From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 11:07:12 2012
Date: Mon, 17 Sep 2012 11:07:11 GMT
Message-Id: <201209171107.q8HB7B83004529@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

44 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 18 16:02:08 2012
Date: Tue, 18 Sep 2012 18:02:06 +0200
From: Ermal Luçi
To: Sergey Kandaurov
Cc: freebsd-pf@freebsd.org
References: <201209181234.q8ICYaFB091109@svn.freebsd.org>
Subject: Re: svn commit: r240646 - head/sys/contrib/altq/altq

The issue is that this hides the problem per se.
The ioctl and pfctl loading of the ruleset is not ready for handling failures here!

/me does not understand why people do not ask for review first?

On Tue, Sep 18, 2012 at 2:53 PM, Sergey Kandaurov wrote:
> On 18 September 2012 16:34, Gleb Smirnoff wrote:
>> Author: glebius
>> Date: Tue Sep 18 12:34:35 2012
>> New Revision: 240646
>> URL: http://svn.freebsd.org/changeset/base/240646
>>
>> Log:
>>   Do more than r236298 did in the projects/pf branch: use M_NOWAIT in
>>   altq_add() and its descendants. Currently altq(4) in FreeBSD is configured
>>   via pf(4) ioctls, which can't configure altq(4) w/o holding locks.
>>   Fortunately, altq(4) code in spite of using M_WAITOK is ready to receive
>>   NULL from malloc(9), so the change is mostly mechanical. While here, utilize
>>   M_ZERO instead of bzero().
>>
>>   A large redesign is needed to achieve M_WAITOK usage when configuring altq(4).
>>   Or an alternative (not pf(4)) configuration interface should be implemented.
>>
>>   Reported by:  pluknet
>
> Actually Kim Culhan was the initial reporter.
> I just reposted the problem closer to glebius and pointed out the roots.
>
> --
> wbr,
> pluknet

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 18 16:15:23 2012
Date: Tue, 18 Sep 2012 20:15:16 +0400
From: Gleb Smirnoff
To: Ermal Luçi
Cc: Sergey Kandaurov, freebsd-pf@FreeBSD.org
Message-ID: <20120918161516.GG85604@glebius.int.ru>
References: <201209181234.q8ICYaFB091109@svn.freebsd.org>
Subject: Re: svn commit: r240646 - head/sys/contrib/altq/altq

Ermal,

On Tue, Sep 18, 2012 at 06:02:06PM +0200, Ermal Luçi wrote:
E> The issue is that this hides the problem per se.

What had hidden the problem per se was the following code:

        PF_UNLOCK();
        error = altq_add(a2);
        PF_LOCK();

That's what we have in stable/9.

E> The ioctl and pfctl loading of the ruleset is not ready for handling failures here!

They do. The error from altq_add() is returned by pf_ioctl() as the response
to the DIOCADDALTQ command. The code in pfctl which does DIOCADDALTQ also
handles errors.

--
Totus tuus, Glebius.

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 19 19:42:50 2012
Date: Wed, 19 Sep 2012 21:42:47 +0200
From: Ermal Luçi
To: Gleb Smirnoff
Cc: Sergey Kandaurov, freebsd-pf@freebsd.org
In-Reply-To: <20120918161516.GG85604@glebius.int.ru>
References: <201209181234.q8ICYaFB091109@svn.freebsd.org>
        <20120918161516.GG85604@glebius.int.ru>
Subject: Re: svn commit: r240646 - head/sys/contrib/altq/altq

On Tue, Sep 18, 2012 at 6:15 PM, Gleb Smirnoff wrote:
> Ermal,
>
> On Tue, Sep 18, 2012 at 06:02:06PM +0200, Ermal Luçi wrote:
> E> The issue is that this hides the problem per se.
>
> What had hidden the problem per se was the following code:
>
>         PF_UNLOCK();
>         error = altq_add(a2);
>         PF_LOCK();
>
> That's what we have in stable/9.
>
> E> The ioctl and pfctl loading of the ruleset is not ready for handling failures here!
>
> They do. The error from altq_add() is returned by pf_ioctl() as the response
> to the DIOCADDALTQ command. The code in pfctl which does DIOCADDALTQ also
> handles errors.

The issue is that you will now fail a ruleset load that before could not fail.
You need to teach pfctl that it is ok if the ALTQ ruleset load fails now, no?

I think the most important thing in ruleset loading is the rules; then comes ALTQ.
Since ALTQ failure is tolerable and the risk from that failing is low!
It's better to do a best-effort load of the ruleset and just report where it failed?

You just committed a 'questionable' patch for default block, just for security,
though you break that contract by making security depend on unpredictable behaviour!

Am I missing something here? Review of things before implementation?

>
> --
> Totus tuus, Glebius.

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 20 02:12:32 2012
Date: Thu, 20 Sep 2012 06:12:29 +0400
From: Gleb Smirnoff
To: Ermal Luçi
Cc: Sergey Kandaurov, freebsd-pf@FreeBSD.org
Message-ID: <20120920021229.GN85604@glebius.int.ru>
References: <201209181234.q8ICYaFB091109@svn.freebsd.org>
        <20120918161516.GG85604@glebius.int.ru>
Subject: Re: svn commit: r240646 - head/sys/contrib/altq/altq

Ermal,

On Wed, Sep 19, 2012 at 09:42:47PM +0200, Ermal Luçi wrote:
E> > On Tue, Sep 18, 2012 at 06:02:06PM +0200, Ermal Luçi wrote:
E> > E> The issue is that this hides the problem per se.
E> >
E> > What had hidden the problem per se was the following code:
E> >
E> >         PF_UNLOCK();
E> >         error = altq_add(a2);
E> >         PF_LOCK();
E> >
E> > That's what we have in stable/9.
E> >
E> > E> The ioctl and pfctl loading of the ruleset is not ready for handling failures here!
E> >
E> > They do. The error from altq_add() is returned by pf_ioctl() as the response
E> > to the DIOCADDALTQ command. The code in pfctl which does DIOCADDALTQ also
E> > handles errors.
E>
E> The issue is that you will now fail a ruleset load that before could not fail.

Before you could just race with some other thread modifying ALTQ, for
example an ifnet departure/attachment event, which would lead to a panic.

E> You need to teach pfctl that it is ok if the ALTQ ruleset load fails now, no?
E>
E> I think the most important thing in ruleset loading is the rules; then comes ALTQ.
E> Since ALTQ failure is tolerable and the risk from that failing is low!
E> It's better to do a best-effort load of the ruleset and just report where it failed?

Configuring rulesets also does a lot of malloc(9) that can fail. Thus, if
ALTQ configuration failed due to a malloc(9) failure, then probably ruleset
loading would fail, too. Usually, if the system is low on kernel memory, most
things won't work at all. So this isn't a case that should be optimized
right now.

If ruleset configuration were refactored to a state where first all
malloc()s are issued with the M_WAITOK flag and only then the rules lock is
acquired, then we can get back to achieving the same functionality for ALTQ.

E> You just committed a 'questionable' patch for default block, just for security,
E> though you break that contract by making security depend on unpredictable behaviour!

If you ponder this a second longer then you'll see that the default-to-block
policy actually makes security depend less on unpredictable behavior: if
anything goes wrong during boot, the box is closed.

--
Totus tuus, Glebius.
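The two messages above argue about one structural question: whether altq_add() should allocate with M_NOWAIT while the pf rules lock is held and hand ENOMEM back through the DIOCADDALTQ ioctl, or whether configuration should be reshaped so every sleeping allocation happens before the lock is taken. The following user-space model is an added illustration, not FreeBSD code and not part of r240646. A pthread mutex stands in for PF_LOCK()/PF_UNLOCK(), a calloc() wrapper with a fault switch stands in for malloc(9) with M_NOWAIT|M_ZERO, plain calloc() stands in for M_WAITOK|M_ZERO, and a singly linked list stands in for the altq tables; the names pf_ioctl_addaltq(), altq_add_nowait(), kmalloc_nowait(), altq_link_locked() and inject_alloc_failure() are invented for the model. It shows the committed shape (allocation under the lock, error propagated to the caller, table left untouched on failure) beside the refactor Gleb describes (entry fully built before the lock, lock held only for the link step).

```c
/*
 * Added user-space model, not FreeBSD code: two shapes for adding an altq
 * entry from an ioctl path without sleeping while the rules lock is held.
 * Stand-ins, all invented for this model:
 *   pf_rules_lock     pthread mutex in place of PF_LOCK()/PF_UNLOCK()
 *   kmalloc_nowait()  malloc(9) with M_NOWAIT|M_ZERO, plus a fault switch
 *   calloc()          malloc(9) with M_WAITOK|M_ZERO, an allocation that may sleep
 */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct altq_entry {
    char ifname[16];
    unsigned bandwidth;
    struct altq_entry *next;
};

static pthread_mutex_t pf_rules_lock = PTHREAD_MUTEX_INITIALIZER;
static struct altq_entry *altq_head;   /* protected by pf_rules_lock */
static int fail_next_alloc;            /* 1 => next kmalloc_nowait() returns NULL */

/* Fault injection: the next M_NOWAIT allocation fails, as under memory pressure. */
static void inject_alloc_failure(void) { fail_next_alloc = 1; }

/* M_NOWAIT: never sleeps, so it is legal under the lock, but callers must handle NULL. */
static void *kmalloc_nowait(size_t sz)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return calloc(1, sz);
}

/* Append a fully built entry; the caller must hold pf_rules_lock. */
static void altq_link_locked(struct altq_entry *e)
{
    struct altq_entry **tail = &altq_head;

    while (*tail != NULL)
        tail = &(*tail)->next;
    *tail = e;
}

/* r240646 shape: allocate under the lock with M_NOWAIT, report ENOMEM on failure. */
static int altq_add_nowait(const char *ifname, unsigned bw)
{
    struct altq_entry *e = kmalloc_nowait(sizeof(*e));

    if (e == NULL)
        return ENOMEM;          /* nothing linked, table unchanged */
    snprintf(e->ifname, sizeof(e->ifname), "%s", ifname);
    e->bandwidth = bw;
    altq_link_locked(e);
    return 0;
}

/* Model of the DIOCADDALTQ handler: the lock stays held across altq_add, and
 * whatever it returns becomes the ioctl result that pfctl sees. */
static int pf_ioctl_addaltq(const char *ifname, unsigned bw)
{
    pthread_mutex_lock(&pf_rules_lock);
    int error = altq_add_nowait(ifname, bw);
    pthread_mutex_unlock(&pf_rules_lock);
    return error;
}

/* Refactor described in the thread: the sleeping allocation happens with
 * nothing locked, and the lock covers only the link step.  There is no
 * unlocked window with a half-configured entry, unlike the stable/9 sequence
 * PF_UNLOCK(); altq_add(); PF_LOCK();, and no NULL to handle under the lock. */
static int pf_ioctl_addaltq_prealloc(const char *ifname, unsigned bw)
{
    struct altq_entry *e = calloc(1, sizeof(*e));   /* M_WAITOK|M_ZERO stand-in */

    if (e == NULL)              /* calloc() can fail; this branch models nothing in the kernel */
        return ENOMEM;
    snprintf(e->ifname, sizeof(e->ifname), "%s", ifname);
    e->bandwidth = bw;

    pthread_mutex_lock(&pf_rules_lock);
    altq_link_locked(e);
    pthread_mutex_unlock(&pf_rules_lock);
    return 0;
}

static size_t altq_count(void)
{
    size_t n = 0;

    pthread_mutex_lock(&pf_rules_lock);
    for (struct altq_entry *e = altq_head; e != NULL; e = e->next)
        n++;
    pthread_mutex_unlock(&pf_rules_lock);
    return n;
}

int main(void)
{
    int error = pf_ioctl_addaltq("em0", 100);
    printf("em0: %s, entries=%zu\n", error ? strerror(error) : "ok", altq_count());
    inject_alloc_failure();     /* low kernel memory: M_NOWAIT returns NULL */
    error = pf_ioctl_addaltq("em1", 50);
    printf("em1 under pressure: %s, entries=%zu\n", error ? strerror(error) : "ok", altq_count());
    error = pf_ioctl_addaltq_prealloc("em1", 50);
    printf("em1 preallocated: %s, entries=%zu\n", error ? strerror(error) : "ok", altq_count());
    return 0;
}
```

Build with `cc -pthread model.c`. The second call reports ENOMEM with the table still holding one entry, which is the behaviour the commit relies on: a failed altq_add() is visible to pfctl as a failed DIOCADDALTQ rather than being silently absorbed, and it cannot leave a partially linked entry behind.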
From owner-freebsd-pf@FreeBSD.ORG Sat Sep 22 13:10:06 2012
Date: Sat, 22 Sep 2012 13:10:05 GMT
Message-Id: <201209221310.q8MDA5lF022686@freefall.freebsd.org>
From: "joeb1"
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/167057: [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 no longer supported by upstream

The following reply was made to PR kern/167057; it has been noted by GNATS.

From: "joeb1"
Subject: Re: kern/167057: [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 no longer supported by upstream
Date: Sat, 22 Sep 2012 09:08:22 -0400

 For the archive:

 This thread really explains in detail what is happening with PF and why the
 OpenBSD version is no longer being ported to FreeBSD, i.e. a flame between
 the original porter of OpenBSD PF version 4.5 and the author of the new,
 rewritten FreeBSD version of PF.

 http://lists.freebsd.org/pipermail/freebsd-pf/2012-September/006740.html