From owner-freebsd-pf@FreeBSD.ORG Mon Oct 8 11:07:25 2012
Date: Mon, 8 Oct 2012 11:07:24 GMT
Message-Id: <201210081107.q98B7Opd029413@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

45 problems total.

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 12 19:42:46 2012
Date: Fri, 12 Oct 2012 21:42:15 +0200
From: Patrick Lamaiziere
To: freebsd-pf@freebsd.org
Subject: [9.1] PF drop
Message-ID: <20121012214215.735615d3@davenulle.org>

Hello,

As far as I can see, PF replies with an icmp unreachable if a packet is
dropped in output, even if the block policy is "drop". Which is not the
intended behavior.

I've made a few tests with this setup:

host1 (192.168.1.60)<->(vr0:192.168.1.254) PF (vr2:192.168.200.254) <-> host2 (192.168.200.2)

If I block in incoming (i.e. on vr0) the traffic to 192.168.202 the packet
is simply dropped.

Rules (the no state is here to ensure that states are not the problem):

    block log (all)
    pass in quick to 192.168.200.2 no state
    block drop out quick on vr2 to 192.168.200.2
    pass out quick
    pass in quick inet

When I ping or ssh the filtered host:

host1:
    $ ssh 192.168.200.2
    ssh: connect to host 192.168.200.2 port 22: No route to host

tcpdump on the firewall (vr0):
    21:36:50.328825 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 68

The good news is that packets are filtered on output.

I see a similar behavior on OpenBSD 5.1, but this is not systematic.

Any idea?

Thanks, regards.

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 13 14:25:38 2012
From: Mark Martinec
To: freebsd-pf@freebsd.org
Subject: Re: (was: Regression with jails/IPv6/pf) 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
Date: Sat, 13 Oct 2012 16:25:34 +0200
Message-Id: <201210131625.34871.Mark.Martinec+freebsd@ijs.si>

Bjoern A. Zeeb wrote on 2012-08-01:
> Any of you who are experiencing problems with packets dropped due to
> invalid checksums with IPv6 and pf after the recent merges, can you
> report back if you also see this without "modulate state" in your
> pf.conf (if you have 'modulate' in there, can you try changing it to
> 'keep' and see if that fixes the problem)?

Indeed, invalid checksums with IPv6 and pf after the recent merges.
I've opened a PR (before finding about this thread):

  http://www.freebsd.org/cgi/query-pr.cgi?pr=172648

pf(4): 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK

When pf (packet filter) is enabled and configured with
'scrub reassemble tcp', IPv6 TCP connections take 9 seconds to establish.
Packet capture shows checksum errors on SYN ACK packets but not on
other packets.

A TCP connection establishment (SYN) on IPv6 is (re-)tried four times,
with a 3 second delay between each attempt, while the TCP options
are being simplified each time by the kernel (dropping ECN, CWR,
window scaling, and dropping a timestamp option). Only the fourth
attempt is successful, with no other options but SACK, and this
TCP session then proceeds normally.

Disabling 'scrub reassemble tcp' in the pf avoids the problem.
Similarly, turning off net.inet.tcp.rfc1323 on either end also
avoids the problem, even with 'reassemble tcp' enabled.

The problem does not occur on IPv4 sessions, only on IPv6.
The problem is not associated with interface checksum offloading,
it is repeatable on gif, em, and re interfaces.

Also a packet capture (wireshark) shows packet checksum errors on
SYN ACK packets (but not on the SYN packet) in the first couple of
failed attempts, and no checksum errors on other packets (e.g. after
a successfully established session).

My guess is that the TCP timestamp option triggers a pf bug,
which then miscalculates a packet checksum on SYN ACK.

How-To-Repeat

Use the following trivial pf config file:

    scrub all reassemble tcp
    pass all

Then try to establish any TCP session to any IPv6 address.
Any client will do (telnet, ssh, curl, web browser).
Try for example:

    curl -6 -L http://tools.ietf.org/rfc/rfc3021.txt | wc -l

The connection will 'hang' for 9 seconds (until sufficiently
dumbed-down SYN options are tried), then it proceeds normally.

Fix

No known fix.
Two workarounds:
- don't use 'scrub reassemble tcp' in PF, or disable PF
- sysctl net.inet.tcp.rfc1323=0

Mark

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 13 22:23:52 2012
Date: Sat, 13 Oct 2012 22:23:52 GMT
Message-Id: <201210132223.q9DMNqcG090742@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/172648: [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK

Old Synopsis: pf(4): 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
New Synopsis: [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Oct 13 22:23:28 UTC 2012
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=172648
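
A capture-side check for the symptom reported in kern/172648 above, added here as an example (not code from the PR, the posters or pf): it verifies the TCP checksum of an IPv6 SYN ACK over the IPv6 pseudo-header and shows, on a constructed segment, that rewriting the timestamp option in transit leaves the checksum stale unless it is updated (RFC 1624). Addresses, ports and timestamp values are constructed, and the stale rewrite only reproduces the symptom; it does not claim to be where the pf bug lies.

```python
import ipaddress
import struct

SRC, DST = "2001:db8::1", "2001:db8::2"   # constructed documentation addresses

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv6 pseudo-header: src, dst, 32-bit length, 3 zero bytes, next header 6."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", tcp_len, 6))

def tcp6_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A valid segment sums to 0xFFFF together with its pseudo-header."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def build_synack(src: str, dst: str, tsval: int, tsecr: int) -> bytes:
    """Constructed SYN ACK with MSS, SACK-permitted, timestamp and wscale options."""
    opts = (struct.pack("!BBH", 2, 4, 1440) + struct.pack("!BB", 4, 2)
            + struct.pack("!BBII", 8, 10, tsval, tsecr)
            + struct.pack("!B", 1) + struct.pack("!BBB", 3, 3, 6))
    hdr = struct.pack("!HHIIHHHH", 80, 49152, 0x1000, 0x2001,
                      (10 << 12) | 0x12, 65535, 0, 0)   # offset 10 words, SYN|ACK
    seg = bytearray(hdr + opts)
    csum = 0xFFFF ^ ones_sum(pseudo_header(src, dst, len(seg)) + bytes(seg))
    struct.pack_into("!H", seg, 16, csum)
    return bytes(seg)

def find_tsval_offset(segment: bytes):
    """Walk the TCP options and return the byte offset of TSval, or None."""
    end = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end:
            break
        length = segment[i + 1]
        if length < 2 or i + length > end:  # malformed option, stop parsing
            break
        if kind == 8 and length == 10:
            return i + 2
        i += length
    return None

def rewrite_tsval(segment: bytes, new_tsval: int, fix_checksum: bool) -> bytes:
    """Replace TSval in place; optionally apply the RFC 1624 incremental update."""
    off = find_tsval_offset(segment)
    if off is None or off % 2:
        raise ValueError("no 16-bit aligned timestamp option")
    seg = bytearray(segment)
    old_words = struct.unpack_from("!2H", seg, off)
    struct.pack_into("!I", seg, off, new_tsval)
    if fix_checksum:
        (hc,) = struct.unpack_from("!H", seg, 16)
        acc = ~hc & 0xFFFF                 # HC' = ~(~HC + ~m + m')
        for old, new in zip(old_words, struct.unpack_from("!2H", seg, off)):
            acc += (~old & 0xFFFF) + new
        while acc >> 16:
            acc = (acc & 0xFFFF) + (acc >> 16)
        struct.pack_into("!H", seg, 16, ~acc & 0xFFFF)
    return bytes(seg)

def demo():
    """Checksum validity of: original, rewritten without fixup, rewritten with fixup."""
    original = build_synack(SRC, DST, 0x0005F3A1, 0x00012345)
    stale = rewrite_tsval(original, 0x7A1B2C3D, fix_checksum=False)
    fixed = rewrite_tsval(original, 0x7A1B2C3D, fix_checksum=True)
    return tuple(tcp6_checksum_ok(SRC, DST, s) for s in (original, stale, fixed))

if __name__ == "__main__":
    print(demo())
```

To apply the check to a real capture, pass the source and destination addresses from the IPv6 header and the raw TCP segment bytes of each SYN ACK to `tcp6_checksum_ok`.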