From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Date: Sun, 17 Jun 2018 12:54:03 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #15 from Kristof Provost ---
(In reply to vegeta from comment #14)

Thanks for the patch. I think it looks good, but I've got one question.

I see that you removed the (r->rule_flag & PFRULE_RETURNRST) || (r->rule_flag & PFRULE_RETURN)) condition from the IPPROTO_TCP case. I think that might result in a subtle behaviour change for rules which have PFRULE_RETURNICMP set (but not one of the other returns). (I.e. it'd return a TCP RST, where it didn't use to do so.)

Am I missing something, or should those checks be kept?

-- 
You are receiving this mail because:
You are the assignee for the bug.
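To make the concern in comment #15 checkable, here is a small C model added for this thread (it is not pf's code and not the attached patch): a rule's return flags and the packet's protocol decide whether a rule that matched but could not create state answers with a TCP RST, an ICMP unreachable, or nothing, once with the PFRULE_RETURNRST/PFRULE_RETURN condition kept on the TCP case and once with it removed. The flag values, the struct and the function names are constructed for the model; pf's real bit layout differs.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed flag values for the model only; pf's real PFRULE_* values
 * and the surrounding code are not reproduced here.
 */
#define PFRULE_RETURNRST  0x01   /* "block return-rst"  */
#define PFRULE_RETURN     0x02   /* "block return"      */
#define PFRULE_RETURNICMP 0x04   /* "block return-icmp" */

#define PROTO_TCP 6
#define PROTO_UDP 17

enum reject_action {
	REJECT_DROP,          /* drop silently, nothing goes back to the peer */
	REJECT_TCP_RST,       /* answer with a TCP RST */
	REJECT_ICMP_UNREACH   /* answer with an ICMP unreachable */
};

struct rule {
	unsigned rule_flag;   /* bitwise OR of the PFRULE_RETURN* flags above */
};

/* A rule with no return flag at all just drops the packet. */
static bool wants_return(const struct rule *r)
{
	return (r->rule_flag &
	    (PFRULE_RETURNRST | PFRULE_RETURN | PFRULE_RETURNICMP)) != 0;
}

/*
 * Variant A: the TCP case keeps the
 *   (r->rule_flag & PFRULE_RETURNRST) || (r->rule_flag & PFRULE_RETURN)
 * condition, so a TCP rule carrying only PFRULE_RETURNICMP falls through
 * to the ICMP branch.
 */
enum reject_action reject_with_check(const struct rule *r, int proto)
{
	if (!wants_return(r))
		return REJECT_DROP;
	if (proto == PROTO_TCP &&
	    ((r->rule_flag & PFRULE_RETURNRST) || (r->rule_flag & PFRULE_RETURN)))
		return REJECT_TCP_RST;
	if (r->rule_flag & (PFRULE_RETURNICMP | PFRULE_RETURN))
		return REJECT_ICMP_UNREACH;
	return REJECT_DROP;
}

/*
 * Variant B: the condition removed from the TCP case. Every TCP packet
 * hitting a rule with any return flag now gets a RST, including rules
 * that asked only for return-icmp. This is the behaviour change raised
 * in comment #15.
 */
enum reject_action reject_without_check(const struct rule *r, int proto)
{
	if (!wants_return(r))
		return REJECT_DROP;
	if (proto == PROTO_TCP)
		return REJECT_TCP_RST;
	if (r->rule_flag & (PFRULE_RETURNICMP | PFRULE_RETURN))
		return REJECT_ICMP_UNREACH;
	return REJECT_DROP;
}

/* True when the two variants disagree for this rule and protocol. */
bool behaviour_changed(const struct rule *r, int proto)
{
	return reject_with_check(r, proto) != reject_without_check(r, proto);
}

int main(void)
{
	const struct rule icmp_only = { PFRULE_RETURNICMP };
	const struct rule rst_only  = { PFRULE_RETURNRST };
	const struct rule plain     = { 0 };

	/* Only the return-icmp rule on TCP changes: ICMP before, RST after. */
	printf("return-icmp rule, TCP: changed=%d\n",
	    behaviour_changed(&icmp_only, PROTO_TCP));
	printf("return-rst rule, TCP:  changed=%d\n",
	    behaviour_changed(&rst_only, PROTO_TCP));
	printf("return-icmp rule, UDP: changed=%d\n",
	    behaviour_changed(&icmp_only, PROTO_UDP));
	printf("plain block, TCP:      changed=%d\n",
	    behaviour_changed(&plain, PROTO_TCP));
	return 0;
}
```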
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Date: Sun, 17 Jun 2018 20:12:18 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #16 from Kajetan Staszkiewicz ---
That is true, it forces returning RST. I will fix it ASAP.
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Date: Sun, 17 Jun 2018 20:46:20 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

Kajetan Staszkiewicz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #194089|0                           |1
        is obsolete|                            |

--- Comment #17 from Kajetan Staszkiewicz ---
Created attachment 194340
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=194340&action=edit
Reject connection when rule matched but state was not created

Now it should correctly distinguish between returning ICMP and RST for TCP connections.
Please add the usual information when committing to svn:

Submitted by: Kajetan Staszkiewicz
Sponsored by: InnoGames GmbH
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 17 Jun 2018 21:00:55 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Date: Sun, 17 Jun 2018 22:18:52 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #18 from Kajetan Staszkiewicz ---
I was way too fast. Now block rules work fine but failed-pass rules are not returning again. Please await another patch.
From: "Chris H"
Reply-To: bsd-lists@BSDforge.com
To: "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: "Dave Horsfall", "FreeBSD PF List"
Subject: Re: Is there an upper limit to PF's tables?
Date: Sun, 17 Jun 2018 15:19:11 -0700

On Thu, 14 Jun 2018 21:44:08 +0200 "Miroslav Lachman" <000.fbsd@quip.cz> said

> Dave Horsfall wrote on 2018/06/14 19:40:
> > I can't get access to kernel sauce right now, but I'm hitting over 1,000
> > entries from woodpeckers[*] etc; is there some upper limit, or is it
> > just purely dynamic?
> >
> >   aneurin% freebsd-version
> >   10.4-RELEASE-p9
>
> One of our customers has a machine with 10.4 too. They are blocking all
> Tor IP addresses. The table has 272574 entries now.
>
> There were/(are) some problems with reload of PF:
>
>
> # service pf reload
> Reloading pf rules.
> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
>
> Even if there is "set limit table-entries 300000"
>
> I do not understand PF internals but I think PF needs twice the memory
> for reload (if there are already a lot of entries).
> Because the workaround for this was as simple as reloading PF with an empty
> table and then loading the table entries:
>
> # mv /etc/pf.tor_net.table /etc/pf.tor_net.table.BaK
> # touch /etc/pf.tor_net.table
>
> # pfctl -t tor_net -T flush
> 201703 addresses deleted.
>
> # pfctl -vf /etc/pf.conf
>
> # pfctl -t tor_net -T replace -f /etc/pf.tor_net.table.BaK
>
> So loading all entries into an empty table works fine, but reloading
> didn't work.

Sorry. Looks like I might be coming to the party a little late. But I'm
currently running a 9.3 box that runs as an IP (service) filter for much
of a network. While I've patched the box well enough to keep it safe to
continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
based on some of the information related to topics like this thread.
Currently, the 9.3 box maintains some 18 million entries *just* within
the SPAM related table. The other tables contain no less than 1 million.
As it stands I have *no* trouble loading pf(4) with all of the tables
totaling some 20+ million entries, *even* when the BOX is working with
as little as 4Gb ram.
Has something in pf(4) changed since 9.3 that would now prevent me
from continuing to use my current setup, and tables?

Thanks!
--Chris

>
> Miroslav Lachman
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface
Date: Mon, 18 Jun 2018 00:45:28 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org
From: "Kristof Provost"
To: "Chris H"
Cc: "Miroslav Lachman" <000.fbsd@quip.cz>, "FreeBSD PF List"
Subject: Re: Is there an upper limit to PF's tables?
Date: Mon, 18 Jun 2018 12:08:33 +0200

On 18 Jun 2018, at 0:19, Chris H wrote:
> Sorry. Looks like I might be coming to the party a little late. But I'm
> currently running a 9.3 box that runs as an IP (service) filter for much
> of a network. While I've patched the box well enough to keep it safe to
> continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
> based on some of the information related to topics like this thread.
> Currently, the 9.3 box maintains some 18 million entries *just* within
> the SPAM related table. The other tables contain no less than 1 million.
> As it stands I have *no* trouble loading pf(4) with all of the tables
> totaling some 20+ million entries, *even* when the BOX is working with
> as little as 4Gb ram.
> Has something in pf(4) changed since 9.3 that would now prevent me
> from continuing to use my current setup, and tables?
>
No. There are no new limits in 11, and the only thing that *might* be an
issue is validation improvements in 12.
Still, anything that worked on 9 is expected to work on 12 (if not, report
a bug).

Please don’t keep running unsupported versions.
Regards,
Kristof
From: Kurt Jaeger
To: Chris H
Cc: FreeBSD PF List
Subject: Re: Is there an upper limit to PF's tables?
Date: Mon, 18 Jun 2018 12:21:47 +0200

Hi!

> > So loading all entries into an empty table works fine, but reloading
> > didn't work.

> Sorry. Looks like I might be coming to the party a little late. But I'm
> currently running a 9.3 box that runs as an IP (service) filter for much
> of a network. While I've patched the box well enough to keep it safe to
> continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
> based on some of the information related to topics like this thread.
> Currently, the 9.3 box maintains some 18 million entries *just* within
> the SPAM related table. The other tables contain no less than 1 million.
> As it stands I have *no* trouble loading pf(4) with all of the tables
> totaling some 20+ million entries, *even* when the BOX is working with
> as little as 4Gb ram.
> Has something in pf(4) changed since 9.3 that would now prevent me
> from continuing to use my current setup, and tables?

Well, if you plan to upgrade, I'd suggest you do some tests, like dumping
those tables and loading them on a new box.

At all our installations we did use PF in 9.x times and had no problems
moving to 11.x.

-- 
pi@opsec.eu         +49 171 3101372                    2 years to go !
From owner-freebsd-pf@freebsd.org Mon Jun 18 12:58:12 2018
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Date: Mon, 18 Jun 2018 12:58:09 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

Kajetan Staszkiewicz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #194340|0                           |1
        is obsolete|                            |

--- Comment #19 from Kajetan Staszkiewicz ---
Created attachment 194357
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=194357&action=edit
Reject connection when rule matched but state was not created

How about this one? Now there is no extra flag (probably better) and "pass"
rules get the same set of flags as "block" rules. I'm still testing it but I
want your opinion on it anyway.
From owner-freebsd-pf@freebsd.org Mon Jun 18 13:04:14 2018
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Date: Mon, 18 Jun 2018 13:04:12 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #20 from Kristof Provost ---
(In reply to Kajetan Staszkiewicz from comment #19)

I'm not sure I understand what the changes in 'action : PASS {' (in parse.y)
are for. Other than that, I think it's good.
From owner-freebsd-pf@freebsd.org Mon Jun 18 13:52:34 2018
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Date: Mon, 18 Jun 2018 13:52:32 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #21 from Kajetan Staszkiewicz ---
Without this modification only "block" rules would be configured with the
return-enabling flag and return ICMP codes. The modification in parse.y
ensures that "pass" rules are getting this information too.
From owner-freebsd-pf@freebsd.org Mon Jun 18 14:08:33 2018
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface
Date: Mon, 18 Jun 2018 14:08:31 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #1 from Kajetan Staszkiewicz ---
I came across an issue preventing this from working correctly when rebooting
hardware: pfsync is started before pf (or in my case before my custom service
populating pf rules). That's a problem, because for the route-to interface to
be correctly rebuilt, pf rules must already be present. I'm unsure if changing
this order is a good idea; maybe it is like this for a good reason?
From owner-freebsd-pf@freebsd.org Mon Jun 18 14:23:40 2018
From: Chris H
Reply-To: bsd-lists@BSDforge.com
To: Kurt Jaeger
Cc: FreeBSD PF List
Subject: Re: Is there an upper limit to PF's tables?
Date: Mon, 18 Jun 2018 07:23:54 -0700
Message-Id: <4c0deb48c16c7dea04df7a85b1e1893a@udns.ultimatedns.net>
In-Reply-To: <20180618102147.GN4028@home.opsec.eu>

On Mon, 18 Jun 2018 12:21:47 +0200 "Kurt Jaeger" said

> Hi!
>
> > > So loading all entries into an empty table works fine, but reloading
> > > didn't work.
> > Sorry. Looks like I might be coming to the party a little late. But I'm
> > currently running a 9.3 box that runs as an IP (service) filter for much
> > of a network. While I've patched the box well enough to keep it safe to
> > continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
> > based on some of the information related to topics like this thread.
> > Currently, the 9.3 box maintains some 18 million entries *just* within
> > the SPAM related table. The other tables contain no less than 1 million.
>
> > As it stands I have *no* trouble loading pf(4) with all of the tables
> > totaling some 20+ million entries, *even* when the BOX is working with
> > as little as 4Gb ram.
> > Has something in pf(4) changed, since 9.3 that would now prevent me
> > from continuing to use my current setup, and tables?
>
> Well, if you plan to upgrade, I'd suggest you do some tests,
> like dumping those tables and loading them on a new box.
>
> At all our installations we did use PF in 9.x times and
> had no problems moving to 11.x.

Thanks for the reply, Kurt. That's good advice, indeed. As that was pretty
much my "game plan". But recently I've seen a few entries on the list, and a
few pr(1)'s regarding the inability to start pf(1), because the tables were
too large. Whereas I hadn't heard anyone mention it in the past. So it seemed
prudent to ask. :-)

Thanks again, Kurt!

--Chris

>
> -- 
> pi@opsec.eu         +49 171 3101372                2 years to go !

From owner-freebsd-pf@freebsd.org Mon Jun 18 18:37:47 2018
Cc: Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD PF List
In-Reply-To: <5C1BA1CA-5814-417F-BD9C-EC6E7F08588C@sigsegv.be>
From: Chris H
Reply-To: bsd-lists@BSDforge.com
To: Kristof Provost
Subject: Re: Is there an upper limit to PF's tables?
Date: Mon, 18 Jun 2018 11:38:01 -0700

On Mon, 18 Jun 2018 12:08:33 +0200 "Kristof Provost" said

> On 18 Jun 2018, at 0:19, Chris H wrote:
> > Sorry. Looks like I might be coming to the party a little late. But I'm
> > currently running a 9.3 box that runs as an IP (service) filter for much
> > of a network. While I've patched the box well enough to keep it safe to
> > continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
> > based on some of the information related to topics like this thread.
> > Currently, the 9.3 box maintains some 18 million entries *just* within
> > the SPAM related table. The other tables contain no less than 1 million.
> > As it stands I have *no* trouble loading pf(4) with all of the tables
> > totaling some 20+ million entries, *even* when the BOX is working with
> > as little as 4Gb ram.
> > Has something in pf(4) changed, since 9.3 that would now prevent me
> > from continuing to use my current setup, and tables?
>
> No. There are no new limits in 11, and the only thing that *might* be an
> issue is validation improvements in 12. Still, anything that worked on 9
> is expected to work on 12 (if not, report a bug).

Thank you very much for the informative reply, Kristof!

>
> Please don’t keep running unsupported versions.

Your reply leaves me little reason to think I need, or want to. :-)

Thanks, again!

--Chris

>
> Regards,
> Kristof

From owner-freebsd-pf@freebsd.org Thu Jun 21 12:59:23 2018
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface
Date: Thu, 21 Jun 2018 12:59:21 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #2 from Kajetan Staszkiewicz ---
While looking at the possibility of recreating src_nodes I found that the way
src nodes are created is rather sketchy. For example, when a new state is
created with a new src_node, first a node is searched for; if none is found
then it is created and inserted, each of those operations with its own locking
and unlocking of the src_node hash. Operations within pf_map_addr operate on
an unlocked src_node, which probably explains the crashes I had when flushing
nodes on a heavily loaded system. Then there is the issue that each locking
and unlocking operation requires computing the hash again; why not compute it
once and store it within the node? This way unlocking could be a bit faster.
Creation of a node could return it locked, as now it needs to be re-locked
for any further operations. Then there is the issue that pf_state->rt_kif is
copied from pf_rule->rpool.cur, which might not be the same as during
pf_map_addr() (there is no locking inside that function so it might be
inconsistent anyway). And last but not least, it seems to me that
pf_src_node->*kif is not used at all. And src_node itself never stores
information about the interface chosen for route-to targets; it is only
copied to the state instead.

I will prepare a patch addressing those issues first and then work on
recreating the redirection interface, which is what this issue was originally
about.

The proof of concept patch seems to be generally working: I configured my
firewall service to start before pfsync and I could reboot my load balancers
as I pleased and traffic was correctly forwarded.

From owner-freebsd-pf@freebsd.org Fri Jun 22 21:59:50 2018
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Date: Fri, 22 Jun 2018 21:59:48 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #22 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Fri Jun 22 21:59:31 UTC 2018
New revision: 335569
URL: https://svnweb.freebsd.org/changeset/base/335569

Log:
  pf: Support "return" statements in passing rules when they fail.

  Normally pf rules are expected to do one of two things: pass the traffic or
  block it. Blocking can be silent - "drop", or loud - "return", "return-rst",
  "return-icmp". Yet there is a 3rd category of traffic passing through pf:
  Packets matching a "pass" rule but when applying the rule fails. This happens
  when the redirection table is empty or when src node or state creation fails.
  Such rules always fail silently without notifying the sender.

  Allow users to configure this behaviour too, so that pf returns an error
  packet in these cases.
  PR:		226850
  Submitted by:	Kajetan Staszkiewicz
  MFC after:	1 week
  Sponsored by:	InnoGames GmbH

Changes:
  head/sbin/pfctl/parse.y
  head/share/man/man5/pf.conf.5
  head/sys/netpfil/pf/pf.c
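The following pf.conf fragment is an added illustration of the behaviour the commit log describes; it is not from the bug report or the commit. It assumes FreeBSD 12.0 or later, where this revision introduced the `set fail-policy` option (silent drop stays the default), and the interface names, address and table name are constructed.

```pf
# Constructed example (not from the bug report): a load-balancing rule whose
# route-to pool is a table that may become empty. Assumes FreeBSD 12.0+.
ext_if = "em0"
int_if = "em1"
vip    = "192.0.2.10"

# Backends are added and removed at runtime (pfctl -t backends -T add/delete),
# so the table can legitimately be empty for a moment.
table <backends> persist

# Options must precede the rules. block-policy covers packets that hit a
# "block" rule: TCP RST for TCP, ICMP unreachable for UDP.
set block-policy return

# Added by r335569: what to do when a "pass" rule matches but cannot be
# applied (empty route-to pool, src node or state creation failed).
# "drop" is the pre-r335569 behaviour and remains the default.
# Like block-policy return, "return" makes the filter observable to the
# sender; keep "drop" where silent discard is the policy on untrusted edges.
set fail-policy return

block in log on $ext_if

# This rule matches, but while <backends> is empty the route-to lookup fails
# and no state is created. With fail-policy drop the client hangs until its
# own TCP timeout; with fail-policy return it gets a RST at once and can
# fail over to another front end.
pass in on $ext_if route-to ($int_if <backends>) round-robin \
    proto tcp from any to $vip port 80 flags S/SA keep state
```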
Date: Sat, 23 Jun 2018 17:27:29 +0200
From: Marek Zarychta
To: freebsd-pf@freebsd.org
Subject: Re: pfr_update_stats: assertion failed.
Message-ID: <20180623152729.GA81271@plan-b.pwste.edu.pl>
References: <20161016181713.GA95110@plan-b.pwste.edu.pl>
In-Reply-To: <20161016181713.GA95110@plan-b.pwste.edu.pl>
User-Agent: Mutt/1.10.0 (2018-05-17)

On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote:
> The issue occurred first two years ago, after the upgrade from the 8 to
> the 9 branch. Now this i386 machine is running 11.0-STABLE and despite
> being compiled with "WITHOUT_ASSERT_DEBUG=yes", from time to time the
> message buffer is still fed with:
> pfr_update_stats: assertion failed.
> pfr_update_stats: assertion failed.
> pfr_update_stats: assertion failed.
> pfr_update_stats: assertion failed.
> pfr_update_stats: assertion failed.
> pfr_update_stats: assertion failed.
> pfr_update_stats: assertion failed.

These messages are still filling the system message buffer. According to
pfctl(8) there is nothing wrong with incrementing the "XPass" counters
instead of the "Pass" counters. The message "pfr_update_stats: assertion
failed" is printed for debugging purposes only. One could also compare
the counters with the command "pfctl -sT -vv".

OpenBSD converted printf()'s to the DPFDEBUG() macro in their sources
almost 8 years ago. Only this printf() in pf_table.c has been converted
to the level of LOG_DEBUG [1].
Perhaps this line of code could be removed from the FreeBSD PF sources?

--- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200
+++ sys/netpfil/pf/pf_table.c 2018-06-23 16:40:23.621384000 +0200
@@ -1986,5 +1986,4 @@
         if ((ke == NULL || ke->pfrke_not) != notrule) {
                 if (op_pass != PFR_OP_PASS)
-                        printf("pfr_update_stats: assertion failed.\n");
                 op_pass = PFR_OP_XPASS;
         }

[1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c?rev=1.86&content-type=text/x-cvsweb-markup

-- 
Marek Zarychta

From owner-freebsd-pf@freebsd.org Sat Jun 23 16:46:20 2018
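Review bot: deleting only the printf line leaves `op_pass = PFR_OP_XPASS;` as the sole body of the now brace-less `if (op_pass != PFR_OP_PASS)`, so after this hunk the reassignment to PFR_OP_XPASS happens only when op_pass was not already PFR_OP_PASS, whereas before it applied to every mismatch between the table lookup and notrule. The common case the message was flagging as "expected" (a passing rule whose lookup disagrees) would then be counted under Pass instead of XPass. Remove the inner `if (op_pass != PFR_OP_PASS)` together with the printf, keeping the outer block, so the counter selection stays unconditional.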
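Acting on the suggestion to compare the counters with "pfctl -sT -vv", here is an added shell example that is not part of the thread: it reads pfctl's per-table statistics and lists the tables whose XPass counters are non-zero, which is where the condition behind this message shows up. The sample output is constructed and its layout only approximates pfctl's print format, so the field positions are an assumption.

```shell
# Added example, not from the thread: report pf tables whose "XPass"
# counters are non-zero, reading "pfctl -sT -vv" style output on stdin.
# The layout of the sample below is constructed and only approximates
# pfctl's real print format (assumption); adjust fields if yours differs.

xpass_tables() {
    awk '
        # Table header: a flags field such as -pa-r-C followed by the name.
        $1 ~ /^[-cpairhC]+$/ && NF >= 2 { table = $2; next }
        # Counter lines: "In/XPass:  [ Packets: N  Bytes: M ]" -> $4 is N.
        table != "" && $1 ~ /^(In|Out)\/Pass:$/  { pass[table]  += $4 }
        table != "" && $1 ~ /^(In|Out)\/XPass:$/ { xpass[table] += $4 }
        END {
            # Only tables where the rule verdict and the table lookup
            # disagreed (the XPass case in pfr_update_stats) are listed.
            for (t in xpass)
                if (xpass[t] > 0)
                    printf "%s pass=%d xpass=%d\n", t, pass[t] + 0, xpass[t]
        }' | sort
}

# Constructed sample standing in for real "pfctl -sT -vv" output.
SAMPLE_PFCTL_OUTPUT='-pa-r-C webservers
    Addresses:   2
    Cleared:     Sat Jun 23 16:40:14 2018
    References:  [ Anchors: 0                  Rules: 1                  ]
    Evaluations: [ NoMatch: 0                  Match: 120                ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:     [ Packets: 100                Bytes: 64000              ]
    In/XPass:    [ Packets: 20                 Bytes: 12800              ]
    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
-pa-r-C bogons
    Addresses:   5
    In/Block:    [ Packets: 40                 Bytes: 2400               ]
    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:   [ Packets: 3                  Bytes: 180                ]
-pa-r-- quiet
    In/Pass:     [ Packets: 7                  Bytes: 420                ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]'

printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | xpass_tables
```

On a live system pipe "pfctl -sT -vv" into xpass_tables instead of the sample; a steadily growing XPass count on one table is the counter-side view of what the removed printf was reporting.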
Date: Sat, 23 Jun 2018 18:46:16 +0200
From: Marek Zarychta
To: freebsd-pf@freebsd.org
Subject: Re: pfr_update_stats: assertion failed.
Message-ID: <20180623164616.GA82672@plan-b.pwste.edu.pl>
References: <20161016181713.GA95110@plan-b.pwste.edu.pl> <20180623152729.GA81271@plan-b.pwste.edu.pl>
In-Reply-To: <20180623152729.GA81271@plan-b.pwste.edu.pl>
User-Agent: Mutt/1.10.0 (2018-05-17)

On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote:
> On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote:
> > The issue occurred first two years ago, after the upgrade from the 8 to
> > the 9 branch. Now this i386 machine is running 11.0-STABLE and despite
> > being compiled with "WITHOUT_ASSERT_DEBUG=yes", from time to time the
> > message buffer is still fed with:
> > pfr_update_stats: assertion failed.
> > pfr_update_stats: assertion failed.
> > pfr_update_stats: assertion failed.
> > pfr_update_stats: assertion failed.
> > pfr_update_stats: assertion failed.
> > pfr_update_stats: assertion failed.
> > pfr_update_stats: assertion failed.
>
> These messages are still filling the system message buffer. According to
> pfctl(8) there is nothing wrong with incrementing the "XPass" counters
> instead of the "Pass" counters. The message "pfr_update_stats: assertion
> failed" is printed for debugging purposes only.
> One could also compare
> the counters with the command "pfctl -sT -vv".
>
> OpenBSD converted printf()'s to the DPFDEBUG() macro in their sources
> almost 8 years ago. Only this printf() in pf_table.c has been converted
> to the level of LOG_DEBUG [1].
>
> Perhaps this line of code could be removed from the FreeBSD PF sources?
>

The previous patch was hastily prepared. It should rather look like this:

--- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200
+++ sys/netpfil/pf/pf_table.c 2018-06-23 18:17:49.353490000 +0200
@@ -1984,9 +1984,7 @@
                 panic("%s: unknown address family %u", __func__, af);
         }
-        if ((ke == NULL || ke->pfrke_not) != notrule) {
-                if (op_pass != PFR_OP_PASS)
-                        printf("pfr_update_stats: assertion failed.\n");
+        if ((ke == NULL || ke->pfrke_not) != notrule) 
                 op_pass = PFR_OP_XPASS;
-        }
         kt->pfrkt_packets[dir_out][op_pass]++;
         kt->pfrkt_bytes[dir_out][op_pass] += len;

-- 
Marek Zarychta
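Review bot: the added `+ if ((ke == NULL || ke->pfrke_not) != notrule)` line carries trailing whitespace (the `=20` in the quoted-printable source), which style(9) would reject; strip it before committing. The logic itself is now right: the XPASS selection is unconditional within the outer `if`, so the counter bookkeeping matches the pre-patch behaviour minus the message. Two further points: the `@@ -1984,9 +1984,7 @@` header advertises seven post-image lines but only six are visible here, so verify the patch applies cleanly in case a blank context line was lost in transit; and this deletes the diagnostic outright rather than demoting it to a debug-only message as the OpenBSD change cited in [1] did with DPFDEBUG(), which would keep it available to developers without filling the message buffer on production systems.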