From owner-freebsd-pf@freebsd.org Sun Mar 7 21:00:01 2021
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 7 Mar 2021 21:00:01 +0000
Message-Id: <202103072100.127L01g8093988@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p
Open        |    237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Tue Mar 9 10:05:47 2021
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-pf@freebsd.org
Subject: pfctl segmentation fault in pfctl_optimize.c
Date: Tue, 9 Mar 2021 11:05:30 +0100
Message-ID: <20210309110530.63834499@mr185033.univ-rennes1.fr>

Hello,

FreeBSD 11.4-RELEASE-p3 / amd64

Yesterday while loading a ruleset, pfctl core dumped with a segmentation
fault (see gdb below).

We have recently been using some big tables, so maybe this is what
triggered the problem (?). I can't reproduce this.

I've found something on tech@openbsd.org that looks closely related:
https://www.mail-archive.com/tech@openbsd.org/msg42870.html

Thanks, regards.

# gdb /sbin/pfctl
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
(gdb) core /home/adminsys/pfctl.core
Core was generated by `/sbin/pfctl -f /etc/pf.conf'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.5...Reading symbols from /usr/lib/debug//lib/libm.so.5.debug...done.
done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libmd.so.6...Reading symbols from /usr/lib/debug//lib/libmd.so.6.debug...done.
done.
Loaded symbols for /lib/libmd.so.6
Reading symbols from /lib/libc.so.7...Reading symbols from /usr/lib/debug//lib/libc.so.7.debug...done.
done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...Reading symbols from /usr/lib/debug//libexec/ld-elf.so.1.debug...done.
done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0000000800d6bf4d in ifree (ptr=0x801452fc0, tcache=0x80140d000, slow_path=<optimized out>)
    at src/contrib/jemalloc/include/jemalloc/internal/tcache.h:415
415             if (unlikely(tbin->ncached == tbin_info->ncached_max)) {
Current language:  auto; currently minimal
(gdb) bt
#0  0x0000000800d6bf4d in ifree (ptr=0x801452fc0, tcache=0x80140d000, slow_path=<optimized out>)
    at src/contrib/jemalloc/include/jemalloc/internal/tcache.h:415
#1  0x0000000800d6bdb1 in __free (ptr=0x801452fc0)
    at src/contrib/jemalloc/include/jemalloc/internal/tsd.h:716
#2  0x0000000000425345 in superblock_free (pf=0x7fffffffdd60, block=0x80149b600)
    at /usr/src/sbin/pfctl/pfctl_optimize.c:1647
#3  0x0000000000424b1f in pfctl_optimize_ruleset (pf=0x7fffffffdd60, rs=0x801458490)
    at /usr/src/sbin/pfctl/pfctl_optimize.c:357
#4  0x000000000040572c in pfctl_load_ruleset (pf=0x7fffffffdd60, path=<optimized out>,
    rs=0x801458490, rs_num=1, depth=0) at /usr/src/sbin/pfctl/pfctl.c:1396
#5  0x0000000000405ffd in pfctl_rules (dev=3, filename=0x7fffffffee6f "/etc/pf.conf", opts=0,
    optimize=<optimized out>, anchorname=0x7fffffffe600 "", trans=0x0)
    at /usr/src/sbin/pfctl/pfctl.c:1594
#6  0x000000000040856f in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/sbin/pfctl/pfctl.c:2475
#7  0x000000000040251b in _start ()
#8  0x0000000800667000 in ?? ()
#9  0x0000000000000000 in ?? ()
(gdb) frame 2
#2  0x0000000000425345 in superblock_free (pf=0x7fffffffdd60, block=0x80149b600)
    at /usr/src/sbin/pfctl/pfctl_optimize.c:1647
warning: Source file is more recent than executable.
1647            free(por->por_dst_tbl);

From owner-freebsd-pf@freebsd.org Wed Mar 10 19:37:23 2021
From: mike tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Subject: load balancing port redirects
Date: Wed, 10 Mar 2021 14:37:23 -0500
Message-ID: <8183ec73-8ca7-c807-c8ce-46dabd8a027e@sentex.net>
Is there any way in pf to redirect one port to a range of ports?

e.g.

rdr pass log on $public_nic proto tcp from any to $public_nat_ip port 80 -> $web_server port 80:100

Much like round robin load balancing on outbound nat, I want to round robin
through ports if possible.

---Mike

From owner-freebsd-pf@freebsd.org Wed Mar 10 19:48:18 2021
From: Kristof Provost <kp@FreeBSD.org>
To: Patrick Lamaiziere <patfbsd@davenulle.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl segmentation fault in pfctl_optimize.c
Date: Wed, 10 Mar 2021 20:48:15 +0100
In-Reply-To: <20210309110530.63834499@mr185033.univ-rennes1.fr>
References: <20210309110530.63834499@mr185033.univ-rennes1.fr>
On 9 Mar 2021, at 11:05, Patrick Lamaiziere wrote:
> Hello,
>
> FreeBSD 11.4-RELEASE-p3 / amd64
>
> Yesterday while loading a ruleset, pfctl core dumped with a
> segmentation fault (see gdb below)
>
> We are recently using some big tables so maybe this is what triggered
> the problem (?), I can't reproduce this.
>
> I've found something on tech@openbsd.org that looks closely related:
> https://www.mail-archive.com/tech@openbsd.org/msg42870.html
>
At first glance that looks like a sane change, but I can’t reproduce the
crash described there.

Can you reproduce your crash? I try to avoid making changes I can’t write
a test for.

Best regards,
Kristof

From owner-freebsd-pf@freebsd.org Wed Mar 10 20:29:14 2021
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 254171] 13.0-RC1: pf: vnet: jail leaves a unnecessary swi1 thread in intr process
Date: Wed, 10 Mar 2021 20:29:14 +0000
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254171

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Wed Mar 10 23:15:40 2021
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 254171] 13.0-RC1: pf: vnet: jail leaves a unnecessary swi1 thread in intr process
Date: Wed, 10 Mar 2021 23:15:40 +0000
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Changed-Fields: bug_status assigned_to cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254171

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |In Progress
           Assignee|pf@FreeBSD.org              |kp@freebsd.org
                 CC|                            |kp@freebsd.org

--- Comment #1 from Kristof Provost ---
Confirmed.

That's due to a bit of an unfortunate design choice in swi_remove() which
means we have to call intr_event_destroy() ourselves (and track the
intr_event...).

It also affects pfsync, but both are fairly straightforward to fix.

See https://reviews.freebsd.org/D29211

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Thu Mar 11 06:38:30 2021
From: Zenny <garbytrash@gmail.com>
To: freebsd-pf@freebsd.org
Subject: pf config to isolate two vnet/netgraph VLAN jail groups?
Date: Thu, 11 Mar 2021 07:38:27 +0100

Hi,

Any suggestion to restrict any transaction/interaction/traffic between the
NATted netgraph vlans (vi0 and vi1 in this case), but not with the bridged
external NIC ($ext_if in pf), in a setup (digraph) as below (netdiagram is
attached)?

I would appreciate it if anyone can suggest some inputs to isolate two
netgraph vlans so that they cannot reach each other, but are accessible to
and from the internet via the NATted external NIC.

I use pf, FYI.

Cheers and stay safe!
/z

digraph "netgraph" {
    graph [ fontsize = "14" fontname = "Times-Roman" fontcolor = "black" ]
    node  [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" shape = "record" style = "solid" ]
    edge  [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" style = "solid" ]

    "1"  [ label = "{em0:|{ether|[1]:}}" ]
    "c5" [ label = "{vi1_c2:|{eiface|[c5]:}}" ]
    "86" [ label = "{vi0_v2:|{eiface|[86]:}}" ]
    "a8" [ label = "{vi1:|{eiface|[a8]:}}" ]
    "69" [ label = "{vi0:|{eiface|[69]:}}" ]
    "eb" [ label = "{ngctl15171:|{socket|[eb]:}}" ]
    "ae" [ label = "{vi1br:|{bridge|[ae]:}}" ]
    "6f" [ label = "{vi0br:|{bridge|[6f]:}}" ]
    "b3" [ label = "{vi1_c1:|{eiface|[b3]:}}" ]
    "74" [ label = "{vi0_v1:|{eiface|[74]:}}" ]
    "d8" [ label = "{vi1_c3:|{eiface|[d8]:}}" ]
    "99" [ label = "{vi0_v3:|{eiface|[99]:}}" ]

    { "1" "c5" "86" "a8" "69" "eb" "ae" "6f" "b3" "74" "d8" "99" }

    subgraph "cluster_disconnected" {
        graph [ bgcolor = "pink" ]
        "1" "eb"
    }

    "ae" -> "c5" [ headlabel = "ether" taillabel = "link2" ]
    "6f" -> "86" [ headlabel = "ether" taillabel = "link2" ]
    "a8" -> "ae" [ headlabel = "link0" taillabel = "ether" ]
    "69" -> "6f" [ headlabel = "link0" taillabel = "ether" ]
    "ae" -> "b3" [ headlabel = "ether" taillabel = "link1" ]
    "6f" -> "74" [ headlabel = "ether" taillabel = "link1" ]
    "ae" -> "d8" [ headlabel = "ether" taillabel = "link3" ]
    "6f" -> "99" [ headlabel = "ether" taillabel = "link3" ]
}

Cheers, and stay safe,
/z
From owner-freebsd-pf@freebsd.org Thu Mar 11 19:17:32 2021
From: mike tancsa
To: freebsd-pf@freebsd.org
Subject: pflog and reason
Message-ID: <87a76e48-aa9f-f1e2-f303-92d2ee9576fb@sentex.net>
Date: Thu, 11 Mar 2021 14:17:30 -0500

I am trying to track down the IPs that are hitting my src limits, but I
don't see them logged. According to

https://www.freebsd.org/cgi/man.cgi?query=pflogd&sektion=8

I should be able to see the reason something got blocked

e.g. if I have something like

pass in log on $outside_nic proto tcp from any to $http_server port 80
keep state (max 25 max-src-conn-rate 2/60)

How would I find the IP that is tripping up the max state rule or
max-src-conn-rate ?

Looking at

pfctl -sinfo -v

Limit Counters
  max states per rule               293319            0.2/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                  10273            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

The counters are increasing, but I never see it in pflog

tcpdump -tttt -nei pflog0 -s0 reason state-limit or reason src-limit

    ---Mike

From owner-freebsd-pf@freebsd.org Fri Mar 12 05:25:57 2021
From: Max
To: freebsd-pf@freebsd.org
Subject: Re: pflog and reason
Message-ID: <82340a4c-619a-8efd-687c-ab0ecb9f65ef@als.nnov.ru>
In-Reply-To: <87a76e48-aa9f-f1e2-f303-92d2ee9576fb@sentex.net>
Date: Fri, 12 Mar 2021 08:25:45 +0300

You can use the overload option.
"With the overload <table> state option, source IP addresses which hit
either of the limits on established connections will be added to the
named table."

pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep state \
   (max-src-conn-rate 15/86400, overload <rdp-bruteforce> flush global)

# pfctl -t rdp-bruteforce -vTs
   222.214.161.232
        Cleared:     Thu Mar  4 08:09:50 2021

According to https://www.freebsd.org/cgi/man.cgi?query=pcap-filter&sektion=7

       reason code
              True if the packet was logged with the specified PF reason code.
              The known codes are: match, bad-offset, fragment, short,
              normalize, and memory (applies only to packets logged by
              OpenBSD's or FreeBSD's pf(4)).

11.03.2021 22:17, mike tancsa wrote:
> I am trying to track down the IPs that are hitting my src limits, but I
> don't see them logged. According to
>
> https://www.freebsd.org/cgi/man.cgi?query=pflogd&sektion=8
>
> I should be able to see the reason something got blocked
>
> e.g. if I have something like
>
> pass in log on $outside_nic proto tcp from any to $http_server port 80
> keep state (max 25 max-src-conn-rate 2/60)
>
> How would I find the IP that is tripping up the max state rule or
> max-src-conn-rate ?
>
> Looking at
>
> pfctl -sinfo -v
>
> Limit Counters
>   max states per rule               293319            0.2/s
>   max-src-states                         0            0.0/s
>   max-src-nodes                          0            0.0/s
>   max-src-conn                           0            0.0/s
>   max-src-conn-rate                  10273            0.0/s
>   overload table insertion               0            0.0/s
>   overload flush states                  0            0.0/s
>
> The counters are increasing, but I never see it in pflog
>
> tcpdump -tttt -nei pflog0 -s0 reason state-limit or reason src-limit
>
>     ---Mike

From owner-freebsd-pf@freebsd.org Fri Mar 12 13:00:29 2021
From: Patrick Lamaiziere
To: "Kristof Provost"
Cc: "Patrick Lamaiziere", freebsd-pf@freebsd.org
Subject: Re: pfctl segmentation fault in pfctl_optimize.c
Message-ID: <20210312140010.506b668c@mr185033.univ-rennes1.fr>
References: <20210309110530.63834499@mr185033.univ-rennes1.fr>
Date: Fri, 12 Mar 2021 14:00:10 +0100

On Wed, 10 Mar 2021 20:48:15 +0100 "Kristof Provost" wrote:

Hello,

> > FreeBSD 11.4-RELEASE-p3 / amd64
> >
> > Yesterday while loading a ruleset, pfctl core dumped with a
> > segmentation fault (see gdb below)
> >
> > We are recently using some big tables so maybe this is what
> > triggered the problem (?), I can't reproduce this.
> >
> > I've found something on tech@openbsd.org that looks closely related:
> > https://www.mail-archive.com/tech@openbsd.org/msg42870.html
> >
> At first glance that looks like a sane change, but I can’t reproduce
> the crash described there.
>
> Can you reproduce your crash? I try to avoid making changes I can’t
> write a test for.

No I can't reproduce the problem.

We have two firewalls using carp and they use the same pf.conf and the
same big table (~100K ip addresses) stored in a file /etc/ipblocklist

This file comes from another machine; on change it is sent via ssh to the
firewalls and pf.conf is reloaded.

On the first (fucop1):

auth.log.14.bz2:Mar 1 07:20:06 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/bin/cp /tmp/ipblocklist /etc/ipblocklist
auth.log.14.bz2:Mar 1 07:20:08 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/sbin/pfctl -nf /etc/pf.conf
auth.log.14.bz2:Mar 1 07:20:09 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/sbin/pfctl -f /etc/pf.conf
messages:Mar 1 07:20:14 fucop1 kernel: pid 30059 (pfctl), jid 0, uid 0: exited on signal 11 (core dumped)
messages:Mar 1 07:20:14 fucop1 kernel: pid 30058 (sudo), jid 0, uid 0: exited on signal 11

On the second firewall all is good, I see the same commands without problem
(no core file, no log) and the data should be exactly the same.

So I don't have any idea, I'm not sure if pfctl is involved in fact...

I've read the code of pfctl a bit. If pfctl crashes in
pfctl_optimize_ruleset, is there a risk to leave pf in a bad state ?
Looks like the rules are sent to pf via ioctl after the optimization so a
crash before should be harmless (?).

We were hit by the fact that shortly after pfctl crashed (5 minutes after),
we reloaded the rules without error and then pf stopped to filter the
traffic and was wide open, as if the ruleset was empty.

So I'm asking if the pfctl crash can be related to this problem, I think not
but...

Thanks, regards.
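A guarded reload that adds the post-load check the sequence in Patrick's auth.log lacks, as an added example in shell (not code from the thread or from FreeBSD): it keeps the `pfctl -nf` / `pfctl -f` pair and then verifies, from `pfctl -sr` and `pfctl -T show` output, that the kernel really holds the expected rules and the whole blocklist. The table name `ipblocklist`, `/etc/pf.conf.last-good`, the minimum rule count and the sample pfctl output are assumptions for this host.

```shell
#!/bin/sh
# Added example, not code from the thread. Patrick's auth.log shows the
# usual "pfctl -nf /etc/pf.conf" check followed by "pfctl -f /etc/pf.conf";
# what that sequence lacks is a check that the kernel ended up with the
# ruleset and the table you expected, which is what the later "wide open"
# reload would have tripped. The checks only read pfctl text output, so they
# are exercised here on constructed samples. The paths, table name and
# minimum rule count are assumptions for this host.

# Print the number of filter rules in "pfctl -sr" output read from stdin
# (grep exits 1 on a count of 0, which is a valid answer here).
count_rules() {
    grep -c -E '^(pass|block|match|scrub|anchor|nat|rdr|binat)[[:space:]]' || true
}

# missing_table_entries LIST_FILE TABLE_FILE
#   Print each address from LIST_FILE (one per line, "#" comments allowed)
#   that does not appear in TABLE_FILE, the output of "pfctl -t <name> -T show".
#   FILENAME is compared instead of the usual NR==FNR so that an empty table
#   (the failure we care about) still reports every address as missing.
missing_table_entries() {
    awk 'FILENAME == ARGV[1] { present[$1] = 1; next }
         /^[ \t]*#/ || NF == 0 { next }
         !($1 in present) { print $1 }' "$2" "$1"
}

# verify_loaded MIN_RULES RULES_FILE TABLE_FILE LIST_FILE
#   Succeed only if at least MIN_RULES rules are loaded and every address in
#   LIST_FILE is in the table.
verify_loaded() {
    nrules=$(count_rules < "$2")
    if [ "$nrules" -lt "$1" ]; then
        echo "ruleset has $nrules rules, expected at least $1" >&2
        return 1
    fi
    missing=$(missing_table_entries "$4" "$3")
    if [ -n "$missing" ]; then
        printf 'table is missing entries:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# The guarded reload for real use (needs pf, so the samples below do not
# call it). /etc/pf.conf.last-good is an assumed copy the operator keeps.
guarded_reload() {
    tmp=$(mktemp -d) || return 1
    pfctl -nf /etc/pf.conf || { rm -rf "$tmp"; return 1; }   # parse only
    pfctl -f /etc/pf.conf || { rm -rf "$tmp"; return 1; }    # load ruleset
    pfctl -sr > "$tmp/rules"
    pfctl -t ipblocklist -T show > "$tmp/table"
    if ! verify_loaded 10 "$tmp/rules" "$tmp/table" /etc/ipblocklist; then
        pfctl -f /etc/pf.conf.last-good                      # roll back
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}

# Constructed samples standing in for pfctl output.
demo=$(mktemp -d)
cat > "$demo/rules" <<'EOF'
scrub in all fragment reassemble
block drop in log all
block drop in quick from <ipblocklist> to any
pass out quick on em0 inet proto tcp from any to any flags S/SA keep state
EOF
: > "$demo/rules.empty"
printf '192.0.2.10\n# pushed from the blocklist host\n198.51.100.0/24\n' > "$demo/list"
printf '   192.0.2.10\n   198.51.100.0/24\n' > "$demo/table.full"
: > "$demo/table.empty"

verify_loaded 3 "$demo/rules" "$demo/table.full" "$demo/list" && echo "reload OK"
verify_loaded 3 "$demo/rules.empty" "$demo/table.full" "$demo/list" || echo "caught empty ruleset"
verify_loaded 3 "$demo/rules" "$demo/table.empty" "$demo/list" || echo "caught empty table"
```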
From owner-freebsd-pf@freebsd.org Fri Mar 12 13:06:25 2021
From: "Kristof Provost"
To: "Patrick Lamaiziere"
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl segmentation fault in pfctl_optimize.c
Message-ID: <7963281C-B340-4AF3-9BBB-1D894DAC15E9@FreeBSD.org>
In-Reply-To: <20210312140010.506b668c@mr185033.univ-rennes1.fr>
References: <20210309110530.63834499@mr185033.univ-rennes1.fr> <20210312140010.506b668c@mr185033.univ-rennes1.fr>
Date: Fri, 12 Mar 2021 14:06:22 +0100

On 12 Mar 2021, at 14:00, Patrick Lamaiziere wrote:
> I've read the code of pfctl a bit. If pfctl crashes in
> pfctl_optimize_ruleset, is there a risk to leave pf in a bad state ?
> Looks like the rules are sent to pf via ioctl after the optimization
> so a crash before should be harmless (?).
>
That should be the case, yes.

I’ve not checked the pfctl code to see if it actually starts the operation
to change the rules or not, but either way, pf rule changes are atomic.
They either succeed completely or not at all.

Pf accomplishes this by keeping an active and inactive ruleset, and when you
load new rules pfctl will start a transaction (DIOCXBEGIN), add the complete
new ruleset (DIOCADDRULE) and only then commit to swapping the active and
inactive rulesets (DIOCXCOMMIT).

Best regards,
Kristof

From owner-freebsd-pf@freebsd.org Fri Mar 12 14:13:14 2021
From: mike tancsa
To: Max, freebsd-pf@freebsd.org
Subject: Re: pflog and reason
Message-ID: <0198c9a2-7e2d-12ae-8f22-f29cb91f3a72@sentex.net>
In-Reply-To: <82340a4c-619a-8efd-687c-ab0ecb9f65ef@als.nnov.ru>
Date: Fri, 12 Mar 2021 09:12:59 -0500

On 3/12/2021 12:25 AM, Max wrote:
> You can use the overload option.
> "With the overload <table> state option, source IP addresses which hit
> either of the limits on established connections will be added to the
> named table."
>
> pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep
> state \
>    (max-src-conn-rate 15/86400, overload <rdp-bruteforce> flush global)
>
Thanks, this might give me the answer in a roundabout way!  But I am
curious as to when I would actually see reason src-limit. According
to the RELENG_12 man pages,

reason match     Reason equals match.  Also accepts "bad-offset", "fragment",
                 "bad-timestamp", "short", "normalize", "memory",
                 "congestion", "ip-option", "proto-cksum", "state-mismatch",
                 "state-insert", "state-limit", "src-limit", and "synproxy".

but I never see state or src limit as a reason. The reason is always a
match.

    ---Mike

> # pfctl -t rdp-bruteforce -vTs
>    222.214.161.232
>         Cleared:     Thu Mar  4 08:09:50 2021
>
> According to
> https://www.freebsd.org/cgi/man.cgi?query=pcap-filter&sektion=7
>        reason code
>           True if the packet was logged with the specified PF reason code.
>           The known codes are: match, bad-offset, fragment, short, normalize,
>           and memory (applies only to packets logged by OpenBSD's or
>           FreeBSD's pf(4)).

From owner-freebsd-pf@freebsd.org Fri Mar 12 16:07:49 2021
From: mike tancsa
To: "freebsd-pf@freebsd.org"
Subject: Alternative to security/expiretable
Date: Fri, 12 Mar 2021 11:07:47 -0500

Hi All,

    Does anyone know of any equiv of expire table from the ports ? It's
now broken on RELENG_12 and 13.x

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253547

    ---Mike

From owner-freebsd-pf@freebsd.org Fri Mar 12 16:18:24 2021
From: Miroslav Lachman <000.fbsd@quip.cz>
To: mike tancsa, "freebsd-pf@freebsd.org"
Subject: Re: Alternative to security/expiretable
Date: Fri, 12 Mar 2021 17:18:13 +0100

On 12/03/2021 17:07, mike tancsa wrote:
> Hi All,
>
>     Does anyone know of any equiv of expire table from the ports ? It's
> now broken on RELENG_12 and 13.x
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253547

You can use pfctl with the command expire:

# pfctl -v -t $table -T expire $ttl

Miroslav Lachman
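One way to see which entries the `pfctl -T expire` Miroslav points at would remove, and to audit the table that Max's overload option fills, as an added example in shell (not code from the thread): it parses the `pfctl -t <table> -vTs` listing in the format Max quoted and reports every entry whose Cleared time is older than a TTL. The table name `http-abusers`, the rule variant in the comment and the sample listing are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Max's overload <table> option
# records the sources that hit max-src-conn-rate, and Miroslav's
# "pfctl -t $table -T expire $ttl" drops the entries older than a TTL;
# this script shows what that expiry decides, by parsing the listing that
# "pfctl -t <table> -vTs" prints (the format Max quoted) and reporting
# every entry whose "Cleared" timestamp is older than TTL seconds. The
# table name and the sample listing below are constructed for the demo.
#
# Mike's rule from the thread with the table added (assumed names):
#   table <http-abusers> persist
#   pass in log on $outside_nic proto tcp from any to $http_server port 80 \
#       keep state (max 25, max-src-conn-rate 2/60, \
#                   overload <http-abusers> flush global)

# expired_entries TTL NOW < listing
#   TTL is in seconds; NOW is a ctime(3)-style string such as the output of
#   date(1) ("Fri Mar 12 09:12:59 EST 2021"), in the same timezone pfctl
#   printed its timestamps in. Prints "<address> <age-in-seconds>" for each
#   expired entry. Done in awk so it works with both BSD and GNU date.
expired_entries() {
    awk -v ttl="$1" -v now_s="$2" '
    # Seconds since the epoch for "Thu Mar  4 08:09:50 2021", also tolerating
    # a timezone token before the year (days-from-civil formula, Gregorian).
    function epoch(s,    f, n, m, i, mon, y, d, era, yoe, doy, doe) {
        n = split(s, f, /[ :]+/)
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) if (m[i] == f[2]) mon = i
        y = f[n] + 0; d = f[3] + 0
        if (mon <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (mon > 2 ? mon - 3 : mon + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return (era * 146097 + doe - 719468) * 86400 + f[4] * 3600 + f[5] * 60 + f[6]
    }
    BEGIN { now = epoch(now_s) }
    # An address line (optionally negated with "!") starts a new entry.
    /^[ \t]*!?[0-9A-Fa-f.:\/]+[ \t]*$/ { addr = $1; next }
    /Cleared:/ {
        t = $0; sub(/.*Cleared:[ \t]*/, "", t)
        age = now - epoch(t)
        if (age > ttl) print addr, age
    }'
}

# Constructed sample of "pfctl -t http-abusers -vTs" output.
SAMPLE_LISTING='   192.0.2.10
        Cleared:     Thu Mar  4 08:09:50 2021
        In/Block:    [ Packets: 12                 Bytes: 720                ]
   198.51.100.7
        Cleared:     Fri Mar 12 08:00:00 2021
   2001:db8::5
        Cleared:     Fri Mar 12 09:12:59 2021'

# With a one-day TTL only the entry from 4 March is due for expiry.
printf '%s\n' "$SAMPLE_LISTING" | expired_entries 86400 "Fri Mar 12 09:12:59 2021"
# prints: 192.0.2.10 694989
```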