From owner-freebsd-pf@FreeBSD.ORG Sun Jun 10 03:45:39 2012
From: list_freebsd@bluerosetech.com
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
Date: Sat, 09 Jun 2012 20:45:27 -0700
Message-ID: <4FD41857.4010003@bluerosetech.com>
References: <4FD30582.90506@bluerosetech.com> <65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
In-Reply-To: <65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Subject: Re: IPv6 fragments firewall support?

On 2012-06-09 14:40, Bjoern A. Zeeb wrote:
> You can however unconditionally allow all fragments and trust a (bad)
> end host system:
>
> pass log quick inet6 proto ipv6-frag all

Does ipv6-frag require explicit rules?
My rules passing Internet<->LAN traffic intentionally omit protocol specifications, so in theory ipv6-frag should be covered. For example:

    pass quick on $lanif from to
    pass in quick on $lanif from to any tag LanOut
    pass out quick on { $extif4, $extif6 } tagged LanOut
    block in quick on $extif6 inet6 from any to
    pass in quick on $extif6 inet6 from any to tag LanIn
    pass out quick on $lanif tagged LanIn

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 11 11:07:30 2012
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 11 Jun 2012 11:07:29 GMT
Message-Id: <201206111107.q5BB7TnL053387@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/168200  pf     [pf] pf crashes when receiving packets from an address
o kern/168190  pf     [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf     [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf     [pf] kern.securelevel 3 +pf reload
o kern/165315  pf     [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf     [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf     [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to successfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

52 problems total.
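The ipv6-frag question in the first message above and PR kern/124933 in this list both turn on one property of the IPv6 Fragment header (next-header 44, which is what pf.conf's ipv6-frag names, RFC 2460 section 4.5): only the fragment at offset 0 carries the UDP/TCP header, so a rule keyed on ports has nothing to match in the later fragments, and a filter must either reassemble before filtering or pass fragments blindly, as Bjoern's rule does. What follows is an added example, not code from pf or from either poster; it constructs its own sample datagram and addresses (RFC 3849 documentation prefix) and shows a port rule's view of each fragment beside a reassembler that refuses overlapping fragments as RFC 5722 requires. How pf's own scrub/reassembly on FreeBSD 9 treats IPv6 fragments is the subject of kern/124933 and is not modelled here.

```python
"""IPv6 fragment parsing, a port-rule view of each fragment, and a
reassembler that rejects overlaps. Added example; packets are constructed."""
import struct

IPV6_HDR_LEN = 40
NH_UDP = 17
NH_FRAGMENT = 44  # pf.conf's "ipv6-frag" is IPv6 next-header 44

# Constructed sample addresses from the RFC 3849 documentation prefix.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_header(payload_len, nh, src, dst):
    # version 6, traffic class 0, flow label 0, hop limit 64
    return struct.pack("!IHBB", 6 << 28, payload_len, nh, 64) + src + dst


def fragment(src, dst, nh, ulp, chunk, ident):
    """Split an upper-layer payload into fragments; offsets are 8-byte units."""
    assert chunk % 8 == 0
    out, pos = [], 0
    while pos < len(ulp):
        piece = ulp[pos:pos + chunk]
        more = pos + len(piece) < len(ulp)
        offm = ((pos // 8) << 3) | int(more)          # offset:13 | res:2 | M:1
        fh = struct.pack("!BBHI", nh, 0, offm, ident)  # RFC 2460 4.5 layout
        out.append(ipv6_header(8 + len(piece), NH_FRAGMENT, src, dst) + fh + piece)
        pos += len(piece)
    return out


def parse_ipv6(pkt):
    """Fixed header plus Fragment header if present. 'ulp_visible' is the
    point: only the offset-0 fragment carries the UDP/TCP header."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("short packet")
    vtf, _plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    src, dst, off, frag = pkt[8:24], pkt[24:40], IPV6_HDR_LEN, None
    if nh == NH_FRAGMENT:
        nh, _res, offm, ident = struct.unpack("!BBHI", pkt[off:off + 8])
        frag = {"offset": (offm >> 3) * 8, "more": bool(offm & 1), "id": ident}
        off += 8
    return {"nh": nh, "src": src, "dst": dst, "frag": frag, "payload": pkt[off:],
            "ulp_visible": frag is None or frag["offset"] == 0}


def port_rule_decision(pkt, allowed_udp_dports=(53,)):
    """What a 'pass ... proto udp ... to port 53' style rule can decide per packet."""
    p = parse_ipv6(pkt)
    if not p["ulp_visible"]:
        return "unmatchable: no L4 header in this fragment"
    if p["nh"] == NH_UDP and len(p["payload"]) >= 8:
        _sport, dport = struct.unpack("!HH", p["payload"][:4])
        return "pass" if dport in allowed_udp_dports else "block"
    return "block"


def reassemble(frags):
    """Rebuild one datagram; refuse overlaps (RFC 5722), gaps and mixed IDs."""
    parsed = [parse_ipv6(f) for f in frags]
    if any(p["frag"] is None for p in parsed):
        raise ValueError("not a fragment")
    if len({(p["src"], p["dst"], p["frag"]["id"]) for p in parsed}) != 1:
        raise ValueError("fragments from different datagrams")
    seen = []
    for p in parsed:
        s, e = p["frag"]["offset"], p["frag"]["offset"] + len(p["payload"])
        if any(s < e2 and s2 < e for s2, e2 in seen):
            raise ValueError("overlapping fragment")
        seen.append((s, e))
    parsed.sort(key=lambda p: p["frag"]["offset"])
    data = b""
    for p in parsed:
        if p["frag"]["offset"] != len(data):
            raise ValueError("gap in fragment chain")
        data += p["payload"]
    if parsed[-1]["frag"]["more"]:
        raise ValueError("last fragment missing")
    return parsed[0]["nh"], data


def reassembly_verdict(frags):
    """Reassemble first, then apply the port rule to the whole datagram."""
    try:
        nh, data = reassemble(frags)
    except ValueError as e:
        return "drop: " + str(e)
    return port_rule_decision(ipv6_header(len(data), nh, SRC, DST) + data)


def sample_udp_datagram():
    """Constructed 1024-byte UDP datagram to port 53 (not captured traffic)."""
    data = b"A" * 1016
    return struct.pack("!HHHH", 4242, 53, 8 + len(data), 0) + data


def sample_fragments():
    return fragment(SRC, DST, NH_UDP, sample_udp_datagram(), 1000, 0x1234)


def sample_overlapping_fragments():
    """Second fragment re-covers bytes 992..1000 of the first: classic evasion."""
    first = sample_fragments()[0]
    fh = struct.pack("!BBHI", NH_UDP, 0, (992 // 8) << 3, 0x1234)
    overlap = ipv6_header(8 + 32, NH_FRAGMENT, SRC, DST) + fh + b"B" * 32
    return [first, overlap]
```

With the sample chain, port_rule_decision() passes the first fragment and reports the second as unmatchable, which is exactly the gap a `proto ipv6-frag` pass rule papers over; reassembly_verdict() passes the complete chain, drops the overlapping one, and drops a chain whose last fragment never arrives.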
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 10:01:13 2012
From: Gleb Smirnoff
To: Chris Buechler
Cc: pf@FreeBSD.org
Date: Thu, 14 Jun 2012 14:01:10 +0400
Message-ID: <20120614100110.GI28613@FreeBSD.org>
References: <20120608061737.GA28197@glebius.int.ru>
Subject: Re: [CFT] SMP-friendly pf

On Sat, Jun 09, 2012 at 03:14:42AM -0400, Chris Buechler wrote:
C> > As you already probably know, or some maybe don't yet know, the pf(4)
C> > subsystem in FreeBSD is currently working under a single mutex. This mutex
C> > is acquired right at the beginning of any packet processing, and is dropped
C> > at the end. While one thread is in pf(4) all other threads are blocked on
C> > that mutex.
C> >
C> > Meanwhile modern computers are getting more and more cores, and modern
C> > network cards are getting more MSI interrupts, each serviced by a separate
C> > kernel thread in FreeBSD. So the single pf lock, which I call "the pf
C> > Giant" :), is becoming a point of hard contention.
C> >
C> > Three and a half months ago I started on a project "SMP-friendly pf",
C> > which has recently entered the alpha stage. As you see from the subject of
C> > this mail, this is a call for testing.
C> >
C> > Willing to test?
C>
C> Absolutely. Are there any particular areas specifically that you would
C> like some testing focus on? Obviously testing everything is needed to
C> ensure nothing is broken, and I'm definitely interested in doing some
C> performance comparisons on SMP and non-SMP hardware. But not sure what
C> areas you've already focused on, and what areas you feel need more
C> testing focus than others, if any.

I'm currently running it with quite simple rulesets with a couple of rdr
rules and that's all.

- Testing with more complex rulesets is interesting.
- Situations with rapidly changing rulesets, or appearing and disappearing
  interfaces or table entries, are potentially dangerous once pf is no
  longer under one lock.
- routing rules, uid/gid rules

A performance increase could probably be noticed only with large state
tables, probably > 100k, on a box with several cores and several NICs, or
with a NIC that runs multiple threads (igb(4) for example).

--
Totus tuus,
Glebius.