From owner-freebsd-pf@FreeBSD.ORG Mon Mar 22 11:07:09 2010
Date: Mon, 22 Mar 2010 11:07:08 GMT
Message-Id: <201003221107.o2MB78Dq015116@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

43 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 23 05:40:04 2010
Date: Tue, 23 Mar 2010 05:40:04 GMT
Message-Id: <201003230540.o2N5e4P8080772@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Yoshiaki Kasahara
Subject: Re: kern/144311: [pf] [icmp] massive ICMP storm on lo0 occurs when using pf(4) 'reply-to'
The following reply was made to PR kern/144311; it has been noted by GNATS.

From: Yoshiaki Kasahara
To: max@love2party.net
Cc: bug-followup@freebsd.org, pyunyh@gmail.com
Subject: Re: kern/144311: [pf] [icmp] massive ICMP storm on lo0 occurs when using pf(4) 'reply-to'
Date: Tue, 23 Mar 2010 14:39:35 +0900 (JST)

I applied the patch on 8-STABLE (fetched today), rebuilt and installed the
kernel and rebooted, but the problem still occurred.

--
Yoshiaki Kasahara
Research Institute for Information Technology, Kyushu University
kasahara@nc.kyushu-u.ac.jp

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 24 09:00:12 2010
Date: Wed, 24 Mar 2010 09:00:12 GMT
Message-Id: <201003240900.o2O90Ck6059600@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Yoshiaki Kasahara
Subject: Re: kern/144311: [pf] [icmp] massive ICMP storm on lo0 occurs when using pf(4) 'reply-to'
The following reply was made to PR kern/144311; it has been noted by GNATS.

From: Yoshiaki Kasahara
To: max@love2party.net
Cc: bug-followup@freebsd.org, pyunyh@gmail.com
Subject: Re: kern/144311: [pf] [icmp] massive ICMP storm on lo0 occurs when using pf(4) 'reply-to'
Date: Wed, 24 Mar 2010 17:55:18 +0900 (JST)

I found a blog reporting a similar symptom using ipfw(4)+divert(4)+natd(8)
on 8.0R and 7.2R (less severe on 7.2R).

  http://www.bsddiary.net/d/201002.html#09

It is written in Japanese, but I guess you can still read the configuration
used for the test in the article. He also reported later that disabling TSO
worked as a workaround. He used em(4) and fxp(4). I wonder if it might help
locating the problem...

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 27 09:31:36 2010
Date: Sat, 27 Mar 2010 05:31:34 -0400
Message-ID: <237c27101003270231p77f54bfcn2db6ed1fa50eaab8@mail.gmail.com>
From: Linda Messerschmidt
To: freebsd-pf@freebsd.org
Subject: Sockets stuck in FIN_WAIT_1 not detected by pf

Hi all,

I have a 7.2-STABLE machine with the old "hostile client causes Apache
sockets to persist forever in FIN_WAIT_1" problem. These connections hang
forever as long as the client continues to send packets advertising a 0
window size; I believe this problem is pretty well-understood. (And
essentially impossible to fix.)

What I wanted to do was work around it using the pf tcp.closing timeout to
get rid of them. However, pf isn't detecting the move to FIN_WAIT_1:

> netstat -an | fgrep 6.7.8.9 | fgrep .24
tcp4       0 1049615 2.3.4.5.443            6.7.8.9.24113          FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443            6.7.8.9.24107          FIN_WAIT_1
tcp4       0 1048731 2.3.4.5.443            6.7.8.9.24104          FIN_WAIT_1
tcp4       0 1047829 2.3.4.5.443            6.7.8.9.24102          FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443            6.7.8.9.24098          FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443            6.7.8.9.24096          FIN_WAIT_1
tcp4       0 1049620 2.3.4.5.443            6.7.8.9.24094          FIN_WAIT_1
tcp4       0 1048012 2.3.4.5.443            6.7.8.9.24039          FIN_WAIT_1
tcp4       0 1049620 2.3.4.5.443            6.7.8.9.24035          FIN_WAIT_1
tcp4       0 1049187 2.3.4.5.443            6.7.8.9.24018          FIN_WAIT_1
tcp4       0 1049616 2.3.4.5.443            6.7.8.9.24013          FIN_WAIT_1
tcp4       0 1049619 2.3.4.5.443            6.7.8.9.24011          FIN_WAIT_1
> sudo pfctl -s state | fgrep 6.7.8.9 | fgrep :24
all tcp 2.3.4.5:443 <- 6.7.8.9:24011       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24013       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24018       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24035       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24039       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24094       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24096       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24098       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24102       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24104       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED
>

Is this a bug in pf, or have I configured it improperly somehow? The rule
that creates the state entries is just:

  pass in on $ext_if inet proto tcp from any to port { 80, 443 }

which pf seems to parse into:

  pass in on em0 inet proto tcp from any to port = https flags S/SA keep state

That looks fine to me, so I have no idea what's happening here.

Thanks for any insight!
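Added example (editor's, not from the thread and not pf's or the poster's code): a small Python script that does the comparison made by hand in the message above, correlating `netstat -an` with `pfctl -s state`, listing the sockets the kernel already has in a closing state while pf still tracks them as ESTABLISHED:ESTABLISHED, and emitting the `pfctl -k` commands that would drop those states. It assumes the machine is the TCP endpoint (so the left-hand address of each pf state line is the local socket), IPv4 only, and no NAT/rdr states; the sample input is constructed to match the lines quoted above, using the same placeholder addresses.

```python
"""Correlate kernel TCP socket states with pf state entries.

Added example for this thread; not pf code and not the poster's.  The sample
inputs are constructed to match the netstat(1) / pfctl(8) lines quoted in the
mail (same placeholder addresses).  Assumptions: this host is the TCP endpoint
(left-hand address of a pf state is the local socket), IPv4 only, no NAT/rdr.
"""
from typing import Dict, List, Tuple

Socket = Tuple[str, int, str, int]  # (local_ip, local_port, remote_ip, remote_port)

# Constructed sample of `netstat -an` (Proto Recv-Q Send-Q Local Foreign State).
NETSTAT_SAMPLE = """\
tcp4       0 1049615 2.3.4.5.443            6.7.8.9.24113          FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443            6.7.8.9.24107          FIN_WAIT_1
tcp4       0       0 2.3.4.5.443            6.7.8.9.24200          ESTABLISHED
tcp4       0       0 2.3.4.5.22             10.0.0.7.51000         ESTABLISHED
"""

# Constructed sample of `pfctl -s state` for the same four connections.
PFCTL_SAMPLE = """\
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24200       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:22 <- 10.0.0.7:51000       ESTABLISHED:ESTABLISHED
"""

# Kernel states in which the local side has already called close() and so
# has sent, or at least queued, its FIN.
CLOSING_STATES = {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK"}


def _split_hostport(field: str, sep: str) -> Tuple[str, int]:
    # netstat prints "addr.port", pfctl prints "addr:port"; split on the last
    # separator so dotted-quad addresses survive.  Raises ValueError for "*.*".
    host, _, port = field.rpartition(sep)
    return host, int(port)


def parse_netstat(text: str) -> Dict[Socket, str]:
    """Map each IPv4 TCP socket in `netstat -an` output to its kernel state."""
    sockets: Dict[Socket, str] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp4":
            continue  # header line, udp, unix sockets, ...
        try:
            laddr, lport = _split_hostport(f[3], ".")
            faddr, fport = _split_hostport(f[4], ".")
        except ValueError:
            continue  # LISTEN sockets with "*.*" as foreign address
        sockets[(laddr, lport, faddr, fport)] = f[5]
    return sockets


def parse_pf_states(text: str) -> Dict[Socket, str]:
    """Map each TCP pf state in `pfctl -s state` output to its 'src:dst' column.

    pfctl prints inbound states as "dst <- src" and outbound ones as "src -> dst",
    so when this host is the endpoint the left-hand side is always the local
    socket.  Lines with a NAT address in parentheses do not match and are skipped.
    """
    states: Dict[Socket, str] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[1] != "tcp" or f[3] not in ("<-", "->"):
            continue
        try:
            laddr, lport = _split_hostport(f[2], ":")
            faddr, fport = _split_hostport(f[4], ":")
        except ValueError:
            continue
        states[(laddr, lport, faddr, fport)] = f[5]
    return states


def find_stale(netstat_text: str, pf_text: str) -> List[Socket]:
    """Sockets the kernel is closing while pf still tracks them as fully established."""
    kernel = parse_netstat(netstat_text)
    pf = parse_pf_states(pf_text)
    return [sock for sock, st in kernel.items()
            if st in CLOSING_STATES and pf.get(sock) == "ESTABLISHED:ESTABLISHED"]


def kill_commands(stale: List[Socket]) -> List[str]:
    """One `pfctl -k SRC -k DST` line per (remote, local) pair among the stale sockets.

    -k takes hosts, not ports, so each command removes every state from that
    remote host to this one; for an inbound state the source is the remote peer.
    """
    pairs: List[Tuple[str, str]] = []
    for laddr, _lport, faddr, _fport in stale:
        if (faddr, laddr) not in pairs:
            pairs.append((faddr, laddr))
    return [f"pfctl -k {src} -k {dst}" for src, dst in pairs]


if __name__ == "__main__":
    found = find_stale(NETSTAT_SAMPLE, PFCTL_SAMPLE)
    for laddr, lport, faddr, fport in found:
        print(f"{laddr}:{lport} <- {faddr}:{fport}  kernel closing, pf ESTABLISHED:ESTABLISHED")
    for cmd in kill_commands(found):
        print(cmd)
```

On a live box the two samples would be replaced by the output of `netstat -an` and `pfctl -s state`. Because `pfctl -k` works on host pairs, review the generated commands before running them: each one drops every state from that client to the server, not only the stuck connection. One caveat, added here and not from the thread: with roughly a megabyte still sitting in Send-Q and the client advertising a zero window, the local FIN is queued behind data that cannot be transmitted, so it most likely never reached the wire; FIN_WAIT_1 in netstat is the socket's state after close(), not proof that pf has seen a FIN, and the script only reports the mismatch.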