From owner-freebsd-pf@FreeBSD.ORG Sun Jan 22 02:50:46 2012
From: "Bjoern A. Zeeb"
Date: Sun, 22 Jan 2012 02:50:40 +0000
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: Getting Involved

On 21. Jan 2012, at 23:26 , Greg Hennessy wrote:

>>>
>> There is one catch.
>> FreeBSD does not want to break compatibility of old syntax and that is why
>> I did not port the latest version of pf(4).
>
> Shades of the versioning/maintenance issues surrounding putting Perl in the base way back in the day.
>
>> What is there now makes it 'trivial' to go to the latest pf(4) version in
>
> Does that include the performance improvements which came with new version?
> Would be interesting to know what impact if any they would have on the FreeBSD PF port.

Whatever performance improvements you are talking about is basically irrelevant the way pf is written and designed, which is just another obstacle in tracking Open. FreeBSD is no longer a UP-like operating system. We'd need a larger mix of (just to name some) fine grained locking (currently the 1 lock basically halts the network stack per packet going through pf), a lot more cache friendly data structures, affinity, ... in that area. Taking it to 10G or eventually 40G is really a different step than squeezing another 50Mbit/s out of it by some optimization and entangling it more and more with the rest of the network stack etc.

>> Open but there needs to be a layer of translation
>> for the old syntax to new syntax.
>
> As a one off translation when someone upgrades Major version numbers to the FreeBSD version hosting the new PF code?
> Or run every time when someone loads the security policy for now and the foreseeable future?

Let's say pf ruleset instead of security policy (which is also used in various other ways). The basic problem is that the syntax is known to management tools but also the user space-kernel API is exposed to 3rd party tools. Breaking any is bad. The latter we can break with major versions though preferably we'd love not to. The way things are written it's basically not possible not to break it even when bringing in cherry picked features like NAT64 etc. It's an obstacle to some of our consumers though. The moment you update your kernel and pfctl doesn't speak the same language anymore you lost your firewall. And it's not uncommon to upgrade a kernel going from x.y to x.y+n for example, wait a week or two before updating all user land etc.

It's the same problem with pfsync; you can have two old version ones, reboot the first, not able to sync things to the new as it doesn't understand the old anymore and by the time you reboot the 2nd things *oops*. That's not an upgrade path for a HA setup unfortunately and we had that happen way too often to our users - once again with 9.

>> That is the only reason it's not been done.
>
> I can see the issues, hope it's not intractable.
> The new syntax is a significant improvement, shame about lack of thought given to backward compatibility.

You are preaching to the wrong choir:(

> With your expert knowledge on this Ermal, is it possible to run both old and new PF parsers in there to generate a policy which would run against the newer packet filtering engine code?

If you write the translation stub you might succeed. Have fun... *cough*

> Defaulting to the old syntax, with say something like a 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of pf.conf to switch to the new syntax?

You can even have two different pf's loadable by the kernel (at least one at a time) if doing it clever given pfil hooks. But maintaining more than 1 is not going to happen for and in Free.

There are basically two options: 1) we can make it work well or 2) you can always have the newest syntax and regularly break and not perform. Pick any single one at this point and let us know which one you'd prefer.

A couple of developers lately had this discussion (though not everyone was present). I'll however be curious which way our users want it to be ...

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 22 10:50:07 2012
From: Tilman Keskinöz
Date: Sun, 22 Jan 2012 10:50:06 GMT
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch

The following reply was made to PR kern/163208; it has been noted by GNATS.

From: Tilman Keskinöz
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sun, 22 Jan 2012 11:41:12 +0100

 * Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +0000]:
 >
 > On 21. Jan 2012, at 20:52 , Tilman Keskinöz wrote:
 >
 >>
 >> On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
 >>
 >>> Tilman Keskinöz wrote:
 >>>
 >>>> Same here.
 >>>>
 >>>> Also Fabian Keil reported this in
 >>>> http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
 >>>
 >>> This has been fixed in CURRENT shortly thereafter:
 >>> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
 >>>
 >>> Maybe the fix hasn't been MFC'd.
 >>
 >> Hm, r223765 happened before the RELENG_9 branchpoint.
 >> So maybe the fix was not complete?
 >
 > See thread from earlier this month on freebsd-pf
 >

 The thread suggests:

 * Matt Lager [Thu, 12 Jan 2012 15:48:23 -0700]:
 > So it looks like I can comment out this code in
 > /usr/src/sys/contrib/pf/net/pf.c:
 >
 >     /* mismatch. must not happen. */
 >     printf("pf: state key linking mismatch! dir=%s, "
 >         "if=%s, stored af=%u, a0: ",
 >         dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);
 >
 > When this error occurs, I guess for valid reasons, does PF drop packets
 > or do something else with them, or is this purely an information notice?

 I can confirm that removing this printf brings back the performance for me.
 Please fix :)

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 22 10:58:54 2012
From: Tilman Keskinöz
Date: Sun, 22 Jan 2012 11:41:12 +0100
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch

* Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +0000]:
>
> On 21. Jan 2012, at 20:52 , Tilman Keskinöz wrote:
>
>>
>> On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
>>
>>> Tilman Keskinöz wrote:
>>>
>>>> Same here.
>>>>
>>>> Also Fabian Keil reported this in
>>>> http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
>>>
>>> This has been fixed in CURRENT shortly thereafter:
>>> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
>>>
>>> Maybe the fix hasn't been MFC'd.
>>
>> Hm, r223765 happened before the RELENG_9 branchpoint.
>> So maybe the fix was not complete?
>
> See thread from earlier this month on freebsd-pf
>

The thread suggests:

* Matt Lager [Thu, 12 Jan 2012 15:48:23 -0700]:
> So it looks like I can comment out this code in
> /usr/src/sys/contrib/pf/net/pf.c:
>
>     /* mismatch. must not happen. */
>     printf("pf: state key linking mismatch! dir=%s, "
>         "if=%s, stored af=%u, a0: ",
>         dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);
>
> When this error occurs, I guess for valid reasons, does PF drop packets
> or do something else with them, or is this purely an information notice?

I can confirm that removing this printf brings back the performance for me.
Please fix :)

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 05:42:15 2012
From: Walt Elam
Date: Mon, 23 Jan 2012 00:42:13 -0500
To: freebsd-pf@freebsd.org
Subject: Re: Getting Involved

I didn't intend to stir things up, too much. But was just hoping to get involved in helping get something ported over to use the new syntax. I was thinking exactly what someone else posted earlier, where there could be something placed in rc.conf to indicate what syntax you wanted to use.

I searched a bit this weekend and couldn't figure out where exactly to download the code for OpenBSD's PF. I'm honestly not sure where to start on porting something but was hoping this list may be able to get me going in the right direction.

Also, if it is all written in C, then I don't understand why we couldn't just install the right ports/packages and have the OpenBSD code work in FreeBSD. Could someone explain that, please?

Lastly, I didn't really understand the reason given for using the old syntax. Even if we focused on porting over pf 4.7 then that would technically be enough to get in to the new syntax for rules.

-Walt

On Sat, Jan 21, 2012 at 9:50 PM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:

>
> On 21. Jan 2012, at 23:26 , Greg Hennessy wrote:
>
> >>>
> >> There is one catch.
> >> FreeBSD does not want to break compatibility of old syntax and that is why
> >> I did not port the latest version of pf(4).
> >
> > Shades of the versioning/maintenance issues surrounding putting Perl in the base way back in the day.
> >
> >> What is there now makes it 'trivial' to go to the latest pf(4) version in
> >
> > Does that include the performance improvements which came with new version?
> > Would be interesting to know what impact if any they would have on the FreeBSD PF port.
>
> Whatever performance improvements you are talking about is basically irrelevant the way pf is written and designed, which is just another obstacle in tracking Open. FreeBSD is no longer a UP-like operating system. We'd need a larger mix of (just to name some) fine grained locking (currently the 1 lock basically halts the network stack per packet going through pf), a lot more cache friendly data structures, affinity, ... in that area. Taking it to 10G or eventually 40G is really a different step than squeezing another 50Mbit/s out of it by some optimization and entangling it more and more with the rest of the network stack etc.
>
> >> Open but there needs to be a layer of translation
> >> for the old syntax to new syntax.
> >
> > As a one off translation when someone upgrades Major version numbers to the FreeBSD version hosting the new PF code?
> > Or run every time when someone loads the security policy for now and the foreseeable future?
>
> Let's say pf ruleset instead of security policy (which is also used in various other ways). The basic problem is that the syntax is known to management tools but also the user space-kernel API is exposed to 3rd party tools. Breaking any is bad. The latter we can break with major versions though preferably we'd love not to. The way things are written it's basically not possible not to break it even when bringing in cherry picked features like NAT64 etc. It's an obstacle to some of our consumers though. The moment you update your kernel and pfctl doesn't speak the same language anymore you lost your firewall. And it's not uncommon to upgrade a kernel going from x.y to x.y+n for example, wait a week or two before updating all user land etc.
>
> It's the same problem with pfsync; you can have two old version ones, reboot the first, not able to sync things to the new as it doesn't understand the old anymore and by the time you reboot the 2nd things *oops*. That's not an upgrade path for a HA setup unfortunately and we had that happen way too often to our users - once again with 9.
>
> >> That is the only reason it's not been done.
> >
> > I can see the issues, hope it's not intractable.
> > The new syntax is a significant improvement, shame about lack of thought given to backward compatibility.
>
> You are preaching to the wrong choir:(
>
> > With your expert knowledge on this Ermal, is it possible to run both old and new PF parsers in there to generate a policy which would run against the newer packet filtering engine code?
>
> If you write the translation stub you might succeed. Have fun... *cough*
>
> > Defaulting to the old syntax, with say something like a 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of pf.conf to switch to the new syntax?
>
> You can even have two different pf's loadable by the kernel (at least one at a time) if doing it clever given pfil hooks. But maintaining more than 1 is not going to happen for and in Free.
>
> There are basically two options: 1) we can make it work well or 2) you can always have the newest syntax and regularly break and not perform. Pick any single one at this point and let us know which one you'd prefer.
>
> A couple of developers lately had this discussion (though not everyone was present). I'll however be curious which way our users want it to be ...
>
> /bz
>
> --
> Bjoern A. Zeeb                                 You have to have visions!
>    It does not matter how good you are. It matters what good you do!
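The old-to-new syntax translation stub that Bjoern and Ermal discuss above, written out as an added example that is not code from this thread, from FreeBSD or from pfctl: a small Python rewriter that maps pre-OpenBSD-4.7 nat/rdr/binat rules onto 4.7-style match or pass rules carrying nat-to/rdr-to/binat-to, and flags the lines ("no nat/rdr/binat", scrub) that need a human policy decision rather than a mechanical rewrite. The sample pf.conf is constructed; the example assumes that old nat rules applied to outbound and rdr rules to inbound traffic, and it renders the old "nat pass"/"rdr pass" filter bypass as a "pass ... quick" rule, which is its reading of the closest equivalent.

```python
"""Rewrite pre-OpenBSD-4.7 pf.conf translation rules into the 4.7 style.

Old pf evaluated nat/rdr/binat as a separate, first-match ruleset ahead of the
filter rules; 4.7 folded them into match/pass rules as nat-to/rdr-to/binat-to.
This is a demonstration of such a translation layer, not FreeBSD or pfctl code.
"""
import re
from typing import List, Tuple

# Constructed sample ruleset in the pre-4.7 syntax (not taken from the thread).
OLD_RULESET = """\
ext_if = "em0"
int_if = "em1"
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat pass on $ext_if from 10.0.0.5 to any -> 192.0.2.5 static-port
no rdr on $ext_if proto tcp from 192.0.2.100 to any port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 10.0.0.2 port 8080
rdr pass on $ext_if proto tcp from any to ($ext_if) port 443 -> 10.0.0.3
binat on $ext_if from 10.0.0.9 to any -> 192.0.2.9
pass in on $ext_if proto tcp from any to 10.0.0.2 port 8080
"""

# "<nat|rdr|binat> [pass] on IF [proto ..] from .. to .. -> TARGET [port P] [pool opts]"
OLD_XLATE = re.compile(
    r"^(?P<kind>nat|rdr|binat)(?P<pass>\s+pass)?\s+(?P<body>on\s.*?)\s+->\s+"
    r"(?P<target>\S+(?:\s+port\s+\S+)?)(?P<opts>(?:\s+.*)?)$"
)
# Forms with no mechanical 4.7 equivalent: "no nat/rdr/binat" exclusions (a later
# match rule cannot undo a translation option) and old-style scrub rules (scrub
# became a match option plus "set reassemble" in the newer syntax).
NEEDS_REVIEW = re.compile(r"^(no\s+(nat|rdr|binat)\b|scrub\b)")

# Assumption: old "nat" rules implicitly matched outbound packets and "rdr"
# inbound ones; "binat" works both ways, so its match rule carries no direction.
DIRECTION = {"nat": "out", "rdr": "in", "binat": ""}


def translate_rule(line: str) -> Tuple[str, str]:
    """Return (rewritten_line, review_note); the note is "" when the rule mapped cleanly."""
    rule = line.strip()
    if not rule or rule.startswith("#"):
        return line, ""
    if NEEDS_REVIEW.match(rule):
        # Keep the rule visible but inert so a human makes the policy decision.
        return "# REVIEW (no 4.7 equivalent): " + rule, rule
    m = OLD_XLATE.match(rule)
    if m is None:
        return line, ""  # macros, options, filter rules: unchanged
    kind = m["kind"]
    # Old "nat pass"/"rdr pass" exempted matching packets from the filter rules,
    # so the closest equivalent is a "pass ... quick" rule that also carries the
    # translation; everything else becomes a "match" rule that only translates.
    # Later rules see the translated packet in both syntaxes, so a filter rule
    # written against the post-translation address keeps working.
    head = ["pass" if m["pass"] else "match"]
    if DIRECTION[kind]:
        head.append(DIRECTION[kind])
    if m["pass"]:
        head.append("quick")
    return f"{' '.join(head)} {m['body']} {kind}-to {m['target']}{m['opts']}", ""


def translate_ruleset(text: str) -> Tuple[str, List[str]]:
    """Translate a whole pf.conf; returns the new text and the rules needing review."""
    out, notes = [], []
    for line in text.splitlines():
        new, note = translate_rule(line)
        out.append(new)
        if note:
            notes.append(note)
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    new_text, review = translate_ruleset(OLD_RULESET)
    print(new_text)
    for rule in review:
        print("needs a manual policy decision:", rule)
```

Overlapping translation rules are the other case a real translation layer has to decide on: the old ruleset stopped at the first matching nat/rdr rule, while match rules keep being evaluated against the already translated packet.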
From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 09:02:13 2012
From: Ermal Luçi
Date: Mon, 23 Jan 2012 10:02:12 +0100
To: "Bjoern A. Zeeb"
Cc: Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: Getting Involved

On Sun, Jan 22, 2012 at 3:50 AM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:

>
> On 21. Jan 2012, at 23:26 , Greg Hennessy wrote:
>
> >>>
> >> There is one catch.
> >> FreeBSD does not want to break compatibility of old syntax and that is why
> >> I did not port the latest version of pf(4).
> >
> > Shades of the versioning/maintenance issues surrounding putting Perl in the base way back in the day.
> >
> >> What is there now makes it 'trivial' to go to the latest pf(4) version in
> >
> > Does that include the performance improvements which came with new version?
> > Would be interesting to know what impact if any they would have on the FreeBSD PF port.
>
> Whatever performance improvements you are talking about is basically irrelevant the way pf is written and designed, which is just another obstacle in tracking Open. FreeBSD is no longer a UP-like operating system. We'd need a larger mix of (just to name some) fine grained locking (currently the 1 lock basically halts the network stack per packet going through pf), a lot more cache friendly data structures, affinity, ... in that area. Taking it to 10G or eventually 40G is really a different step than squeezing another 50Mbit/s out of it by some optimization and entangling it more and more with the rest of the network stack etc.
>
> >> Open but there needs to be a layer of translation
> >> for the old syntax to new syntax.
> >
> > As a one off translation when someone upgrades Major version numbers to the FreeBSD version hosting the new PF code?
> > Or run every time when someone loads the security policy for now and the foreseeable future?
>
> Let's say pf ruleset instead of security policy (which is also used in various other ways). The basic problem is that the syntax is known to management tools but also the user space-kernel API is exposed to 3rd party tools. Breaking any is bad. The latter we can break with major versions though preferably we'd love not to. The way things are written it's basically not possible not to break it even when bringing in cherry picked features like NAT64 etc. It's an obstacle to some of our consumers though. The moment you update your kernel and pfctl doesn't speak the same language anymore you lost your firewall. And it's not uncommon to upgrade a kernel going from x.y to x.y+n for example, wait a week or two before updating all user land etc.
>
> It's the same problem with pfsync; you can have two old version ones, reboot the first, not able to sync things to the new as it doesn't understand the old anymore and by the time you reboot the 2nd things *oops*. That's not an upgrade path for a HA setup unfortunately and we had that happen way too often to our users - once again with 9.
>

There are solutions to this as well, depending on the work you put on to it.

> >> That is the only reason it's not been done.
> >
> > I can see the issues, hope it's not intractable.
> > The new syntax is a significant improvement, shame about lack of thought given to backward compatibility.
>
> You are preaching to the wrong choir:(
>
> > With your expert knowledge on this Ermal, is it possible to run both old and new PF parsers in there to generate a policy which would run against the newer packet filtering engine code?
>
> If you write the translation stub you might succeed. Have fun... *cough*
>

Depending on the experience *cough* you can be more confident. This depends on two factors and depending on which side you put it, sponsored side or free cycle development side!

> > Defaulting to the old syntax, with say something like a 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of pf.conf to switch to the new syntax?
>
> You can even have two different pf's loadable by the kernel (at least one at a time) if doing it clever given pfil hooks. But maintaining more than 1 is not going to happen for and in Free.
>

I do not think this is doable at all!

> There are basically two options: 1) we can make it work well or 2) you can always have the newest syntax and regularly break and not perform. Pick any single one at this point and let us know which one you'd prefer.
>

It is not so simple as you make it be. The changes help in this regard and there are people on Open side that want SMP scalability, but there is no commitment as always.

> A couple of developers lately had this discussion (though not everyone was present). I'll however be curious which way our users want it to be ...
>
> /bz
>
> --
> Bjoern A. Zeeb                                 You have to have visions!
>    It does not matter how good you are. It matters what good you do!
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 09:08:52 2012
From: Ermal Luçi
Date: Mon, 23 Jan 2012 10:08:51 +0100
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: Getting Involved

On Sun, Jan 22, 2012 at 12:26 AM, Greg Hennessy wrote:

>
>
> > There is one catch.
> > FreeBSD does not want to break compatibility of old syntax and that is why
> > I did not port the latest version of pf(4).
>
> Shades of the versioning/maintenance issues surrounding putting Perl in the base way back in the day.
>
> > What is there now makes it 'trivial' to go to the latest pf(4) version in
>
> Does that include the performance improvements which came with new version?
> Would be interesting to know what impact if any they would have on the FreeBSD PF port.
>
> > Open but there needs to be a layer of translation
> > for the old syntax to new syntax.
>
> As a one off translation when someone upgrades Major version numbers to the FreeBSD version hosting the new PF code?
> Or run every time when someone loads the security policy for now and the foreseeable future?
>
> > That is the only reason it's not been done.
>
> I can see the issues, hope it's not intractable.
> The new syntax is a significant improvement, shame about lack of thought given to backward compatibility.
>
> With your expert knowledge on this Ermal, is it possible to run both old and new PF parsers in there to generate a policy which would run against the newer packet filtering engine code?
> Defaulting to the old syntax, with say something like a 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of pf.conf to switch to the new syntax?
>

It's not that simple but workable with a policy definition of what the translation layer does.
> > Regards > > Greg > > > > > > -- Ermal From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 10:39:09 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 409E91065674 for ; Mon, 23 Jan 2012 10:39:09 +0000 (UTC) (envelope-from ml@my.gd) Received: from mail-lpp01m010-f54.google.com (mail-lpp01m010-f54.google.com [209.85.215.54]) by mx1.freebsd.org (Postfix) with ESMTP id BF2B08FC0A for ; Mon, 23 Jan 2012 10:39:08 +0000 (UTC) Received: by lagv3 with SMTP id v3so843655lag.13 for ; Mon, 23 Jan 2012 02:39:07 -0800 (PST) Received: by 10.112.44.101 with SMTP id d5mr1966143lbm.40.1327313294214; Mon, 23 Jan 2012 02:08:14 -0800 (PST) Received: from dfleuriot-at-hi-media.com ([83.167.62.196]) by mx.google.com with ESMTPS id mo12sm8224703lab.2.2012.01.23.02.08.12 (version=SSLv3 cipher=OTHER); Mon, 23 Jan 2012 02:08:13 -0800 (PST) Message-ID: <4F1D318A.30602@my.gd> Date: Mon, 23 Jan 2012 11:08:10 +0100 From: Damien Fleuriot User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20111222 Thunderbird/9.0.1 MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: In-Reply-To: X-Gm-Message-State: ALoCoQk41SzqAyNjkSfx+mswLD/3+KDcqFjGvYYNOd2BS94uGqhvllc2vxkth6AG+gUHGWtOxDWz Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: Getting Involved X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 10:39:09 -0000 On 1/21/12 5:41 PM, Ermal Luçi wrote: > On Fri, Jan 20, 2012 at 11:04 PM, Walt Elam wrote: > >> I would like to help with the development of the PF port for FreeBSD but am >> not quite sure how to get involved. 
More specifically, I would like to help >> get something ported over that accepts the new rule syntax since it becomes >> increasingly harder to find documentation, help, and tutorials for the >> older syntax. >> >> If anyone could point me in the right direction for getting involved, that >> would be great. >> >> > There is one catch. > FreeBSD does not want to break compatibility of old syntax and that is why > i did not port the latest version of pf(4). > > What is there now makes it 'trivial' to go to the latest pf(4) version in > Open but there needs to be a layer of translation > for the old syntax to new syntax. > > That is te only reason its not been done. > While we're at it, are there any plans for being able to include files to the main PF conf ? Currently, we're emulating this using anchors, but plain includes would be nicer. The way I see it here, in our own environment, we'd have a first include with our interface definitions, another with options and so on... From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 11:07:10 2012 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 30727106566B for ; Mon, 23 Jan 2012 11:07:10 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 1E5D58FC17 for ; Mon, 23 Jan 2012 11:07:10 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q0NB7AGK081036 for ; Mon, 23 Jan 2012 11:07:10 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q0NB79bX081034 for freebsd-pf@FreeBSD.org; Mon, 23 Jan 2012 11:07:09 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 23 Jan 2012 11:07:09 GMT Message-Id: 
<201201231107.q0NB79bX081034@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Cc: Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 11:07:10 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

47 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 11:16:40 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 02AF41065695 for ; Mon, 23 Jan 2012 11:16:40 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id BAF508FC13 for ; Mon, 23 Jan 2012 11:16:39 +0000 (UTC) Received: by iagz16 with SMTP id z16so6905679iag.13 for ; Mon, 23 Jan 2012 03:16:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=348Ur48Z1LMiruQnBiRMT3Z21numhrHQFll4adbfS5k=; b=rT1AXXSAet29Vc4B9PHrg+kE6e5BNceJPakcO+E1QgP3DTNyvV5jV0xduaUMw8dXc1 F2Fj0fLObguVXLTOczjeJbI3Y/S5V8AQ4EiJIRNtPkzXWCMXhbV6zkulmX+BXnRC6MZN CGx0hVHu2f2vKuQdjT7yUfZez1+GJ5Y/IYTFA= MIME-Version: 1.0 Received: by 10.42.163.200 with SMTP id d8mr7570924icy.41.1327317398883; Mon, 23 Jan 2012 03:16:38 -0800 (PST) Sender: ermal.luci@gmail.com Received: by 10.231.134.198 with HTTP; Mon, 23 Jan 2012 03:16:38 -0800 (PST) In-Reply-To: <4F1BE7C8.4040601@FreeBSD.org> References: <4E4D073F-9979-4CB1-A421-DA5C1FC7A34F@FreeBSD.org> <20120121210118.0a1dc9d3@fabiankeil.de> <69ABD828-70EB-4599-A3A0-52707C7F3DE5@lists.zabbadoz.net> <4F1BE7C8.4040601@FreeBSD.org> Date: Mon, 23 Jan 2012 12:16:38 +0100 X-Google-Sender-Auth: 2MjMxLtugrG8sEUMI4YHTGZjTxE Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: =?ISO-8859-1?Q?Tilman_Keskin=F6z?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org Subject: Re: kern/163208: [pf] PF state key linking mismatch X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: 
"Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 11:16:40 -0000

On Sun, Jan 22, 2012 at 11:41 AM, Tilman Keskinöz wrote:
> * Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +0000]:
> >
> > On 21. Jan 2012, at 20:52 , Tilman Keskinöz wrote:
> >
> >>
> >> On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
> >>
> >>> Tilman Keskinöz wrote:
> >>>
> >>>> Same here.
> >>>>
> >>>> Also Fabian Keil reported this in
> >>>> > http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
> >>>
> >>> This has been fixed in CURRENT shortly thereafter:
> >>> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
> >>>
> >>> Maybe the fix hasn't been MFC'd.
> >>
> >> Hm, r223765 happened before the RELENG_9 Branchpoint.
> >> So maybe the Fix was not complete?
> >
> > See thread from earlier this month on freebsd-pf
> >
> > The Thread suggests:
> > * Matt Lager [Thu, 12 Jan 2012 15:48:23 -0700]:
> > So it looks like I can comment out this code in
> > /usr/src/sys/contrib/pf/net/pf.c:
> >
> >                 /* mismatch. must not happen. */
> >                 printf("pf: state key linking mismatch! dir=%s, "
> >                     "if=%s, stored af=%u, a0: ",
> >                     dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);
> >
> > When this error occurs, I guess for valid reasons, does PF drop packets
> > or do something else with them, or is this purely an information notice?
>
> I can confirm that removing this printf, brings back the performance for
> me.
>
> Probably a sysctl to disable this should be provided.
There might be unexpected consequences from this and the better fix is to
find the section where the mbuf is being reused.
> Please fix :)
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 11:50:07 2012 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DCC69106566B for ; Mon, 23 Jan 2012 11:50:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id CA5A98FC12 for ; Mon, 23 Jan 2012 11:50:07 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q0NBo7Gu024555 for ; Mon, 23 Jan 2012 11:50:07 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q0NBo7gH024552; Mon, 23 Jan 2012 11:50:07 GMT (envelope-from gnats) Date: Mon, 23 Jan 2012 11:50:07 GMT Message-Id: <201201231150.q0NBo7gH024552@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Ermal Luçi Cc: Subject: Re: kern/163208: [pf] PF state key linking mismatch X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Ermal Luçi List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 11:50:07 -0000 The following reply was made to PR kern/163208; it has been noted by GNATS.
From: Ermal Luçi To: Tilman Keskinöz Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org Subject: Re: kern/163208: [pf] PF state key linking mismatch Date: Mon, 23 Jan 2012 12:16:38 +0100 --90e6ba6e89dc108bd804b7302abd Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

On Sun, Jan 22, 2012 at 11:41 AM, Tilman Keskinöz wrote:
> * Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +0000]:
> >
> > On 21. Jan 2012, at 20:52 , Tilman Keskinöz wrote:
> >
> >>
> >> On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
> >>
> >>> Tilman Keskinöz wrote:
> >>>
> >>>> Same here.
> >>>>
> >>>> Also Fabian Keil reported this in
> >>>> > http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
> >>>
> >>> This has been fixed in CURRENT shortly thereafter:
> >>> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
> >>>
> >>> Maybe the fix hasn't been MFC'd.
> >>
> >> Hm, r223765 happened before the RELENG_9 Branchpoint.
> >> So maybe the Fix was not complete?
> >
> > See thread from earlier this month on freebsd-pf
> >
> > The Thread suggests:
> > * Matt Lager [Thu, 12 Jan 2012 15:48:23 -0700]:
> > So it looks like I can comment out this code in
> > /usr/src/sys/contrib/pf/net/pf.c:
> >
> >                 /* mismatch. must not happen. */
> >                 printf("pf: state key linking mismatch! dir=%s, "
> >                     "if=%s, stored af=%u, a0: ",
> >                     dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);
> >
> > When this error occurs, I guess for valid reasons, does PF drop packets
> > or do something else with them, or is this purely an information notice?
>
> I can confirm that removing this printf, brings back the performance for
> me.
>
> Probably a sysctl to disable this should be provided.
There might be unexpected consequences from this and the better fix is to
find the section where the mbuf is being reused.
> Please fix :)
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
--
Ermal

--90e6ba6e89dc108bd804b7302abd Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

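The thread above turns on a diagnostic printf() that sits on pf's per-packet path: once the "must not happen" condition starts firing for every packet, the console output itself becomes the performance problem, while simply deleting it (or gating it behind a sysctl) hides a real bug about mbuf reuse. As an added example that is not code from pf or from anyone in this thread, the userland C model below shows the middle ground a kernel developer would normally reach for: count every occurrence unconditionally, so the symptom stays observable through a counter the way a sysctl or pfctl statistic would expose it, and rate-limit only the console message, in the spirit of the kernel's ppsratecheck(). The limiter is reimplemented here with an injectable clock so it runs offline; the names report_mismatch, simulate_burst, the interface "em0" and the 10,000-event burst are all constructed for this example.

```c
/*
 * Added example: rate-limited diagnostic for a hot-path "must not happen"
 * condition.  Modelled on the pf "state key linking mismatch" printf
 * discussed on the list; not pf code.  Time is passed in explicitly
 * (seconds) so the behaviour is deterministic and testable offline.
 */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

struct ratelimit {
    int64_t  window_start;   /* second in which the current window began */
    unsigned in_window;      /* messages already emitted in this second */
    unsigned max_per_sec;    /* 0 means never log (the "sysctl off" case) */
};

struct mismatch_stats {
    uint64_t seen;           /* every occurrence, always counted */
    uint64_t logged;         /* occurrences that produced a console line */
    uint64_t suppressed;     /* occurrences swallowed by the limiter */
};

/* Simple per-second limiter (hypothetical stand-in for ppsratecheck()).
 * Returns true if one more message may be emitted at time 'now'. */
static bool ratecheck(struct ratelimit *rl, int64_t now)
{
    if (rl->max_per_sec == 0)
        return false;
    if (now != rl->window_start) {      /* new second: reset the budget */
        rl->window_start = now;
        rl->in_window = 0;
    }
    if (rl->in_window >= rl->max_per_sec)
        return false;
    rl->in_window++;
    return true;
}

/* Called on every mismatch.  The counter is bumped unconditionally; only
 * the printf is subject to the limiter.  Returns whether a line was printed. */
bool report_mismatch(struct mismatch_stats *st, struct ratelimit *rl,
                     int64_t now, bool out, const char *ifname, unsigned af)
{
    st->seen++;
    if (!ratecheck(rl, now)) {
        st->suppressed++;
        return false;
    }
    st->logged++;
    printf("pf: state key linking mismatch! dir=%s, if=%s, stored af=%u "
           "(%llu occurrences so far)\n",
           out ? "OUT" : "IN", ifname, af, (unsigned long long)st->seen);
    return true;
}

/* Constructed scenario: 10,000 mismatches arriving in a burst that spans
 * three simulated seconds (about 4,000 events per second). */
struct mismatch_stats simulate_burst(unsigned max_per_sec)
{
    struct mismatch_stats st = {0, 0, 0};
    struct ratelimit rl = { .window_start = -1, .in_window = 0,
                            .max_per_sec = max_per_sec };
    for (int i = 0; i < 10000; i++) {
        int64_t now = 1000 + i / 4000;
        report_mismatch(&st, &rl, now, (i & 1) != 0, "em0", 2);
    }
    return st;
}

int main(void)
{
    struct mismatch_stats st = simulate_burst(5);
    printf("seen=%llu logged=%llu suppressed=%llu\n",
           (unsigned long long)st.seen, (unsigned long long)st.logged,
           (unsigned long long)st.suppressed);
    return 0;
}
```

With a budget of five lines per second the burst produces fifteen console lines instead of ten thousand, and the seen counter still reports the full 10,000, which is the number an operator would want to watch while the underlying mbuf reuse is tracked down. Setting the budget to zero reproduces the "disable it" option from the thread: silent on the console, but the counter keeps evidence that the condition is occurring.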
--90e6ba6e89dc108bd804b7302abd-- From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 12:20:08 2012 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1B8B0106566B for ; Mon, 23 Jan 2012 12:20:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0A3188FC12 for ; Mon, 23 Jan 2012 12:20:08 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q0NCK7gj051512 for ; Mon, 23 Jan 2012 12:20:07 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q0NCK7LG051511; Mon, 23 Jan 2012 12:20:07 GMT (envelope-from gnats) Date: Mon, 23 Jan 2012 12:20:07 GMT Message-Id: <201201231220.q0NCK7LG051511@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: =?ISO-8859-1?Q?Tilman_Keskin=F6z?= Cc: Subject: Re: kern/163208: [pf] PF state key linking mismatch X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: =?ISO-8859-1?Q?Tilman_Keskin=F6z?= List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 12:20:08 -0000 The following reply was made to PR kern/163208; it has been noted by GNATS. From: =?ISO-8859-1?Q?Tilman_Keskin=F6z?= To: =?ISO-8859-1?Q?Ermal_Lu=E7i?= Cc: bug-followup@FreeBSD.org Subject: Re: kern/163208: [pf] PF state key linking mismatch Date: Mon, 23 Jan 2012 13:13:55 +0100 * Ermal Luçi [Mon, 23 Jan 2012 11:50:07 GMT]: > > Probably a sysctl to disable this should be provided. > There might be unexpected consequences from this and the better fix is to > find the section where the mbuf is being reused. What consequences? 
Is there anything that can be done, to debug where the mbuf is reused? > > > > Please fix :) From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 15:27:39 2012 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8A20B106564A; Mon, 23 Jan 2012 15:27:39 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 601F78FC1A; Mon, 23 Jan 2012 15:27:39 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q0NFRdXZ028165; Mon, 23 Jan 2012 15:27:39 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q0NFRdoK028161; Mon, 23 Jan 2012 15:27:39 GMT (envelope-from linimon) Date: Mon, 23 Jan 2012 15:27:39 GMT Message-Id: <201201231527.q0NFRdoK028161@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org From: linimon@FreeBSD.org Cc: Subject: Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 15:27:39 -0000 Old Synopsis: pf crashes with a particular set of rules when first matching packet arrives New Synopsis: [pf] pf crashes with a particular set of rules when first matching packet arrives Responsible-Changed-From-To: freebsd-bugs->freebsd-pf Responsible-Changed-By: linimon Responsible-Changed-When: Mon Jan 23 15:27:29 UTC 2012 Responsible-Changed-Why: Over to maintainer(s). 
http://www.freebsd.org/cgi/query-pr.cgi?pr=164402 From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 16:30:14 2012 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 43086106568B for ; Mon, 23 Jan 2012 16:30:14 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 31AE28FC16 for ; Mon, 23 Jan 2012 16:30:14 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q0NGUEtc083943 for ; Mon, 23 Jan 2012 16:30:14 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q0NGUER3083940; Mon, 23 Jan 2012 16:30:14 GMT (envelope-from gnats) Date: Mon, 23 Jan 2012 16:30:14 GMT Message-Id: <201201231630.q0NGUER3083940@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Ermal Luçi Cc: Subject: Re: kern/163208: [pf] PF state key linking mismatch X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Ermal Luçi List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 16:30:14 -0000 The following reply was made to PR kern/163208; it has been noted by GNATS. From: Ermal Luçi To: Tilman Keskinöz Cc: bug-followup@freebsd.org Subject: Re: kern/163208: [pf] PF state key linking mismatch Date: Mon, 23 Jan 2012 17:21:21 +0100

On Mon, Jan 23, 2012 at 1:13 PM, Tilman Keskinöz wrote:
>
> * Ermal Luçi [Mon, 23 Jan 2012 11:50:07 GMT]:
> >
> > > Probably a sysctl to disable this should be provided.
> > There might be unexpected consequences from this and the better fix is to
> > find the section where the mbuf is being reused.
>
> What consequences?
>
> Is there anything that can be done, to debug where the mbuf is reused?
>
You have to find the subsystem that does the re-use.
Starting from the pf state seeing if it is udp/tcp/... then trying to find
the specific part that would trigger this.
As in TCP after a RST or somesuch.
> > > > > > > Please fix :)

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 26 14:38:33 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 57CFD1065672 for ; Thu, 26 Jan 2012 14:38:33 +0000 (UTC) (envelope-from d.sieborger@ru.ac.za) Received: from mail.ru.ac.za (mail.ru.ac.za [IPv6:2001:4200:1010:0:250:56ff:fe8d:5]) by mx1.freebsd.org (Postfix) with ESMTP id EA2008FC08 for ; Thu, 26 Jan 2012 14:38:30 +0000 (UTC) Received: from damar.ru.ac.za ([2001:4200:1010:1058:219:d1ff:fe9f:726a]:47429) by mail.ru.ac.za with esmtp (Exim 4.76 (FreeBSD)) (envelope-from ) id 1RqQT5-000Pr0-Ht for freebsd-pf@freebsd.org; Thu, 26 Jan 2012 16:38:27 +0200 Received: by damar.ru.ac.za (Postfix, from userid 1001) id 698C839EE; Thu, 26 Jan 2012 16:38:27 +0200 (SAST) From: David Siebörger To: freebsd-pf@freebsd.org Date: Thu, 26 Jan 2012 16:38:26 +0200 User-Agent: KMail/1.13.7 (FreeBSD/8.2-RELEASE-p3; KDE/4.7.3; amd64; ; ) Organization: Rhodes University MIME-Version: 1.0 Content-Type: Multipart/Mixed; boundary="Boundary-00=_iVWIP9/oBMJI11C" Message-Id: <201201261638.26599.d.sieborger@ru.ac.za> X-Virus-Scanned: mail.ru.ac.za (2001:4200:1010:0:250:56ff:fe8d:5) Subject: pf crashes in pfr_update_stats() X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help:
List-Subscribe: , X-List-Received-Date: Thu, 26 Jan 2012 14:38:33 -0000 --Boundary-00=_iVWIP9/oBMJI11C Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Hi,

I have a pair of FreeBSD 9.0-RELEASE firewalls which are crashing
repeatedly. I've been able to connect to one of them with remote kgdb
after it crashed (see kgdb session attached), but I haven't been able to
get to the bottom of what's wrong. Is anyone able to shed more light on
this?

The first problem that I see is that the kt argument to
pfr_update_stats() is null, so the kernel panics as soon as that's
dereferenced.

Where pfr_update_stats() is called from pf_test(), kgdb tells me that
"Variable "tr" is not available." (Is that because of a gcc
optimisation?) But, tr ought to equal r in this instance, and r is
available, so I looked at r. r->dst.addr.p.tbl is indeed null.

Does anyone have any theories about why that could be the case, or
anything else that I could do to debug this? I can provide more
configuration information if needed.

--
David Siebörger
System Administrator, IT Division, Rhodes University

--Boundary-00=_iVWIP9/oBMJI11C Content-Type: text/plain; charset="ISO-8859-1"; name="kgdb2.txt" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="kgdb2.txt"

# kgdb -r /dev/cuau0 /usr/obj/usr/src/sys/FIREWALL/kernel.debug
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Switching to remote protocol
pfr_update_stats (kt=0x0, a=0xfffffe000e0a4c90, af=2 '\002', len=48,
    dir_out=0, op_pass=0, notrule=0)
    at /usr/src/sys/contrib/pf/net/pf_table.c:2242
2242            if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
(kgdb) where
#0  pfr_update_stats (kt=0x0, a=0xfffffe000e0a4c90, af=2 '\002', len=48,
    dir_out=0, op_pass=0, notrule=0)
    at /usr/src/sys/contrib/pf/net/pf_table.c:2242
#1  0xffffffff8031140c in pf_test (dir=1, ifp=Variable "ifp" is not available.
) at /usr/src/sys/contrib/pf/net/pf.c:7064
#2  0xffffffff80316b5b in pf_check_in (arg=Variable "arg" is not available.
) at /usr/src/sys/contrib/pf/net/pf_ioctl.c:4139
#3  0xffffffff8093965e in pfil_run_hooks (ph=Variable "ph" is not available.
) at /usr/src/sys/net/pfil.c:82
#4  0xffffffff809a0907 in ip_input (m=0xfffffe000e0a4c00)
    at /usr/src/sys/netinet/ip_input.c:510
#5  0xffffffff8093892b in netisr_dispatch_src (proto=1, source=Variable "source" is not available.
) at /usr/src/sys/net/netisr.c:1013
#6  0xffffffff8092dd6d in ether_demux (ifp=0xfffffe0003d91000, m=dwarf2_read_address: Corrupted DWARF expression.
) at /usr/src/sys/net/if_ethersubr.c:937
#7  0xffffffff8092e044 in ether_nh_input (m=Variable "m" is not available.
) at /usr/src/sys/net/if_ethersubr.c:756
#8  0xffffffff8093892b in netisr_dispatch_src (proto=9, source=Variable "source" is not available.
) at /usr/src/sys/net/netisr.c:1013
#9  0xffffffff8092dc8f in ether_demux (ifp=0xfffffe0002acb000, m=dwarf2_read_address: Corrupted DWARF expression.
) at /usr/src/sys/net/if_ethersubr.c:846
#10 0xffffffff8092e044 in ether_nh_input (m=Variable "m" is not available.
) at /usr/src/sys/net/if_ethersubr.c:756
#11 0xffffffff8093892b in netisr_dispatch_src (proto=9, source=Variable "source" is not available.
) at /usr/src/sys/net/netisr.c:1013
#12 0xffffffff8043f88a in bce_intr (xsc=Variable "xsc" is not available.
) at /usr/src/sys/dev/bce/if_bce.c:6600
#13 0xffffffff80849c74 in intr_event_execute_handlers (p=Variable "p" is not available.
) at /usr/src/sys/kern/kern_intr.c:1257
#14 0xffffffff8084b434 in ithread_loop (arg=0xfffffe0002b0dc00)
    at /usr/src/sys/kern/kern_intr.c:1270
#15 0xffffffff808468cf in fork_exit (callout=0xffffffff8084b390 ,
    arg=0xfffffe0002b0dc00, frame=0xffffff80f6d19c50)
    at /usr/src/sys/kern/kern_fork.c:995
#16 0xffffffff80b5fd6e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:602
#17 0x0000000000000000 in ?? ()
#18 0x0000000000000000 in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x0000000000000000 in ?? ()
#21 0x0000000000000000 in ?? ()
#22 0x0000000000000000 in ?? ()
#23 0x0000000000000000 in ?? ()
#24 0x0000000000000000 in ?? ()
#25 0x0000000000000000 in ?? ()
#26 0x0000000000000000 in ?? ()
#27 0x0000000000000000 in ?? ()
#28 0x0000000000000000 in ?? ()
#29 0x0000000000000000 in ?? ()
#30 0x0000000000000000 in ?? ()
---Type to continue, or q to quit---
#31 0x0000000000000000 in ?? ()
#32 0x0000000000000000 in ?? ()
#33 0x0000000000000000 in ?? ()
#34 0x0000000000000000 in ?? ()
#35 0x0000000000000000 in ?? ()
#36 0x0000000000000000 in ?? ()
#37 0x0000000000000000 in ?? ()
#38 0x0000000000000000 in ?? ()
#39 0x0000000000000000 in ?? ()
#40 0x0000000000000000 in ?? ()
#41 0xffffffff81192900 in affinity ()
#42 0xfffffe0002ac7000 in ?? ()
#43 0x0000000000000000 in ?? ()
#44 0xfffffe0002ac7000 in ?? ()
#45 0xffffff80f6d19b40 in ?? ()
#46 0xffffff80f6d19ae8 in ?? ()
#47 0xfffffe0002907460 in ?? ()
#48 0xffffffff8089c3d2 in sched_switch (td=0xffffffff8084b390,
    newtd=0xfffffe0002b0dc00, flags=dwarf2_read_address: Corrupted DWARF expression.
) at /usr/src/sys/kern/sched_ule.c:1848
Previous frame inner to this frame (corrupt stack?)
(kgdb) info args
kt = (struct pfr_ktable *) 0x0
a = (struct pf_addr *) 0xfffffe000e0a4c90
af = 2 '\002'
len = 48
dir_out = 0
op_pass = 0
notrule = 0
(kgdb) p *a
$1 = {pfa = {v4 = {s_addr = 3414615954}, v6 = {__u6_addr = {
        __u6_addr8 = "\222ç\206Ë¼&\000\031ÉUÿï\000\000\000", __u6_addr16 = {
          59282, 52102, 9916, 6400, 21961, 61439, 0, 0}, __u6_addr32 = {
          3414615954, 419440316, 4026488265, 0}}},
    addr8 = "\222ç\206Ë¼&\000\031ÉUÿï\000\000\000", addr16 = {59282, 52102,
      9916, 6400, 21961, 61439, 0, 0}, addr32 = {3414615954, 419440316,
      4026488265, 0}}}
(kgdb) up
#1  0xffffffff8031140c in pf_test (dir=1, ifp=Variable "ifp" is not available.
) at /usr/src/sys/contrib/pf/net/pf.c:7064
7064                    pfr_update_stats(tr->dst.addr.p.tbl,
(kgdb) info args
dir = 1
ifp = Variable "ifp" is not available.
(kgdb) p tr
Variable "tr" is not available.
(kgdb) p nr
Variable "nr" is not available.
(kgdb) p s
$2 = (struct pf_state *) 0x0
(kgdb) p pd.nat_rule
$3 = (struct pf_rule *) 0x0
(kgdb) p r
$4 = (struct pf_rule *) 0xfffffe000f2593a8
(kgdb) p *r
$5 = {src = {addr = {v = {a = {addr = {pfa = {v4 = {s_addr = 0}, v6 = {
              __u6_addr = {__u6_addr8 = '\0' , __u6_addr16 = {0, 0, 0, 0, 0, 0,
                  0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, addr8 = '\0' ,
            addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, addr32 = {0, 0, 0, 0}}},
          mask = {pfa = {v4 = {s_addr = 0}, v6 = {__u6_addr = {
                  __u6_addr8 = '\0' , __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
                  __u6_addr32 = {0, 0, 0, 0}}}, addr8 = '\0' ,
            addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, addr32 = {0, 0, 0, 0}}}},
        ifname = '\0' , tblname = '\0' , rtlabelname = '\0' , rtlabel = 0},
      p = {dyn = 0x0, tbl = 0x0, dyncnt = 0, tblcnt = 0}, type = 0 '\0',
      iflags = 0 '\0'}, port = {0, 0}, neg = 0 '\0', port_op = 0 '\0'},
  dst = {addr = {v = {a = {addr = {pfa = {v4 = {s_addr = 1970168173}, v6 = {
              __u6_addr = {__u6_addr8 = "manualblock\000\000\000\000",
                __u6_addr16 = {24941, 30062, 27745, 27746, 25455, 107, 0, 0},
                __u6_addr32 = {1970168173, 1818389601, 7037807, 0}}},
            addr8 = "manualblock\000\000\000\000", addr16 = {24941, 30062,
              27745, 27746, 25455, 107, 0, 0}, addr32 = {1970168173,
              1818389601, 7037807, 0}}}, mask = {pfa = {v4 = {s_addr = 0},
              v6 = {__u6_addr = {__u6_addr8 = '\0' , __u6_addr16 = {0, 0, 0,
                    0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}},
            addr8 = '\0' , addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
            addr32 = {0, 0, 0, 0}}}}, ifname = "manualblock\000\000\000\000",
        tblname = "manualblock", '\0' , rtlabelname = "manualblock", '\0' ,
        rtlabel = 1970168173}, p = {dyn = 0x0, tbl = 0x0, dyncnt = 0,
        tblcnt = 0}, type = 3 '\003', iflags = 0 '\0'}, port = {0, 0},
    neg = 0 '\0', port_op = 0 '\0'}, skip = {{ptr = 0xfffffe000f105000,
      nr = 252727296}, {ptr = 0xfffffe000e9573a8, nr = 244675496}, {
      ptr = 0xfffffe000e988af8, nr = 244878072}, {ptr = 0xfffffe000e988af8,
      nr = 244878072}, {ptr = 0xfffffe000e988af8, nr = 244878072}, {
      ptr = 0xfffffe0098924750, nr = 2559723344}, {ptr = 0xfffffe000e988af8,
      nr = 244878072}, {ptr = 0xfffffe000e988af8, nr = 244878072}},
  label = '\0' , ifname = "tenet0\000\000\000\000\000\000\000\000\000",
  qname = '\0' , pqname = '\0' , tagname = '\0' , match_tagname = '\0' ,
  overload_tblname = '\0' , entries = {tqe_next = 0xfffffe000f105000,
    tqe_prev = 0x0}, rpool = {list = {tqh_first = 0x0,
      tqh_last = 0xfffffe000f2595d8}, cur = 0x0, key = {pfk = {
        key8 = '\0' , key16 = {0, 0, 0, 0, 0, 0, 0, 0},
        key32 = {0, 0, 0, 0}}}, counter = {pfa = {v4 = {s_addr = 0}, v6 = {
          __u6_addr = {__u6_addr8 = '\0' , __u6_addr16 = {0, 0, 0, 0, 0, 0,
              0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, addr8 = '\0' ,
        addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
---Type to continue, or q to quit---
        addr32 = {0, 0, 0, 0}}},
    tblidx = 0, proxy_port = {0, 0}, port_op = 0 '\0', opts = 0 '\0'},
  evaluations = 123840, packets = {363, 0}, bytes = {29033, 0},
  kif = 0xfffffe000e0b3e00, anchor = 0x0, overload_tbl = 0x0,
  os_fingerprint = 0, rtableid = -1, timeout = {0 }, states_cur = 0,
  states_tot = 0, max_states = 0, src_nodes = 0, max_src_nodes = 0,
  max_src_states = 0, spare1 = 0, max_src_conn = 0,
  max_src_conn_rate = {limit = 0, seconds = 0}, qid = 0, pqid = 0,
  rt_listid = 0, nr = 4294967295, prob = 0, cuid = 0, cpid = 38081,
  return_icmp = 771, return_icmp6 = 260, max_mss = 0, tag = 0,
  match_tag = 0, spare2 = 0, uid = {uid = {0, 0}, op = 0 '\0'},
  gid = {gid = {0, 0}, op = 0 '\0'}, rule_flag = 8, action = 1 '\001',
  direction = 1 '\001', log = 1 '\001', logif = 0 '\0', quick = 1 '\001',
  ifnot = 0 '\0', match_tag_not = 0 '\0', natpass = 0 '\0',
  keep_state = 0 '\0', af = 0 '\0', proto = 0 '\0', type = 0 '\0',
  code = 0 '\0', flags = 0 '\0', flagset = 0 '\0', min_ttl = 0 '\0',
  allow_opts = 0 '\0', rt = 0 '\0', return_ttl = 0 '\0', tos = 0 '\0',
  set_tos = 0 '\0', anchor_relative = 0 '\0', anchor_wildcard = 0 '\0',
  flush = 0 '\0', divert = {addr = {pfa = {v4 = {s_addr = 0}, v6 = {
          __u6_addr = {__u6_addr8 = '\0' , __u6_addr16 = {0, 0, 0, 0, 0, 0,
              0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, addr8 = '\0' ,
        addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, addr32 = {0, 0, 0, 0}}},
    port = 0}}
(kgdb) p r->dst.addr.p.tbl
$6 = (struct pfr_ktable *) 0x0
(kgdb) p r->dst.addr.p
$7 = {dyn = 0x0, tbl = 0x0, dyncnt = 0, tblcnt = 0}
(kgdb) p r->dst.addr
$8 = {v = {a = {addr = {pfa = {v4 = {s_addr = 1970168173}, v6 = {__u6_addr = {
            __u6_addr8 = "manualblock\000\000\000\000", __u6_addr16 = {
              24941, 30062, 27745, 27746, 25455, 107, 0, 0}, __u6_addr32 = {
              1970168173, 1818389601, 7037807, 0}}},
        addr8 = "manualblock\000\000\000\000", addr16 = {24941, 30062, 27745,
          27746, 25455, 107, 0, 0}, addr32 = {1970168173, 1818389601,
          7037807, 0}}}, mask = {pfa = {v4 = {s_addr = 0}, v6 = {
            __u6_addr = {__u6_addr8 = '\0' , __u6_addr16 = {
                0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}},
        addr8 = '\0' , addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
        addr32 = {0, 0, 0, 0}}}}, ifname = "manualblock\000\000\000\000",
    tblname = "manualblock", '\0' , rtlabelname = "manualblock", '\0' ,
    rtlabel = 1970168173}, p = {dyn = 0x0, tbl = 0x0, dyncnt = 0,
    tblcnt = 0}, type = 3 '\003', iflags = 0 '\0'}

--Boundary-00=_iVWIP9/oBMJI11C--

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 26 15:35:48 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 18D6E106564A for ; Thu, 26 Jan 2012 15:35:48 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-gx0-f182.google.com (mail-gx0-f182.google.com [209.85.161.182]) by mx1.freebsd.org (Postfix) with ESMTP id C6F908FC0C for ; Thu, 26 Jan 2012 15:35:47 +0000 (UTC) Received: by ggnq2 with SMTP id q2so364991ggn.13 for ; Thu, 26 Jan 2012 07:35:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=aLfqKlG7Naof0TL/63ctdTkvRtPN1BBy/UVZRF2bacM=; b=FZOVuyuVNAsDTJq4wrjmMqx+GL98YnRoXtbN5Qc3n1VPhpRLiiYFKVTqyciI+mQq9N Tkw8JU6vZReqjzAFd5GG6JLFgYs8r4t6c4gmnpz7dKpNimBjBiJBdW4g0/Cs+VJU/tLY OyXtz6UvjCVoQy9o99SY8m+O+Xhf0I3+WqNBs= MIME-Version: 1.0 Received: by 10.50.173.98 with SMTP id bj2mr3021501igc.27.1327592145471; Thu, 26 Jan 2012 07:35:45 -0800 (PST) Sender: ermal.luci@gmail.com Received: by 10.231.134.198 with HTTP; Thu, 26 Jan 2012 07:35:45 -0800 (PST) In-Reply-To: <201201261638.26599.d.sieborger@ru.ac.za>
References: <201201261638.26599.d.sieborger@ru.ac.za> Date: Thu, 26 Jan 2012 16:35:45 +0100 X-Google-Sender-Auth: w5NXlFSnpH7aa6NewRLeOVoWlB8 Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: =?ISO-8859-1?Q?David_Sieb=F6rger?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: pf crashes in pfr_update_stats() X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jan 2012 15:35:48 -0000 On Thu, Jan 26, 2012 at 3:38 PM, David Sieb=F6rger w= rote: > Hi, > > I have a pair of FreeBSD 9.0-RELEASE firewalls which are crashing > repeatedly. =A0I've been able to connect to one of them with remote kgdb > after it crashed (see kgdb session attached), but I haven't been able to > get to the bottom of what's wrong. =A0Is anyone able to shed more light o= n > this? > > The first problem that I see is that the kt argument to > pfr_update_stats() is null, so the kernel panics as soon as that's > dereferenced. > > Where pfr_update_stats() is called from pf_test(), kgdb tells me that > "Variable "tr" is not available." =A0(Is that because of a gcc > optimisation?) =A0But, tr ought to equal r in this instance, and r is > available, so I looked at r. =A0r->dst.addr.p.tbl is indeed null. > I have seen this in 8.x versions also. Are you doing frequent updating of tables or loading larde lists of addresses in them? > Does anyone have any theories about why that could be the case, or > anything else that I could do to debug this? =A0I can provide more > configuration information if needed. 
>
>
> --
> David Siebörger
> System Administrator, IT Division, Rhodes University
>

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 26 15:48:37 2012
From: David Siebörger
Organization: Rhodes University
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Date: Thu, 26 Jan 2012 17:48:33 +0200
Subject: Re: pf crashes in pfr_update_stats()
Message-Id: <201201261748.33611.d.sieborger@ru.ac.za>
References: <201201261638.26599.d.sieborger@ru.ac.za>

On Thursday, 26 January 2012 5:35 PM Ermal Luçi wrote:
> On Thu, Jan 26, 2012 at 3:38 PM, David Siebörger wrote:
> > I have a pair of FreeBSD 9.0-RELEASE firewalls which are crashing
> > repeatedly. I've been able to connect to one of them with remote
> > kgdb after it crashed (see kgdb session attached), but I haven't
> > been able to get to the bottom of what's wrong. Is anyone able to
> > shed more light on this?
> >
> > The first problem that I see is that the kt argument to
> > pfr_update_stats() is null, so the kernel panics as soon as that's
> > dereferenced.
> >
> > Where pfr_update_stats() is called from pf_test(), kgdb tells me
> > that "Variable "tr" is not available." (Is that because of a gcc
> > optimisation?) But, tr ought to equal r in this instance, and r
> > is available, so I looked at r. r->dst.addr.p.tbl is indeed null.
>
> I have seen this in 8.x versions also.
> Are you doing frequent updating of tables or loading large lists of
> addresses in them?

I started seeing something similar in 8.x, too, so I upgraded in the
hope that the problem would go away.

Yes, we do update the tables regularly (generally once an hour during
working hours, sometimes more frequently), and some of the tables are
large (one has 1929 entries, another 272, and there are eleven more
which are <=43).  The table that's mentioned in r->dst.addr.v.tblname
has 24 entries.
-- 
David Siebörger
System Administrator, IT Division, Rhodes University

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 02:07:30 2012
From: Peter Jeremy
To: Walt Elam
Cc: freebsd-pf@freebsd.org
Date: Fri, 27 Jan 2012 10:55:43 +1100
Subject: Re: Getting Involved
Message-ID: <20120126235543.GA38187@server.vk2pj.dyndns.org>
References: <9EB23F6C23A8B6488E8BCC92A48E832612A5BC03A9@PEMEXMBXVS04.jellyfishnet.co.uk.local>

On 2012-Jan-23 00:42:13 -0500, Walt Elam wrote:
>I searched a bit this weekend and couldn't figure out where exactly to
>download the code for OpenBSD's PF.

Unlike things like OpenSSH, PF was not developed and is not available
as a standalone, portable package.  The only way to get the code is to
checkout the relevant bits of the OpenBSD repository using one of the
methods listed under "Getting Source" on http://www.openbsd.org/

> Also, if it is all written in C, then I don't
>understand why we couldn't just install the right ports/packages and have
>the OpenBSD code work in FreeBSD. Could someone explain that, please?

PF isn't a userland application that uses (eg) POSIX standard
interfaces and just needs recompilation to work in FreeBSD.  It is
intimately linked into the network stack and relies on internal kernel
interfaces - which are not standardised.  Whilst FreeBSD and OpenBSD
are both derived from the same codebase, they have diverged over the
years and it's not possible to move arbitrary kernel code from one to
the other and have it "just work".

Specific issues with moving the PF code include the work on
virtualising and parallelising the FreeBSD network stack whereas
OpenBSD has a single-threaded network stack.  As a minimum, you need
to add a lock around the PF code - though this would adversely impact
throughput.  A more thorough port would involve adding fine-grained
locking to the PF code and adjusting some of the data structures to
reduce cache-thrashing.

>Lastly, I didn't really understand the reason given for using the old
>syntax. Even if we focused on porting over pf 4.7 then that would
>technically be enough to get in to the new syntax for rules.

The whole problem is that the new syntax is not backward compatible
with the old syntax.  There has recently been a fairly long thread in
-hackers discussing (in part) the need for long-term stability of
interfaces.  The FreeBSD Project offers interface stability within
major versions, therefore an incompatible change in PF syntax could
not be introduced into any FreeBSD-9 or earlier branch.

It would seem a reasonable goal to port pf 4.7 (or later) into -current
so it will form part of 10.x but I can't see it appearing in 9.x.

-- 
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 02:38:24 2012
From: Greg Hennessy
To: Peter Jeremy, Walt Elam
Date: Fri, 27 Jan 2012 02:36:37 +0000
Message-ID: <9EB23F6C23A8B6488E8BCC92A48E832612E69663C6@PEMEXMBXVS04.jellyfishnet.co.uk.local>
In-Reply-To: <20120126235543.GA38187@server.vk2pj.dyndns.org>
Cc: freebsd-pf@freebsd.org
Subject: RE: Getting Involved

Hi Peter,

That doesn't sound unreasonable, bearing in mind how much we all $ENJOY using
the operating system precisely because the interfaces are defined and stable
between major releases.
I would not have expected PF 4.7 and above to be backported.

Reading between the lines of earlier posts I was getting the impression that
in case of PF it had been decided to set the 4.5 version of PF in stone for
now and ever more in FreeBSD.
Could be the wrong end of the stick on my part though.
________________________________________
From: owner-freebsd-pf@freebsd.org [owner-freebsd-pf@freebsd.org] On Behalf Of Peter Jeremy [peterjeremy@acm.org]
Sent: 27 January 2012 10:55
To: Walt Elam
Cc: freebsd-pf@freebsd.org
Subject: Re: Getting Involved

[SNIP]

The whole problem is that the new syntax is not backward compatible
with the old syntax.  There has recently been a fairly long thread in
-hackers discussing (in part) the need for long-term stability of
interfaces.  The FreeBSD Project offers interface stability within
major versions, therefore an incompatible change in PF syntax could
not be introduced into any FreeBSD-9 or earlier branch.

It would seem a reasonable goal to port pf 4.7 (or later) into -current
so it will form part of 10.x but I can't see it appearing in 9.x.

--
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 03:09:23 2012
From: Walt Elam
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Thu, 26 Jan 2012 22:09:21 -0500
Subject: Re: Getting Involved
In-Reply-To: <9EB23F6C23A8B6488E8BCC92A48E832612E69663C6@PEMEXMBXVS04.jellyfishnet.co.uk.local>

Peter, thanks for your incredibly detailed reply. That's exactly what I was
looking for.

I figure I would download all of the OpenBSD code, but does anyone have
any pointers as to what parts of OpenBSD have the pf code? I suppose I
could e-mail the original PF list to figure that out though.

Thanks

On Thu, Jan 26, 2012 at 9:36 PM, Greg Hennessy wrote:
> Hi Peter,
>
> That doesn't sound unreasonable, bearing in mind how much we all $ENJOY
> using the operating system precisely because the interfaces are defined and
> stable between major releases.
> I would not have expected PF 4.7 and above to be backported.
>
> Reading between the lines of earlier posts I was getting the impression
> that in case of PF it had been decided to set the 4.5 version of PF in
> stone for now and ever more in FreeBSD.
> Could be the wrong end of the stick on my part though.
> ________________________________________
> From: owner-freebsd-pf@freebsd.org [owner-freebsd-pf@freebsd.org] On
> Behalf Of Peter Jeremy [peterjeremy@acm.org]
> Sent: 27 January 2012 10:55
> To: Walt Elam
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Getting Involved
>
> [SNIP]
>
> The whole problem is that the new syntax is not backward compatible
> with the old syntax.  There has recently been a fairly long thread in
> -hackers discussing (in part) the need for long-term stability of
> interfaces.  The FreeBSD Project offers interface stability within
> major versions, therefore an incompatible change in PF syntax could
> not be introduced into any FreeBSD-9 or earlier branch.
>
> It would seem a reasonable goal to port pf 4.7 (or later) into -current
> so it will form part of 10.x but I can't see it appearing in 9.x.
>
> --
> Peter Jeremy
>

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 03:13:20 2012
From: Greg Hennessy
To: Walt Elam
Cc: freebsd-pf@freebsd.org
Date: Fri, 27 Jan 2012 03:10:37 +0000
Subject: RE: Getting Involved
Message-ID: <9EB23F6C23A8B6488E8BCC92A48E832612E69663C9@PEMEXMBXVS04.jellyfishnet.co.uk.local>

[SNIP]
I suppose I could e-mail the original PF list to figure that out though.
[SNIP]

Pack your flak jacket and kevlar cricket box ;-)

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 03:22:33 2012
From: "Bjoern A. Zeeb"
To: Walt Elam
Cc: freebsd-pf@freebsd.org
Date: Fri, 27 Jan 2012 03:22:29 +0000
Subject: Re: Getting Involved

On 27. Jan 2012, at 03:09 , Walt Elam wrote:

> Peter, thanks for your incredibly detailed reply. That's exactly what I was
> looking for.
>
> I figure I would download all of the OpenBSD code, but does anyone have
> any pointers as to what parts of OpenBSD have the pf code? I suppose I
> could e-mail the original PF list to figure that out though.
>

mostly http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/ look for files matching *pf*

-- 
Bjoern A. Zeeb
You have to have visions!
         It does not matter how good you are. It matters what good you do!
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 06:47:23 2012
From: David Siebörger
Organization: Rhodes University
To: freebsd-pf@freebsd.org
Date: Fri, 27 Jan 2012 08:47:18 +0200
Subject: Re: pf crashes in pfr_update_stats()
Message-Id: <201201270847.18897.d.sieborger@ru.ac.za>
References: <201201261638.26599.d.sieborger@ru.ac.za>

On Thursday, 26 January 2012 5:35 PM Ermal Luçi wrote:
> Are you doing frequent updating of tables or loading large lists of
> addresses in them?

The machine crashed again, and this time I ran ps in ddb.  It shows
pfctl running on one CPU, and the incoming packet being handled by
another:

db> ps
  pid  ppid  pgrp   uid   state   wmesg         wchan        cmd
99941 99922 99920     0  R       CPU 3                      pfctl
...
100028                   Run     CPU 0                      [irq256: bce0]
...

The backtrace was the same as the last one.

I guess this means that disabling SMP would fix the problem as a quick
workaround, but there's probably something wrong with the locking when
updating the tables.

-- 
David Siebörger
System Administrator, IT Division, Rhodes University

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 09:58:03 2012
In-Reply-To: <9EB23F6C23A8B6488E8BCC92A48E832612E69663C6@PEMEXMBXVS04.jellyfishnet.co.uk.local>
References: <9EB23F6C23A8B6488E8BCC92A48E832612A5BC03A9@PEMEXMBXVS04.jellyfishnet.co.uk.local>
  <20120126235543.GA38187@server.vk2pj.dyndns.org>
  <9EB23F6C23A8B6488E8BCC92A48E832612E69663C6@PEMEXMBXVS04.jellyfishnet.co.uk.local>
Date: Fri, 27 Jan 2012 10:58:02 +0100
From: Ermal Luçi
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: Getting Involved

On Fri, Jan 27, 2012 at 3:36 AM, Greg Hennessy wrote:
> Hi Peter,
>
> That doesn't sound unreasonable, bearing in mind how much we all $ENJOY using the operating system precisely because the interfaces are defined and stable between major releases.
> I would not have expected PF 4.7 and above to be backported.
>
> Reading between the lines of earlier posts I was getting the impression that in case of PF it had been decided to set the 4.5 version of PF in stone for now and ever more in FreeBSD.
> Could be the wrong end of the stick on my part though.

Thinking from a concurrency context, the latest version in OpenBSD is
'easier' to adapt. Less critical datastructure to teach about concurrency...
Though the real issue with the later versions is that the guys are just,
almost, 'embedding' pf(4) into OpenBSD kinda ipfw(4) used to be in the
old days on FreeBSD.

> ________________________________________
> From: owner-freebsd-pf@freebsd.org [owner-freebsd-pf@freebsd.org] On Behalf Of Peter Jeremy [peterjeremy@acm.org]
> Sent: 27 January 2012 10:55
> To: Walt Elam
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Getting Involved
>
> [SNIP]
>
> The whole problem is that the new syntax is not backward compatible
> with the old syntax.  There has recently been a fairly long thread in
> -hackers discussing (in part) the need for long-term stability of
> interfaces.  The FreeBSD Project offers interface stability within
> major versions, therefore an incompatible change in PF syntax could
> not be introduced into any FreeBSD-9 or earlier branch.
>
> It would seem a reasonable goal to port pf 4.7 (or later) into -current
> so it will form part of 10.x but I can't see it appearing in 9.x.
>
> --
> Peter Jeremy

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 10:00:15 2012
In-Reply-To:
<201201270847.18897.d.sieborger@ru.ac.za> References: <201201261638.26599.d.sieborger@ru.ac.za> <201201270847.18897.d.sieborger@ru.ac.za> Date: Fri, 27 Jan 2012 11:00:12 +0100 X-Google-Sender-Auth: aFcDvugwlfk1hpeVVisZKw_z5mw Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: =?ISO-8859-1?Q?David_Sieb=F6rger?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: pf crashes in pfr_update_stats() X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Jan 2012 10:00:15 -0000 On Fri, Jan 27, 2012 at 7:47 AM, David Sieb=F6rger w= rote: > On Thursday, 26 January 2012 5:35 PM Ermal Lu=E7i wrote: >> Are you doing frequent updating of tables or loading larde lists of >> addresses in them? > > The machine crashed again, and this time I ran ps in ddb. =A0It shows > pfctl running on one CPU, and the incoming packet being handled by > another: > > db> ps > =A0pid =A0ppid =A0pgrp =A0 uid =A0 state =A0 wmesg =A0 =A0 =A0 =A0 wchan = =A0 =A0 =A0 =A0cmd > 99941 99922 99920 =A0 =A0 0 =A0R =A0 =A0 =A0 CPU 3 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 pfctl > ... > 100028 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 Run =A0 =A0 CPU 0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 [irq256: > bce0] > ... > > The backtrace was the same as the last one. > > I guess this means that disabling SMP would fix the problem as a quick > workaround, but there's probably something wrong with the locking when > updating the tables. > Sorry, i am busy with $WORK stuff but will need to fix this before end of February. This is mostly related to GC and/or ruleset/table reloading and some workarounds for SMP done on FreeBSD port. 
Whenever i have a fix i will post it here > > -- > David Sieb=F6rger > System Administrator, IT Division, Rhodes University > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" --=20 Ermal
