From owner-freebsd-pf@FreeBSD.ORG Sun Sep 9 10:08:23 2012
From: claudiu vasadi
To: pf@freebsd.org
Date: Sun, 9 Sep 2012 12:08:21 +0200
Subject: Re: [HEADS UP] merging projects/pf into head

@gleb/ermal: OpenBSD is currently migrating from ALTQ to prio. Any plans on
importing that in the future?

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 9 17:01:51 2012
From: "Bjoern A. Zeeb"
To: Gleb Smirnoff
Cc: pf@FreeBSD.org, net@FreeBSD.org
Date: Sun, 9 Sep 2012 17:01:45 +0000 (UTC)
Subject: Re: [HEADS UP] merging projects/pf into head

On Wed, 5 Sep 2012, Gleb Smirnoff wrote:

Hi,

> Thus, I plan to merge projects/pf/head to head this weekend, and
> this is a HEADS UP email! You have been warned. :)

thanks for the work and handling the fallout:)

> What I'd like to do next:
>
> 1) Move pf out of contrib.

I'd rather wait a bit with that so that other things can settle.
I am also not happy with where other firewalls etc currently live and
stuff so I think having a better understanding on where all this will
move would be good.

> 2) Refactor the pfvar.h into pf.h and pf_var.h. Provide stable
> kernel<->pfctl ABI. And probably other clean up tasks.

Yes, and being extensible is really important.

> ...
> 3) ... too far to build any plans, yet. :)

Ah, NAT64, Proper V_irtualization handling for what you might not have
done (I should go back and look), frag6 support, ... a bugfix from
Apple/Open we need to implement, ... more cherry picking on some
changes ....;-)

--
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 9 17:12:57 2012
From: "Bjoern A. Zeeb"
To: claudiu vasadi
Cc: pf@freebsd.org
Date: Sun, 9 Sep 2012 17:12:52 +0000 (UTC)
Subject: Re: [HEADS UP] merging projects/pf into head

On Sun, 9 Sep 2012, claudiu vasadi wrote:

> @gleb/ermal: OpenBSD is currently migrating from ALTQ to prio. Any plans on
> importing that in the future ?

The last comments I heard made it unlikely that (commercial) consumers
(with slightly more experience in that area) would be a lot more happy
with the replacement than they had been with the original. And I guess
it's mostly an interface question. I pointed some of them at each other
in May, but I don't know if they and Open people got together in the end.

Everyone agrees that altq needs to vanish, we know other code
exists/has been pondered; we'll see who might come forward.

/bz

--
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 9 17:15:23 2012
From: "Bjoern A. Zeeb"
To: Ian FREISLICH
Cc: pf@freebsd.org
Date: Sun, 9 Sep 2012 17:15:19 +0000 (UTC)
Subject: Re: pf spurious packet drops [was: [HEADS UP] merging projects/pf into head]

On Fri, 7 Sep 2012, Ian FREISLICH wrote:

> I don't think Gleb is being personal about this. Facts are
> facts and pf is currently unusable for me, even at home because
> of spuriously dropped packets.

We also have a report that it leaks mbufs and eventually panics after
a few months. Would be interesting to know if these things were
related.

--
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 9 17:24:13 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7914A1065801 for ; Sun, 9 Sep 2012 17:24:13 +0000 (UTC) (envelope-from claudiu.vasadi@gmail.com) Received: from mail-pz0-f54.google.com (mail-pz0-f54.google.com [209.85.210.54]) by mx1.freebsd.org (Postfix) with ESMTP id 439868FC0A for ; Sun, 9 Sep 2012 17:24:13 +0000 (UTC) Received: by dadr6 with SMTP id r6so871910dad.13 for ; Sun, 09 Sep 2012 10:24:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=axdj1I4/dGJvmch+a5+o9KXjcABCoyojhyYAvnaTv/U=; b=0v0OwE3SJRfXZV8zQo7odhYcxYgBxH0EpSA//auy7KXmtGYloqyiYAQp5jJJTRY47Y 3uLJ54SEuKbvFL27miRPzAuwt/GKun4YW0GSCXb1ldC59dn90qGS4FBSx7TBvso5pm52 +SzDTh1YtKBfGE02cuVpjXJ8Qy67QGXa6SQ1LBHvq7nnOsixnV2ekpUe0YMe4sshv6Bn saPpEXDy6RyjiPfn4CDV6fYZZ2Qtcb67QPQXAPDVxBhBsfonGVlGqaESf5zn28Y6x/6d I2DniqAr1HFb2T7jjc+vRm/jLIZMweY8lc//wpD7POnCYelMpECcgXt6L+wxvXYgdLbR 9ehw== MIME-Version: 1.0 Received: by 10.68.200.162 with SMTP id jt2mr1118763pbc.54.1347211452861; Sun, 09 Sep 2012 10:24:12 -0700 (PDT) Received: by 10.66.191.197 with HTTP; Sun, 9 Sep 2012 10:24:12 -0700 (PDT) In-Reply-To: References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> Date: Sun, 9 Sep 2012 19:24:12 +0200 Message-ID: From: claudiu vasadi To: pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Fwd: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Sun, 09 Sep 2012 17:24:13 -0000 forgot to CC pf@. "Thx for the input. @gleb: your work looks really interesting and I can't wait to give it a go. Good job man :)." -- Best regards, Claudiu Vasadi From owner-freebsd-pf@FreeBSD.ORG Sun Sep 9 17:50:43 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D31A0106564A for ; Sun, 9 Sep 2012 17:50:43 +0000 (UTC) (envelope-from ianf@clue.co.za) Received: from zcs04.jnb1.cloudseed.co.za (zcs04.jnb1.cloudseed.co.za [41.154.0.161]) by mx1.freebsd.org (Postfix) with ESMTP id 5CFDA8FC15 for ; Sun, 9 Sep 2012 17:50:42 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zcs04.jnb1.cloudseed.co.za (Postfix) with ESMTP id 01ADC2A82A86; Sun, 9 Sep 2012 19:50:34 +0200 (SAST) X-Virus-Scanned: amavisd-new at zcs04.jnb1.cloudseed.co.za Received: from zcs04.jnb1.cloudseed.co.za ([127.0.0.1]) by localhost (zcs04.jnb1.cloudseed.co.za [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXWplti5ib8u; Sun, 9 Sep 2012 19:50:32 +0200 (SAST) Received: from clue.co.za (unknown [41.154.88.19]) by zcs04.jnb1.cloudseed.co.za (Postfix) with ESMTPSA id 3CB242A829F8; Sun, 9 Sep 2012 19:50:32 +0200 (SAST) Received: from localhost ([127.0.0.1] helo=clue.co.za) by clue.co.za with esmtp (Exim 4.80 (FreeBSD)) (envelope-from ) id 1TAleN-0001k7-W3; Sun, 09 Sep 2012 19:50:28 +0200 To: "Bjoern A. 
Zeeb" From: Ian FREISLICH In-Reply-To: References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> X-Attribution: BOFH Date: Sun, 09 Sep 2012 19:50:27 +0200 Message-Id: Cc: pf@freebsd.org Subject: Re: pf spurious packet drops [was: [HEADS UP] merging projects/pf into head] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Sep 2012 17:50:43 -0000 "Bjoern A. Zeeb" wrote: > On Fri, 7 Sep 2012, Ian FREISLICH wrote: > > > I don't think Gleb is is being personal about this. Facts are > > facts and pf is currently unusable for me, even at home because > > of spuriously dropped packets. > > We also have a report that it leaks mbufs and eventually panics after > a few months. Would be interesting to know if these things were > related. We've not had any panics, but we have had wierd stops forwarding that started recently (on 8.1) which seemed to be triggered by the BPF, but it could be related in some way. The odd thing is that this system has run the same code for 13 months. And the 29 day stops only started recently. Ermal has asked for some more detailed debugging, but that's really really hard to get because the system involved handles so much traffic and the state table is so big, it's a needle in a continent of haystacks. Anyway, we're going to be migrating this system to Gleb's code early this week and take it from there. 
Ian -- Ian Freislich From owner-freebsd-pf@FreeBSD.ORG Sun Sep 9 17:53:51 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3B6F4106564A for ; Sun, 9 Sep 2012 17:53:51 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from ffe17.ukr.net (ffe17.ukr.net [195.214.192.83]) by mx1.freebsd.org (Postfix) with ESMTP id 5430E8FC0C for ; Sun, 9 Sep 2012 17:53:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ukr.net; s=ffe; h=Date:Message-Id:From:To:References:In-Reply-To:Subject:Cc:Content-Type:Content-Transfer-Encoding:MIME-Version; bh=H/zFibbztZXBdyOR7ct5uCRtxXRaC+i+wnEGU8yaZ60=; b=iwA9W7bp2PwisgAMBCLDxtaMpypihJyBdm4wxVDYDsAFRQ9frXWzEEbrOFExZTnLJw4sLMHVGSVBvL/4hNIZB3vyeUXSjP/0L0a2w4CjFiDGm46lbsDpKVxET0Gt4Zk+mJKJHdEou2g4whbuxCfFI4VvD2hPPJAPzqHuB52rVY8=; Received: from mail by ffe17.ukr.net with local ID 1TAlhW-000D5K-1z ; Sun, 09 Sep 2012 20:53:42 +0300 MIME-Version: 1.0 Content-Disposition: inline Content-Transfer-Encoding: binary Content-Type: text/plain; charset="windows-1251" In-Reply-To: References: <20120906064640.GL15915@glebius.int.ru> <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> To: "Bjoern A. 
Zeeb" From: "wishmaster" X-Mailer: freemail.ukr.net 4.0 X-Originating-Ip: [195.200.251.73] Message-Id: <49253.1347213222.5298265938758926336@ffe17.ukr.net> X-Browser: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0 Date: Sun, 09 Sep 2012 20:53:42 +0300 Cc: pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Sep 2012 17:53:51 -0000 > Everyone agrees that altq needs to vanish, we know other code > exists/has been pondered; we'll see who might come forward. May be integrating pf with well-known dummynet? From owner-freebsd-pf@FreeBSD.ORG Sun Sep 9 23:48:33 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E954F106566B for ; Sun, 9 Sep 2012 23:48:32 +0000 (UTC) (envelope-from lobo@bsd.com.br) Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by mx1.freebsd.org (Postfix) with ESMTP id 59FB58FC14 for ; Sun, 9 Sep 2012 23:48:31 +0000 (UTC) Received: by yhq56 with SMTP id 56so333986yhq.17 for ; Sun, 09 Sep 2012 16:48:25 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:organization :x-mailer:mime-version:content-type:content-transfer-encoding :x-gm-message-state; bh=P/8szp6cqFZdAQSdMXM3Efv8+m3pw7Je5wMSUVvH6uA=; b=RH1b92VwMikpe1TQ1O+7IhyKqj8hCh/aaTHm4EtNASer0G5173P/WLYMtrLuT6C+zE fah+7Wiep7cujFAGWJYTTGO3HmSr8SfEa/7l9zqVbAxjOhMHZRe8YtsZHwBlQJT0/DbO MItQx+FkFiRJVy0gLmpnJKT0XLHBC/g3t7sbnttC19j23huBZ3rs3atfeGrmvLSQ+Yvq Mc7sO7Fz+MApsivqIeYk1iWbdAsBhywpMPTFQv5brhoCZvXPW8yyqdoXALPUReYlRzMZ 
LvACxYlVWgfVJgY4FBwySYo8Uk2rytuxYS3Ejrt36P/mAVJJhXUF7A818/qk6CKdUstH 4xdw== Received: by 10.236.140.67 with SMTP id d43mr10427612yhj.19.1347234505201; Sun, 09 Sep 2012 16:48:25 -0700 (PDT) Received: from papi ([177.158.148.115]) by mx.google.com with ESMTPS id l1sm21634828yhm.19.2012.09.09.16.48.23 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 09 Sep 2012 16:48:24 -0700 (PDT) Date: Sun, 9 Sep 2012 20:49:20 -0300 From: Mario Lobo To: freebsd-pf@freebsd.org Message-ID: <20120909204920.51697435@papi> In-Reply-To: References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> Organization: BSD X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; amd64-portbld-freebsd8.3) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Gm-Message-State: ALoCoQn0hiq1pN1F4RZuXPkIKdh9a0WZPtYT9tswbaTAUK+B8lxgLjsijhfUZY6+DTdHvOzrNw4S Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Sep 2012 23:48:33 -0000 On Sun, 9 Sep 2012 17:12:52 +0000 (UTC) "Bjoern A. Zeeb" wrote: > > Everyone agrees that altq needs to vanish, we know other code > exists/has been pondered; we'll see who might come forward. > > /bz > Forgive my lame question. I'm just a simple user and I've been using altq in pf for a good while and it has just been doing a good job (as far as I can see, which may not be as far as it should be seen) on a double wan (setfib) machine. True, I don't have a big ext network load and the 2 links are just 1M and 2M, with 210 rules loaded, lots of rdrs, rtables route-tos, 2 luscas,1 VBox VM server. Never had a single panic on this machine. 
FreeBSD ALLENFW 8.2-STABLE #0: Tue Nov 29 11:35:28 BRT 2011 amd64 Is it possible to explain (quickly, if you must) why altq needs to vanish? Thanks, -- Mario Lobo http://www.mallavoodoo.com.br FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE) From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 06:57:17 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6A291106564A for ; Mon, 10 Sep 2012 06:57:17 +0000 (UTC) (envelope-from claudiu.vasadi@gmail.com) Received: from mail-pb0-f54.google.com (mail-pb0-f54.google.com [209.85.160.54]) by mx1.freebsd.org (Postfix) with ESMTP id 337848FC12 for ; Mon, 10 Sep 2012 06:57:16 +0000 (UTC) Received: by pbbrp2 with SMTP id rp2so2044497pbb.13 for ; Sun, 09 Sep 2012 23:57:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=KMhB7ukyoDL9qrOZTwx6OouYxjTTwclgPExHYXXemCQ=; b=iOlpx4/GJDLuaXpV5Kvc+NRLkOunO08/mgre6ymm+xp4DGc7ZPr8ieSM4hdCfcq5Xx zO2EyyU1qU3FGMMfV8ow3/N0U8CyTYfFsyzUTO3k/uv3EojE8wHf1ras0YsHC3Hiih0d eDQmqezNjpgMcOpivG1SyVjLsMmdyOmGJNpKgdDf83Uf3yRWdmFnQvJOr04WUwsc+Vh0 NsMwV9/uwOuSLsjL+Nje0yIqfrbNdAhC4No3bwVzjNAf10H6S34UNCMRL+IOcGX+HWOY h1z3eBCm6Vcyd8arsyxJ+T5MVD8WYosA3rRC359/ZEz9r7Yy+4H38a5Wxj1iU+GmrKHK lgtg== MIME-Version: 1.0 Received: by 10.68.129.168 with SMTP id nx8mr4642910pbb.112.1347260236270; Sun, 09 Sep 2012 23:57:16 -0700 (PDT) Received: by 10.66.191.197 with HTTP; Sun, 9 Sep 2012 23:57:16 -0700 (PDT) In-Reply-To: <20120909204920.51697435@papi> References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru> <20120909204920.51697435@papi> Date: Mon, 10 Sep 2012 08:57:16 +0200 Message-ID: From: claudiu vasadi To: Mario Lobo Content-Type: text/plain; charset=ISO-8859-1 
X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Sep 2012 06:57:17 -0000 On Mon, Sep 10, 2012 at 1:49 AM, Mario Lobo wrote: > On Sun, 9 Sep 2012 17:12:52 +0000 (UTC) > "Bjoern A. Zeeb" wrote: > > > > Everyone agrees that altq needs to vanish, we know other code > > exists/has been pondered; we'll see who might come forward. > > > > /bz > > > > Forgive my lame question. I'm just a simple user and I've been using > altq in pf for a good while and it has just been doing a good job (as > far as I can see, which may not be as far as it should be seen) on a > double wan (setfib) machine. True, I don't have a big ext network load > and the 2 links are just 1M and 2M, with 210 rules loaded, lots of rdrs, > rtables route-tos, 2 luscas,1 VBox VM server. Never had a single panic > on this machine. > > FreeBSD ALLENFW 8.2-STABLE #0: Tue Nov 29 11:35:28 BRT 2011 amd64 > > Is it possible to explain (quickly, if you must) why altq needs to > vanish? > > Thanks, > > -- > Mario Lobo > http://www.mallavoodoo.com.br > FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE) > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > http://bsdly.blogspot.de/2011/07/anticipating-post-altq-world.html for starters. 
-- Best regards, Claudiu Vasadi From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 07:08:04 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 19545106564A for ; Mon, 10 Sep 2012 07:08:03 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-ey0-f182.google.com (mail-ey0-f182.google.com [209.85.215.182]) by mx1.freebsd.org (Postfix) with ESMTP id 5CE308FC0C for ; Mon, 10 Sep 2012 07:08:03 +0000 (UTC) Received: by eaak11 with SMTP id k11so710971eaa.13 for ; Mon, 10 Sep 2012 00:08:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=Ny80s4YBR4ZoHWidxmjQhkkTVPDsoTonWgfvuj2TqKs=; b=dd3/WLNJYBlC8lF6eLtviuVG0VeozYTsFUJrdRnlYEGLL1DU3/igGV7glGIPaxDcfJ 6uaRm4VMlsLvqw9KsylhYQqq911OhFkGaoWMQ1pE3XOSvvLV50t0TOTV88+sDJPmhrkz teqHO+fLl5Pnp4RSzXOSIpSkRSsAiZ9pRdkvfLBUv3V8tYWS8063n+3n+aq2g+KtrSXj WdaW8UD6pDY2t1FdXZxzUoQkz0Rw7dwTPVVMYuq2+bc4AXq6iA/8CXhNsHFlvbvEJsZ3 3KbmvRqW6GVqZkTurdZuH9FDAQ0s3OkUfZIYAZQlrtvBen8ZJg7vN9kDOPVMPkrnUrdX fGFw== MIME-Version: 1.0 Received: by 10.204.157.146 with SMTP id b18mr3397686bkx.108.1347260882165; Mon, 10 Sep 2012 00:08:02 -0700 (PDT) Sender: ermal.luci@gmail.com Received: by 10.204.48.194 with HTTP; Mon, 10 Sep 2012 00:08:02 -0700 (PDT) In-Reply-To: <49253.1347213222.5298265938758926336@ffe17.ukr.net> References: <20120906064640.GL15915@glebius.int.ru> <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <49253.1347213222.5298265938758926336@ffe17.ukr.net> Date: Mon, 10 Sep 2012 09:08:02 +0200 X-Google-Sender-Auth: Rm6biWfUdlKlmeyA6sMExhfdj8E Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: wishmaster Content-Type: text/plain; charset=ISO-8859-1 Cc: "Bjoern A. 
Zeeb" , pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Sep 2012 07:08:04 -0000 On Sun, Sep 9, 2012 at 7:53 PM, wishmaster wrote: > > >> Everyone agrees that altq needs to vanish, we know other code >> exists/has been pondered; we'll see who might come forward. > > May be integrating pf with well-known dummynet? > _______________________________________________ This already exists. It just needs to be merged from pfSense to FreeBSD. After the new commit settles i can look at this, since is extensively tested already as integration. > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" -- Ermal From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 07:58:56 2012 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 198961065672; Mon, 10 Sep 2012 07:58:56 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from ffe15.ukr.net (ffe15.ukr.net [195.214.192.50]) by mx1.freebsd.org (Postfix) with ESMTP id ABFA08FC17; Mon, 10 Sep 2012 07:58:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ukr.net; s=ffe; h=Date:Message-Id:From:To:References:In-Reply-To:Subject:Cc:Content-Type:Content-Transfer-Encoding:MIME-Version; bh=CmkiXwON0U5M+6fwP70/uIJDhgaoWyVjfMcnVl1kKAw=; b=xDK2Fo13FDlFG1H1ktXrA/9EIdwGttNm95HFpQrV45W2g1g+NZkRjcrxzOeFVKNqDCL/rrgzayjnLzrN+LvfIDy08T19cU5O0ADde1021yjcOr4k9j1LTawRPU8+feDvlMitw04fDEaJJ622/qqKJNsc5O+iNx+8zywDegbjSc4=; Received: from mail by ffe15.ukr.net with local ID 1TAyWY-0005Qg-5g ; Mon, 10 Sep 2012 10:35:14 +0300 MIME-Version: 1.0 
Content-Disposition: inline Content-Transfer-Encoding: binary Content-Type: text/plain; charset="windows-1251" In-Reply-To: References: <20120905115140.GF15915@FreeBSD.org> <49253.1347213222.5298265938758926336@ffe17.ukr.net> <20120906064640.GL15915@glebius.int.ru> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> To: =?WINDOWS-1251?B?RXJtYWwgTHUaaQ==?= From: "wishmaster" X-Mailer: freemail.ukr.net 4.0 X-Originating-Ip: [195.200.251.73] Message-Id: <18314.1347262514.2309052993086488576@ffe15.ukr.net> X-Browser: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0 Date: Mon, 10 Sep 2012 10:35:14 +0300 Cc: "Bjoern A. Zeeb" , pf@freebsd.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Sep 2012 07:58:56 -0000 --- Original message --- From: "Ermal Lui" To: "wishmaster" Date: 10 September 2012, 10:08:03 Subject: Re: [HEADS UP] merging projects/pf into head > On Sun, Sep 9, 2012 at 7:53 PM, wishmaster wrote: > > > > > >> Everyone agrees that altq needs to vanish, we know other code > >> exists/has been pondered; we'll see who might come forward. > > > > May be integrating pf with well-known dummynet? > > _______________________________________________ > > This already exists. > It just needs to be merged from pfSense to FreeBSD. > After the new commit settles i can look at this, since is extensively > tested already as integration. > I know. But in pfSense. Remember, I asked you about merging patches into Free HEAD in past year, but nothing... 
:-) From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 11:09:47 2012 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1917A1065680 for ; Mon, 10 Sep 2012 11:09:47 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.64.117]) by mx1.freebsd.org (Postfix) with ESMTP id 556B38FC12 for ; Mon, 10 Sep 2012 11:09:42 +0000 (UTC) Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.5/8.14.5) with ESMTP id q8AB9fbL066734; Mon, 10 Sep 2012 15:09:41 +0400 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.5/8.14.5/Submit) id q8AB9f9K066733; Mon, 10 Sep 2012 15:09:41 +0400 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Mon, 10 Sep 2012 15:09:41 +0400 From: Gleb Smirnoff To: Mark Atkinson Message-ID: <20120910110941.GT44854@FreeBSD.org> References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-pf@FreeBSD.org Subject: Re: [HEADS UP] merging projects/pf into head X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Sep 2012 11:09:47 -0000 On Fri, Sep 07, 2012 at 09:32:25AM -0700, Mark Atkinson wrote: M> On 09/05/2012 11:36, Gleb Smirnoff wrote: M> > What's bad with "getting stuck" with old syntax? I personally don't M> > have any problems with it. I have had problems with performance, M> > however. 
M>
M> Just as an aside is there a decent set of stable web docs for
M> FreeBSD's current syntax? I'm constantly burned when I try to look
M> something up (because it isn't working like I expect) and all I find
M> is the new, sexy syntax with all its quick 'match' operators and
M> their ilk.

I usually look at man pf.conf when I have problems with syntax.

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 11:09:59 2012
Date: Mon, 10 Sep 2012 11:09:57 GMT
Message-Id: <201209101109.q8AB9voh069521@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf         [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

53 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 21:25:07 2012
Date: Mon, 10 Sep 2012 18:19:50 -0300
From: Mario Lobo
To: claudiu vasadi
Message-ID: <20120910181950.013edcfa@papi>
Organization: BSD
Cc: freebsd-pf@freebsd.org
Subject: Re: [HEADS UP] merging projects/pf into head

On Mon, 10 Sep 2012 08:57:16 +0200 claudiu vasadi wrote:

> On Mon, Sep 10, 2012 at 1:49 AM, Mario Lobo wrote:
>
> > On Sun, 9 Sep 2012 17:12:52 +0000 (UTC)
> > Is it possible to explain (quickly, if you must) why altq needs to
> > vanish?
> >
> > Thanks,
> >
> >
> >
> http://bsdly.blogspot.de/2011/07/anticipating-post-altq-world.html for
> starters.
>

Great info! I understand now. Thank you.

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 10 22:53:03 2012
Date: Tue, 11 Sep 2012 08:52:38 +1000
From: Peter Jeremy
To: wishmaster
Message-ID: <20120910225238.GG2654@aspire.rulingia.com>
Cc: "Bjoern A. Zeeb", pf@freebsd.org
Subject: Re: [HEADS UP] merging projects/pf into head

On 2012-Sep-09 20:53:42 +0300, wishmaster wrote:
>> Everyone agrees that altq needs to vanish, we know other code
>> exists/has been pondered; we'll see who might come forward.
>
> May be integrating pf with well-known dummynet?

I would also like to see this. I've used the pfSense work in this area
as a basis for implementing this at work in our internal WAN simulator
boxes.

--
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 01:43:50 2012
Date: Mon, 10 Sep 2012 21:43:48 -0400
From: Walt Elam
To: freebsd-pf@freebsd.org
Subject: Getting involved

All,

I would like to get involved with PF development for FreeBSD. I use it at
home and have a background in C programming. How do I go about getting
involved? I've got an extra machine or two that I could do testing with, so
if you could share your setups for testing bugfixes and whatnot then that
would be helpful as well.

Thanks,
-Walt

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 09:18:46 2012
In-Reply-To: <20120608061737.GA28197@glebius.int.ru>
From: Oguz Yilmaz
Date: Tue, 11 Sep 2012 12:18:23 +0300
To: pf@freebsd.org
Subject: Re: [CFT] SMP-friendly pf

Hi Gleb,

Is it required to build world? What is the shortest way to test?

--
Oguz YILMAZ

On Fri, Jun 8, 2012 at 9:17 AM, Gleb Smirnoff wrote:
> Hello, networkers!
>
> [net@ in Cc, but further discussion should go on pf@]
>
> As you already probably know, or some may be don't yet know, the pf(4)
> subsystem in FreeBSD is currently working under a single mutex. This mutex
> is acquired right at the beginning of any packet processing, and is dropped
> at the end. While one thread is in pf(4) all other threads are blocked on
> that mutex.
>
> Meanwhile modern computers are getting more and more cores, and modern
> network cards getting more MSI interrupts, each serviced by a separate kernel
> thread in FreeBSD. So the single pf lock, which I call "the pf Giant" :), is
> getting a point of hard contention.
>
> Three and a half months ago I've started on a project "SMP-friendly pf",
> which recently have entered alpha stage. As you see from the subject of this
> mail, this is call for testing.
>
>
> Willing to test?
>
> The code lives in projects/pf/head branch in the SVN, and can be checked
> out with:
>
>   svn checkout http://svn.freebsd.org/base/projects/pf/head pflock
>
> , where argument "pflock" is just directory name for checked out sources.
> Then you need to build world and kernel from that branch and install them.
> The branch projects/pf/head gets head merged to it quite often, so if you
> run head world with a revision equal (or at least close) to last merge, then
> you don't need to install world, however rebuilding pfctl and snmp_pf from
> that branch is necessary.
> If you are about to run this alpha pf on any important box, then you
> definitely need to establish safety measures: have a second box running
> stable/9 or head as carp(4) backup, ready to kick in, in case if new pf
> panics. pfsync(4) connection should also be established between new and
> backup boxes. pfsync(4) in the new code is wire compatible with stable/9
> or head.
> I'm already running it on routers with 100k - 200k state entries, and
> forwarding 20k - 40k pps. If you are brave, you should try, too :) Good
> luck and report any problems to me!
>
>
> Interested in details?
>
> From the very beginning of the project it was clear, that code is going
> to diverge significantly from original OpenBSD code. OpenBSD has always
> developed pf without taking into account that code can ever get
> multithreaded, thus quite a lot needed to be changed. Thus, I've started
> with removing the "#ifdef __FreeBSD__" from the code, and later I didn't
> hesitate even a fraction of second if I wanted to toss some code. The pros
> is that now code is much more readable and understandable than in head,
> the cons is that diff between us and OpenBSD is huge, although amount
> of shared code is huge, too. So, later on only manual merging of features
> from OpenBSD is possible and bulk imports of entire pf into FreeBSD are
> no longer possible.
>
> The locking scheme is the following:
> - There is an rwlock(9) that protects rules and all kind of data that isn't
>   modified by forwarding threads. Forwarding threads reader lock it, ioctl()
>   and other reconfiguring events write lock it.
> - The states and key states storage had moved from RB-trees to hashes, with
>   separate mutexes per hash slot. This should give us decent parallelism
>   when forwarding packets.
> - Source nodes storage moved to hash with per-slot locking.
> - pfsync(4) got separate mutex.
> - fragment reassembly got separate mutex.
>
> Apart from the above key changes, many other optimisations and fixes done.
> The entire diff is 22k lines large. You can view the projects history here:
>
> http://svnweb.freebsd.org/base/projects/pf/head/?view=log
>
> (the beginning is on page 2 now, at r232042) I had tried to make informative
> commit messages.
>
> --
> Totus tuus, Glebius.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:04:23 2012
To: Oguz Yilmaz
From: Ian FREISLICH
Date: Tue, 11 Sep 2012 12:04:11 +0200
Cc: pf@freebsd.org
Subject: Re: [CFT] SMP-friendly pf

Oguz Yilmaz wrote:
> Hi Gleb,
>
> Is it required to build world? What is the shortest way to test?

You need to rebuild your kernel, pfctl and snmp_pf.

Ian

--
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:06:42 2012
Date: Tue, 11 Sep 2012 14:06:39 +0400
From: Gleb Smirnoff
To: Oguz Yilmaz
Message-ID: <20120911100639.GE44854@FreeBSD.org>
Cc: pf@FreeBSD.org
Subject: Re: [CFT] SMP-friendly pf

On Tue, Sep 11, 2012 at 12:18:23PM +0300, Oguz Yilmaz wrote:
O> Hi Gleb,
O>
O> Is it required to build world? What is the shortest way to test?

Yes, Ian's answer is correct: kernel, pfctl and snmp_pf.

Since you reply to an old email thread, let me note that the
projects/pf branch had been merged to head. So you don't need
to checkout the projects/pf anymore, just upgrade to fresh head.

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:44:25 2012
Date: Tue, 11 Sep 2012 10:44:24 GMT
Message-Id: <201209111044.q8BAiOCw089958@freefall.freebsd.org>
To: james.juran@baesystems.com, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org, glebius@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/129861: [pf] [patch] Argument names reversed in pf_table.c:_copyout()

Synopsis: [pf] [patch] Argument names reversed in pf_table.c:_copyout()

State-Changed-From-To: open->patched
State-Changed-By: glebius
State-Changed-When: Tue Sep 11 10:43:56 UTC 2012
State-Changed-Why:
Not applicable to head anymore.

Responsible-Changed-From-To: freebsd-pf->glebius
Responsible-Changed-By: glebius
Responsible-Changed-When: Tue Sep 11 10:43:56 UTC 2012
Responsible-Changed-Why:
Not applicable to head anymore.

http://www.freebsd.org/cgi/query-pr.cgi?pr=129861

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:46:12 2012
Date: Tue, 11 Sep 2012 10:46:12 GMT
Message-Id: <201209111046.q8BAkCTV028219@freefall.freebsd.org>
To: rand@meridian-enviro.com, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org, glebius@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/103281: pfsync reports bulk update failures

Synopsis: pfsync reports bulk update failures

State-Changed-From-To: open->closed
State-Changed-By: glebius
State-Changed-When: Tue Sep 11 10:45:37 UTC 2012
State-Changed-Why:
Bulk updates work fine at least in stable/9 and head.

Responsible-Changed-From-To: freebsd-pf->glebius
Responsible-Changed-By: glebius
Responsible-Changed-When: Tue Sep 11 10:45:37 UTC 2012
Responsible-Changed-Why:
Bulk updates work fine at least in stable/9 and head.

http://www.freebsd.org/cgi/query-pr.cgi?pr=103281

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:50:07 2012
Date: Tue, 11 Sep 2012 10:50:07 GMT
Message-Id: <201209111050.q8BAo7ti098170@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Gleb Smirnoff
Subject: kern/122014: [pf] [panic] FreeBSD 6.2 panic in pf

The following reply was made to PR kern/122014; it
has been noted by GNATS.

From: Gleb Smirnoff
To: "Alexander V. Shulikov"
Cc: bug-followup@FreeBSD.org
Subject: kern/122014: [pf] [panic] FreeBSD 6.2 panic in pf
Date: Tue, 11 Sep 2012 14:49:22 +0400

Alexander,

can the problem be reproduced on newer FreeBSD releases?

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:54:12 2012
Date: Tue, 11 Sep 2012 10:54:11 GMT
Message-Id: <201209111054.q8BAsBkB069578@freefall.freebsd.org>
To: fbsd8@a1poweruser.com, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/167057: [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolonger supported by upstream

Synopsis: [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolonger supported by upstream

State-Changed-From-To: suspended->closed
State-Changed-By: glebius
State-Changed-When: Tue Sep 11 10:52:07 UTC 2012
State-Changed-Why:
We no longer plan to do bulk
imports from OpenBSD. If you want any features from there, you can
work on carefully porting them to FreeBSD and then code can be
included into FreeBSD. The previous comment from linimon@ on this PR
makes sense. We don't want to break rules syntax in FreeBSD.

http://www.freebsd.org/cgi/query-pr.cgi?pr=167057

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:56:35 2012
Date: Tue, 11 Sep 2012 10:56:34 GMT
Message-Id: <201209111056.q8BAuYZu011881@freefall.freebsd.org>
To: mainland@apeiron.net, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org, glebius@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/127439: [pf] deadlock in pf

Synopsis: [pf] deadlock in pf

State-Changed-From-To: open->patched
State-Changed-By: glebius
State-Changed-When: Tue Sep 11 10:56:15 UTC 2012
State-Changed-Why:
I believe this is fixed in head.
Responsible-Changed-From-To: freebsd-pf->glebius
Responsible-Changed-By: glebius
Responsible-Changed-When: Tue Sep 11 10:56:15 UTC 2012
Responsible-Changed-Why: I believe this is fixed in head.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127439

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 10:59:52 2012
Date: Tue, 11 Sep 2012 10:59:52 GMT
To: link@ngc.net.ua, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]

Synopsis: [pf] pf stalls connection when using route-to [regression]

State-Changed-From-To: feedback->closed
State-Changed-By: glebius
State-Changed-When: Tue Sep 11 10:59:00 UTC 2012
State-Changed-Why: A good advice was suggested by mlaier@, and PR was put into
feedback state. Submitter never answered on this, so close the PR.
http://www.freebsd.org/cgi/query-pr.cgi?pr=132176

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 11:00:21 2012
Date: Tue, 11 Sep 2012 11:00:18 GMT
To: freebsd-pf@FreeBSD.org
From: Gleb Smirnoff
Subject: kern/124364: [pf] [panic] Kernel panic with pf + bridge

The following reply was made to PR kern/124364; it has been noted by GNATS.

From: Gleb Smirnoff
To: Vladimir Shapkin
Cc: bug-followup@FreeBSD.org
Subject: kern/124364: [pf] [panic] Kernel panic with pf + bridge
Date: Tue, 11 Sep 2012 14:51:06 +0400

Vladimir,

have you tried to reproduce the problem on newer versions of FreeBSD?

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 11:00:55 2012
Date: Tue, 11 Sep 2012 11:00:54 GMT
To: ruben@helium.verweg.com, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org, glebius@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/132769: [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtentry / ifnet during early boot

Synopsis: [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtentry / ifnet during early boot

State-Changed-From-To: open->patched
State-Changed-By: glebius
State-Changed-When: Tue Sep 11 11:00:33 UTC 2012
State-Changed-Why: I believe, this no longer applies to head/.

Responsible-Changed-From-To: freebsd-pf->glebius
Responsible-Changed-By: glebius
Responsible-Changed-When: Tue Sep 11 11:00:33 UTC 2012
Responsible-Changed-Why: I believe, this no longer applies to head/.
http://www.freebsd.org/cgi/query-pr.cgi?pr=132769

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 11:02:10 2012
Date: Tue, 11 Sep 2012 11:02:10 GMT
To: stevenschlansker@berkeley.edu, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/135162: [pfsync] pfsync(4) not usable with GENERIC kernel

Synopsis: [pfsync] pfsync(4) not usable with GENERIC kernel

State-Changed-From-To: open->closed
State-Changed-By: glebius
State-Changed-When: Tue Sep 11 11:01:39 UTC 2012
State-Changed-Why: I'm pretty sure this is fixed in 9.0-RELEASE, and may be even
in 8.0-RELEASE.
http://www.freebsd.org/cgi/query-pr.cgi?pr=135162

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 11:03:52 2012
Date: Tue, 11 Sep 2012 11:03:51 GMT
To: tolchek@mail.ru, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/124364: [pf] [panic] Kernel panic with pf + bridge

Synopsis: [pf] [panic] Kernel panic with pf + bridge

State-Changed-From-To: open->closed
State-Changed-By: glebius
State-Changed-When: Tue Sep 11 11:03:00 UTC 2012
State-Changed-Why: Submitter email bounces.
http://www.freebsd.org/cgi/query-pr.cgi?pr=124364

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 11:23:01 2012
From: Oguz Yilmaz
Date: Tue, 11 Sep 2012 14:22:39 +0300
To: Gleb Smirnoff
Cc: pf@freebsd.org
Subject: Re: [CFT] SMP-friendly pf

Ok. We go thru head.
We compiled the kernel and boot into 10.0
FreeBSD 10.0-CURRENT #0 r240350

# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCGETRULES: Permission denied
]# pfctl -si
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCGETSTATUS: Permission denied

This Permission Denied issues should be old pfctl.

Now, how can we compile pfctl and snmp_pf without make world?

--
Oguz YILMAZ

On Tue, Sep 11, 2012 at 1:06 PM, Gleb Smirnoff wrote:
> On Tue, Sep 11, 2012 at 12:18:23PM +0300, Oguz Yilmaz wrote:
> O> Hi Gleb,
> O>
> O> Is it required to build world? What is the shortest way to test?
>
> Yes, Ian answer is correct: kernel, pfctl and snmp_pf.
>
> Since you reply to an old email thread, let me note that the projects/pf
> branch had been merged to head. So you don't need to checkout the
> projects/pf anymore, just upgrade to fresh head.
>
> --
> Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 11:40:07 2012
Date: Tue, 11 Sep 2012 12:40:03 +0100
From: Vincent Hoffman
To: Oguz Yilmaz
Cc: pf@freebsd.org
Subject: Re: [CFT] SMP-friendly pf

cd /usr/src/sbin/pfctl
make ; make install
cd /usr/src/usr.sbin/bsnmpd/modules/snmp_pf
make ; make install

that said if you have just come up to -HEAD from any I'd do a
make buildworld ; make installworld cycle to make sure it's in sync
with your kernel.

Vince

On 11/09/2012 12:22, Oguz Yilmaz wrote:
> Ok. We go thru head.
> We compiled the kernel and boot into 10.0
> FreeBSD 10.0-CURRENT #0 r240350
>
> # pfctl -sr
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCGETRULES: Permission denied
> ]# pfctl -si
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCGETSTATUS: Permission denied
>
> This Permission Denied issues should be old pfctl.
>
> Now, how can we compile pfctl and snmp_pf without make world?
>
> --
> Oguz YILMAZ
>
>
> On Tue, Sep 11, 2012 at 1:06 PM, Gleb Smirnoff wrote:
>> On Tue, Sep 11, 2012 at 12:18:23PM +0300, Oguz Yilmaz wrote:
>> O> Hi Gleb,
>> O>
>> O> Is it required to build world? What is the shortest way to test?
>>
>> Yes, Ian answer is correct: kernel, pfctl and snmp_pf.
>>
>> Since you reply to an old email thread, let me note that the projects/pf
>> branch had been merged to head. So you don't need to checkout the
>> projects/pf anymore, just upgrade to fresh head.
>>
>> --
>> Totus tuus, Glebius.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 12:21:16 2012
Date: Tue, 11 Sep 2012 16:21:14 +0400
From: Gleb Smirnoff
To: Oguz Yilmaz
Cc: pf@FreeBSD.org
Subject: Re: [CFT] SMP-friendly pf

On Tue, Sep 11, 2012 at 02:22:39PM +0300, Oguz Yilmaz wrote:
O> Ok. We go thru head.
O> We compiled the kernel and boot into 10.0
O> FreeBSD 10.0-CURRENT #0 r240350
O>
O> # pfctl -sr
O> No ALTQ support in kernel
O> ALTQ related functions disabled
O> pfctl: DIOCGETRULES: Permission denied
O> ]# pfctl -si
O> No ALTQ support in kernel
O> ALTQ related functions disabled
O> pfctl: DIOCGETSTATUS: Permission denied
O>
O> This Permission Denied issues should be old pfctl.
O>
O> Now, how can we compile pfctl and snmp_pf without make world?

You really should go with make world, because no one guarantees
that head/ branch would work with mismatching world and kernel.

However answer for your question is:

1) Install pfvar.h:

cat /usr/src/sys/contrib/pf/net/pfvar.h > /usr/include/pfvar.h

2) Rebuild and reinstall pfctl and snmp_pf

cd /usr/src/sbin/pfctl
make clean
make
make install
cd /usr/src/usr.sbin/bsnmpd/modules/snmp_pf
make clean
make
make install

But I'd recommend doing full buildworld and keep your kernel
and userland in sync.

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 12:36:54 2012
Date: Tue, 11 Sep 2012 16:36:53 +0400
From: Gleb Smirnoff
To: Oguz Yilmaz
Cc: pf@FreeBSD.org
Subject: Re: [CFT] SMP-friendly pf

On Tue, Sep 11, 2012 at 04:21:14PM +0400, Gleb Smirnoff wrote:
T> 1) Install pfvar.h:
T>
T> cat /usr/src/sys/contrib/pf/net/pfvar.h > /usr/include/pfvar.h

Typo. Should've been:

cat /usr/src/sys/contrib/pf/net/pfvar.h > /usr/include/net/pfvar.h

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 11 12:43:52 2012
Date: Tue, 11 Sep 2012 14:43:50 +0200
From: Ermal Luçi
To: Gleb Smirnoff
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/124364: [pf] [panic] Kernel panic with pf + bridge

Just as a note, this is an issue especially when using bridge+carp+pf.

On Tue, Sep 11, 2012 at 1:00 PM, Gleb Smirnoff wrote:
> The following reply was made to PR kern/124364; it has been noted by GNATS.
>
> From: Gleb Smirnoff
> To: Vladimir Shapkin
> Cc: bug-followup@FreeBSD.org
> Subject: kern/124364: [pf] [panic] Kernel panic with pf + bridge
> Date: Tue, 11 Sep 2012 14:51:06 +0400
>
> Vladimir,
>
> have you tried to reproduce the problem on newer versions of FreeBSD?
>
> --
> Totus tuus, Glebius.

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 12 09:00:29 2012
Date: Wed, 12 Sep 2012 09:00:27 GMT
To: r.gruyters@yirdis.nl, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: conf/110838: [pf] tagged parameter on nat not working on FreeBSD 5.2

Synopsis: [pf] tagged parameter on nat not working on FreeBSD 5.2

State-Changed-From-To: suspended->closed
State-Changed-By: glebius
State-Changed-When: Wed Sep 12 08:59:47 UTC 2012
State-Changed-Why: Fixed in many releases starting from 6.0. Can't be fixed
in 5.2 due to no time machine.
http://www.freebsd.org/cgi/query-pr.cgi?pr=110838

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 12 10:42:07 2012
To: Gleb Smirnoff
From: Ian FREISLICH
Date: Wed, 12 Sep 2012 12:41:54 +0200
Cc: pf@FreeBSD.org
Subject: Re: [HEADS UP] merging projects/pf into head

Gleb Smirnoff wrote:
> [announce goes both to net@ and pf@, but any discussion should
> go on on pf@FreeBSD.org only, please]
>
> As you already may know, last half a year I've been working on
> making pf SMP-scalable and faster in general. More info can be
> found here:

I've had your code running in production for the last few days.
Sadly, HEAD is a little unstable and the system panics after about
1 hour of use.

Fatal trap 12: page fault while in kernel mode
cpuid = 9; apic id = 09
fault virtual address = 0x28
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff802d9ff1
stack pointer = 0x28:0xffffff84626540b0
frame pointer = 0x28:0xffffff8462654110
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 11 (irq257: bce1)
trap number = 12
panic: page fault
cpuid = 9
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
panic() at panic+0x1ce
trap_fatal() at trap_fatal+0x290
trap_pfault() at trap_pfault+0x210
trap() at trap+0x2b4
calltrap() at calltrap+0x8
--- trap 0xc, rip = 0xffffffff802d9ff1, rsp = 0xffffff84626540b0, rbp = 0xffffff
8462654110 ---
pf_anchor_node_RB_NEXT() at pf_anchor_node_RB_NEXT+0x1
pf_test_rule() at pf_test_rule+0x4d7
pf_test() at pf_test+0x2b28
pf_check_in() at pf_check_in+0x26
pfil_run_hooks() at pfil_run_hooks+0x9e
ip_fastforward() at ip_fastforward+0x1b9
ether_demux() at ether_demux+0x17e
ether_nh_input() at ether_nh_input+0x24b
netisr_dispatch_src() at netisr_dispatch_src+0x212
ether_demux() at ether_demux+0x6c
ether_nh_input() at ether_nh_input+0x24b
netisr_dispatch_src() at netisr_dispatch_src+0x212
bce_intr() at bce_intr+0x47a
intr_event_execute_handlers() at intr_event_execute_handlers+0xfd
ithread_loop() at ithread_loop+0x9e
fork_exit() at fork_exit+0x11e
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff8462654cb0, rbp = 0 ---
Uptime: 1h26m28s
Dumping 1367 out of 16368 MB

The crashdump is useless however:

#0 0xffffffff80490882 in doadump ()
(kgdb) bt
#0 0xffffffff80490882 in doadump ()
#1 0x0000000000000004 in ?? ()
#2 0x0000000100000000 in ?? ()
#3 0xffffff8462653d00 in ?? ()
#4 0xffffffff80490dc4 in kern_reboot ()
#5 0x9cd880c7c748c3c9 in ?? ()
#6 0xe8ebffe59860e880 in ?? ()
#7 0x0f00000000801f0f in ?? ()
#8 0x485500000000801f in ?? ()
etc

I have the following tunables set:

[firewall2.jnb1] ~ # cat /boot/loader.conf
console="comconsole"
net.isr.maxthreads="8"
net.isr.defaultqlimit="4096"
net.isr.maxqlimit="81920"
net.isr.direct="0"
net.isr.direct_force="0"
kern.ipc.nmbclusters="262144"
kern.maxusers="1024"
hw.bce.rx_pages="8"
hw.bce.tx_pages="8"

[firewall2.jnb1] ~ # cat /etc/sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.fastforwarding=1
net.inet.carp.preempt=1
net.inet.icmp.icmplim_output=0
net.inet.icmp.icmplim=0
kern.random.sys.harvest.interrupt=0
kern.random.sys.harvest.ethernet=0
kern.random.sys.harvest.point_to_point=0
net.route.netisr_maxqlen=8192

CPU usage is down from about 17% to 5% for our traffic load. We're
averaging about 400k states, peaking at 550k states (220Mbit/s of
pfsync traffic!!) and 426329 routes.

Ian

--
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 12 10:49:57 2012
Date: Wed, 12 Sep 2012 14:49:49 +0400
From: Gleb Smirnoff
To: Ian FREISLICH
Cc: pf@FreeBSD.org
Subject: Re: [HEADS UP] merging projects/pf into head

On Wed, Sep 12, 2012 at 12:41:54PM +0200, Ian FREISLICH wrote:
I> Gleb Smirnoff wrote:
I> > [announce goes both to net@ and pf@, but any discussion should
I> > go on on pf@FreeBSD.org only, please]
I> >
I> > As you already may know, last half a year I've been working on
I> > making pf SMP-scalable and faster in general. More info can be
I> > found here:
I>
I> I've had your code running in production for the last few days.
I> Sadly, HEAD is a little unstable and the system panics after about
I> 1 hour of use.
I>
I> Fatal trap 12: page fault while in kernel mode
I> cpuid = 9; apic id = 09
I> fault virtual address = 0x28
I> fault code = supervisor read data, page not present
I> instruction pointer = 0x20:0xffffffff802d9ff1
I> stack pointer = 0x28:0xffffff84626540b0
I> frame pointer = 0x28:0xffffff8462654110
I> code segment = base 0x0, limit 0xfffff, type 0x1b
I> = DPL 0, pres 1, long 1, def32 0, gran 1
I> processor eflags = interrupt enabled, resume, IOPL = 0
I> current process = 11 (irq257: bce1)
I> trap number = 12
I> panic: page fault
I> cpuid = 9
I> KDB: stack backtrace:
I> db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
I> panic() at panic+0x1ce
I> trap_fatal() at trap_fatal+0x290
I> trap_pfault() at trap_pfault+0x210
I> trap() at trap+0x2b4
I> calltrap() at calltrap+0x8
I> --- trap 0xc, rip = 0xffffffff802d9ff1, rsp = 0xffffff84626540b0, rbp = 0xffffff
I> 8462654110 ---
I> pf_anchor_node_RB_NEXT() at pf_anchor_node_RB_NEXT+0x1
I> pf_test_rule() at pf_test_rule+0x4d7
I> pf_test() at pf_test+0x2b28
I> pf_check_in() at pf_check_in+0x26
I> pfil_run_hooks() at pfil_run_hooks+0x9e
I> ip_fastforward() at ip_fastforward+0x1b9
I> ether_demux() at ether_demux+0x17e
I> ether_nh_input() at ether_nh_input+0x24b
I> netisr_dispatch_src() at netisr_dispatch_src+0x212
I> ether_demux() at ether_demux+0x6c
I> ether_nh_input() at ether_nh_input+0x24b
I> netisr_dispatch_src() at netisr_dispatch_src+0x212
I> bce_intr() at bce_intr+0x47a

Panicking in the ruleset parsing is strange. Do you have modifications to the
ruleset at run time?

I> The crashdump is useless however:

Strange that dump is bad. Is pf compiled into kernel or loaded?

However, try to look at traces of other threads in this dump.

--
Totus tuus, Glebius.
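
Added example (not part of the thread and not FreeBSD code): a triage script for the panic text quoted in the message above. It strips mail quote prefixes, reads the fault address, and reports the first frame after the trap marker as the faulting function; the names `triage_panic` and `SAMPLE_PANIC` and the 4096-byte page size are assumptions of this example, and the sample is the thread's trace with the quote markers removed.

```python
import re

PAGE_SIZE = 4096  # assumption: amd64 base page size

# Mail quote prefixes such as "> ", "I> " or "> I> " in front of a line.
_QUOTE = re.compile(r"^(?:\s*[A-Za-z]{0,3}>\s?)+")
_FIELD = re.compile(r"^(fault virtual address|fault code|current process)\s*=\s*(.+)$")
_FRAME = re.compile(r"^(\w+)\(\) at \w+\+(0x[0-9a-fA-F]+)$")

# Constructed input: the panic text from the thread, quote prefixes removed.
SAMPLE_PANIC = """\
Fatal trap 12: page fault while in kernel mode
cpuid = 9; apic id = 09
fault virtual address = 0x28
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff802d9ff1
current process = 11 (irq257: bce1)
trap number = 12
panic: page fault
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
panic() at panic+0x1ce
trap_fatal() at trap_fatal+0x290
trap_pfault() at trap_pfault+0x210
trap() at trap+0x2b4
calltrap() at calltrap+0x8
--- trap 0xc, rip = 0xffffffff802d9ff1, rsp = 0xffffff84626540b0, rbp = 0xffffff
8462654110 ---
pf_anchor_node_RB_NEXT() at pf_anchor_node_RB_NEXT+0x1
pf_test_rule() at pf_test_rule+0x4d7
pf_test() at pf_test+0x2b28
pf_check_in() at pf_check_in+0x26
pfil_run_hooks() at pfil_run_hooks+0x9e
ip_fastforward() at ip_fastforward+0x1b9
ether_demux() at ether_demux+0x17e
ether_nh_input() at ether_nh_input+0x24b
netisr_dispatch_src() at netisr_dispatch_src+0x212
bce_intr() at bce_intr+0x47a
intr_event_execute_handlers() at intr_event_execute_handlers+0xfd
ithread_loop() at ithread_loop+0x9e
fork_exit() at fork_exit+0x11e
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff8462654cb0, rbp = 0 ---
"""


def triage_panic(text):
    """Summarise a FreeBSD 'Fatal trap' message plus KDB backtrace."""
    fields, before_trap, after_trap = {}, [], []
    traps_seen = 0
    for raw in text.splitlines():
        line = _QUOTE.sub("", raw).strip()
        field = _FIELD.match(line)
        if field:
            fields.setdefault(field.group(1), field.group(2))
        elif line.startswith("--- trap"):
            traps_seen += 1
        else:
            frame = _FRAME.match(line)
            if frame:
                entry = (frame.group(1), int(frame.group(2), 16))
                if traps_seen == 0:
                    before_trap.append(entry)   # panic()/trap() handler frames
                elif traps_seen == 1:
                    after_trap.append(entry)    # code running when the trap hit
    # Without a trap marker (for example an assertion panic) keep every frame.
    interrupted = after_trap or before_trap
    addr = fields.get("fault virtual address")
    addr = int(addr, 16) if addr else None
    return {
        "fault_address": addr,
        # A fault below one page is consistent with a NULL structure pointer
        # plus a small member offset.
        "near_null": addr is not None and addr < PAGE_SIZE,
        "fault_code": fields.get("fault code"),
        "process": fields.get("current process"),
        "faulting_frame": interrupted[0] if interrupted else None,
        "callers": [name for name, _ in interrupted[1:]],
        # "pf_" excludes pfil_run_hooks(), which belongs to pfil(9), not pf.
        "pf_frames": [name for name, _ in interrupted if name.startswith("pf_")],
    }


if __name__ == "__main__":
    for key, value in triage_panic(SAMPLE_PANIC).items():
        print(f"{key}: {value}")
```

The same function accepts the quoted form of the trace, so it can be run directly on a saved copy of a reply.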
From owner-freebsd-pf@FreeBSD.ORG Wed Sep 12 11:00:57 2012
Date: Wed, 12 Sep 2012 13:00:52 +0200
From: Ian FREISLICH
To: Gleb Smirnoff
Cc: pf@FreeBSD.org
Subject: Re: [HEADS UP] merging projects/pf into head
In-Reply-To: <20120912104949.GC84189@glebius.int.ru>
References: <20120912104949.GC84189@glebius.int.ru> <20120905115140.GF15915@FreeBSD.org>

Gleb Smirnoff wrote:
> I> Fatal trap 12: page fault while in kernel mode
> I> cpuid = 9; apic id = 09
> I> fault virtual address = 0x28
> I> fault code = supervisor read data, page not present
> I> instruction pointer = 0x20:0xffffffff802d9ff1
> I> stack pointer = 0x28:0xffffff84626540b0
> I> frame pointer = 0x28:0xffffff8462654110
> I> code segment = base 0x0, limit 0xfffff, type 0x1b
> I> = DPL 0, pres 1, long 1, def32 0, gran 1
> I> processor eflags = interrupt enabled, resume, IOPL = 0
> I> current process = 11 (irq257: bce1)
> I> trap number = 12
> I> panic: page fault
> I> cpuid = 9
> I> KDB: stack backtrace:
> I> db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
> I> panic() at panic+0x1ce
> I> trap_fatal() at trap_fatal+0x290
> I> trap_pfault() at trap_pfault+0x210
> I> trap() at trap+0x2b4
> I> calltrap() at calltrap+0x8
> I> --- trap 0xc, rip = 0xffffffff802d9ff1, rsp = 0xffffff84626540b0, rbp = 0xffffff8462654110 ---
> I> pf_anchor_node_RB_NEXT() at pf_anchor_node_RB_NEXT+0x1
> I> pf_test_rule() at pf_test_rule+0x4d7
> I> pf_test() at pf_test+0x2b28
> I> pf_check_in() at pf_check_in+0x26
> I> pfil_run_hooks() at pfil_run_hooks+0x9e
> I> ip_fastforward() at ip_fastforward+0x1b9
> I> ether_demux() at ether_demux+0x17e
> I> ether_nh_input() at ether_nh_input+0x24b
> I> netisr_dispatch_src() at netisr_dispatch_src+0x212
> I> ether_demux() at ether_demux+0x6c
> I> ether_nh_input() at ether_nh_input+0x24b
> I> netisr_dispatch_src() at netisr_dispatch_src+0x212
> I> bce_intr() at bce_intr+0x47a
>
> Panicking in the ruleset parsing is strange. Do you have modifications to the
> ruleset at run time?

We do occasionally make changes to the ruleset at runtime, however
no changes were made to the ruleset since boot. If this trace indicates
a panic in ruleset parsing then possibly even this stack trace is
corrupted.

> I> The crashdump is useless however:
>
> Strange that dump is bad. Is pf compiled into kernel or loaded?

I don't think these servers have produced a useful crashdump since
2009.

> However, try to look at traces of other threads in this dump.

I'll have to compile a new kernel which drops into the kernel debugger.
But I'm not sure how to inspect the other threads.

Should I try running with the netisr defaults and without fastforwarding?

Ian

--
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 13 21:27:17 2012
Date: Thu, 13 Sep 2012 23:26:48 +0200
From: Olivier Cochard-Labbé
To: freebsd-pf@freebsd.org
Subject: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file

Hi,
here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
option to the kernel configuration file:
options PF_DEFAULT_TO_DROP

Without this option, with an empty pf.conf: All traffic is permitted.
With this option enabled, with an empty pf.conf: All traffic is
dropped by default.

If the attached file is removed, you can find the patch here:
http://www.freebsd.org/cgi/query-pr.cgi?pr=171622

Regards,

Olivier

Content-Type: application/octet-stream; name="freebsd.pf_drop.patch"
Content-Disposition: attachment; filename="freebsd.pf_drop.patch"

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 13 22:19:31 2012
Date: Fri, 14 Sep 2012 00:19:25 +0200
From: Andreas Rudisch
To: freebsd-pf@freebsd.org, Olivier Cochard-Labbé
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-Id: <20120914001925.aa5e93bb998052eb16ac773b@gmx.net>

On Thu, 13 Sep 2012 23:26:48 +0200
Olivier Cochard-Labbé wrote:

> Hi,
> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
> option to the kernel configuration file:
> options PF_DEFAULT_TO_DROP
>
> Without this option, with an empty pf.conf: All traffic is permitted.
> With this option enabled, with an empty pf.conf: All traffic is
> dropped by default.

I really do not think that such a patch is needed. A simple 'block all'
in pf.conf will do the same, so why add code and recompile the kernel?

Also if you are setting up a remote server you probably do not want to
_not_ be able to access it.
Andreas

--
GnuPG key  : 0x2A573565 | http://www.gnupg.org/howtos/de/
Fingerprint: 925D 2089 0BF9 8DE5 9166 33BB F0FD CD37 2A57 3565

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 14 05:40:27 2012
Date: Fri, 14 Sep 2012 07:40:05 +0200
From: Olivier Cochard-Labbé
To: Andreas Rudisch
Cc: freebsd-pf@freebsd.org
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
In-Reply-To: <20120914001925.aa5e93bb998052eb16ac773b@gmx.net>
References: <20120914001925.aa5e93bb998052eb16ac773b@gmx.net>

On Fri, Sep 14, 2012 at 12:19 AM, Andreas Rudisch wrote:

> I really do not think that such a patch is needed. A simple 'block all'
> in pf.conf will do the same, so why add code and recompile the kernel?
>

Hi Andrea,

Some pf users have strong security policy, and:
1. If there is an error in the pf.conf (bad syntax, empty file, or
other thing), the security policy imposes blocking all traffic by default.
2. Or during the startup process there is a time lapse between the
moment when forwarding is enabled, and before finishing to load very
big pf.conf, all traffic is permitted: They don't want this behavior.
But I didn't test my patch regarding this special case.

> Also if you are setting up a remote server you probably do not want to
> _not_ be able to access it.
>

This kind of user prefers to lock their firewall (they have serial
console access as backup) and all traffic passing through than
creating security incident.

And we already have these options in the kernel configuration:
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFILTER_DEFAULT_BLOCK #block all packets by default

Why not, for homogeneity, adding the same options for PF ?
Regards,

Olivier

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 14 13:27:28 2012
Date: Fri, 14 Sep 2012 17:27:25 +0400
From: Gleb Smirnoff
To: Olivier Cochard-Labbé
Cc: freebsd-pf@FreeBSD.org
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID: <20120914132725.GG85604@FreeBSD.org>

On Thu, Sep 13, 2012 at 11:26:48PM +0200, Olivier Cochard-Labbé wrote:
O> Hi,
O> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
O> option to the kernel configuration file:
O> options PF_DEFAULT_TO_DROP
O>
O> Without this option, with an empty pf.conf: All traffic is permitted.
O> With this option enabled, with an empty pf.conf: All traffic is
O> dropped by default.
O>
O> If the attached file is removed, you can find the patch here:
O> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622

I'd appreciate if you re-submit your patch with:

- update to the fresh head/, where pf has been moved to netpfil/pf
- mentioning new option in pf(4)

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 14 16:52:02 2012
Date: Fri, 14 Sep 2012 18:51:53 +0200
From: Damien Fleuriot
To: Olivier Cochard-Labbé
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file

On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé wrote:

> Hi,
> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
> option to the kernel configuration file:
> options PF_DEFAULT_TO_DROP
>
> Without this option, with an empty pf.conf: All traffic is permitted.
> With this option enabled, with an empty pf.conf: All traffic is
> dropped by default.
>
> If the attached file is removed, you can find the patch here:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>
> Regards,
>
> Olivier
>

Is there any point to this ?

I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.
Worse, it could lock careless people out.

People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 14 21:39:58 2012
Date: Sat, 15 Sep 2012 00:39:57 +0300
From: Kimmo Paasiala
To: Damien Fleuriot
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file

On Fri, Sep 14, 2012 at 7:51 PM, Damien Fleuriot wrote:
>
> On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé wrote:
>
>> Hi,
>> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
>> option to the kernel configuration file:
>> options PF_DEFAULT_TO_DROP
>>
>> Without this option, with an empty pf.conf: All traffic is permitted.
>> With this option enabled, with an empty pf.conf: All traffic is
>> dropped by default.
>>
>> If the attached file is removed, you can find the patch here:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>>
>> Regards,
>>
>> Olivier
>>
>
>
> Is there any point to this ?
>
> I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.
> Worse, it could lock careless people out.
>
>
> People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.

If you must do this then please consider adding a /boot/loader.conf
setting instead of kernel configuration option. The option could be
read only on running system or dependent on securelevel(7).
-Kimmo

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 15 00:06:44 2012
Date: Sat, 15 Sep 2012 01:05:28 +0100
From: Greg Hennessy
To: Kimmo Paasiala, Damien Fleuriot
Cc: "freebsd-pf@freebsd.org"
Subject: RE: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID: <0907B072096FB24E81F044AD9EECBFBD0116B61A@PEMEXMBX14.jellyfishnet.co.uk.local>

>
> If you must do this then please consider adding a /boot/loader.conf setting
> instead of kernel configuration option. The option could be read only on
> running system or dependent on securelevel(7).
>

+1


Greg
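
The first case raised in the thread (a pf.conf that is broken or empty must not leave the host passing traffic) can also be handled from userland with the 'block all' rule the replies mention. The script below is an added example, not code from the thread, the attached patch or FreeBSD; the function names, the PFCTL and FALLBACK_RULES variables and the printed status words are assumptions made for illustration, and it assumes pf is already enabled.

```shell
#!/bin/sh
# Added example: load a pf ruleset so that every failure ends in "block all".
# PFCTL and FALLBACK_RULES are illustrative knobs, not pfctl or rc.conf settings.
: "${PFCTL:=pfctl}"
: "${FALLBACK_RULES:=block all}"

# Succeeds if the file has at least one line that is neither blank nor a comment.
# An empty pf.conf parses cleanly, so the syntax check alone would let it through.
has_rules() {
    grep -Eqv '^[[:space:]]*(#.*)?$' "$1" 2>/dev/null
}

# Prints "loaded" (status 0), "fail-closed" (status 1) or "error" (status 2).
load_pf_fail_closed() {
    conf=$1
    if [ -r "$conf" ] && has_rules "$conf" &&
       "$PFCTL" -nf "$conf" >/dev/null 2>&1 &&   # -n: parse only, load nothing
       "$PFCTL" -f "$conf" >/dev/null 2>&1; then
        echo "loaded"
        return 0
    fi
    # Missing, unreadable, empty or unparsable file: replace whatever is active
    # with the fallback ruleset, read from standard input.
    if printf '%s\n' "$FALLBACK_RULES" | "$PFCTL" -f - >/dev/null 2>&1; then
        echo "fail-closed"
        return 1
    fi
    echo "error"
    return 2
}

# Run only when called with a ruleset path, e.g.: sh pf_load.sh /etc/pf.conf
if [ "$#" -gt 0 ]; then
    load_pf_fail_closed "$1"
fi
```

This does nothing for the second case in the thread, the window at boot before any ruleset has been loaded, which is the situation the proposed kernel option and the suggested loader.conf setting are aimed at.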