From owner-freebsd-pf@FreeBSD.ORG Mon Jan 16 11:07:08 2012
Date: Mon, 16 Jan 2012 11:07:08 GMT
Message-Id: <201201161107.q0GB78rP057718@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

46 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 11:28:25 2012
Date: Wed, 18 Jan 2012 11:28:24 GMT
Message-Id: <201201181128.q0IBSOaP021985@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/164271: [pf] not working pf nat on FreeBSD 9.0

Old Synopsis: not working pf nat on FreeBSD 9.0
New Synopsis: [pf] not working pf nat on FreeBSD 9.0

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Jan 18 11:27:54 UTC 2012
Responsible-Changed-Why: Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=164271

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 19 15:58:32 2012
Message-ID: <4F183944.30101@wooh.hu>
Date: Thu, 19 Jan 2012 16:39:48 +0100
From: Adam PAPAI
To: freebsd-pf@freebsd.org
Subject: Maximum throughput ? limit?

Dear List,

I feel my freebsd box is reaching its limits.

I'm doing load-balance with a pf (round-robin + NAT) in front of 3 web
and 3 database servers.
Everything works fine with 100-120MBit/s, but if it reaches over
150MBit/s to 200MBit/s or even 300MBit/s, the connections are stuck,
nobody can connect to the server.

I checked it via "nload". And every time it goes over 150MBit/s it
starts to drop some connections.

I have 40,000 connections at the same time.

Could it be because of the pf? I mean it reaches some maximum throughput?

When I'm running the iperf from inside the NAT, it does only
300-400MBit/s, but if I'm running it from the firewall itself, it does
600-700 (it depends on the traffic). The servers are connected to each
other via GBit.

Thanks in advance,

-- 
Adam PAPAI
E-mail: wooh@wooh.hu

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 19 16:27:17 2012
Message-ID: <4F183E6F.2030709@gmail.com>
Date: Thu, 19 Jan 2012 17:01:51 +0100
From: "Bartek W. aka Mastier"
To: freebsd-pf@freebsd.org
References: <4F183944.30101@wooh.hu>
In-Reply-To: <4F183944.30101@wooh.hu>
Subject: Re: Maximum throughput ? limit?

On 19.01.2012 16:39, Adam PAPAI wrote:
> Dear List,
>
> I feel my freebsd box is reaching its limits.
>
> I'm doing load-balance with a pf (round-robin + NAT) in front of 3 web
> and 3 database servers. Everything works fine with 100-120MBit/s, but
> if it reaches over 150MBit/s to 200MBit/s or even 300MBit/s, the
> connections are stuck, nobody can connect to the server.
>
> I checked it via "nload". And every time it goes over 150MBit/s it
> starts to drop some connections.
>
> I have 40,000 connections at the same time.
>
> Could it be because of the pf? I mean it reaches some maximum throughput?
>
> When I'm running the iperf from inside the NAT, it does only
> 300-400MBit/s, but if I'm running it from the firewall itself, it does
> 600-700 (it depends on the traffic). The servers are connected to each
> other via GBit.
>
> Thanks in advance,
>
>
Indeed. The default maximum is 10 000 states as I remember.

I.e. one of the main routers in my case. core quad.

set limit { states 300000, frags 10000, src-nodes 100000 }

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 19 16:32:38 2012
Message-ID: <4F18459D.6060000@wooh.hu>
Date: Thu, 19 Jan 2012 17:32:29 +0100
From: Adam PAPAI
To: "Bartek W. aka Mastier"
References: <4F183944.30101@wooh.hu> <4F183E6F.2030709@gmail.com>
In-Reply-To: <4F183E6F.2030709@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Maximum throughput ? limit?

Bartek W. aka Mastier wrote:
>>
> Indeed. The default maximum is 10 000 states as I remember.
>
> I.e. one of the main routers in my case. core quad.
>
> set limit { states 300000, frags 10000, src-nodes 100000 }

I had the states up to 250000 but the frags and src-nodes were the default.

What's your timeout interval?

-- 
Adam PAPAI
http://www.wooh.hu
E-mail: wooh@wooh.hu
Phone: +36 30 33-55-735 (Hungary)

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 20 22:27:22 2012
Date: Fri, 20 Jan 2012 17:04:21 -0500
From: Walt Elam
To: freebsd-pf@freebsd.org
Subject: Getting Involved

I would like to help with the
development of the PF port for FreeBSD but am
not quite sure how to get involved. More specifically, I would like to help
get something ported over that accepts the new rule syntax since it becomes
increasingly harder to find documentation, help, and tutorials for the
older syntax.

If anyone could point me in the right direction for getting involved, that
would be great.

Thanks,

-Walt

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 21 05:39:19 2012
To: "Walt Elam"
From: Виталий Владимирович
Message-Id: <53729.1327122685.14851718211584655360@ffe2.ukr.net>
Date: Sat, 21 Jan 2012 07:11:25 +0200
Cc: freebsd-pf@freebsd.org
Subject: Re: Getting Involved

--- Original message ---
From: "Walt Elam"
To: freebsd-pf@freebsd.org
Date: 21 January 2012, 00:27:34
Subject: Getting Involved

> I would like to help with the development of the PF port for FreeBSD but am
> not quite sure how to get involved. More specifically, I would like to help
> get something ported over that accepts the new rule syntax since it becomes
> increasingly harder to find documentation, help, and tutorials for the
> older syntax.
>
> If anyone could point me in the right direction for getting involved, that
> would be great.
>
You should contact bz@.

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 21 10:27:40 2012
Message-ID: <4F1A9318.3050102@gmail.com>
Date: Sat, 21 Jan 2012 11:27:36 +0100
From: "Bartek W. aka Mastier"
CC: freebsd-pf@freebsd.org
References: <4F183944.30101@wooh.hu> <4F183E6F.2030709@gmail.com> <4F18459D.6060000@wooh.hu>
In-Reply-To: <4F18459D.6060000@wooh.hu>
Subject: Re: Maximum throughput ? limit?

On 19.01.2012 17:32, Adam PAPAI wrote:
> Bartek W. aka Mastier wrote:
>
>>>
>> Indeed. The default maximum is 10 000 states as I remember.
>>
>> I.e. one of the main routers in my case. core quad.
>>
>> set limit { states 300000, frags 10000, src-nodes 100000 }
>
> I had the states up to 250000 but the frags and src-nodes were the
> default.
>
> What's your timeout interval?
>
default

# pfctl -st
tcp.first                    30s
tcp.opening                   5s
tcp.established           18000s
tcp.closing                  60s
tcp.finwait                  30s
tcp.closed                   30s
tcp.tsdiff                   10s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           180000 states
adaptive.end             360000 states
src.track                     0s

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 21 17:08:13 2012
Date: Sat, 21 Jan 2012 17:41:48 +0100
From: Ermal Luçi
To: Walt Elam
Cc: freebsd-pf@freebsd.org
Subject: Re: Getting Involved

On Fri, Jan 20, 2012 at 11:04 PM, Walt Elam wrote:

> I would like to help with the development of the PF port for FreeBSD but am
> not quite sure how to get involved. More specifically, I would like to help
> get something ported over that accepts the new rule syntax since it becomes
> increasingly harder to find documentation, help, and tutorials for the
> older syntax.
>
> If anyone could point me in the right direction for getting involved, that
> would be great.
>
>
There is one catch. FreeBSD does not want to break compatibility of old
syntax and that is why I did not port the latest version of pf(4).
What is there now makes it 'trivial' to go to the latest pf(4) version in
Open but there needs to be a layer of translation for the old syntax to new
syntax.
That is the only reason it's not been done.

> Thanks,
>
> -Walt
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 21 19:41:25 2012
From: Tilman Keskinöz
Date: Sat, 21 Jan 2012 20:40:36 +0100
Message-Id: <4E4D073F-9979-4CB1-A421-DA5C1FC7A34F@FreeBSD.org>
To: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch

Same here.

Also Fabian Keil reported this in
http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html

Any ideas?

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 21 19:50:12 2012
Date: Sat, 21 Jan 2012 19:50:12 GMT
Message-Id: <201201211950.q0LJoCmn098765@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Tilman Keskinöz
Reply-To: Tilman Keskinöz
Subject: Re: kern/163208: [pf] PF state key linking mismatch

The following reply was made to PR kern/163208; it has been noted by GNATS.

From: Tilman Keskinöz
To: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Cc: freebsd-listen@fabiankeil.de
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sat, 21 Jan 2012 20:40:36 +0100

Same here.

Also Fabian Keil reported this in
http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html

Any ideas?

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 21 20:15:45 2012
Date: Sat, 21 Jan 2012 21:01:18 +0100
From: Fabian Keil
To: Tilman Keskinöz
Message-ID: <20120121210118.0a1dc9d3@fabiankeil.de>
In-Reply-To: <4E4D073F-9979-4CB1-A421-DA5C1FC7A34F@FreeBSD.org>
References: <4E4D073F-9979-4CB1-A421-DA5C1FC7A34F@FreeBSD.org>
Cc: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch

Tilman Keskinöz wrote:

> Same here.
>
> Also Fabian Keil reported this in
> http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html

This has been fixed in CURRENT shortly thereafter:
http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html

Maybe the fix hasn't been MFC'd.

Fabian

From owner-freebsd-pf@FreeBSD.ORG Sat Jan 21 20:20:08 2012
Date: Sat, 21 Jan 2012 20:20:07 GMT
Message-Id: <201201212020.q0LKK7Hj025875@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Fabian Keil
Reply-To: Fabian Keil
Subject: Re: kern/163208: [pf] PF state key linking mismatch

The following reply was made to PR kern/163208; it has been noted by GNATS.
From: Fabian Keil To: Tilman =?ISO-8859-1?Q?Keskin=F6z?= Cc: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org Subject: Re: kern/163208: [pf] PF state key linking mismatch Date: Sat, 21 Jan 2012 21:01:18 +0100 --Sig_/aS+=g0zusGznY5UyEFfzDUV Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Tilman Keskin=F6z wrote: > Same here. >=20 > Also Fabian Keil reported this in > http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html This has been fixed in CURRENT shortly thereafter: http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html Maybe the fix hasn't been MFC'd. Fabian --Sig_/aS+=g0zusGznY5UyEFfzDUV Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (FreeBSD) iEYEARECAAYFAk8bGZMACgkQBYqIVf93VJ24FACbBydw/SRaXDRM/p66DnShLlk8 zQ4An3qacWM3/sg3X8xF7NgFmXafwg9A =C790 -----END PGP SIGNATURE----- --Sig_/aS+=g0zusGznY5UyEFfzDUV-- From owner-freebsd-pf@FreeBSD.ORG Sat Jan 21 20:52:18 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 147B3106566B; Sat, 21 Jan 2012 20:52:18 +0000 (UTC) (envelope-from arved@freebsd.org) Received: from gazoz.arved.priv.at (cl-1383.ham-01.de.sixxs.net [IPv6:2001:6f8:900:566::2]) by mx1.freebsd.org (Postfix) with ESMTP id 826A98FC16; Sat, 21 Jan 2012 20:52:17 +0000 (UTC) Received: from inek.arved.priv.at (inek.arved.priv.at [78.142.160.182]) by gazoz.arved.priv.at (8.14.4/8.14.4) with ESMTP id q0LKqDpr004885; Sat, 21 Jan 2012 21:52:13 +0100 (CET) (envelope-from arved@freebsd.org) Received: from elma.local.arved.priv.at (elma.local.arved.priv.at [192.168.1.28]) by inek.arved.priv.at (8.14.4/8.14.4) with ESMTP id q0LKq7jI064041; Sat, 21 Jan 2012 21:52:12 +0100 (CET) (envelope-from arved@freebsd.org) Mime-Version: 1.0 (Apple Message framework v1084) 

From: Tilman Keskinöz
To: Fabian Keil
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 21 Jan 2012 21:52:09 +0100
Subject: Re: kern/163208: [pf] PF state key linking mismatch

On Jan 21, 2012, at 21:01 , Fabian Keil wrote:

> Tilman Keskinöz wrote:
>
>> Same here.
>>
>> Also Fabian Keil reported this in
>> http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
>
> This has been fixed in CURRENT shortly thereafter:
> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
>
> Maybe the fix hasn't been MFC'd.

Hm, r223765 happened before the RELENG_9 Branchpoint.
So maybe the Fix was not complete?

From: "Bjoern A. Zeeb"
To: Tilman Keskinöz
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 21 Jan 2012 21:01:41 +0000
Subject: Re: kern/163208: [pf] PF state key linking mismatch

On 21. Jan 2012, at 20:52 , Tilman Keskinöz wrote:

> On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
>
>> Tilman Keskinöz wrote:
>>
>>> Same here.
>>>
>>> Also Fabian Keil reported this in
>>> http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
>>
>> This has been fixed in CURRENT shortly thereafter:
>> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
>>
>> Maybe the fix hasn't been MFC'd.
>
> Hm, r223765 happened before the RELENG_9 Branchpoint.
> So maybe the Fix was not complete?

See thread from earlier this month on freebsd-pf

--
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!

From: Greg Hennessy
To: Ermal Luçi, Walt Elam
Cc: "freebsd-pf@freebsd.org"
Date: Sat, 21 Jan 2012 23:26:58 +0000
Subject: RE: Getting Involved

> There is one catch.
> FreeBSD does not want to break compatibility of old syntax and that is why
> I did not port the latest version of pf(4).

Shades of the versioning/maintenance issues surrounding putting Perl in the base way back in the day.

> What is there now makes it 'trivial' to go to the latest pf(4) version in

Does that include the performance improvements which came with new version?
Would be interesting to know what impact if any they would have on the FreeBSD PF port.

> Open but there needs to be a layer of translation
> for the old syntax to new syntax.

As a one off translation when someone upgrades Major version numbers to the FreeBSD version hosting the new PF code?
Or run every time when someone loads the security policy for now and the foreseeable future?

> That is the only reason it's not been done.

I can see the issues, hope it's not intractable.
The new syntax is a significant improvement, shame about lack of thought given to backward compatibility.

With your expert knowledge on this Ermal, is it possible to run both old and new PF parsers in there to generate a policy which would run against the newer packet filtering engine code?

Defaulting to the old syntax, with say something like a 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of pf.conf to switch to the new syntax?

Regards

Greg