days now but I only found port redirects for this.

Try to add the following rule:

ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

This rule will pass a decrypted packet to the NAT instance, which will
check in the state table whether the packet should be translated back or not.

You need to have the enc0 interface in UP state, and the sysctl variable
net.enc.in.ipsec_filter_mask should be set to 1 or 2.

After translation on enc0 the packet will be returned to the IPsec
subsystem, which will queue it for further processing in the netisr.
Since the destination address becomes foreign, it will be forwarded by the IP stack.

-- 
WBR, Andrey V. Elsukov

Subject: Re: A web server behind two gateways?
To: freebsd-net@freebsd.org
From: Julian Elischer
Message-ID: <6beb3422-abab-8760-2048-5bca4de597f4@freebsd.org>
Date: Wed, 19 Jul 2017 19:09:02 +0800

On 18/7/17 11:50 am, Grzegorz Junka wrote:
>
> On 17/07/2017 18:22, Eugene Grosbein wrote:
>> 18.07.2017 1:19, Eugene Grosbein wrote:
>>> 18.07.2017 0:48, Alan Somers wrote:
>>>
>>>
>
> Not answering any particular email in this thread, many thanks for
> your help. That's plenty of ideas to try so may take some time!
>
> Just one more question, since VNET was mentioned. Is it production
> ready now? I remember there used to be problems with memory leaks.
> And why isn't it in the kernel, yet? Any plans for that?

Vnet is in production use in quite a lot of places. Because it is a
very complicated concept to implement, there are sometimes corner cases
that produce issues, but most people never hit them. Especially in a
machine that has a single purpose.

>
> Grzegorz J
>

Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org
From: "Muenz, Michael"
Message-ID: <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org>
Date: Wed, 19 Jul 2017 14:02:38 +0200
In-Reply-To: <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru>

On 19.07.2017 at 12:12, Andrey V. Elsukov wrote:
>
> Try to add the following rule:
>
> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> This rule will pass a decrypted packet to the NAT instance, which will
> check in the state table whether the packet should be translated back or not.
>
> You need to have the enc0 interface in UP state, and the sysctl variable
> net.enc.in.ipsec_filter_mask should be set to 1 or 2.
>
> After translation on enc0 the packet will be returned to the IPsec
> subsystem, which will queue it for further processing in the netisr.
> Since the destination address becomes foreign, it will be forwarded by the IP stack.
>

Hi,

I tried this but still no luck. Packets get seen by ipfw -ta list:

00179 139 3892 Wed Jul 19 14:00:21 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 143 4228 Wed Jul 19 14:00:21 2017 nat 2 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
65535 5891 1716730 Wed Jul 19 14:00:21 2017 allow ip from any to any

But there's nothing on the internal IF. Also played around with
filter_mask and also one_pass.
Also tried (as you see above) with a second nat instance where reverse
is disabled.

Do you have any other clue?

Really appreciate your help, thanks!
Michael

Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: "Muenz, Michael", freebsd-net@freebsd.org
From: "Andrey V. Elsukov"
Message-ID: <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru>
Date: Wed, 19 Jul 2017 15:22:27 +0300
In-Reply-To: <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org>

On 19.07.2017 15:02, Muenz, Michael wrote:
> On 19.07.2017 at 12:12, Andrey V. Elsukov wrote:
>>
>> Try to add the following rule:
>>
>> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>>
>> This rule will pass a decrypted packet to the NAT instance, which will
>> check in the state table whether the packet should be translated back or not.
>>
>> You need to have the enc0 interface in UP state, and the sysctl variable
>> net.enc.in.ipsec_filter_mask should be set to 1 or 2.
>>
>> After translation on enc0 the packet will be returned to the IPsec
>> subsystem, which will queue it for further processing in the netisr.
>> Since the destination address becomes foreign, it will be forwarded by the IP
>> stack.
>>
>
> Hi,
>
> I tried this but still no luck. Packets get seen by ipfw -ta list:
>
> 00179 139 3892 Wed Jul 19 14:00:21 2017 nat 1 log ip from
> 10.26.2.0/24 to 10.24.66.0/24
> 00179 143 4228 Wed Jul 19 14:00:21 2017 nat 2 log ip from
> 10.24.66.0/24 to 10.26.1.1 in recv enc0
> 65535 5891 1716730 Wed Jul 19 14:00:21 2017 allow ip from any to any
>
> But there's nothing on the internal IF. Also played around with
> filter_mask and also one_pass.
> Also tried (as you see above) with a second nat instance where reverse
> is disabled.
>
> Do you have any other clue?
>
> Really appreciate your help, thanks!

Different NAT instances will not work for the same flow, because they
have different state tables. Packets in both directions should pass
through the same NAT instance.

What do you see in tcpdump on the enc0 interface?

-- 
WBR, Andrey V. Elsukov

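The three conditions Andrey has given in this thread (one NAT instance serving both directions, enc0 in UP state, net.enc.in.ipsec_filter_mask set to 1 or 2) can be checked against captured command output before the ruleset is changed again. The following POSIX sh script is an added example, not code from the thread, from FreeBSD or from OPNsense. It takes the text of "ipfw -ta list", "sysctl -n net.enc.in.ipsec_filter_mask" and "ifconfig enc0" as string arguments so it runs offline; the sample inputs at the bottom are constructed from the listing Michael posted (two instances, nat 1 and nat 2) and from a corrected listing with both rules on nat 1, and the ifconfig and sysctl values are assumed sample output.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity check of an ipfw
# NAT-before-IPsec setup against the three conditions given in the thread:
#   1. forward and reverse NAT rules use the same NAT instance (one state table)
#   2. enc0 is UP
#   3. net.enc.in.ipsec_filter_mask is 1 or 2
# Inputs are the text of "ipfw -ta list", "sysctl -n net.enc.in.ipsec_filter_mask"
# and "ifconfig enc0", passed as strings so nothing here needs root or a
# FreeBSD box. Sample inputs below are constructed from the thread's output.

# Rules of the form "nat N ... in recv enc0" are the reverse path (decrypted
# packets); any other "nat N" rule is the forward path. Return 0 when every
# instance used on one path is also used on the other, 1 otherwise (also 1
# when no nat rule is present at all).
nat_instances_consistent() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "nat" && $(i + 1) ~ /^[0-9]+$/) {
                    seen++
                    if ($0 ~ / in recv enc0/) rev[$(i + 1)] = 1
                    else fwd[$(i + 1)] = 1
                    break
                }
            }
        }
        END {
            bad = (seen == 0)
            for (n in rev) if (!(n in fwd)) bad = 1
            for (n in fwd) if (!(n in rev)) bad = 1
            exit bad
        }'
}

# enc0 must be administratively UP or the firewall never sees decrypted packets.
enc0_is_up() {
    printf '%s\n' "$1" | grep -q '^enc0: flags=[0-9a-fx]*<[^>]*UP'
}

# Mask 1 or 2 hands inbound IPsec packets to the firewall on enc0; 0 skips it.
filter_mask_ok() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all three checks ($1 = ipfw listing, $2 = sysctl value, $3 = ifconfig
# output), print one line per check, return 0 only if all pass.
check_nat_before_ipsec() {
    rc=0
    if nat_instances_consistent "$1"; then echo "ok   one NAT instance serves both directions"
    else echo "FAIL forward and reverse rules use different NAT instances"; rc=1; fi
    if enc0_is_up "$3"; then echo "ok   enc0 is UP"
    else echo "FAIL enc0 is not UP"; rc=1; fi
    if filter_mask_ok "$2"; then echo "ok   net.enc.in.ipsec_filter_mask=$2"
    else echo "FAIL net.enc.in.ipsec_filter_mask=$2 (want 1 or 2)"; rc=1; fi
    return $rc
}

# Constructed samples. BAD_LIST mirrors the two-instance listing posted in the
# thread; GOOD_LIST puts both rules on nat 1 as recommended.
BAD_LIST='00179 4 112 Wed Jul 19 14:40:34 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 4 112 Wed Jul 19 14:40:34 2017 nat 2 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
65535 5891 1716730 Wed Jul 19 14:40:34 2017 allow ip from any to any'
GOOD_LIST='00179 4 112 Wed Jul 19 14:40:34 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 4 112 Wed Jul 19 14:40:34 2017 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
65535 5891 1716730 Wed Jul 19 14:40:34 2017 allow ip from any to any'
ENC0_UP='enc0: flags=41<UP,RUNNING> metric 0 mtu 1536'
ENC0_DOWN='enc0: flags=0<> metric 0 mtu 1536'

echo "== listing from the thread (nat 1 / nat 2), enc0 up, mask 1"
check_nat_before_ipsec "$BAD_LIST" 1 "$ENC0_UP" || true
echo "== corrected listing (nat 1 both ways), enc0 up, mask 1"
check_nat_before_ipsec "$GOOD_LIST" 1 "$ENC0_UP" || true
```

On a live box the same functions can be fed real output, for example check_nat_before_ipsec "$(ipfw -ta list)" "$(sysctl -n net.enc.in.ipsec_filter_mask)" "$(ifconfig enc0)". The instance check only compares instance numbers, so it flags the nat 1 / nat 2 split that Andrey points out but says nothing about whether the rule bodies themselves are right.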
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org
From: "Muenz, Michael"
Message-ID: <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org>
Date: Wed, 19 Jul 2017 14:46:03 +0200
In-Reply-To: <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru>

On 19.07.2017 at 14:22, Andrey V. Elsukov wrote:
>
> Different NAT instances will not work for the same flow, because they
> have different state tables. Packets in both directions should pass
> through the same NAT instance.
>
> What do you see in tcpdump on the enc0 interface?
>

Ok, also tried with one nat instance, same result:

ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

LAN Interface:

14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
14:40:34.441635 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 768, length 8

enc0 interface:

14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
14:40:34.441683 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 768, length 8
14:40:34.449786 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 768, length 8

ipfw -ta list:

00179 4 112 Wed Jul 19 14:40:34 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 4 112 Wed Jul 19 14:40:34 2017 nat 2 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0

Thanks,
Michael

Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org
From: "Muenz, Michael" Message-ID: <6001d6b1-575e-d37a-61ef-ba84472b04e7@spam-fetish.org> Date: Wed, 19 Jul 2017 14:49:46 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2017 12:49:33 -0000 Am 19.07.2017 um 14:46 schrieb Muenz, Michael: > > > > ipfw -ta list > 00179 4 112 Wed Jul 19 14:40:34 2017 nat 1 log ip from > 10.26.2.0/24 to 10.24.66.0/24 > 00179 4 112 Wed Jul 19 14:40:34 2017 nat 2 log ip from > 10.24.66.0/24 to 10.26.1.1 in recv enc0 Sorry, old paste with 2 instaces. root@PB-FW1-FRA:~ # ipfw -ta list 00179 211 5908 Wed Jul 19 14:48:43 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24 00179 22 616 Wed Jul 19 14:45:38 2017 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0 65535 10617 3717450 Wed Jul 19 14:48:43 2017 allow ip from any to any From owner-freebsd-net@freebsd.org Wed Jul 19 13:38:34 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E93D9C7D962 for ; Wed, 19 Jul 2017 13:38:34 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from forward3h.cmail.yandex.net (forward3h.cmail.yandex.net [87.250.230.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Yandex CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 79EA27FA31 for ; Wed, 19 Jul 2017 13:38:33 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from smtp1j.mail.yandex.net (smtp1j.mail.yandex.net 
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: "Muenz, Michael", freebsd-net@freebsd.org
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org>
From: "Andrey V. Elsukov"
Message-ID: <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru>
Date: Wed, 19 Jul 2017 16:35:45 +0300
In-Reply-To: <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org>

On 19.07.2017 15:46, Muenz, Michael wrote:
> On 19.07.2017 at 14:22, Andrey V. Elsukov wrote:
>>
>> Different NAT instances will not work for the same flow, because they
>> have different state tables. Packets in both directions should pass
>> through the same NAT instance.
>>
>> What do you see in tcpdump on the enc0 interface?
>>
> Ok, also tried with one nat instance, same result:
>
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> LAN Interface:
> 14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
> 14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
> 14:40:34.441635 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 768, length 8
>
> enc0 interface:
> 14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
> 14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
> 14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
> 14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
> 14:40:34.441683 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 768, length 8
> 14:40:34.449786 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 768, length 8

Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
You should see the reply two times; the second one should be with the translated address.

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-net@freebsd.org Wed Jul 19 14:02:57 2017
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru>
From: "Muenz, Michael"
Date: Wed, 19 Jul 2017 16:03:09 +0200
In-Reply-To: <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru>

On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
> You should see the reply two times, the second one should be with
> translated address.
>

Correct:

16:01:02.222400 (authentic,confidential): SPI 0xd544e311: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64725, seq 0, length 8
16:01:02.230544 (authentic,confidential): SPI 0xc5769504: IP 81.24.1.1 > 213.244.2.2: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64725, seq 0, length 8 (ipip-proto-4)
16:01:02.230553 (authentic,confidential): SPI 0xc5769504: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64725, seq 0, length 8
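The captures quoted in this thread can be checked mechanically. The Python below is an added example, not code from the list posts: it parses tcpdump's plain and enc0 line formats (including the nested IPIP form that net.enc.in.ipsec_bpf_mask=3 produces), matches each LAN echo request to its NATed copy on enc0 by destination, seq and timestamp, because NAT rewrites both the source address and the ICMP id, and flags replies that came back on enc0 but never reappeared on the LAN side. The capture text is quoted from the posts above; all function and field names are my own.

```python
"""Correlate the LAN and enc0 tcpdump captures quoted in the NAT-before-IPsec thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Capture lines as quoted in the thread above (LAN side and enc0 side).
LAN_CAPTURE = """\
14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
14:40:34.441635 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 768, length 8
"""
ENC0_CAPTURE = """\
14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
14:40:34.441683 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 768, length 8
14:40:34.449786 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 768, length 8
"""
# enc0 with net.enc.in.ipsec_bpf_mask=3: the reply is seen twice, first still
# inside its IPIP tunnel header, then decapsulated (both still to the NAT address).
MASK3_CAPTURE = """\
16:01:02.222400 (authentic,confidential): SPI 0xd544e311: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64725, seq 0, length 8
16:01:02.230544 (authentic,confidential): SPI 0xc5769504: IP 81.24.1.1 > 213.244.2.2: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64725, seq 0, length 8 (ipip-proto-4)
16:01:02.230553 (authentic,confidential): SPI 0xc5769504: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64725, seq 0, length 8
"""

# Timestamp, optional enc(4) "(authentic,confidential): SPI 0x...:" prefix, then the rest.
TS_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
                   r"(?:\(authentic,confidential\):\s+SPI\s+0x(?P<spi>[0-9a-fA-F]+):\s+)?(?P<rest>.*)$")
IP_RE = re.compile(r"IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+")
ICMP_RE = re.compile(r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

@dataclass(frozen=True)
class Pkt:
    ts: float                          # seconds since midnight
    spi: Optional[str]                 # None on a plain (non-enc0) interface
    outer: Optional[Tuple[str, str]]   # tunnel (src, dst) while still encapsulated
    src: str
    dst: str
    kind: str                          # "request" or "reply"
    icmp_id: int
    seq: int

def ts_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_line(line: str) -> Optional[Pkt]:
    """Parse one tcpdump line; None for anything that is not an ICMP echo."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rest, hdrs = m.group("rest"), []
    while True:  # peel nested "IP a > b:" headers; the innermost is the real packet
        h = IP_RE.match(rest)
        if not h:
            break
        hdrs.append((h.group("src"), h.group("dst")))
        rest = rest[h.end():]
    icmp = ICMP_RE.match(rest)
    if not hdrs or not icmp:
        return None
    outer = hdrs[0] if len(hdrs) > 1 else None
    return Pkt(ts_seconds(m.group("ts")), m.group("spi"), outer, *hdrs[-1],
               icmp.group("kind"), int(icmp.group("id")), int(icmp.group("seq")))

def parse_capture(text: str) -> List[Pkt]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]

def correlate(lan: List[Pkt], enc: List[Pkt], window: float = 0.5) -> List[Dict]:
    """Match each LAN echo request to its NATed copy on enc0 and see where the reply got to.
    NAT rewrites the source address and the ICMP id (45314 -> 64122 above), so the two
    sides are matched on destination + seq + nearest later timestamp instead."""
    enc_req = [p for p in enc if p.kind == "request" and p.outer is None]
    enc_rep = {(p.icmp_id, p.seq) for p in enc if p.kind == "reply"}
    lan_rep = {(p.icmp_id, p.seq, p.dst) for p in lan if p.kind == "reply"}
    rows = []
    for r in (p for p in lan if p.kind == "request"):
        cands = [e for e in enc_req
                 if e.seq == r.seq and e.dst == r.dst and 0 <= e.ts - r.ts <= window]
        e = min(cands, key=lambda c: c.ts - r.ts) if cands else None
        on_enc0 = e is not None and (e.icmp_id, e.seq) in enc_rep
        on_lan = (r.icmp_id, r.seq, r.src) in lan_rep  # reply translated back to the host
        rows.append({"seq": r.seq, "lan_src": r.src, "lan_id": r.icmp_id,
                     "nat_src": e.src if e else None, "nat_id": e.icmp_id if e else None,
                     "reply_on_enc0": on_enc0, "reply_on_lan": on_lan,
                     "stuck": on_enc0 and not on_lan})
    return rows

def reply_views(enc: List[Pkt], icmp_id: int, seq: int) -> List[Tuple[bool, str]]:
    """Every copy of one reply seen on enc0, as (still_encapsulated, inner destination)."""
    return [(p.outer is not None, p.dst) for p in enc
            if p.kind == "reply" and p.icmp_id == icmp_id and p.seq == seq]

if __name__ == "__main__":
    for row in correlate(parse_capture(LAN_CAPTURE), parse_capture(ENC0_CAPTURE)):
        print(row)
    print(reply_views(parse_capture(MASK3_CAPTURE), 64725, 0))
```

It reports only what the captures show (every reply reaches enc0, none is seen back on the LAN side, and with mask 3 both copies of the reply still carry the NAT address as destination); it does not by itself explain why the reverse translation is missing.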
From owner-freebsd-net@freebsd.org Thu Jul 20 01:43:36 2017
To: FreeBSD Net
From: Da Rock
Subject: Atheros QCA9377 driver?
Message-ID: <4c31afae-18a9-821e-847d-ebc1c2ef31b4@herveybayaustralia.com.au>
Date: Thu, 20 Jul 2017 11:34:50 +1000

I just got a new laptop which I went to the trouble of testing hardware prior (worked afaict btw - FBSD11-RC3), but now in the light of day I have done the full install and now computer says no. The only diff I can tell is I used the iso for the test image, and now I used the memstick image - c'est la vie.

What I need to know is that the various freebsd wiki pages for wifi mention the 9300's are different and work needs to be done for support, that -head should just work now, and the real kicker - it was updated about 3-4 years ago! So FBSD11 should definitely be considered a derivative of -head by now, right? I'll also point out that it specifically mentioned a porting back to -9, so there's that also. This was in ath_hal/9300.

Bottom line: so what's the status? And if it should be going, why isn't it?

cheers

From owner-freebsd-net@freebsd.org Thu Jul 20 16:32:30 2017
From: Kajetan Staszkiewicz
To: FreeBSD Net
Subject: ipsec encryption only via given route
Date: Thu, 20 Jul 2017 18:17:43 +0200
Message-ID: <3526072.muFbfPklCK@energia>
Organization: tuxpowered.net

Hey group,

Across a few data centers I have some routers running IPsec+BGP tunnels to Azure. Microsoft side is nicely following BGP sessions.

My routers are unfortunately not. Routes in route table are updated just fine from BIRD but unfortunately they are overridden by IPSec policy which is static. That means that all hosts in given data center will route to Azure via tunnel on this data center's router whenever the IPsec tunnel is established, disregarding BGP. That seems to work for now, but I already see problems with failover, that is IPsec timeout is way longer than BGP timeout and I expect more problems with balancing traffic.

Routers are running FreeBSD 11.0 with Bird as routing daemon. IPsec daemon of choice is Strongswan.

Tunnels are IKEv2 with single static subnet on Azure side and one big subnet on my side covering all datacenters and a few extra ones covering some other locations that route through datacenters.

Can I somehow make IPsec encryption happen AFTER the routing decision and ensure that it happens only when traffic leaves via a specified interface?

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'

From owner-freebsd-net@freebsd.org Thu Jul 20 18:54:37 2017
Date: Thu, 20 Jul 2017 11:54:33 -0700
From: hiren panchasara
To: Kuankuan Yang
Cc: freebsd-net@freebsd.org, rrs@freebsd.org
Subject: Re: May I ask where could I find the TCP BBR patches?
Message-ID: <20170720185433.GD48940@strugglingcoder.info>
References: <9A6B3DDC-ACF3-446A-9784-E0D1C8E2DCCD@gmail.com>
In-Reply-To: <9A6B3DDC-ACF3-446A-9784-E0D1C8E2DCCD@gmail.com>

On 07/19/17 at 12:26P, Kuankuan Yang wrote:
> Dear All,
>
> I'm a newbie for FreeBSD development. May I ask a stupid question where could I find the TCP BBR patches :P

Hi! Thanks for your interest in BBR/FreeBSD. Other than what you listed, nothing is public yet.

Cheers,
Hiren

From owner-freebsd-net@freebsd.org Thu Jul 20 22:02:39 2017
From: Kajetan Staszkiewicz
To: FreeBSD Net
Subject: IPsec tunnel mode with gif
Date: Fri, 21 Jul 2017 00:02:32 +0200
Message-ID: <1865385.GS045ia5gu@energia>
Organization: tuxpowered.net

Hi group,

For many years I have used the trick of running a GRE or GIF tunnel encrypted with IPSec transport mode, both on FreeBSD and Linux. That allows me to run BGP or OSPF on the tunnels.

I am also aware of IPsec tunnel mode which kind of works for me, although it is not my personal choice.

Both modes of operation seem quite straightforward.

Yet for a reason beyond my understanding the FreeBSD handbook proposes a 3rd mode: using a GIF tunnel together with IPSec tunnel mode. I really don't understand how that is supposed to work. People On The Internet also seem not to be able to understand the reasoning behind such a solution. Since the IPSec stack provides its own encapsulation in tunnel mode, packets coming to a router would never reach the GIF interface and would never be encapsulated by it. Same for packets received: they would be de-encapsulated by the IPsec stack and reinjected with internal IP addresses on a public interface of the router, or they would appear on the enc0 interface if it is in use.

Am I wrong? Or is the Handbook wrong?

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'

From owner-freebsd-net@freebsd.org Thu Jul 20 22:13:10 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220888] [panic][patch] Race between ngs_rcvdata() and soclose()
Date: Thu, 20 Jul 2017 22:13:10 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220888

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-net@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Thu Jul 20 22:14:13 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220882] m_move_pkthdr leaves m_nextpkt 'dangling'
Date: Thu, 20 Jul 2017 22:14:14 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to keywords

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220882

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-net@FreeBSD.org
           Keywords|                            |patch

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Thu Jul 20 22:33:18 2017
From: "Bjoern A. Zeeb" To: "Kajetan Staszkiewicz" Cc: "FreeBSD Net" Subject: Re: IPsec tunnel mode with gif Date: Thu, 20 Jul 2017 22:32:58 +0000 Message-ID: <699EB97F-7235-4B1C-9C67-601CA89A4125@lists.zabbadoz.net> In-Reply-To: <1865385.GS045ia5gu@energia> References: <1865385.GS045ia5gu@energia> MIME-Version: 1.0 Content-Type: text/plain; format=flowed; markup=markdown X-Mailer: MailMate (2.0BETAr6088) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Jul 2017 22:33:19 -0000

On 20 Jul 2017, at 22:02, Kajetan Staszkiewicz wrote:
> Yet for a reason beyond my understanding FreeBSD handbook proposes a
> 3rd mode: using a GIF tunnel together with IPSec tunnel mode. I really don't
> understand how is that supposed to work. People On The Internet also seem not to
> be able ..
> Am I wrong? Or is the Handbook wrong?

The handbook is outdated and I think what you are referring to is from the early days of the IPv6/IPsec stack implementation, probably during FreeBSD 4.

What you are doing (gre/gif inside transport mode to possibly get a link-state change as well, or BGP over transport mode directly) is both fine.

I think the short answer: updates to the handbook would be very welcome!
/bz From owner-freebsd-net@freebsd.org Fri Jul 21 02:30:05 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8678BD7D1E3 for ; Fri, 21 Jul 2017 02:30:05 +0000 (UTC) (envelope-from kuankuan.y@gmail.com) Received: from mail-pg0-x241.google.com (mail-pg0-x241.google.com [IPv6:2607:f8b0:400e:c05::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4AA6884C1E; Fri, 21 Jul 2017 02:30:05 +0000 (UTC) (envelope-from kuankuan.y@gmail.com) Received: by mail-pg0-x241.google.com with SMTP id z1so4187814pgs.0; Thu, 20 Jul 2017 19:30:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Htcc2MtHeYPg7R1P+ySHMo20cbzb9rSu021BnSwAZP4=; b=faDjD1F+uk/kt80xGSsDZ7LautPVRar3E99xIBCRVWw+dP/mHHtLuhksUUblEej1yO l5DoHoucWqYwOaYrTaG+NeFOYWfycPUy4OGRGHUr5n/YbmYbkinRczPCFdE458yVn7RO z370aUpBaKQblAHE6Z7w/P+kImAT6Oxh6LmLlAfoBrNaYS+Z6w+Rex0trOxHqSLhy0d5 R6DYFMY4pWfCM9xS8y9n8mfhsm+KYsoyOuBrqtAlyfE3pSO6k6S05R4cSHYS/d4xHKx7 Yblql01tvaKl8jqFHL2pyLxTezcLg/y7xam65u7rMjip6Cf15T1uMtGIKzlz86zX9TWl La0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Htcc2MtHeYPg7R1P+ySHMo20cbzb9rSu021BnSwAZP4=; b=N3stqYPZHvtq2ZR+raWmOF/VatSXUbLp+jSsX4mk20H12EhIczz0UwhvhtkUfjcgAQ 3dzFyQOar7Ng39KELzOy1wrNArQ4smJTsz98ntUPaz47pfMtSZCfALmOtbiaV4Ukl+PZ RMZCjUWGBKTBElkYFUUTQ6JUvv9ysFrOW6d60MDOak4an7okkA9Jv07mQSDKUpNo/xT8 6YkJqlwiGRD6H3rq/vRxH7KpCGYfnn19MFXba5lhKxiab5ELOLXI+/m/nU11rcZRfk87 
dzgardJdz9UfT9mQmyGPjl5g4+7TtG2TiMU3iE167/32Mr6FXivdk9l5bgtoAhxNunTJ 2smQ== X-Gm-Message-State: AIVw110LhwfJLasIZjKQ+i72NYtQCheokn488BnFGnpGCdApLaaC8lWp wydDnNFrLavmlBeCYZg= X-Received: by 10.99.109.15 with SMTP id i15mr5890772pgc.204.1500604204806; Thu, 20 Jul 2017 19:30:04 -0700 (PDT) Received: from [172.18.6.227] ([101.78.229.4]) by smtp.gmail.com with ESMTPSA id p22sm6533906pfd.71.2017.07.20.19.30.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Jul 2017 19:30:04 -0700 (PDT) Content-Type: text/plain; charset=gb2312 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: May I ask where could I find the TCP BBR patches? 
From: Kuankuan Yang In-Reply-To: <20170720185433.GD48940@strugglingcoder.info> Date: Fri, 21 Jul 2017 10:30:00 +0800 Cc: freebsd-net@freebsd.org, rrs@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <9A6B3DDC-ACF3-446A-9784-E0D1C8E2DCCD@gmail.com> <20170720185433.GD48940@strugglingcoder.info> To: hiren panchasara X-Mailer: Apple Mail (2.3273) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2017 02:30:05 -0000

Hi Hiren,

Thanks a lot for your reply, this helps a lot. I'm looking forward to the BBR/FreeBSD feature very much, wish to see that great job soon :P

Best regards,
- Kuankuan

> On 21 Jul 2017, at 2:54 AM, hiren panchasara wrote:
>
> On 07/19/17 at 12:26P, Kuankuan Yang wrote:
>> Dear All,
>>
>> I'm a newbie for FreeBSD development. May I ask a stupid question where could I find the TCP BBR patches :P
>
> Hi! Thanks for your interest in BBR/FreeBSD. Other than what you listed, nothing
> is public yet.
>=20 > Cheers, > Hiren From owner-freebsd-net@freebsd.org Fri Jul 21 05:23:20 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 731D8D7FD44 for ; Fri, 21 Jul 2017 05:23:20 +0000 (UTC) (envelope-from mmacy@llnw.com) Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4109063E84 for ; Fri, 21 Jul 2017 05:23:20 +0000 (UTC) (envelope-from mmacy@llnw.com) Received: by mail-it0-x22a.google.com with SMTP id h199so2679651ith.1 for ; Thu, 20 Jul 2017 22:23:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=llnw.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=c9dxUGqxOHqduKxyQiba1nPMeZsyarROXggqkSuGESE=; b=YkEx2cCZMXKf7WNWDo8mfE6W0tmWA7y5ABWsBmmKkTzPAv+g3tiRapOAFCyy0AnMIh cz8o7mj6j7lVnsswkfbyJO3FFObUzh+dFpYjs7sFGXdVfxfipoaNJKcx4A+qVVeQAzpV flAAQBpfbwoU+f+EZpbcYaB6ixLfdYXRFhHb0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=c9dxUGqxOHqduKxyQiba1nPMeZsyarROXggqkSuGESE=; b=tfl5j9h4jJQShVzIlhpb7+BH8S11/jnXrLtWHslrF8F+1olQnddGpPUmagL6t/v4Da sTMxmhm1v3UME4g5AIAW83lLYRMQ8vPE7s0aZGWoNBGRyeGo25e9IEFb7t4vjOkj51bW LayW8bY98/vbQqr2uSIb6yimVLYuPozYJ3uUTmkU3OJQ5Meq1BeYDyktngUEixy9Gg6F mY5jBfwh3X8+JhvV1sys5EdYbUZsILhlPe2OWnWo2XowDaNxgaSf6BG2s+O0lKZ4ubg4 arAccFBBzsKJG+7616XmsK7xdSDoSGHQfktZuUi/YPrR+T6GH1VjiG8Fal46rZ3IvA3R dACg== X-Gm-Message-State: AIVw113AHQoh/OkH80OJD0FWXrO3MMHZUcwbQZ9hIR/Xal1XYv4KCTaJ OsJP2G/Q1dPWOw6BFzTR9o4uxVmdSaBhDYzMnfGxYBigq1aogu/Z1jvHbAeIGZBOoQdusaqjKNM 2gLPoAR6QVBDUhGzg4Dk= X-Received: by 10.36.111.73 with SMTP id 
x70mr5777671itb.15.1500614599159; Thu, 20 Jul 2017 22:23:19 -0700 (PDT) MIME-Version: 1.0 Received: by 10.79.133.194 with HTTP; Thu, 20 Jul 2017 22:23:18 -0700 (PDT) 
From: Matt Macy Date: Thu, 20 Jul 2017 22:23:18 -0700 Message-ID: Subject: locking anti-patterns To: freebsd-net@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2017 05:23:20 -0000

The immediate solution that anyone could have made is to not call stats collection (or any other routines that use this dubious synchronization mechanism) from swi context:
https://github.com/mattmacy/networking/commit/421da0083e4325e242bdece18fa198e1a96a6c67

The *_acquire_swfw code seems to be a common anti-pattern amongst drivers. I found something very similar in bxe. My hypothesis in both cases is that they rolled their own simply because they don't know any better. Understanding the locking hierarchy on either Linux or FreeBSD is something that we all have to do a better job of educating people on the periphery of kernel development about.

I have no words to describe calling DELAY(50) up to 200 times in a row to poll for release of device resources that I would use in a durable medium such as this.

This "lock" serializes:
i2c read/write
EEPROM access
PHY _read_/write

As an immediate addendum we want to assert that no real locks are held while we're engaged in these shenanigans:
https://github.com/mattmacy/networking/commit/5437e3109bbd0c21a5d4bfcc3d807f20c6ee5751

And to avoid further foot shooting we'll want to assert that these routines are never called from swi context or one serving as an ithread.

Eventually these constructs should be replaced by sx locks and the DELAYs replaced with sleeps.
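The following is an added example and not code from Matt's post, from the networking repository linked above, or from any FreeBSD driver. It is a user-space C model of the two problems the post raises: a hand-rolled "acquire_swfw" that reads a device semaphore register and then writes it as two separate steps, so two contexts can both believe they own it, and a DELAY(50)-style poll loop that spins 200 times when the semaphore is contended. Beside them sit the fixes the post points toward: a single atomic compare-exchange that admits exactly one owner, and a witness-style precondition check that refuses to enter the polling section when the caller holds a real lock or runs in swi/ithread context. Every name here (struct device, swfw_sem, may_enter_polled_section and the rest) is an illustrative assumption; the 200 x DELAY(50) limit is the figure quoted in the post.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* The post's figure: DELAY(50) called up to 200 times, i.e. ~10 ms of spinning. */
#define SWFW_POLL_LIMIT 200

/* Modelled device (assumption): the software/firmware semaphore register. */
struct device {
    atomic_int swfw_sem;   /* 0 = free, 1 = held; a device register in a real driver */
    int delays;            /* DELAY() calls made by a caller while polling */
};

/* Stand-in for DELAY(50): the real one busy-waits 50 us, here we only count. */
static void delay_50us(struct device *d) { d->delays++; }

/*
 * Anti-pattern, split into the two steps a driver really performs:
 * read the register, then (possibly much later) write it. Nothing ties
 * the check to the set, so two contexts can both observe "free".
 */
static bool naive_sem_is_free(struct device *d) { return atomic_load(&d->swfw_sem) == 0; }
static void naive_sem_set(struct device *d)     { atomic_store(&d->swfw_sem, 1); }

/* The polled acquire as drivers write it: check, set, or DELAY and retry. */
static bool naive_acquire_swfw(struct device *d)
{
    for (int i = 0; i < SWFW_POLL_LIMIT; i++) {
        if (naive_sem_is_free(d)) {
            naive_sem_set(d);
            return true;
        }
        delay_50us(d);
    }
    return false;   /* gave up after SWFW_POLL_LIMIT spins */
}

/* Correct primitive: one compare-exchange, so exactly one caller can win. */
static bool atomic_try_acquire_swfw(struct device *d)
{
    int expected = 0;
    return atomic_compare_exchange_strong(&d->swfw_sem, &expected, 1);
}
static void release_swfw(struct device *d) { atomic_store(&d->swfw_sem, 0); }

/*
 * The post's "immediate addendum" as a precondition: a caller holding a real
 * (spin) lock, or running as a software interrupt / ithread, must not enter
 * a section that polls with DELAY(). A kernel would KASSERT here; returning
 * false keeps the model testable.
 */
static bool may_enter_polled_section(int held_locks, bool in_swi)
{
    if (held_locks > 0)
        return false;   /* every waiter on those locks would stall for the spin */
    if (in_swi)
        return false;   /* swi/ithread context cannot afford a 10 ms busy-wait */
    return true;
}

/* Scripted interleaving of contexts A and B against the naive code:
 * both check before either sets, so both end up "owning" the semaphore. */
static int naive_race_winners(void)
{
    struct device d = { .swfw_sem = 0, .delays = 0 };
    bool a_saw_free = naive_sem_is_free(&d);   /* A: check -> free */
    bool b_saw_free = naive_sem_is_free(&d);   /* B: check -> free, A has not set yet */
    int winners = 0;
    if (a_saw_free) { naive_sem_set(&d); winners++; }   /* A: set */
    if (b_saw_free) { naive_sem_set(&d); winners++; }   /* B: set, also "owns" it */
    return winners;
}

/* Same two callers with compare-exchange: one winner, then a clean release. */
static int atomic_race_winners(void)
{
    struct device d = { .swfw_sem = 0, .delays = 0 };
    int winners = 0;
    if (atomic_try_acquire_swfw(&d)) winners++;   /* A: wins */
    if (atomic_try_acquire_swfw(&d)) winners++;   /* B: sees 1, fails */
    release_swfw(&d);
    return winners;
}

/* Cost of a contended naive acquire: DELAY(50) calls made before giving up. */
static int naive_timeout_delays(void)
{
    struct device d = { .swfw_sem = 1, .delays = 0 };   /* held by someone else */
    bool got = naive_acquire_swfw(&d);
    return got ? -1 : d.delays;   /* SWFW_POLL_LIMIT, i.e. ~10 ms of spinning */
}

int main(void)
{
    printf("naive check-then-set winners: %d (should be 1)\n", naive_race_winners());
    printf("compare-exchange winners:     %d\n", atomic_race_winners());
    printf("naive timeout after %d DELAY(50) calls; swi may enter: %s\n",
           naive_timeout_delays(), may_enter_polled_section(0, true) ? "yes" : "no");
    return 0;
}
```

The naive pair models what a read-then-write of a semaphore register looks like when two contexts interleave; on real hardware the window is the bus round trip, which is why the bug only shows up under load. The precondition check is the cheap part of the fix and can be added today; replacing the DELAY loop with an sx lock and a sleep, as the post suggests, also removes the spin cost that naive_timeout_delays() measures.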
-- Matt Macy, Consultant, Limelight Networks From owner-freebsd-net@freebsd.org Fri Jul 21 05:24:13 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 887C1D7FDC4 for ; Fri, 21 Jul 2017 05:24:13 +0000 (UTC) (envelope-from amutu@amutu.com) Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 508D463F43 for ; Fri, 21 Jul 2017 05:24:13 +0000 (UTC) (envelope-from amutu@amutu.com) Received: by mail-oi0-x235.google.com with SMTP id p188so43926255oia.0 for ; Thu, 20 Jul 2017 22:24:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amutu-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=sCg0ZdqA7SBr1dI1JxkssZnVmol4vFqCXHuvlODiQk0=; b=T4est/eC5UukH9Fwy+q0hLpwjQfMyuVqb5lGQlHCrrE43NRXaqHKLNAx7qt0K6w0V+ Qj4MNiaNjXzNIoYln35QrNRQIuHk47YYxTG2jZAPIIyTnhLRz/UuGuporBiGYJSnqWH+ EXOUW9n6fAX7Ddam4lhYme8E3xKduwFghIbIHwe1+duJ3dVLclAAo4K9ezdIEZZzsxpz hSblg/8vYGwAOJ0lo5Vi2wu5OKoxzix7mIfnT2GwFliVXUn8IB5BRb999yxPLHstfebY 
x+LKrCtsVGoXx+hP36w+JL4EzGPGpwLXgxp9PUz2zf+UIIbbquqiSnsEQhCo0gxkrFNE 8Scg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=sCg0ZdqA7SBr1dI1JxkssZnVmol4vFqCXHuvlODiQk0=; b=ruHDshihunu1sm4133fbAohv8cjetEiyXUIXt9OQcuB0IHwGfE2iD4BewhaaIymh1B PviknRDVJEwCjj72Xl73yfKHMvTk/Uyt4tW4JcLGJUnvDUw4Wa8jBRAxKuwhm1TqMzoJ r+pK/AusP6/VLtq1TEwhuX3Y4ZJsAiH9K38zhJz/bBwqMVg043t7iAg2A9XINLO18QoP H5tu4NEbV8xy+gZf5+41nonVuKBiBYDH+K1zEnWuD81yc2lYkoa3aXP5N4qxEpeKFe53 o7CTFRQl4H4OYS+uiHUNeOTB+Vg0lcwfYXnLpCqhI958VPGQnOzw75ujpu0D70SrDAPC SvTg== X-Gm-Message-State: AIVw111i10ueE2inXa2E5nWMs9vEjs3ZNSC6ovjGZvvmur3J8f/YBlBU 5HFLhxAN8wHKEfeDDurwWQ== X-Received: by 10.202.172.6 with SMTP id v6mr1025929oie.217.1500614652490; Thu, 20 Jul 2017 22:24:12 -0700 (PDT) Received: from mail-oi0-f42.google.com (mail-oi0-f42.google.com. [209.85.218.42]) by smtp.gmail.com with ESMTPSA id k203sm1243559oia.24.2017.07.20.22.24.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Jul 2017 22:24:11 -0700 (PDT) Received: by mail-oi0-f42.google.com with SMTP id q4so43957685oif.1; Thu, 20 Jul 2017 22:24:11 -0700 (PDT) X-Received: by 10.202.205.72 with SMTP id d69mr1457113oig.126.1500614651320; Thu, 20 Jul 2017 22:24:11 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.128.197 with HTTP; Thu, 20 Jul 2017 22:23:50 -0700 (PDT) In-Reply-To: References: <9A6B3DDC-ACF3-446A-9784-E0D1C8E2DCCD@gmail.com> <20170720185433.GD48940@strugglingcoder.info> 
From: Jov Date: Fri, 21 Jul 2017 13:23:50 +0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: May I ask where could I find the TCP BBR patches? To: Kuankuan Yang Cc: hiren panchasara , freebsd-net@freebsd.org, rrs@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2017 05:24:13 -0000

Maybe you are also interested in kcp/kcptun: https://github.com/xtaci/kcptun

There is also a FreeBSD new ports PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219449

Jov

2017-07-21 10:30 GMT+08:00 Kuankuan Yang :
> Hi Hiren,
>
> Thanks a lot for your reply, this helps a lot. I'm looking forward to the BBR/FreeBSD feature very much, wish to see that great job soon :P
>
> Best regards,
> - Kuankuan
>
>> On 21 Jul 2017, at 2:54 AM, hiren panchasara wrote:
>>
>> On 07/19/17 at 12:26P, Kuankuan Yang wrote:
>>> Dear All,
>>>
>>> I'm a newbie for FreeBSD development. May I ask a stupid question where could I find the TCP BBR patches :P
>>
>> Hi! Thanks for your interest in BBR/FreeBSD. Other than what you listed, nothing
>> is public yet.
>> >> Cheers, >> Hiren > > _______________________________________________ > freebsd-net@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" From owner-freebsd-net@freebsd.org Fri Jul 21 06:51:48 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2DFE6D9A297 for ; Fri, 21 Jul 2017 06:51:48 +0000 (UTC) (envelope-from kuankuan.y@gmail.com) Received: from mail-pf0-x243.google.com (mail-pf0-x243.google.com [IPv6:2607:f8b0:400e:c00::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EE80F65D95; Fri, 21 Jul 2017 06:51:47 +0000 (UTC) (envelope-from kuankuan.y@gmail.com) Received: by mail-pf0-x243.google.com with SMTP id q85so4149604pfq.2; Thu, 20 Jul 2017 23:51:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=MFWt2bgcp4boCx9z/zIfkIx8sX9+hnndW75GijaHCRg=; b=D0N+7MMt2dGW1J1hNf6eso9Z+K695DKf8tbF/2T6Iq4pOEoLOXb8i7xiqiRFS7OrI0 BxaWjFTqcsNusfDIaeKTY+mZ3sjRUVAML8yDf/IhJEUdQwb1DDu+amOhHFmXxNekAF1N DPV1MqzF9alndO7DmBwOyV7sqbasUThflnarH4MmG9VtMbtjHxM6IgHW2q8zzWLi8M82 oFFJRwuu4cNmkHrHmpkMHjQq8gm+zM54PvdaMEn+Q8dgi9HbKp66tg7B095eWh9jhyP0 7pwKKg/hiwwUQcpuIDMPjzarml80j2fQbn4KYBfWsdNOim1fQ3vL9OkqgV2hgSs6rzh7 orEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=MFWt2bgcp4boCx9z/zIfkIx8sX9+hnndW75GijaHCRg=; b=PMI/UD1cwS9lzD3kQl7fMGmqzud73tdMD/qxFySNvP8WDke8Fvwi84/V54tHcYlcer 
0u2T5S0QtyaZCyd/ZK81ZoUpFHO+gZS+tmh3AWkG55iBdyGSVZDF6Mh91H1XIvqhRdl8 AGVDvyNnSnNCN/YLYzAZBPNGaEY2t6Je857QzHlKtt2ee7drCxmh9D3HweVfomZsAx1B QwXy4ECvfi3popSzwDQOzpSpMl7xUsA9tVwhYU5Yv8Ov+k7WCxaKXKZMT9J6vQXayoQJ +WweFu9OmcWAW2f9gKNEXr/TNXRQ49fmUUbOmjZ9Sr9zQ9Agl6ACbiCSdsICx/uMsaVe PE4g== X-Gm-Message-State: AIVw110+Tixzt/JImVHPR0YKLmJdXb/qiugUMzqkPUC6VqOxDpHUjZP1 SGkfWR/1fgGVHQ== X-Received: by 10.84.236.13 with SMTP id q13mr6985597plk.324.1500619907489; Thu, 20 Jul 2017 23:51:47 -0700 (PDT) Received: from [172.18.6.227] ([101.78.229.4]) by smtp.gmail.com with ESMTPSA id t70sm7856675pfk.111.2017.07.20.23.51.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Jul 2017 23:51:46 -0700 (PDT) 
From: Kuankuan Yang Message-Id: Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: May I ask where could I find the TCP BBR patches? Date: Fri, 21 Jul 2017 14:51:41 +0800 In-Reply-To: Cc: hiren panchasara , freebsd-net@freebsd.org, rrs@freebsd.org To: Jov References: <9A6B3DDC-ACF3-446A-9784-E0D1C8E2DCCD@gmail.com> <20170720185433.GD48940@strugglingcoder.info> X-Mailer: Apple Mail (2.3273) Content-Type: text/plain; charset=gb2312 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2017 06:51:48 -0000

> On 21 Jul 2017, at 1:23 PM, Jov wrote:
>
> Maybe you are also interested in kcp/kcptun:
> https://github.com/xtaci/kcptun

Hi Jov,

Aha, yes! LOL, I do know that project, and I have used it as the code base for TCP acceleration in a satellite network; the performance is good for me (around 240 Mbps with a single core).

Kuankuan

>
> There is also a FreeBSD new ports PR:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219449
>
> Jov
>
> 2017-07-21 10:30 GMT+08:00 Kuankuan Yang :
>> Hi Hiren,
>>
>> Thanks a lot for your reply, this helps a lot. I'm looking forward to the BBR/FreeBSD feature very much, wish to see that great job soon :P
>>
>> Best regards,
>> - Kuankuan
>>
>>> On 21 Jul 2017, at 2:54 AM, hiren panchasara wrote:
>>>
>>> On 07/19/17 at 12:26P, Kuankuan Yang wrote:
>>>> Dear All,
>>>>
>>>> I'm a newbie for FreeBSD development. May I ask a stupid question where could I find the TCP BBR patches :P
>>>
>>> Hi! Thanks for your interest in BBR/FreeBSD. Other than what you listed, nothing
>>> is public yet.
>>>=20 >>> Cheers, >>> Hiren >>=20 >> _______________________________________________ >> freebsd-net@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-net >> To unsubscribe, send any mail to = "freebsd-net-unsubscribe@freebsd.org" From owner-freebsd-net@freebsd.org Fri Jul 21 10:09:52 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 326AEDA316C for ; Fri, 21 Jul 2017 10:09:52 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from hz.grosbein.net (hz.grosbein.net [78.47.246.247]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C4A7F6AA16 for ; Fri, 21 Jul 2017 10:09:51 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221]) by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id v6LA9eTG018267 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 21 Jul 2017 12:09:41 +0200 (CEST) (envelope-from eugen@grosbein.net) X-Envelope-From: eugen@grosbein.net X-Envelope-To: vegeta@tuxpowered.net Received: from [10.58.0.4] (dadv@[10.58.0.4]) by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id v6LA9ZWr086923 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 21 Jul 2017 17:09:36 +0700 (+07) (envelope-from eugen@grosbein.net) Subject: Re: ipsec encryption only via given route To: Kajetan Staszkiewicz , FreeBSD Net References: <3526072.muFbfPklCK@energia> 
From: Eugene Grosbein Message-ID: <5971D2DF.6030904@grosbein.net> Date: Fri, 21 Jul 2017 17:09:35 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2 MIME-Version: 1.0 In-Reply-To: <3526072.muFbfPklCK@energia> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,LOCAL_FROM autolearn=no autolearn_force=no version=3.4.1 X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0000] * 2.6 LOCAL_FROM From my domains X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on hz.grosbein.net X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2017 10:09:52 -0000

20.07.2017 23:17, Kajetan Staszkiewicz wrote:
> Hey group,
> Can I somehow make IPsec encryption to happen AFTER routing decision and
> ensure that it happens only when traffic leaves via specified interface?

You may want to upgrade to 11.1-RELEASE and utilize its new if_ipsec(4) feature targeted for creating route-based VPNs.
https://www.freebsd.org/cgi/man.cgi?query=if_ipsec&apropos=0&sektion=0&manpath=FreeBSD+11.1-RELEASE&arch=default&format=html From owner-freebsd-net@freebsd.org Fri Jul 21 10:58:54 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 671C3DA40E3 for ; Fri, 21 Jul 2017 10:58:54 +0000 (UTC) (envelope-from m.muenz@spam-fetish.org) Received: from mailout-02.maxonline.de (mailout-02.maxonline.de [81.24.66.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 216F96BDFF for ; Fri, 21 Jul 2017 10:58:53 +0000 (UTC) (envelope-from m.muenz@spam-fetish.org) Received: from web03-01.max-it.de (web03-01.max-it.de [81.24.64.215]) by mailout-02.maxonline.de (Postfix) with ESMTPS id 331664C for ; Fri, 21 Jul 2017 12:58:45 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by web03-01.max-it.de (Postfix) with ESMTP id 226F528B848 for ; Fri, 21 Jul 2017 12:58:45 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at web03-01.max-it.de Received: from web03-01.max-it.de ([127.0.0.1]) by localhost (web03-01.max-it.de [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id lAU7xmmIuenM for ; Fri, 21 Jul 2017 12:58:44 +0200 (CEST) Received: from [81.24.66.132] (unknown [81.24.66.132]) (Authenticated sender: m.muenz@spam-fetish.org) by web03-01.max-it.de (Postfix) with ESMTPA id E84FF28B842 for ; Fri, 21 Jul 2017 12:58:44 +0200 (CEST) Subject: Re: NAT before IPSEC - reply packets stuck at enc0 To: freebsd-net@freebsd.org References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> 
<1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> 
From: "Muenz, Michael" Message-ID: Date: Fri, 21 Jul 2017 12:59:00 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2017 10:58:54 -0000

On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
>
> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
> You should see the reply two times, the second one should be with
> translated address.
>

Googling around with "nat before ipsec" and freebsd shows many topics like this.
It seems with 11.0 release there were some significant changes to enc which made this impossible.

Michael

From owner-freebsd-net@freebsd.org Fri Jul 21 11:11:00 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 43442DA44F6 for ; Fri, 21 Jul 2017 11:11:00 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from forward5p.cmail.yandex.net (forward5p.cmail.yandex.net [IPv6:2a02:6b8:0:1465::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Yandex CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D4AFF6C244 for ; Fri, 21 Jul 2017 11:10:59 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from smtp4o.mail.yandex.net (smtp4o.mail.yandex.net [IPv6:2a02:6b8:0:1a2d::28]) by forward5p.cmail.yandex.net (Yandex) with ESMTP id 86F8A20C98; Fri, 21 Jul 2017 14:10:56 +0300 (MSK) Received: from smtp4o.mail.yandex.net (localhost.localdomain [127.0.0.1]) by smtp4o.mail.yandex.net 
(Yandex) with ESMTP id 805A86C01116; Fri, 21 Jul 2017 14:10:48 +0300 (MSK) Received: by smtp4o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id 7ZBbPDgj51-AmP0FgJg; Fri, 21 Jul 2017 14:10:48 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client certificate not present) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1500635448; bh=5+y9o8Q5nElG72EgvahldOWu84DKEWObQ25tFi9E/bM=; h=Subject:To:References:From:Message-ID:Date:In-Reply-To; b=lhqwOM4lmecTf++LQyYtWbB09ATOijr1kFCqS9ze4anbz3Ls5yDvMrI7NhFQz7/q+ mVNqAQ0SRjBgZsJ9KMjsj/ZknGaWztddGxMuOZ2NXS1ysoAwqbnYtG+JXvFQFKKiv+ HCBO4K+gZtkLUhBjKzyjb0gWTQT2SAurnoZ4mwvM= Authentication-Results: smtp4o.mail.yandex.net; dkim=pass header.i=@yandex.ru X-Yandex-Suid-Status: 1 0,1 0 Subject: Re: NAT before IPSEC - reply packets stuck at enc0 To: "Muenz, Michael" , freebsd-net@freebsd.org References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> 
From: "Andrey V. Elsukov" Openpgp: id=E6591E1B41DA1516F0C9BC0001C5EA0410C8A17A Message-ID: <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> Date: Fri, 21 Jul 2017 14:08:03 +0300 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.0.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="gmPuCvSx6UrvnCXQKrGTPNihXU9uWuo96" X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2017 11:11:00 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 21.07.2017 13:59, Muenz, Michael wrote:
> On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
>>
>> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
>> You should see the reply two times, the second one should be with
>> translated address.
>>
> Googling around with "nat before ipsec" and freebsd shows many topics
> like this.
> It seems with 11.0 release there were some significant changes to enc
> which made this impossible.

The only significant change to enc(4) was making it loadable. From the other side it still works as before. Another problem is PF-specific: PF does if_output() after translation by itself, and there is no chance for IPsec to finish encryption. The third problem mentioned here (deadlock in pf) is also PF-specific, and I'm not sure that it worked well before.

With ipfw(4) it should work, at least on FreeBSD. pfsense/opnsense have their own patches, so I don't know what can be wrong there.

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-net@freebsd.org Fri Jul 21 11:21:26 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A1B38DA4774 for ; Fri, 21 Jul 2017 11:21:26 +0000 (UTC) (envelope-from m.muenz@spam-fetish.org) Received: from mailout-02.maxonline.de (mailout-02.maxonline.de [81.24.66.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5EFB16C837 for ; Fri, 21 Jul 2017 11:21:26 +0000 (UTC) (envelope-from m.muenz@spam-fetish.org) Received: from web03-01.max-it.de (web03-01.max-it.de [81.24.64.215]) by mailout-02.maxonline.de (Postfix) with ESMTPS id 31BFC4C; Fri, 21 Jul 2017 13:21:24 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by web03-01.max-it.de (Postfix) with ESMTP id 20FAC28B848; Fri, 21 Jul 2017 13:21:24 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at web03-01.max-it.de Received: from web03-01.max-it.de ([127.0.0.1]) by localhost (web03-01.max-it.de [127.0.0.1]) 
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org
From: "Muenz, Michael"
Date: Fri, 21 Jul 2017 13:21:38 +0200
In-Reply-To: <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru>

On 21.07.2017 at 13:08, Andrey V. Elsukov wrote:
> On 21.07.2017 13:59, Muenz, Michael wrote:
>> On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
>>> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
>>> You should see the reply two times, the second one should be with
>>> translated address.
>>>
>> Googling around with "nat before ipsec" and freebsd shows many topics
>> like this.
>> It seems with 11.0 release there were some significant changes to enc
>> which made this impossible.
> The only significant change to enc(4) was making it loadable. On the other
> hand, it still works as before. Another problem is PF-specific: PF does
> if_output() after translation by itself, and there is no chance for IPsec
> to finish encryption. The third problem mentioned here (deadlock in pf) is
> also PF-specific, and I'm not sure that it worked well before.
>
> With ipfw(4) it should work, at least on FreeBSD. pfSense/OPNsense have
> their own patches, so I don't know what can be wrong there.
>

I know the problems with pf and FreeBSD, that's why I'm focusing on ipfw. So ipfw without natd and Strongswan as the IPsec implementation should work as expected? Then I'll try to spend more time investigating with sysctl, but I think I have tested every combination.

Really appreciate your help, thanks!

Michael

From owner-freebsd-net@freebsd.org Fri Jul 21 12:55:30 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Fri, 21 Jul 2017 12:55:27 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

--- Comment #123 from Cassiano Peixoto ---
(In reply to Eugene Grosbein from comment #116)

Hi Eugene,

The server has been running for 14 days without freezing. I think the issue has been fixed :) How would you like to proceed? Are you going to commit the other patches?

Congratulations, after 2 years and 6 months, someone at last fixed it. Thank you! :)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-net@freebsd.org Fri Jul 21 13:16:56 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Fri, 21 Jul 2017 13:16:55 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

Bug 186114 depends on bug 220151, which changed state.

Bug 220151 Summary: [libc] syslog() thread unsafety: mutex lock leak
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220151

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |New                         |Closed
     Resolution    |---                         |FIXED

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-net@freebsd.org Fri Jul 21 13:17:25 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Fri, 21 Jul 2017 13:17:24 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

Eugene Grosbein changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |In Progress                 |Closed
     Resolution    |---                         |FIXED

--- Comment #124 from Eugene Grosbein ---
The problem of the mpd5 daemon hanging is now fixed with the following changes:

1. libc/syslog "cancel-safe" fix merged to stable/11 and stable/10 (to appear in upcoming 10.4-RELEASE and 11.1-RELEASE).
2. Multiple libc/stdio "cancel-safe" fixes merged to stable/11 and stable/10 (to appear in upcoming 10.4-RELEASE and 11.1-RELEASE).
3. Mpd5 "cancel-safe" console management fix committed to upstream code and present in the net/mpd5 port version mpd5-5.8_1 and newer.

Other problems concerning general kernel stability issues will be carried with distinct PRs linked to this one.

Big thanks to kib, dchagin, Cassiano Peixoto and others involved in reporting, analyzing, debugging and fixing this.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-net@freebsd.org Fri Jul 21 14:48:48 2017
Subject: Re: May I ask where could I find the TCP BBR patches?
To: Jov, Kuankuan Yang
Cc: freebsd-net@freebsd.org, hiren panchasara, rrs@freebsd.org
From: Julian Elischer
Date: Fri, 21 Jul 2017 22:48:25 +0800

On 21/7/17 1:23 pm, Jov wrote:
> Maybe you are also interested in kcp/kcptun:
> https://github.com/xtaci/kcptun

Looks to me like kcp might be implemented pretty easily as a netgraph module. BBR looks like it would be relatively simple to port and I look forward to seeing it.

>
> There is also a FreeBSD new ports PR:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219449
>
> Jov
>
> 2017-07-21 10:30 GMT+08:00 Kuankuan Yang:
>> Hi Hiren,
>>
>> Thanks a lot for your reply, this helps a lot. I'm looking forward to the BBR/FreeBSD feature very much, wish to see that great job soon :P
>>
>> Best regards,
>> - Kuankuan
>>
>>> On 21 Jul 2017, at 2:54 AM, hiren panchasara wrote:
>>>
>>> On 07/19/17 at 12:26P, Kuankuan Yang wrote:
>>>> Dear All,
>>>>
>>>> I'm a newbie for FreeBSD development. May I ask a stupid question: where could I find the TCP BBR patches :P
>>> Hi! Thanks for your interest in BBR/FreeBSD. Other than what you listed, nothing
>>> is public yet.
>>>
>>> Cheers,
>>> Hiren
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

From owner-freebsd-net@freebsd.org Fri Jul 21 16:05:17 2017
From: Kajetan Staszkiewicz
To: Eugene Grosbein
Cc: FreeBSD Net
Subject: Re: ipsec encryption only via given route
Date: Fri, 21 Jul 2017 18:05:01 +0200
Message-ID: <5382298.hL91o62syh@energia>
In-Reply-To: <5971D2DF.6030904@grosbein.net>

On Friday, 21 July 2017 17:09:35 CEST, Eugene Grosbein wrote:
> 20.07.2017 23:17, Kajetan Staszkiewicz wrote:
> > Hey group,
> >
> > Can I somehow make IPsec encryption happen AFTER the routing decision and
> > ensure that it happens only when traffic leaves via a specified interface?
>
> You may want to upgrade to 11.1-RELEASE and utilize its new if_ipsec(4)
> feature targeted for creating route-based VPNs.
>
> https://www.freebsd.org/cgi/man.cgi?query=if_ipsec&apropos=0&sektion=0&manpath=FreeBSD+11.1-RELEASE&arch=default&format=html

This seems promising. I understand that it would replace if_enc, which I have enabled to properly firewall tunnel mode IPsec.

I also run multiple gif + transport mode tunnels; those never needed if_enc and were never prone to bug 220217. Now with if_enc the de-IPsec-ed gif traffic passes via a single common enc0. I would be so happy to get rid of if_enc again.

Unfortunately I don't see much information on how to make it work with Strongswan. Any hints?

-- 
| pozdrawiam / greetings   | powered by Debian, FreeBSD and CentOS    |
| Kajetan Staszkiewicz     | jabber,email: vegeta()tuxpowered net     |
| Vegeta                   | www: http://vegeta.tuxpowered.net        |
`------------------------^---------------------------------------'

From owner-freebsd-net@freebsd.org Fri Jul 21 16:23:27 2017
Subject: Re: ipsec encryption only via given route
To: Kajetan Staszkiewicz
Cc: FreeBSD Net
From: Eugene Grosbein
Message-ID: <59722A70.7000403@grosbein.net>
Date: Fri, 21 Jul 2017 23:23:12 +0700
In-Reply-To: <5382298.hL91o62syh@energia>

21.07.2017 23:05, Kajetan Staszkiewicz wrote:

> Unfortunately I don't see much information on how to make it work with
> Strongswan. Any hints?

If you run Strongswan/FreeBSD instead of plain FreeBSD, you should ask the Strongswan maintainers for that :-)

From owner-freebsd-net@freebsd.org Fri Jul 21 16:50:01 2017
From: "JANAE.OLSON"
Subject: Re:Reach Out Infor Users
Date: Fri, 21 Jul 2017 11:49:15 -0500
Message-ID: <139101d30241$71eeedd0$55ccc970$@greencap.tech>

Hi,

I see that you are an Infor partner and thought if you would like to acquire Infor customers database to increase your customer base.

Infor Users - 37,584 IT decision makers

List Contains: Name, Company's Name, Phone Number, Fax Number, Job Title, Email address, Complete Mailing Address, SIC code, Company revenue, size, Web address etc.

Specialties: business intelligence, data visualization, data analysis, dashboards.

Let me know your thoughts or pass on the message to the right person in your company.

Thanks & regards,
Janae Olson

If you don't want to receive any message from us then please type "OPT OUT" in the Subject Line.

From owner-freebsd-net@freebsd.org Fri Jul 21 21:32:13 2017
Date: Fri, 21 Jul 2017 23:21:12 +0200
From: Daniel Bilik
To: freebsd-net@freebsd.org
Subject: mbuf clusters leak in netinet6
Message-Id: <20170721232112.82f6e78b76057312183be937@neosystem.cz>

Hi.

(Please keep me in cc, I'm not subscribed to the list.)

After deploying ndproxy[1] on a few 10-stable hosts, some of them have experienced mbuf cluster exhaustion. Initial analysis showed that after loading ndproxy.ko, the "current" values of "mbuf clusters" and "mbuf+clusters out of packet secondary zone" (from netstat -m output) keep continuously increasing and never decrease. More thorough inspection of the ndproxy source code pointed me at function packet() in ndpacket.c[2], to the very last "return 1". With this line changed to "return 0", mbuf clusters do not increase anymore, i.e. it fixes the issue. As the leak does not come from "return" itself, I suspect "the proper solution" is to modify code in the upper layer to not leak anything on any returned value. If I read it right, the upper layer in this case is function ip6_input() in sys/netinet6/ip6_input.c[3], specifically the pfil_run_hooks() call at line 765. I guess it should be changed like this to avoid the leak:

--- ip6_input.c.orig 2017-07-21 22:42:17.780594000 +0200 +++ ip6_input.c 2017-07-21 22:45:28.981497000 +0200
@@ -620,8 +620,11 @@ goto passin; if (pfil_run_hooks(&V_inet6_pfil_hook, &m, - m->m_pkthdr.rcvif, PFIL_IN, NULL)) + m->m_pkthdr.rcvif, PFIL_IN, NULL)) { + if (m) + m_free(m); return; + } if (m == NULL) /* consumed by filter */ return; ip6 = mtod(m, struct ip6_hdr *);

I haven't actually tested this modification. I prefer to know your opinions first before trying to panic production hosts running hundreds of miles from me. ;-)

Thanks.

-- 
Dan

[1] https://github.com/AlexandreFenyo/ndproxy
[2] https://github.com/AlexandreFenyo/ndproxy/blob/master/ndpacket.c#L455
[3] https://github.com/freebsd/freebsd/blob/master/sys/netinet6/ip6_input.c#L765
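Review bot: the `m_free(m)` added in the new error branch frees only the first mbuf of the chain (m_free releases one mbuf and returns the next one); a packet reaching ip6_input() is a whole chain, so for clustered packets the leak would persist, and the call should be `m_freem(m)`, which frees the entire chain. As a style point, style(9) spells the pointer test `if (m != NULL)` rather than `if (m)`. The branch also deserves a comment: the existing `if (m == NULL) /* consumed by filter */` check right below shows the pfil convention that a hook which takes the packet sets the pointer to NULL, so a hook returning nonzero while leaving m intact (the ndproxy "return 1" described in the message) is the contract violation this branch is compensating for; the defensive free in ip6_input() is reasonable, but the hook itself should be fixed as well.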
m.muenz@spam-fetish.org) by web03-01.max-it.de (Postfix) with ESMTPA id 6ADB028B842 for ; Sat, 22 Jul 2017 07:35:53 +0200 (CEST) Subject: Re: NAT before IPSEC - reply packets stuck at enc0 To: freebsd-net@freebsd.org References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> 
From: "Muenz, Michael" Message-ID: <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org> Date: Sat, 22 Jul 2017 07:36:58 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Jul 2017 05:35:56 -0000 Am 21.07.2017 um 13:08 schrieb Andrey V. Elsukov: > > With ipfw(4) it should work, at least on FreeBSD. pfsense/opensense have > their own patches, so I don't know what can be wrong there. > I also tried 11.0 and 11.1RC3 vanilla kernels, no luck. Will build a test setup with the OPNsense devs. I'm still positive that this can't be a huge issue. Thanks for your efforts Andrey! 
Michael

Subject: Re: mbuf clusters leak in netinet6
To: Daniel Bilik, freebsd-net@freebsd.org
References: <20170721232112.82f6e78b76057312183be937@neosystem.cz>
From: "Andrey V. Elsukov"
Message-ID: <5dadd0d0-d5ce-3a2c-7ad6-1c0a39a4a0e7@yandex.ru>
Date: Sat, 22 Jul 2017 12:11:31 +0300
In-Reply-To: <20170721232112.82f6e78b76057312183be937@neosystem.cz>

On 22.07.17 0:21, Daniel Bilik wrote:
> Hi.
>
> (Please keep me in cc, I'm not subscribed to the list.)
>
> After deploying ndproxy[1] on a few 10-stable hosts, some of them have
> experienced mbuf clusters exhaustion. Initial analysis showed that after
> loading ndproxy.ko, "current" values of "mbuf clusters" and "mbuf+clusters
> out of packet secondary zone" (from netstat -m output) keep continuously
> increasing and never decrease. More thorough inspection of ndproxy source
> code pointed me at function packet() in ndpacket.c[2], to the very last
> "return 1". With this line changed to "return 0", mbuf clusters do not
> increase anymore, i.e. it fixes the issue. As the leak does not come from
> "return" itself, I suspect "the proper solution" is to modify code in
> the upper layer to not leak anything on any returned value. If I read it
> right, the upper layer in this case is function ip6_input() in
> sys/netinet6/ip6_input.c[3], specifically pfil_run_hooks() call at line
> 765. I guess it should be changed like this to avoid the leak:
>
> --- ip6_input.c.orig 2017-07-21 22:42:17.780594000 +0200
> +++ ip6_input.c 2017-07-21 22:45:28.981497000 +0200
> @@ -620,8 +620,11 @@
>                  goto passin;
>  
>          if (pfil_run_hooks(&V_inet6_pfil_hook, &m,
> -            m->m_pkthdr.rcvif, PFIL_IN, NULL))
> +            m->m_pkthdr.rcvif, PFIL_IN, NULL)) {
> +                if (m)
> +                        m_free(m);
>                  return;
> +        }
>          if (m == NULL)                  /* consumed by filter */
>                  return;
>          ip6 = mtod(m, struct ip6_hdr *);
>
> I haven't actually tested this modification. I prefer to know your
> opinions first before trying to panic production hosts running hundreds of
> miles from me. ;-) Thanks.

Freeing the mbuf is the pfil hook's responsibility: if it returns a nonzero
value, it must call m_freem(). So it is a bug in ndpacket.c.
https://github.com/AlexandreFenyo/ndproxy/blob/master/ndpacket.c

Also, ip6_output() always consumes the mbuf; it is wrong to call m_freem()
after calling ip6_output(), even when it returns an error.

-- 
WBR, Andrey V. Elsukov

Date: Sat, 22 Jul 2017 15:51:57 +0200
From: Daniel Bilik
To: "Andrey V. Elsukov"
Cc: freebsd-net@freebsd.org
Subject: Re: mbuf clusters leak in netinet6
Message-Id: <20170722155157.b29206752f49422e40e58c5d@neosystem.cz>
In-Reply-To: <5dadd0d0-d5ce-3a2c-7ad6-1c0a39a4a0e7@yandex.ru>
References: <20170721232112.82f6e78b76057312183be937@neosystem.cz>
 <5dadd0d0-d5ce-3a2c-7ad6-1c0a39a4a0e7@yandex.ru>

On Sat, 22 Jul 2017 12:11:31 +0300
"Andrey V. Elsukov" wrote:

> Freeing the mbuf is the pfil hook's responsibility: if it returns a nonzero
> value, it must call m_freem(). So it is a bug in ndpacket.c.

Ah, thanks for clarifying this. It was quite unclear to me, because elsewhere
I've seen m_freem() called after a non-zero pfil_run_hooks() result. [1]

Nevertheless, I've patched and tested ndproxy as you suggested, and it
works fine, with no mbuf leaks. Pull request created. [2]

Thank you once again for looking at this.
-- 
Dan

[1] https://github.com/freebsd/freebsd/blob/master/sys/netinet/ip_fastfwd.c#L232
[2] https://github.com/AlexandreFenyo/ndproxy/pull/3

Subject: Re: mbuf clusters leak in netinet6
To: Daniel Bilik
References: <20170721232112.82f6e78b76057312183be937@neosystem.cz>
 <5dadd0d0-d5ce-3a2c-7ad6-1c0a39a4a0e7@yandex.ru>
 <20170722155157.b29206752f49422e40e58c5d@neosystem.cz>
Cc: freebsd-net@freebsd.org
From: "Andrey V. Elsukov"
Date: Sat, 22 Jul 2017 22:38:13 +0300
In-Reply-To: <20170722155157.b29206752f49422e40e58c5d@neosystem.cz>

On 22.07.17 16:51, Daniel Bilik wrote:
> On Sat, 22 Jul 2017 12:11:31 +0300
> "Andrey V. Elsukov" wrote:
>
>> Freeing the mbuf is the pfil hook's responsibility: if it returns a nonzero
>> value, it must call m_freem(). So it is a bug in ndpacket.c.
>
> Ah, thanks for clarifying this. It was quite unclear to me, because elsewhere
> I've seen m_freem() called after a non-zero pfil_run_hooks() result. [1]
>
> Nevertheless, I've patched and tested ndproxy as you suggested, and it
> works fine, with no mbuf leaks. Pull request created. [2]

This is because the "drop" label is shared between several places.
Usually a pfil hook does m_freem() and sets the mbuf pointer to NULL.
Check ip_output() or ip6_output(), and also ipfw's pfil hook implementation:
https://svnweb.freebsd.org/base/head/sys/netpfil/ipfw/ip_fw_pfil.c?annotate=308237#l295

-- 
WBR, Andrey V. Elsukov

Date: Sun, 23 Jul 2017 00:35:17 +0200
From: Alexandre Fenyo
To: freebsd-net@freebsd.org
Subject: mbuf clusters leak in netinet6
Message-ID: <20170722223517.GA44772@virt.fenyo.net>

The pull request has been merged on GitHub.

For information, I've submitted this kernel module to the ports tree in this
request: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219622

I'm currently testing the port with poudriere. I will soon make some minor
updates due to new warnings (-Waddress-of-packed-member) that appeared with
the change from clang 3.8.0 to clang 4.0.0 that occurred between FreeBSD 11.0
and 11.1-RC3.

Thanks for these bug reports and patches.

Sincerely,
Alexandre Fenyo
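As an added illustration of the ownership rule Andrey states in this thread (this is not code from any message above, from ndproxy, or from FreeBSD), the following user-space C model mimics the pfil hook contract with a toy mbuf chain and a live-allocation counter standing in for the netstat -m "current" column. The names toy_mbuf, hook_fn, input_path, patched_input_path and the three hook functions are invented for the model. It shows the leak a hook causes by returning 1 without freeing, why the m_free() patch proposed earlier in the thread would only shrink that leak rather than remove it, and how a conforming hook (m_freem() plus clearing the caller's pointer) leaves nothing behind.

```c
/* Added example, not code from this thread, ndproxy or FreeBSD: a user-space
 * model of the pfil hook ownership rule explained in the thread (a hook that
 * returns nonzero must already have freed the mbuf and cleared the caller's
 * pointer). toy_mbuf, hook_fn, input_path and the hook names are invented
 * for this model; only the ownership contract mirrors pfil. */
#include <stdio.h>
#include <stdlib.h>

/* One node per mbuf; a chain stands for one packet. */
struct toy_mbuf {
    struct toy_mbuf *m_next;
    int len;
};

/* Live-allocation counter, the stand-in for the "current" column of
 * netstat -m. A leak-free path leaves it where it started. */
static int live_mbufs = 0;

static struct toy_mbuf *toy_get(int len) {
    struct toy_mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL) abort();
    m->len = len;
    live_mbufs++;
    return m;
}

/* Frees one mbuf and returns the next, like m_free(9). */
static struct toy_mbuf *toy_m_free(struct toy_mbuf *m) {
    struct toy_mbuf *n = m->m_next;
    free(m);
    live_mbufs--;
    return n;
}

/* Frees the whole chain, like m_freem(9). */
static void toy_m_freem(struct toy_mbuf *m) {
    while (m != NULL)
        m = toy_m_free(m);
}

/* Constructed three-mbuf chain: header, payload cluster, trailer. */
static struct toy_mbuf *make_packet(void) {
    struct toy_mbuf *m = toy_get(40);
    m->m_next = toy_get(1400);
    m->m_next->m_next = toy_get(60);
    return m;
}

/* Hook shape modelled on pfil: it may rewrite *mp, consume it (*mp = NULL)
 * or drop it; nonzero means "stop", and by then the mbuf must be gone. */
typedef int (*hook_fn)(struct toy_mbuf **mp);

/* The bug the thread diagnoses: "return 1" without freeing or clearing. */
static int leaky_hook(struct toy_mbuf **mp) { (void)mp; return 1; }

/* Correct drop: free the chain, clear the caller's pointer, return nonzero. */
static int dropping_hook(struct toy_mbuf **mp) {
    toy_m_freem(*mp);
    *mp = NULL;
    return 1;
}

/* Pass-through: leave the packet with the caller. */
static int passing_hook(struct toy_mbuf **mp) { (void)mp; return 0; }

/* Caller shaped like the ip6_input() excerpt quoted in the thread. Returns
 * how many mbufs the call left behind (0 when nothing leaked). */
static int input_path(hook_fn hook) {
    int before = live_mbufs;
    struct toy_mbuf *m = make_packet();
    if (hook(&m))                 /* hook said stop; cleanup was its job */
        return live_mbufs - before;
    if (m == NULL)                /* consumed by filter */
        return live_mbufs - before;
    toy_m_freem(m);               /* normal processing would go here */
    return live_mbufs - before;
}

/* Same caller with the patch proposed in the thread (m_free on the stop
 * path): m_free releases only the head mbuf, so the rest is still lost. */
static int patched_input_path(hook_fn hook) {
    int before = live_mbufs;
    struct toy_mbuf *m = make_packet();
    if (hook(&m)) {
        if (m)
            (void)toy_m_free(m);  /* single mbuf, not the chain */
        return live_mbufs - before;
    }
    if (m == NULL)
        return live_mbufs - before;
    toy_m_freem(m);
    return live_mbufs - before;
}

int main(void) {
    printf("leaky hook, caller as in the tree: %d leaked\n", input_path(leaky_hook));
    printf("leaky hook, caller with m_free:    %d leaked\n", patched_input_path(leaky_hook));
    printf("dropping hook:                     %d leaked\n", input_path(dropping_hook));
    return 0;
}
```

The dropping hook is the shape Andrey points to in ip_fw_pfil.c: free the whole chain, set the caller's pointer to NULL, then return nonzero. With that shape in place the caller never needs to free on the stop path, which is why the proposed change to ip6_input() is unnecessary for a conforming hook and still leaks two of three mbufs for the non-conforming one.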