From nobody Tue Oct 26 17:13:26 2021
From: Chris
To: Marcel Bischoff
Cc: freebsd-pf@freebsd.org
Date: Tue, 26 Oct 2021 10:13:26 -0700
Subject: Re: "pfctl: Cannot allocate memory" issue with a large table
On 2021-10-23 11:42, Marcel Bischoff wrote:
> Hi all,
>
> for some time now I'm using the excellent (in my opinion) pf-badhost script
> [https://geoghegan.ca/pfbadhost.html] to create default blocklists for some
> servers. When using IPv6 and/or geoblocking with it, I often run into the
> "pfctl: Cannot allocate memory" error upon replacing the table contents.
>
> The list contains about 300k+ lines with IPs and CIDRs. It is properly
> aggregated so the net blocks are compacted as far as possible into CIDR
> notation. Only single IPs are listed without a "/32" or "/128" suffix.
>
> /etc/pf.conf contains
>
>> set limit table-entries 1000000
>
> /boot/loader.conf contains
>
>> net.pf.request_maxcount=1000000
>> kern.maxdsiz="2147483648"
>
> /etc/sysctl.conf contains
>
>> net.pf.request_maxcount=1000000
>
> "pfctl -s memory" shows the limit is active:
>
>> states        hard limit   100000
>> src-nodes     hard limit    10000
>> frags         hard limit     5000
>> table-entries hard limit  1000000
>
> During my research I found out that replacing a pf table temporarily needs
> double the memory as both the old and new states are held before the old is
> discarded. This makes complete sense to me. What I don't understand is why
> the error still occurs despite the proper limit being set.
>
> Does anyone have an idea how I can resolve this? It is entirely possible
> this happens due to me not entirely understanding how memory allocation in
> pf works. However, I haven't found anything particularly applicable either
> in the Handbook or the "pf.conf" man page.

Have you reached your STATE limit?
OTOH you might try adding the IPs from the list individually. Something like:

iplist="
w.x.y.z
a.b.c.d
...
g.h.i.j
"

# $table holds the name of the pf table the list goes into
for block in $iplist
do
  pfctl -t $table -T add $block
done

I'm managing about a half dozen tables with a combined number of over a
quarter of a billion addresses, and don't have a problem. Even on servers
with as little as 8GB RAM.
HTH
--Chris

> Best,
> Marcel
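An added example, not code from Chris's message or from the pf-badhost project, that turns the suggestion above into a script: it reads the table-entries hard limit from "pfctl -s memory", checks whether a "-T replace" would fit given that old and new entries coexist during a replace (the point raised in the quoted question), and otherwise feeds the list to "pfctl -t <table> -T add -f" in batches. The table name "badhosts", the batch size and the PFCTL override are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from pf-badhost: load a large
# blocklist into a pf table without one giant "-T replace".  Assumptions:
# the table is called "badhosts", the default batch size is 10000 entries,
# and PFCTL can be pointed at a stub so the logic runs on a host without pf.
set -u

PFCTL="${PFCTL:-pfctl}"

# Read "pfctl -s memory" output on stdin and print the table-entries hard limit.
table_entries_limit() {
    awk '$1 == "table-entries" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Count usable entries in a blocklist: blank lines and "#" comments are skipped.
count_entries() {
    grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1"
}

# A replace holds the old and the new entries at the same time, so it only
# fits if new + old stays within the table-entries limit.  Exit status 0 = fits.
replace_fits() {
    rf_new=$1; rf_old=$2; rf_limit=$3
    [ $((rf_new + rf_old)) -le "$rf_limit" ]
}

# Add the entries of file $2 to table $1 in batches of $3 (default 10000)
# lines, one "-T add -f" per batch, so no single request carries the whole
# list.  Stops at the first failing batch and returns non-zero.
load_in_batches() {
    lb_table=$1; lb_file=$2; lb_batch=${3:-10000}
    lb_dir=$(mktemp -d) || return 1
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$lb_file" \
        | split -l "$lb_batch" - "$lb_dir/chunk."
    lb_rc=0
    for lb_chunk in "$lb_dir"/chunk.*; do
        [ -e "$lb_chunk" ] || continue          # empty input: no chunks at all
        if ! "$PFCTL" -t "$lb_table" -T add -f "$lb_chunk" >/dev/null; then
            lb_rc=1
            break
        fi
    done
    rm -rf "$lb_dir"
    return $lb_rc
}

# Stand-alone use: sh load_table.sh <table> <blocklist> [batch]
if [ "$#" -ge 2 ]; then
    new=$(count_entries "$2")
    old=$("$PFCTL" -t "$1" -T show 2>/dev/null | wc -l | tr -d ' ')
    limit=$("$PFCTL" -s memory | table_entries_limit)
    if replace_fits "$new" "$old" "$limit"; then
        echo "replace fits: $new new + $old old <= limit $limit"
        "$PFCTL" -t "$1" -T replace -f "$2"
    else
        echo "replace would exceed the limit ($new + $old > $limit); adding in batches"
        load_in_batches "$1" "$2" "${3:-10000}"
    fi
fi
```

Batch adds only ever grow the table, so entries that dropped out of the list stay until the table is flushed; flushing a blocklist before re-adding leaves a window with nothing blocked, which is why the script prefers a replace whenever it fits.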

From nobody Wed Oct 27 10:02:11 2021
From: Marcel Bischoff
To: Chris
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 Oct 2021 12:02:11 +0200
Subject: Re: "pfctl: Cannot allocate memory" issue with a large table

On 21/10/26, Chris wrote:
> Have you reached your STATE limit?
> OTOH you might try adding the IPs from the list individually. Something like:
>
> iplist="
> w.x.y.z
> a.b.c.d
> ...
> g.h.i.j
> "
>
> # $table holds the name of the pf table the list goes into
> for block in $iplist
> do
>   pfctl -t $table -T add $block
> done
>
> I'm managing about a half dozen tables with a combined number of over a
> quarter of a billion addresses, and don't have a problem. Even on servers
> with as little as 8GB RAM.

Thanks for the suggestion. As far as I can tell, this shouldn't be the case,
as the server in question is a relatively quiet server with regard to
traffic. It is extremely unlikely that more active states than configured
are held concurrently. That being said, I have raised the limit temporarily
and will be monitoring the situation.

Could you please elaborate as to why you think this may be related? I would
like to understand the inner workings of pf a bit better.
Best,
Marcel

From nobody Sat Oct 30 21:39:20 2021
From: freebsd@ohreally.nl
To: freebsd-pf@freebsd.org
Date: Sat, 30 Oct 2021 23:39:20 +0200
Subject: How to reset counters selectively?
Hello everyone,

I'm running into this question that seems simple to me, but I can't find a
satisfying answer, so probably it's not as simple as I think.

I'd like to selectively reset counters to zero, but only if they are
currently not zero.

I hope you don't mind if I redirect you to the FreeBSD forums, instead of
repeating the (short) discussion I had there, and risking the loss of
information. The thread is here:
https://forums.freebsd.org/threads/pf-counters-how-do-i-reset-them-selectively.82649/

Thanks in advance for any response.
Best,
Rob
-- 
:wq

From nobody Sun Oct 31 12:48:48 2021
From: tech-lists
To: freebsd-pf@freebsd.org
Date: Sun, 31 Oct 2021 12:48:48 +0000
Subject: pf on a bhyve host

Hello pf@

(the context is a 12.2-p10 host and various bhyve guests)

What's the best way to have pf protect the host (on igb0) but
leave the traffic for the tap devices unexamined? It seems, for example

set skip on $tap_ifs

where $tap_ifs is a macro containing four tap devices, doesn't do what's
needed. In this context, igb0 is bridged with the tap devices. Traffic
still gets hit by pf block rules on the host despite being for the vm
behind the tap device(s).

Is a different approach needed? Do I need to use vlans? The bhyve guests
need to have real routable IPs and both the host and the guests are on
the same subnet. The desired outcome was previously achieved with a
hardware firewall in front of the bhyve host.

I'm not sure if this is possible with freebsd's pf. Maybe it is with
openbsd's? I understand that we have pci passthru with bhyve+openbsd
guests now.

thanks,
-- 
J.

From nobody Sun Oct 31 21:00:07 2021
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Date: Sun, 31 Oct 2021 21:00:07 +0000
Subject: Problem reports for pf@FreeBSD.org that need special attention

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.