From owner-freebsd-pf@freebsd.org Sat Dec 12 09:55:40 2020 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7DB364AFE8A for ; Sat, 12 Dec 2020 09:55:40 +0000 (UTC) (envelope-from segreteria@delluomo-morettin.com) Received: from gateway33.websitewelcome.com (gateway33.websitewelcome.com [192.185.145.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4CtNLz21Gsz4j2j for ; Sat, 12 Dec 2020 09:55:38 +0000 (UTC) (envelope-from segreteria@delluomo-morettin.com) Received: from cm12.websitewelcome.com (cm12.websitewelcome.com [100.42.49.8]) by gateway33.websitewelcome.com (Postfix) with ESMTP id 6E7B179C3 for ; Sat, 12 Dec 2020 03:55:37 -0600 (CST) Received: from box2137.bluehost.com ([70.40.222.133]) by cmsmtp with SMTP id o1cnk92vtiQiZo1cnkdfQY; Sat, 12 Dec 2020 03:55:37 -0600 X-Authority-Reason: nr=8 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delluomo-morettin.com; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:To:References:Subject:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=ATqYzfweo4ZtVAppyMO+RQjxvG0wECl+An0CRC+hkaM=; b=esUmNoF8K/fOHjy+0cEQkDPI6x TMQRA9jDegy+Qg3ixdFszABmgE5BfX9BVnxIvEAOajIR/EUZAlE2wvjmzpd7bM23/NVWyHU141jC8 bQp5iMhb980VabiNDBRdnTWqhY2xiZ9Dr83y0mVuJxaH4qHrBWszvLJaTmWm+yGpC0ExF7IVIfh9z Z+SgEHkBm5nWwLthPtgC78jSMQyNivTQ35WXw7SnoBoyUwhNUpv+wG3A3V1Dggv7BPcm+Ivoc/Cka O4oz+htUvRHjTyqOBAzw9kFfUsBCv+ak4DxFW1LpQ5jMukWp7sGQY7UCB5sOU1IR83eqR9eFugdGk OkQgQJQg==; Received: from [2.224.154.24] (port=21672 helo=puffy.delluomo-morettin.local) by box2137.bluehost.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1ko1cm-0007ZR-Rz for freebsd-pf@freebsd.org; Sat, 12 Dec 2020 02:55:37 -0700 Subject: net.pf.request_maxcount not working after upgrading from 12.1-RELEASE to 12.2 RELEASE. References: <02311a9b-e669-0071-f47e-fc1701749213@delluomo-morettin.com> To: freebsd-pf@freebsd.org From: Segreteria X-Forwarded-Message-Id: <02311a9b-e669-0071-f47e-fc1701749213@delluomo-morettin.com> Message-ID: <7394e747-7741-daa8-cf07-4aed2eee76d1@delluomo-morettin.com> Date: Sat, 12 Dec 2020 10:55:34 +0100 User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1 MIME-Version: 1.0 In-Reply-To: <02311a9b-e669-0071-f47e-fc1701749213@delluomo-morettin.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: it X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - box2137.bluehost.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - delluomo-morettin.com X-BWhitelist: no X-Source-IP: 2.224.154.24 X-Source-L: No X-Exim-ID: 1ko1cm-0007ZR-Rz X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (puffy.delluomo-morettin.local) [2.224.154.24]:21672 X-Source-Auth: segreteria@delluomo-morettin.com X-Email-Count: 4 X-Source-Cap: ZGVsbHVvbW87ZGVsbHVvbW87Ym94MjEzNy5ibHVlaG9zdC5jb20= X-Local-Domain: yes X-Rspamd-Queue-Id: 4CtNLz21Gsz4j2j X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none (invalid DKIM record) header.d=delluomo-morettin.com header.s=default header.b=esUmNoF8; dmarc=none; spf=pass (mx1.freebsd.org: domain of segreteria@delluomo-morettin.com designates 192.185.145.82 as permitted sender) smtp.mailfrom=segreteria@delluomo-morettin.com X-Spamd-Result: default: False [-1.27 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; RWL_MAILSPIKE_GOOD(0.00)[192.185.145.82:from]; R_SPF_ALLOW(-0.20)[+ip4:192.185.0.0/16]; HAS_X_SOURCE(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; DKIM_TRACE(0.00)[delluomo-morettin.com:~]; NEURAL_HAM_SHORT(-0.97)[-0.973]; HAS_X_ANTIABUSE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCVD_TLS_LAST(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[192.185.145.82:from]; ASN(0.00)[asn:46606, ipnet:192.185.128.0/18, country:US]; MIME_TRACE(0.00)[0:+]; MID_RHS_MATCH_FROM(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[2.224.154.24:received]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org]; DMARC_NA(0.00)[delluomo-morettin.com]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[192.185.145.82:from:127.0.2.255]; NEURAL_SPAM_LONG(1.00)[1.000]; RCVD_IN_DNSWL_NONE(0.00)[192.185.145.82:from]; R_DKIM_PERMFAIL(0.00)[delluomo-morettin.com:s=default]; MAILMAN_DEST(0.00)[freebsd-pf] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Dec 2020 09:55:40 -0000 Hi everybody, I can no longer load pf at boot without workarounds as after upgrade to 12.2-RELEASE net.pf.request_maxcount=300000 in /boot/loader.conf is not loaded before pf starts. Can somebody explain exactly why is this happening? Is this a new policy of this kernel parameter? What is the suggested way to face this change? Regards. Nicola From owner-freebsd-pf@freebsd.org Sat Dec 12 13:42:27 2020 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 56C7B4B5DC3 for ; Sat, 12 Dec 2020 13:42:27 +0000 (UTC) (envelope-from dimitry@andric.com) Received: from tensor.andric.com (tensor.andric.com [87.251.56.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "tensor.andric.com", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CtTNf3qMhz3Cll for ; Sat, 12 Dec 2020 13:42:26 +0000 (UTC) (envelope-from dimitry@andric.com) Received: from [IPv6:2001:470:7a58::a5b0:583b:a58d:489d] (unknown [IPv6:2001:470:7a58:0:a5b0:583b:a58d:489d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by tensor.andric.com (Postfix) with ESMTPSA id 062061962D for ; Sat, 12 Dec 2020 14:42:19 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andric.com; s=201904; t=1607780539; bh=1Bzwo9f1q5G1+hUzZfvAnOjZUVT3XfzPeCa5twiExfE=; h=From:Subject:Date:References:To:In-Reply-To:From; b=XBQ3GWIeklkjWZVH3kVfmAAbHfX9+8xh2ccE8za+ElSuGINf6QnLvgey/ew9lU6LV uSdKgVGvvBq/79Yp3a5uciX7sbznVcIxy3tXbswDhooBp1kAFYwU2AIfskDK5J1ghJ NnnOaHZA6H1H2/x16IhRS1h6ry/J8137FkkI+BXCLDeUUMkShrtB+lsWGJIXa9B3nq kUWX1TPCFYIg3IApsFvxyW3iIyvfkK4cfgwGFY8FVJvKvaza6ZJswYIW/20tZ5dF0y 4KjI9/QYTEpiQU+NYdc9sXERgLloHev9pBeZj0DZoDpR3FsHsKh2ypkUW3qcjtt8a+ IR6lt9Er+r4/g== From: Dimitry Andric Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\)) Subject: Re: net.pf.request_maxcount not working after upgrading from 12.1-RELEASE to 12.2 RELEASE. Date: Sat, 12 Dec 2020 14:42:18 +0100 References: <02311a9b-e669-0071-f47e-fc1701749213@delluomo-morettin.com> <7394e747-7741-daa8-cf07-4aed2eee76d1@delluomo-morettin.com> To: freebsd-pf@freebsd.org In-Reply-To: <7394e747-7741-daa8-cf07-4aed2eee76d1@delluomo-morettin.com> Message-Id: X-Mailer: Apple Mail (2.3445.104.17) X-Rspamd-Queue-Id: 4CtTNf3qMhz3Cll X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=pass header.d=andric.com header.s=201904 header.b=XBQ3GWIe; dmarc=pass (policy=none) header.from=andric.com; spf=pass (mx1.freebsd.org: domain of dimitry@andric.com designates 87.251.56.140 as permitted sender) smtp.mailfrom=dimitry@andric.com X-Spamd-Result: default: False [-0.47 / 15.00]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_DKIM_ALLOW(-0.20)[andric.com:s=201904]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; MV_CASE(0.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[87.251.56.140:from:127.0.2.255]; ARC_NA(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:87.251.56.140]; DKIM_TRACE(0.00)[andric.com:+]; DMARC_POLICY_ALLOW(-0.50)[andric.com,none]; NEURAL_SPAM_LONG(1.00)[1.000]; NEURAL_SPAM_SHORT(0.03)[0.033]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RBL_DBL_DONT_QUERY_IPS(0.00)[87.251.56.140:from]; ASN(0.00)[asn:12859, ipnet:87.251.32.0/19, country:NL]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-pf] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Dec 2020 13:42:27 -0000 On 12 Dec 2020, at 10:55, Segreteria = wrote: >=20 > I can no longer load pf at boot without workarounds as after upgrade = to 12.2-RELEASE net.pf.request_maxcount=3D300000 in /boot/loader.conf is = not loaded before pf starts. >=20 > Can somebody explain exactly why is this happening? Is this a new = policy of this kernel parameter? It seems to have changed with = https://svnweb.freebsd.org/changeset/base/364456: ------------------------------------------------------------------------ r364456 | kp | 2020-08-21 15:11:33 +0200 (Fri, 21 Aug 2020) | 7 lines MFC r355744: pf: Make request_maxcount runtime adjustable There's no reason for this to be a tunable. It's perfectly safe to change this at runtime. ------------------------------------------------------------------------ > What is the suggested way to face this change? I believe it must be set in sysctl.conf(5) after this change. -Dimitry From owner-freebsd-pf@freebsd.org Sat Dec 12 14:07:49 2020 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5B6A84B645A for ; Sat, 12 Dec 2020 14:07:49 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from host64.shmhost.net (host64.shmhost.net [IPv6:2a01:4f8:a0:51d3::107:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4CtTxw49Ymz3DJp for ; Sat, 12 Dec 2020 14:07:48 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de (p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de [IPv6:2003:cd:8727:c9fc:a4b5:9381:9ba8:e1d5]) by host64.shmhost.net (Postfix) with ESMTPSA id 4CtTxk4KhdzNkV8; Sat, 12 Dec 2020 15:07:38 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\)) Subject: Re: net.pf.request_maxcount not working after upgrading from 12.1-RELEASE to 12.2 RELEASE. From: Franco Fichtner In-Reply-To: Date: Sat, 12 Dec 2020 15:07:37 +0100 Cc: freebsd-pf@freebsd.org Content-Transfer-Encoding: 7bit Message-Id: <83A03723-37EE-4462-B9A9-2F9B48114F7A@lastsummer.de> References: <02311a9b-e669-0071-f47e-fc1701749213@delluomo-morettin.com> <7394e747-7741-daa8-cf07-4aed2eee76d1@delluomo-morettin.com> To: Dimitry Andric X-Mailer: Apple Mail (2.3608.120.23.2.4) X-Virus-Scanned: clamav-milter 0.102.4 at host64.shmhost.net X-Virus-Status: Clean X-Rspamd-Queue-Id: 4CtTxw49Ymz3DJp X-Spamd-Bar: ++++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of franco@lastsummer.de has no SPF policy when checking 2a01:4f8:a0:51d3::107:1) smtp.mailfrom=franco@lastsummer.de X-Spamd-Result: default: False [4.40 / 15.00]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; NEURAL_SPAM_SHORT(1.00)[1.000]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lastsummer.de]; ARC_NA(0.00)[]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(1.00)[0.997]; SPAMHAUS_ZRD(0.00)[2a01:4f8:a0:51d3::107:1:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[2a01:4f8:a0:51d3::107:1:from]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(1.00)[1.000]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-pf] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Dec 2020 14:07:49 -0000 > There's no reason for this to be a tunable. It's perfectly safe to > change this at runtime. Well, RWTUN would have enabled both boot and runtime which is also "perfectly safe". :) Cheers, Franco From owner-freebsd-pf@freebsd.org Sat Dec 12 20:15:38 2020 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 663B54BF2E3 for ; Sat, 12 Dec 2020 20:15:38 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ctf6L2SYcz3tXJ; Sat, 12 Dec 2020 20:15:38 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from venus.codepro.be (venus.codepro.be [5.9.86.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx1.codepro.be", Issuer "Let's Encrypt Authority X3" (verified OK)) (Authenticated sender: kp) by smtp.freebsd.org (Postfix) with ESMTPSA id 2DF692F130; Sat, 12 Dec 2020 20:15:38 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: by venus.codepro.be (Postfix, authenticated sender kp) id DA7EC11C91; Sat, 12 Dec 2020 21:15:36 +0100 (CET) From: "Kristof Provost" To: "Franco Fichtner" Cc: "Dimitry Andric" , freebsd-pf@freebsd.org Subject: Re: net.pf.request_maxcount not working after upgrading from 12.1-RELEASE to 12.2 RELEASE. Date: Sat, 12 Dec 2020 21:15:36 +0100 X-Mailer: MailMate (1.13.2r5673) Message-ID: In-Reply-To: <83A03723-37EE-4462-B9A9-2F9B48114F7A@lastsummer.de> References: <02311a9b-e669-0071-f47e-fc1701749213@delluomo-morettin.com> <7394e747-7741-daa8-cf07-4aed2eee76d1@delluomo-morettin.com> <83A03723-37EE-4462-B9A9-2F9B48114F7A@lastsummer.de> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Dec 2020 20:15:38 -0000 On 12 Dec 2020, at 15:07, Franco Fichtner wrote: >> There's no reason for this to be a tunable. It's perfectly safe to >> change this at runtime. > > Well, RWTUN would have enabled both boot and runtime which is also > "perfectly safe". :) > Good idea. Done in 368588. I expect to be bothering people about an EN for the vnet/epair issue next week, I’ll see if I can include this in the bothering. Best regards, Kristof