From owner-freebsd-pf@FreeBSD.ORG Mon Sep 25 11:08:40 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 25 Sep 2006 11:08:25 GMT
Message-Id: <200609251108.k8PB8P92090632@freefall.freebsd.org>
Subject: Current problem reports assigned to you
X-Mailman-Version: 2.1.5
List-Id: "Technical discussion and general questions about packet filter (pf)"

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/82271   pf     [pf] cbq scheduler cause bad latency
f kern/86072   pf     [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o sparc/93530  pf     Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o conf/81042   pf     [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf     [pf] pf reply-to doesn't work
o kern/94992   pf     [pf] [patch] pfctl complains about ALTQ missing
o kern/103304  pf     pf accepts nonexistent queue in rules

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 25 13:06:51 2006
From: "Roger Miranda (Digital Relay)"
Organization: Digital Relay Inc.
To: freebsd-pf@freebsd.org
Date: Mon, 25 Sep 2006 08:06:33 -0500
Message-Id: <200609250806.34130.rmiranda@digitalrelay.ca>
Subject: PF FW/ Drop Connections

First poster here.

I have a system with a static IP on the WAN/EXT_IF interface. But we are having some issues and my last area to check is the pf.conf file (below).

1) Every 24-36 hours we get dropped connections on the WAN interface; a simple reboot fixes it.
2) Running monitoring software outside the network shows that 6-8 times an hour a ping will get lost.

We have tried everything with the ISP to try to get this resolved. My last try is this pf.conf file. I'm running FreeBSD 6.1 with PF enabled in the kernel.

Thank you

--- pf.conf ------------------------------------------------------------------------------------
ext_if = "rl0"
int_if = "rl1"
dmz_if = "xl0"
privnet = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
webserv = "192.168.0.6"
gateway = "192.168.0.1"
tc = "192.168.55.99"
tcp_services = "{ 2205, 443, 80 }"
icmp_types = "echoreq"

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)

rdr on $ext_if proto tcp from any to any port www -> $webserv port 80
rdr on $ext_if proto tcp from any to any port 443 -> $webserv port 443
rdr on $ext_if proto tcp from any to any port 2205 -> $gateway port 2205
rdr on $ext_if proto tcp from $int_if:network to any port 8080 -> $gateway port 8080
rdr on $int_if proto tcp from $int_if:network to any port www -> $gateway port 3128
rdr on $ext_if proto tcp from any to any port 3306 -> $tc port 3306
rdr on $ext_if proto tcp from any to any port 22 -> $tc port 3306

block in log on $ext_if from any to any
pass out from any to any keep state

pass in log on $ext_if inet proto tcp from any to 192.168.0.1 port 8080 flags S/SA
pass in log on $ext_if inet proto tcp from any to 192.168.0.1 port 2812 flags S/SA
pass in log on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to $webserv port 80 flags S/SA synproxy state
pass in log on $ext_if inet proto tcp from any to $webserv port 443 flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to any port 2205 flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to any port 3306 flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state
pass in log inet proto icmp all icmp-type $icmp_types keep state

pass out log on $int_if from any to $int_if:network keep state
pass out log on $dmz_if from any to $dmz_if:network keep state
pass log quick on $int_if from any to any
pass log quick on $dmz_if from any to $ext_if:network keep state
---------------------------------------------------------------------------------------------------------------------------

--- ifconfig output -------------------------------------------------------------------------------------------------------
rl0: flags=8843 mtu 1500
        options=8
        inet6 fe80::211:95ff:fe66:698e%rl0 prefixlen 64 scopeid 0x1
        inet XXX.XXX.XXX.XXX netmask 0xfffffc00 broadcast XXX.XXX.XXX.XXX
        ether 00:11:95:66:69:8e
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8943 mtu 1500
        options=8
        inet6 fe80::211:95ff:fe61:93f0%rl1 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:11:95:61:93:f0
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8843 mtu 1500
        options=9
        inet6 fe80::206:5bff:feae:83fe%xl0 prefixlen 64 scopeid 0x3
        inet 192.168.55.1 netmask 0xffffff00 broadcast 192.168.55.255
        ether 00:06:5b:ae:83:fe
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
pflog0: flags=0<> mtu 33208
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=0<> mtu 2020
---------------------------------------------------------------------------------------------------------------------------

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 25 14:49:21 2006
From: Ermal Luçi
To: freebsd-pf@FreeBSD.org
Date: Mon, 25 Sep 2006 16:49:14 +0200
Message-ID: <9a542da30609250749i52f966a3x7a9402872d33b976@mail.gmail.com>
Subject: netgraph related question

I am curious how difficult it would be to write a netgraph module for pf, kind of like ng_ipfw. And maybe I am looking for a pointer to which function this hooking needs to be added.

After studying ng_ipfw and the ipfw functions a little bit, ipfw_check() is the function which does the magic by a simple global variable, at least as far as I can tell. Now, can it be done using the same ideas in PF too?

Ah, the reason I am asking this is just to integrate PF with ng_tag, which can do L7 filtering.

Thanks.
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 25 17:01:03 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Ermal Luçi
Date: Mon, 25 Sep 2006 19:00:44 +0200
Message-Id: <200609251900.50657.max@love2party.net>
In-Reply-To: <9a542da30609250749i52f966a3x7a9402872d33b976@mail.gmail.com>
Subject: Re: netgraph related question

On Monday 25 September 2006 16:49, Ermal Luçi wrote:
> I am curious how difficult it would be to write a netgraph module for
> pf, kind of like ng_ipfw.

Between 100 and 600 lines of code, depending how far you want to take it -
see below.

> And maybe I am looking for a pointer to which function this hooking needs
> to be added.
> After studying ng_ipfw and the ipfw functions a little bit, ipfw_check() is
> the function which does the magic by a simple global variable, at least
> as far as I can tell.
> Now, can it be done using the same ideas in PF too?

The basic communication between netgraph and ipfw happens via mbuf tags
attached to the packet. Read the ng_ipfw(4) manpage for details on this.
It is non-trivial to do something along those lines in pf, as ruleset
evaluation works completely differently from what ipfw does, i.e. the main
problem one has to solve is: how do you express the netgraph hook in
pf.conf?

One possible solution would be to have it as part of the scrub ruleset.
This is quick and easy as the scrub ruleset is always evaluated, but it
would be adverse to the general pf idea of stateful filtering.

The more involved solution is to have the ng-hook as a rule option. This
gives all the benefits of stateful filtering, but requires a lot more
changes in pf to make things work together. The basic implementation is
quite easy, however. All you need to do is add the option to the
pf_rule/pf_state structs and attach an mbuf tag accordingly. The packet
is then diverted to netgraph where ng_tag (or any other netgraph node)
can have a look at it and eventually send it back. In pf_test it will match
the same rule/state again (you'd have to change a couple of things to
avoid state irritations) and you can finally pass it, as it has a
netgraph tag already attached.

Support of divert(4) sockets is something along the same line. It would
be nice to have a way to send packets from pf to a divert socket, but the
same problem applies: how do you express the hook-point in pf?

I'd like to work on both of these problems, provided there is enough
interest and we can come up with a proper solution for the hook-point
problem.

Any ideas?

> Ah, the reason I am asking this is just to integrate PF with ng_tag,
> which can do L7 filtering.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 26 13:39:23 2006
From: "Rajkumar S"
To: "Max Laier", freebsd-pf@freebsd.org
Date: Tue, 26 Sep 2006 19:09:21 +0530
Message-ID: <64de5c8b0609260639v173f513ckb65a018d4b2774f@mail.gmail.com>
In-Reply-To: <200609251900.50657.max@love2party.net>
Subject: Re: netgraph related question

On 9/25/06, Max Laier wrote:
> I'd like to work on both of these problems, provided there is enough
> interest and we can come up with a proper solution for the hook-point
> problem.
>
> Any ideas?

I posted about this a couple of days ago; posting it here again for discussion.

Here, instead of a rule extension, I am suggesting adding a new rule action. I am suggesting a new rule action because a pf netgraph node can also deny/allow a packet, just like pass/block. This also goes well with general pf syntax, such as keep state, log and stateful tracking options.

The netgraph link is established via a rule like:

    queue in on dc0 from 192.168.0.0/24 to 192.168.0.1

where the packet will be passed to a netgraph node with full state information about the TCP stream. If the packet is dropped in netgraph then it's as good as a block, otherwise it's a pass.

The packet should be passed to the netgraph node with a tag identifying the session to which this packet belongs, i.e. all packets belonging to a single TCP session should have the same tag. This session tracking is important because it can help in identifying patterns that span multiple packets in userspace easily. The pf netgraph node can then set tags as well as assign the packet to a particular queue, for example to slow down kazaa.

I guess there is tremendous interest in having L7 capabilities in pf, as normal port-based access control is inadequate to deal with problems like skype and other p2p.

I have no idea about the implementation of what I have just said, so I hope this makes some sense :)

raj

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 26 17:17:01 2006
From: Ermal Luçi
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Date: Tue, 26 Sep 2006 19:15:47 +0200
Message-ID: <9a542da30609261015l43d75677u80c4501330d4679f@mail.gmail.com>
In-Reply-To: <200609251900.50657.max@love2party.net>
Subject: Re: netgraph related question

I am glad that you are interested in these new features.

Well, I don't know the PF code as much as you, but I think the hook point can be better expressed with the semantics of route-to/reply-to/dup-to. It just fits better, in my opinion, with the PF idea to use a rule with netgraph-to in the beginning, as it better expresses what it really does. One might argue it kind of mixes with anchor semantics, but in my opinion this is better, so a rule chooses what to pass to the hook and netgraph(4) injects it back.

The same can be applied to divert(4) with a divert-to keyword.

BTW, what is the need of divert(4) on PF if not for being used in kernel proxy code or interaction with natd?! (I am not saying that PF would not need such a feature.)

P.S. Sorry for the broken English, it is not my native language.

On 9/25/06, Max Laier wrote:
> [...]
> The more involved solution is to have the ng-hook as a rule option. This
> gives all the benefits of stateful filtering, but requires a lot more
> changes in pf to make things work together.
> [...]
> Support of divert(4) sockets is something along the same line. It would
> be nice to have a way to send packets from pf to a divert socket, but the
> same problem applies: how do you express the hook-point in pf?
>
> I'd like to work on both of these problems, provided there is enough
> interest and we can come up with a proper solution for the hook-point
> problem.
>
> Any ideas?
> [...]

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 26 22:25:21 2006
From: "Eduardo Meyer"
To: freebsd-pf@freebsd.org
Date: Tue, 26 Sep 2006 19:25:18 -0300
Subject: Sharing link / PF ALTQ
Hello,

I am new to pf/altq, and I am looking for a way to share a link between users with different sorts of priority usage, but that would share the available bandwidth as well as the not-available bandwidth. Ok, confusing. I'll try to make it clear. With dummynet I can do:

queue 10 all from table(1) to any out
queue 11 all from any to table(1) in
queue 20 all from table(2) to any out
queue 21 all from any to table(2) in
queue 30 all from any to any in
queue 31 all from any to any out

queue 10 config pipe 1 weight 20 mask src-ip 0x000000ff
queue 11 config pipe 2 weight 20 mask dst-ip 0x000000ff
queue 20 config pipe 1 weight 10 mask src-ip 0x000000ff
queue 21 config pipe 2 weight 10 mask dst-ip 0x000000ff
queue 30 config pipe 1 weight 5 mask src-ip 0x000000ff
queue 31 config pipe 2 weight 5 mask dst-ip 0x000000ff

pipe 1 config bw 10Mb/s
pipe 2 config bw 5Mb/s

So, the per-IP bandwidth usage limits don't matter; I only have the total limit, which would be the root queue in a pf/altq rule. Every user may use up to the limit of the total available bw, but if more than one user shares the pipes, they will be queued with the assigned weights. It means people on table(2) will be able to use 1/2 of the bw people on table(1) are using, while others will use 1/2 of what people on table(2) are using, and 1/4 of what people on table(1) are using.

It means I don't only have minimums and maximums. If the total bandwidth demand for pipe 1 is over 10Mb/s, say if the demand is 20Mb/s, all the users will suffer, but their suffering will be fair to their weights, so people on table(1) will suffer the same among themselves but will suffer half as much as people on table(2), etc.

To make it short, how can I remake this behavior with pf/altq? And how? Would HFSC do the job? Does PF/ALTQ support WFQ? Can anyone post me example rules?

I found some very good examples with hfsc and upperlimit, realtime and priority, but none that would be exactly like this. They all had their "minimum" well defined and they would use more bandwidth if it were available. I never found how to share the "suffering" if BW is too low compared to the demand, only how to share the extra availability of the bandwidth.

The only thing I am convinced of is that cbq won't do this work for me. But which scheduler will? Does priority work like weights in any situation?

All sorts of examples are more than welcome :)

--
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 28 21:30:53 2006
From: Rolf Grossmann
To: freebsd-pf@freebsd.org
Date: Thu, 28 Sep 2006 23:30:48 +0200 (CEST)
Message-Id: <200609282130.k8SLUmU8089296@progtech.net>
Subject: BAD state/State failure with large number of requests
Hi,

I'm trying to use pf in a load-balancing setup, but it's giving me trouble. So I have set up a simple test scenario that looks like this (not really balancing anything ;)):

Client       --  Balancer         --  Server
10.25.0.100      em0: 10.25.0.41
                 em1: 10.1.1.1        10.1.1.2

On the server I'm running apache (on port 8080) with a static page. On the client, I'm running Apache's ab benchmark to generate a lot of requests.

Now, if I have a route to 10.1.1.2 and I'm running

  ab -n 10000 -c 100 http://10.1.1.2:8080/index.html.en

(i.e. not using the nat/rdr rule, see below), everything works fine. However, if I'm running

  ab -n 10000 -c 100 http://10.25.0.41:8080/index.html.en

it hangs around between 1000 and 3000 requests, and on the balancer I get lots of messages like these:

Sep 28 23:56:56 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 10.25.0.41:8080 10.25.0.100:52209 [lo=2341692840 high=2341759447 win=33304 modulator=0 wscale=1] [lo=2919421554 high=2919488162 win=33304 modulator=0 wscale=1] 9:9 S seq=2345137961 ack=2919421554 len=0 ackskew=0 pkts=6:5 dir=in,fwd
Sep 28 23:56:56 balancer kernel: pf: State failure on: 1 | 5

(Values for lo, high, seq and ack (obviously) and sometimes pkts are varying.)

I've been searching the 'net and looking at similar reports, but so far I haven't found any suggestions. I've of course increased the states limit to handle the number of requests (see ruleset below); however, I can't figure out if it's a bug or a limit or what else I'm running into here.

Anyone, help, please?

Thanks, Rolf.

Here's the pf.conf:

# tables (for load balancing)
table persist { 10.1.1.2 }
table persist { 10.25.0.41 }

# options
set optimization conservative
set block-policy drop
set limit states 200000
set debug misc

# load balancing
rdr inet proto tcp to port 8080 -> port 8080 round-robin

# filter rules
# we're not trying to be a firewall, so just allow all traffic
pass all

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 28 21:52:15 2006
From: Daniel Hartmeier
To: Rolf Grossmann
Cc: freebsd-pf@freebsd.org
Date: Thu, 28 Sep 2006 23:52:09 +0200
Message-ID: <20060928215208.GC25341@insomnia.benzedrine.cx>
In-Reply-To: <200609282130.k8SLUmU8089296@progtech.net>
Subject: Re: BAD state/State failure with large number of requests
On Thu, Sep 28, 2006 at 11:30:48PM +0200, Rolf Grossmann wrote:

> Sep 28 23:56:56 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 10.25.0.41:8080 10.25.0.100:52209 [lo=2341692840 high=2341759447 win=33304 modulator=0 wscale=1] [lo=2919421554 high=2919488162 win=33304 modulator=0 wscale=1] 9:9 S seq=2345137961 ack=2919421554 len=0 ackskew=0 pkts=6:5 dir=in,fwd
> Sep 28 23:56:56 balancer kernel: pf: State failure on: 1 | 5

This means there is an existing state entry from an old (and already closed) connection, and the client is re-using its source port 52209 for a new connection attempt (it's a SYN packet that triggered the log message).

The client is not honouring the 2MSL quiet period, the time it should wait before re-using the same source port to connect to the same destination address/port, as required by the TCP RFCs.

The reason for that is quite likely that it has run out of random high source ports. The range used should be about 49152-65536 (sysctl net.inet.ip.portrange.*), and 10,000 connections is getting close. The client stack can either make ap fail in connect(2), or re-use source ports and violate the RFCs in this case.

Not sure if this is a realistic test, i.e. whether you see the very same problem in production (with 'BAD state' messages for SYN packets), it would only occur if one client is establishing connections to the same server port at high concurrency and/or rate. If not, I'd say the test is simply flawed, and you need multiple clients to simulate realistically.

pf keeps state entries around for a while after a connection has been closed (to catch packets related to the old connection that might arrive late), the timeout is tcp.closed, 90s by default. You can make pf purge such state entries sooner by lowering this timeout.

This most likely has nothing to do with rdr and load-balancing.
The difference between enabling and disabling your rdr rule is basically that of filtering statefully vs. statelessly. Your 'pass all' rule does not create state, while the rdr will automatically create state.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 28 23:01:02 2006
From: Rolf Grossmann
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Fri, 29 Sep 2006 01:00:30 +0200
Message-ID: <451C540E.2010005@PROGTECH.net>
Subject: Re: BAD state/State failure with large number of requests

Hi,

thank you very much for your fast response.
Daniel Hartmeier wrote:

> The client is not honouring the 2MSL quiet period, the time it should wait before re-using the same source port to connect to the same destination address/port, as required by the TCP RFCs.
>
> The reason for that is quite likely that it has run out of random high source ports. The range used should be about 49152-65536 (sysctl net.inet.ip.portrange.*), and 10,000 connections is getting close. The client stack can either make ap fail in connect(2), or re-use source ports and violate the RFCs in this case.

You're absolutely correct, that seems to be my problem. Increasing the range allows me to get a lot more requests through.

> Not sure if this is a realistic test, i.e. whether you see the very same problem in production (with 'BAD state' messages for SYN packets), it would only occur if one client is establishing connections to the same server port at high concurrency and/or rate. If not, I'd say the test is simply flawed, and you need multiple clients to simulate realistically.

I've been suspecting that the test is flawed, but I couldn't put my finger on it. However, I also need a way to actually test my application with a lot of requests and I wouldn't want to buy another server farm for that ;)

> pf keeps state entries around for a while after a connection has been closed (to catch packets related to the old connection that might arrive late), the timeout is tcp.closed, 90s by default. You can make pf purge such state entries sooner by lowering this timeout.

That timeout seems awfully long to me. Is there some standard that mandates such a long timeout? At least for testing I will definitely lower that, too.

Thanks again, Rolf.
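As an added example (not code from the thread or from pf itself), a small Python script that parses the 'pf: BAD state' lines quoted above and separates the case Daniel describes, a SYN arriving for a port whose old, fully closed state is still waiting out tcp.closed, from ordinary window mismatches. The log layout, pf's use of the tcp_fsm.h state numbers, the FreeBSD portrange defaults and the two extra sample lines are assumptions drawn from or constructed for this thread.

```python
"""Classify pf 'BAD state' kernel log lines and spot ephemeral source-port reuse."""
import re
from collections import Counter

# Log format as quoted in this thread ('set debug misc' output).  pf prints the
# state's lan, gwy and ext endpoints in that order, so the client is the third pair.
BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP "
    r"(?P<lan>[\d.]+):(?P<lan_port>\d+) "
    r"(?P<gwy>[\d.]+):(?P<gwy_port>\d+) "
    r"(?P<ext>[\d.]+):(?P<ext_port>\d+) "
    r".*?\] (?P<src_state>\d+):(?P<dst_state>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) .*?dir=(?P<direction>\S+)"
)

# pf reuses the tcp_fsm.h numbering; when both sides have reached FIN_WAIT_2 (9)
# the connection is fully closed and the entry only waits out the tcp.closed timeout.
TCPS_FIN_WAIT_2 = 9
# FreeBSD defaults for net.inet.ip.portrange.first/last, the "about 49152-65536"
# range mentioned in the thread (assumed here, check with sysctl on your client).
EPHEMERAL_FIRST, EPHEMERAL_LAST = 49152, 65535


def parse_bad_state(line):
    """Return the fields of one 'pf: BAD state' line, or None for any other line."""
    m = BAD_STATE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("lan_port", "gwy_port", "ext_port", "src_state", "dst_state", "seq", "ack"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Name the kind of mismatch in the terms used in the thread."""
    closed = rec["src_state"] >= TCPS_FIN_WAIT_2 and rec["dst_state"] >= TCPS_FIN_WAIT_2
    if rec["flags"] == "S" and closed:
        return "port-reuse"          # new SYN from a port whose old state is still held
    if rec["flags"] == "S":
        return "syn-on-live-state"   # SYN against a state that never finished closing
    return "sequence-mismatch"       # data/ACK outside the window pf tracks


def ephemeral_ports_available(first=EPHEMERAL_FIRST, last=EPHEMERAL_LAST):
    """Distinct source ports one client address can use before it must reuse one."""
    return last - first + 1


def summarize(lines):
    """Count mismatch kinds and collect the reused ports per client address."""
    kinds = Counter()
    reused = {}
    for line in lines:
        rec = parse_bad_state(line)
        if rec is None:
            continue
        kind = classify(rec)
        kinds[kind] += 1
        if kind == "port-reuse":
            reused.setdefault(rec["ext"], set()).add(rec["ext_port"])
    return kinds, {host: sorted(ports) for host, ports in reused.items()}


# Constructed sample: the first two lines are the ones quoted in the thread, the
# other two are made up to show a second reused port and a plain window mismatch.
SAMPLE_LOG = [
    "Sep 28 23:56:56 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 10.25.0.41:8080 "
    "10.25.0.100:52209 [lo=2341692840 high=2341759447 win=33304 modulator=0 wscale=1] "
    "[lo=2919421554 high=2919488162 win=33304 modulator=0 wscale=1] 9:9 S "
    "seq=2345137961 ack=2919421554 len=0 ackskew=0 pkts=6:5 dir=in,fwd",
    "Sep 28 23:56:56 balancer kernel: pf: State failure on: 1 | 5",
    "Sep 28 23:56:57 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 10.25.0.41:8080 "
    "10.25.0.100:52210 [lo=1 high=2 win=33304 modulator=0 wscale=1] [lo=3 high=4 "
    "win=33304 modulator=0 wscale=1] 9:9 S seq=5 ack=3 len=0 ackskew=0 pkts=6:5 dir=in,fwd",
    "Sep 28 23:56:58 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 10.25.0.41:8080 "
    "10.25.0.100:52300 [lo=1 high=2 win=33304 modulator=0 wscale=1] [lo=3 high=4 "
    "win=33304 modulator=0 wscale=1] 4:4 A seq=9999 ack=3 len=100 ackskew=0 pkts=6:5 dir=in,fwd",
]
```

Run `summarize(SAMPLE_LOG)` over a real `/var/log/messages` extract to see how many mismatches are SYNs hitting closed states; a high count from one client address against the same server port is the port-exhaustion signature, not an rdr problem.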
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 28 23:17:32 2006
From: "Kian Mohageri"
To: "Rolf Grossmann"
Cc: freebsd-pf@freebsd.org
Date: Thu, 28 Sep 2006 16:17:30 -0700
Subject: Re: BAD state/State failure with large number of requests

On 9/28/06, Daniel Hartmeier wrote:
>
> On Thu, Sep 28, 2006 at 11:30:48PM +0200, Rolf Grossmann wrote:
>
> > Sep 28 23:56:56 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 10.25.0.41:8080 10.25.0.100:52209 [lo=2341692840 high=2341759447 win=33304 modulator=0 wscale=1] [lo=2919421554 high=2919488162 win=33304 modulator=0 wscale=1] 9:9 S seq=2345137961 ack=2919421554 len=0 ackskew=0 pkts=6:5 dir=in,fwd
> > Sep 28 23:56:56 balancer kernel: pf: State failure on: 1 | 5
>
> This means there is an existing state entry from an old (and already closed) connection, and the client is re-using its source port 52209 for a new connection attempt (it's a SYN packet that triggered the log message).
>
> The client is not honouring the 2MSL quiet period, the time it should wait before re-using the same source port to connect to the same destination address/port, as required by the TCP RFCs.
>
> The reason for that is quite likely that it has run out of random high source ports. The range used should be about 49152-65536 (sysctl net.inet.ip.portrange.*), and 10,000 connections is getting close. The client stack can either make ap fail in connect(2), or re-use source ports and violate the RFCs in this case.
>
> Not sure if this is a realistic test, i.e. whether you see the very same problem in production (with 'BAD state' messages for SYN packets), it would only occur if one client is establishing connections to the same server port at high concurrency and/or rate. If not, I'd say the test is simply flawed, and you need multiple clients to simulate realistically.
>
> pf keeps state entries around for a while after a connection has been closed (to catch packets related to the old connection that might arrive late), the timeout is tcp.closed, 90s by default. You can make pf purge such state entries sooner by lowering this timeout.
>
> This most likely has nothing to do with rdr and load-balancing. The difference between enabling and disabling your rdr rule is basically that of filtering statefully vs. statelessly. Your 'pass all' rule does not create state, while the rdr will automatically create state.
>
> Daniel

I ran into this problem using, specifically, PHP applications connecting to a remote MySQL server (both FreeBSD). The scripts ran roughly every 60s and opened way too many connections (bad code), so obviously 90s was too long for tcp.closed if the script used up the random high source ports and then something else tried to connect from a reused port and the state hadn't expired. Scaling down tcp.closed made perfect sense in this case...but the scripts were rewritten too.

The part that confused me was that the connections failed immediately -- it turns out that PF sends a RST upon state mismatch during the initial handshake, as opposed to dropping the packets and letting the connection time out.

If I understood something I heard before correctly, FreeBSD's networking stack does something special when the connection rate gets really high to avoid such re-use, but it's been a while since I read about it so I can't recall the details of the adaptive behavior.
From owner-freebsd-pf@FreeBSD.ORG Fri Sep 29 01:17:35 2006
From: "B. Cook"
To: freebsd-pf@freebsd.org
Date: Thu, 28 Sep 2006 21:17:34 -0400 (EDT)
Message-ID: <56217.24.161.8.173.1159492654.squirrel@mail.poklib.org>
Subject: Transparent proxy with ! and table issues..
Hello,

I'm not sure how to explain this but I will do my best.

I have a FreeBSD 6.1-p7 box running pf.

sis0 10.0.0.87/25
xl0 192.168.1.3/24
gw is 10.0.0.62

pf rules are simple:

public_if ="sis0"
staff_if ="xl0"
proxy_server ="192.168.1.3"

table const {172.16.10.0/24}
table const { 172.16.1.0/24, 192.168.1.0/24, 10.0.0.0/25 }

rdr on {$staff_if, $public_if} inet proto tcp from to ! port www -> $proxy_server port 8080

TRANSLATION RULES:
rdr on xl0 inet proto tcp from to ! port = http -> 192.168.1.3 port 8080
rdr on sis0 inet proto tcp from to ! port = http -> 192.168.1.3 port 8080

FILTER RULES:

No queue in use

Here is what I am trying to accomplish: To have 'local' traffic on the 172.16.1.0/24, and 10.0.0.0/25 and 192.168.1.0/24 be able to connect to the 192.168.1.53 and 192.168.1.52 server without being pushed through the pf rdr.

What I currently have is I can connect to the webserver directly from all the localnets, but I can not attach to the 192.168.1.52 from the 10/25, it pushes me through the squid proxy and gives an error.

located at 192.168.1.53 is a webserver, located at 192.168.1.52 is a program called ezproxy (for remote database access - we are a library). The .53 and .52 are on a different fbsd box. The .52 is the aliased IP.

(192.168.1.52) at 00:08:c7:f3:e4:e2 on xl0 [ethernet]
(192.168.1.53) at 00:08:c7:f3:e4:e2 on xl0 [ethernet]

This is what the clients see..
squidclient -l 192.168.1.3 -v http://192.168.1.53
headers: 'GET http://192.168.1.53 HTTP/1.0
Accept: */*
'
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/html
ETag: "-2046984779"
Accept-Ranges: bytes
Last-Modified: Fri, 22 Sep 2006 12:53:33 GMT
Content-Length: 11185
Date: Fri, 29 Sep 2006 01:09:25 GMT
Server: lighttpd/1.4.11

This is a successful test, as the page was displayed to the 192.168.1.0 client.

squidclient -l 192.168.1.3 -v http://192.168.1.52
headers: 'GET http://192.168.1.52 HTTP/1.0
Accept: */*
'
2006-09-28 21:12:05 [1]: 0.208 secs, 6.347656 KB/s (2KB)
HTTP/1.0 502 Bad Gateway
Server: squid/2.5.STABLE14
Mime-Version: 1.0
Date: Fri, 29 Sep 2006 01:12:05 GMT
Content-Type: text/html
Content-Length: 1063
Expires: Fri, 29 Sep 2006 01:12:05 GMT
X-Squid-Error: ERR_READ_ERROR 54
X-Cache: MISS
Proxy-Connection: close

This is a failure.

squidclient -l 10.0.0.87 -v http://192.168.1.52 | less
headers: 'GET http://192.168.1.52 HTTP/1.0
Accept: */*
'
2006-09-28 21:13:23 [1]: 0.205 secs, 6.440549 KB/s (2KB)
HTTP/1.0 502 Bad Gateway
Server: squid/2.5.STABLE14
Mime-Version: 1.0
Date: Fri, 29 Sep 2006 01:13:23 GMT
Content-Type: text/html
Content-Length: 1063
Expires: Fri, 29 Sep 2006 01:13:23 GMT
X-Squid-Error: ERR_READ_ERROR 54
X-Cache: MISS
Proxy-Connection: close

This is a failure.

squidclient -l 10.0.0.87 -v http://192.168.1.53
headers: 'GET http://192.168.1.53 HTTP/1.0
Accept: */*
'
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/html
ETag: "-2046984779"
Accept-Ranges: bytes
Last-Modified: Fri, 22 Sep 2006 12:53:33 GMT
Content-Length: 11185
Date: Fri, 29 Sep 2006 01:09:25 GMT
Server: lighttpd/1.4.11

This is a success.

So what I think I am seeing is that hosts destined for the 192.168.1.0 are still being pushed through the proxy. But it looks like my pf rules are saying something different.

Can someone help me understand what I am missing or doing wrong?

Thanks in advance.
- Brian

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 29 07:32:23 2006
From: "Greg Hennessy"
Date: Fri, 29 Sep 2006 08:31:57 +0100
Message-ID: <000c01c6e399$58043510$0a00a8c0@thebeast>
Subject: RE: BAD state/State failure with large number of requests

> The part that confused me was that the connections failed immediately -- it turns out that PF sends a RST upon state mismatch during the initial handshake, as opposed to dropping the packets and letting the connection time out.

As a matter of policy, I would never black hole internally sourced traffic traversing packet filtering infrastructure under my control.
There are few things worse from a management/debugging perspective than to have packets disappear into the wild blue yonder with no indication of why.

Greg

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 29 07:42:06 2006
From: Daniel Hartmeier
To: Rolf Grossmann
Cc: freebsd-pf@freebsd.org
Date: Fri, 29 Sep 2006 09:41:59 +0200
Message-ID: <20060929074159.GD25341@insomnia.benzedrine.cx>
Subject: Re: BAD state/State failure with large number of requests

On Fri, Sep 29, 2006 at 01:00:30AM +0200, Rolf
Grossmann wrote:

> I've been suspecting that the test is flawed, but I couldn't put my finger on it. However, I also need a way to actually test my application with a lot of requests and I wouldn't want to buy another server farm for that ;)

You could give the client multiple IP aliases and bind different concurrent client instances to different aliases (all on the same single client host), that would multiply the number of available source ports by the number of IP aliases.

It seems ab doesn't have a command line option to make it bind to a specific source address, you could either add a hack for that, or try using jail to bind instances to aliases (if it can do that, not sure).

> That timeout seems awfully long to me. Is there some standard that mandates such a long timeout? At least for testing I will definitely lower that, too.

Yes, the original TCP RFC 793 [1] uses an MSL of two minutes, even.

In a local LAN test the MSL (Maximum Segment Lifetime), the time a TCP packet can spend travelling through the network, is obviously much shorter. On the internet, different packets could take different routes through different paths between peers. If you send packets with TTL 255 (allowing up to 255 intermediate hops decrementing TTL by one when forwarding packets), and assume latencies in the order of hundreds of milliseconds between hops, I guess you can end up with MSL in the order of minutes in the worst case. That's hardly an issue on a local ethernet segment ;)

Daniel.
[1] http://www.faqs.org/rfcs/rfc793.html

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 29 23:41:00 2006
From: "Martin"
To: freebsd-pf@freebsd.org
Date: Sat, 30 Sep 2006 01:40:58 +0200 (CEST)
Message-ID: <29282.hfljhrr.1159573258.martin@manuelmartini.it>
Subject: when carpdev will be imported?

I need to add different subnet IPs on the same carp interface, but I need to use carpdev... but it isn't in 6.1.

Do you know when carpdev will be imported into 6-stable?

Kind regards