From nobody Fri Dec 3 14:05:02 2021
Date: Fri, 3 Dec 2021 09:05:02 -0500
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Subject: Re: git: 7f944794868f - stable/12 - pf: Introduce ridentifier
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
From: mike tancsa

Also, thanks for all the awesome PF work that you have done!  It's much appreciated

    ---Mike

On 12/3/2021 1:05 AM, Özkan KIRIK wrote:
> Thank you Kristof. The patch works properly!
>
> On Wed, Dec 1, 2021 at 11:58 PM Kristof Provost wrote:
>> On 1 Dec 2021, at 5:59, Özkan KIRIK wrote:
>>
>> Because tshark/wireshark don't know this header change yet.
>>
>> I’ve looked at the Wireshark parser code, and .. well, it’s wrong. It arbitrarily adds 3 bytes to the header length, and that’s not the correct solution. I’m not going to implement kernel workarounds for application bugs.
>>
>> And even though tcpdump has been patched by this commit, it still
>> cannot parse the packet properly also.
>>
>> Try this patch:
>>
>> diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h >> index c77d8da1440a..93a69a2bb3a5 100644 >> --- a/sys/net/if_pflog.h >> +++ b/sys/net/if_pflog.h >> @@ -31,6 +31,8 @@ >> #ifndef _NET_IF_PFLOG_H_ >> #define _NET_IF_PFLOG_H_ >> >> +#include >> + >> #define PFLOGIFS_MAX 16 >> >> #define PFLOG_RULESET_NAME_SIZE 16 >> @@ -51,11 +53,13 @@ struct pfloghdr { >> u_int8_t dir; >> u_int8_t pad[3]; >> u_int32_t ridentifier; >> + u_int8_t reserve; /* Appease broken software like Wireshark. */ >> + u_int8_t pad2[3]; >> }; >> >> -#define PFLOG_HDRLEN sizeof(struct pfloghdr) >> +#define PFLOG_HDRLEN BPF_WORDALIGN(offsetof(struct pfloghdr, pad2)) >> /* minus pad, also used as a signature */ >> -#define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad) >> +#define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad2) >> >> #ifdef _KERNEL >> struct pf_rule;
>> diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c >> index 4853c1301d6f..5ccdf3a7dd45 100644 >> --- a/sys/netpfil/pf/if_pflog.c >> +++ b/sys/netpfil/pf/if_pflog.c 
>> @@ -215,7 +215,8 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, >> return (0); >> >> bzero(&hdr, sizeof(hdr)); >> - hdr.length = PFLOG_HDRLEN; >> + hdr.length = PFLOG_REAL_HDRLEN; >> hdr.af = af; >> hdr.action = rm->action; >> hdr.reason = reason;
>>
>> It looks like I had assumed that the header was expected to be aligned to 4 bytes, but it’s actually expected to be aligned to sizeof(long). This should fix that.
>>
>> I’ve gone one further and added a dummy field to arrange the updated struct so that Wireshark will work, essentially retaining its incorrect assumption. It really should be fixed as well though.
>>
>> Kristof
>
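
Review bot: the added `+#include` line in the first if_pflog.h hunk (-31,6 +31,8) carries no header name as it appears here, so the hunk cannot be checked or applied as shown. The new PFLOG_HDRLEN depends on BPF_WORDALIGN and both length macros depend on offsetof, so the include should name the header that defines BPF_WORDALIGN, and it is worth confirming that offsetof is visible to every consumer of if_pflog.h without relying on an indirect include.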
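
Review bot: the comment `/* minus pad, also used as a signature */` kept as context in the struct pfloghdr hunk (-51,11 +53,13) no longer matches the macro under it, because PFLOG_REAL_HDRLEN is now `offsetof(struct pfloghdr, pad2)` and therefore covers `pad[3]`, `ridentifier` and `reserve`. Update the comment to name the padding that is actually excluded, and consider a compile-time assertion on `offsetof(struct pfloghdr, pad2)` so that a later field addition cannot silently change a length that parsers treat as a signature. The comment on `reserve` would also help more if it said that the byte exists only to keep the length compatible with Wireshark adding 3 bytes, and that it is expected to stay zero.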
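
Review bot: at `hdr.length = PFLOG_REAL_HDRLEN;` in pflog_packet() the length field written into each logged header changes from the padded PFLOG_HDRLEN to the unpadded offset, and nothing in the hunk documents that readers now have to round it up themselves. A short comment at the assignment stating that hdr.length excludes the trailing `pad2` and how the header is aligned would record the contract that tcpdump and Wireshark must follow. The `bzero(&hdr, sizeof(hdr))` kept as context is what leaves the new `reserve` and `pad2` bytes zeroed before the header is handed on, so it should remain ahead of every field assignment.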

From nobody Sun Dec 5 21:00:10 2021
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 5 Dec 2021 21:00:10 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Sat Dec 11 16:14:54 2021
Date: Sat, 11 Dec 2021 16:14:54 +0000
From: tech-lists
To: freebsd-questions@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: pf cannot allocate memory after a time

Hi,

context: main-n251261-25d0ccbe101 on arm64.aarch64 (raspberry pi4b/8GB)

I'm trying to use pf with pf-badhosts
(https://geoghegan.ca/pub/pf-badhost/latest/install/freebsd.txt) and am seeing
what *seems like* a pf problem which has been reported elsewhere in different
contexts ( e.g. https://forums.freebsd.org/threads/cannot-define-table-cannot-allocate-memory-since-upgrade-to-13-0.80822/ )

from pfctl -sa:
[...]
LIMITS:
states hard limit 100000
src-nodes hard limit 10000
frags hard limit 5000
table-entries hard limit 25400000 [*]
[...]

[*] the pf-badhosts guide quotes 400000 for this value; I bumped it to
25400000 in order to "give pf more memory"

The problem is that if pf tables either get reloaded or if the machine is running
for say over 24 hrs, pf throws errors. This works if the machine is rebooted but pf
isn't switched on:

[...]
# doas -u _pfbadhost pf-badhost -O freebsd
Password:

pf-badhost 1512 - - Using experimental "aggy" aggregator...

6105 addresses added.
6235 addresses deleted.

pf-badhost 1580 - -
IPv4 addresses in table: 619200750
[...]

running pfctl -e -f /etc/pf.conf loads and runs. A day or so later, I'll see
this in the logs, after pf-badhost runs its update:

[...]
pf-badhost 15202 - - Using experimental "aggy" aggregator...

pfctl: Cannot allocate memory.

pf-badhost 15256 - - ERROR: '/etc/pf-badhost.txt' contains invalid data! Reverting changes and bailing out...
[...]

There's plenty of memory. I've tried running this with one term on top -P open and
there's always 1-2GB available (free) as well as 12GB of swap which is unused.

If I try pfctl -Fa -f /etc/pf.conf and log back in and then run pf-badhost manually:

[...]
# doas -u _pfbadhost pf-badhost -O freebsd
[...]

not only the pfbadhost table doesn't load but nothing loads:

[...]
# pfctl -e -f /etc/pf.conf
/etc/pf.conf:18: cannot define table pfbadhost: Cannot allocate memory
/etc/pf.conf:23: cannot define table rfc6890: Cannot allocate memory
/etc/pf.conf:26: cannot define table gooDNS6: Cannot allocate memory
/etc/pf.conf:27: cannot define table friends: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
[...]

The only solution is a reboot. How to fix? Do I need to increase src-nodes/frags?

thanks,
-- 
J.

From nobody Sat Dec 11 17:04:17 2021
Subject: Re: pf cannot allocate memory after a time
From: Marcel Bischoff
Date: Sat, 11 Dec 2021 18:04:17 +0100
Cc: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
To: tech-lists

I've stumbled into this issue some time ago as well. The usual remedies
of raising states and table-entries did not help.

I could resolve this with a combination of increasing the process memory
limit and lowering ZFS memory usage. I'm guessing that you do use ZFS,
since you have an 8 GB Pi, if not please disregard.

FreeBSD limits the memory available per process to 512 MB by default. It
appears that large PF tables cause issues with this default. Raising
that limit to 2 GB seems to have done the trick. To attempt this, add
the "kern.maxdsiz" tunable to /boot/loader.conf and reboot, like so:

kern.maxdsiz="2147483648"

You can verify this value has taken by examining the output of "ulimit
-d" before and after. See "man tuning" for reference.

Sometimes PF still tripped up when replacing one large table with
another (via pf-badhosts). Usually this happened when the generated list
to replace grew to several MB in size. I've read somewhere that PF needs
double the memory to replace a table since for an instant it needs to
hold both tables in memory, which makes sense to me. You can verify that
this is the case by first dropping and then recreating the pf-badhost
table with all entries. That usually works, while replacing (what
pf-badhosts does) usually does not.

In those cases I found the ZFS ARC cache to be the culprit. By default
this grabs most of the available memory to cache file access and frees
it on application request. Again, PF appears to require the memory
quicker than ZFS appears to be able to free it. Usually the default ARC
settings are fine but in this case you may want to tune them for testing
purposes, again in /boot/loader.conf and reboot:

vfs.zfs.arc_max="2000M"
vfs.zfs.arc_min="500M"

See https://docs.freebsd.org/en/books/handbook/zfs/#zfs-advanced for
reference.

These are just the observations I've made and the solutions I've found.
My reasoning may be sound or completely off.

Best,

Marcel

> On 11. Dec 2021, at 17:14, tech-lists wrote:
>
> Hi,
>
> context: main-n251261-25d0ccbe101 on arm64.aarch64 (raspberry pi4b/8GB)
>
> I'm trying to use pf with pf-badhosts (https://geoghegan.ca/pub/pf-badhost/latest/install/freebsd.txt) and am seeing what *seems like* a pf problem which has been reported elsewhere in different contexts ( e.g. https://forums.freebsd.org/threads/cannot-define-table-cannot-allocate-memory-since-upgrade-to-13-0.80822/ )
>
> from pfctl -sa:
> [...]
> LIMITS:
> states hard limit 100000
> src-nodes hard limit 10000
> frags hard limit 5000
> table-entries hard limit 25400000 [*]
> [...]
>
> [*] the pf-badhosts guide quotes 400000 for this value; I bumped it to 25400000 in order to "give pf more memory"
>
> The problem is that if pf tables either get reloaded or if the machine is running for say over 24 hrs, pf throws errors. This works if the machine is rebooted but pf isn't switched on:
>
> [...]
> # doas -u _pfbadhost pf-badhost -O freebsd
> Password:
>
> pf-badhost 1512 - - Using experimental "aggy" aggregator...
>
> 6105 addresses added.
> 6235 addresses deleted.
>
> pf-badhost 1580 - -
> IPv4 addresses in table: 619200750
> [...]
>
> running pfctl -e -f /etc/pf.conf loads and runs. A day or so later, I'll see this in the logs, after pf-badhost runs its update:
>
> [...]
> pf-badhost 15202 - - Using experimental "aggy" aggregator...
>
> pfctl: Cannot allocate memory.
>
> pf-badhost 15256 - - ERROR: '/etc/pf-badhost.txt' contains invalid data! Reverting changes and bailing out...
> [...]
>
> There's plenty of memory. I've tried running this with one term on top -P open and there's always 1-2GB available (free) as well as 12GB of swap which is unused.
>
> If I try pfctl -Fa -f /etc/pf.conf and log back in and then run pf-badhost manually:
>
> [...]
> # doas -u _pfbadhost pf-badhost -O freebsd
> [...]
>
> not only the pfbadhost table doesn't load but nothing loads:
>
> [...]
> # pfctl -e -f /etc/pf.conf
> /etc/pf.conf:18: cannot define table pfbadhost: Cannot allocate memory
> /etc/pf.conf:23: cannot define table rfc6890: Cannot allocate memory
> /etc/pf.conf:26: cannot define table gooDNS6: Cannot allocate memory
> /etc/pf.conf:27: cannot define table friends: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
> [...]
>
> The only solution is a reboot. How to fix? Do I need to increase src-nodes/frags?
>
> thanks,
> -- 
> J.

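The observation in the message above (replacing a large table fails with "Cannot allocate memory" where emptying and re-adding works) written as a reload wrapper. This is an added example, not code from the thread or from pf-badhost; `reload_table`, the `PFCTL` override and the return codes are names chosen here, and the table name and path in the usage comment are the ones posted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from pf-badhost.
# reload_table, PFCTL and the return codes are names chosen for this example;
# the pfctl(8) options used (-t, -T replace|flush|add, -f) are real.

PFCTL=${PFCTL:-pfctl}   # override to exercise the logic without a live pf

# reload_table TABLE FILE
#   returns 0   "-T replace" worked, table swapped in one step
#           10  replace failed with ENOMEM, flush + add worked
#           1   nothing usable was loaded (reason on stderr)
reload_table() {
    table=$1
    file=$2

    # An empty or missing list must never reach the flush path: that would
    # quietly turn the blocklist off.
    if [ ! -s "$file" ]; then
        echo "reload_table: $file missing or empty, $table untouched" >&2
        return 1
    fi

    if err=$("$PFCTL" -t "$table" -T replace -f "$file" 2>&1); then
        return 0
    fi

    # Fall back only for the allocation failure quoted in the thread.
    # pf-badhost reported it as "contains invalid data!", so look at
    # pfctl's own message; a genuinely bad list must not cause a flush.
    case $err in
        *"Cannot allocate memory"*) ;;
        *)
            echo "reload_table: replace failed: $err" >&2
            return 1
            ;;
    esac
    echo "reload_table: ENOMEM on replace (ulimit -d: $(ulimit -d))" >&2

    # Between flush and add the table is empty, so rules that reference it
    # match nothing for that moment.
    if ! "$PFCTL" -t "$table" -T flush >/dev/null 2>&1; then
        echo "reload_table: flush failed, $table unchanged" >&2
        return 1
    fi
    if ! "$PFCTL" -t "$table" -T add -f "$file" >/dev/null 2>&1; then
        echo "reload_table: add failed after flush, $table is EMPTY" >&2
        return 1
    fi
    return 10
}

# Usage on the host from the thread (table and path as posted there):
#   reload_table pfbadhost /etc/pf-badhost.txt
```
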
From nobody Sat Dec 11 18:12:44 2021
Date: Sat, 11 Dec 2021 18:12:44 +0000
From: tech-lists
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf cannot allocate memory after a time

Hi,

On Sat, Dec 11, 2021 at 06:04:17PM +0100, Marcel Bischoff wrote:
> I've stumbled into this issue some time ago as well. The usual remedies
> of raising states and table-entries did not help.
>
> I could resolve this with a combination of increasing the process memory
> limit and lowering ZFS memory usage. I'm guessing that you do use ZFS,
> since you have an 8 GB Pi, if not please disregard.

You're right, I am using zfs

> FreeBSD limits the memory available per process to 512 MB by default.
> It appears that large PF tables cause issues with this default.
> Raising that limit to 2 GB seems to have done the trick. To attempt this,
> add the "kern.maxdsiz" tunable to /boot/loader.conf and reboot, like so:
>
>kern.maxdsiz="2147483648"

Yes, came to this conclusion shortly before you posted this. I've written
what I've done further in
https://forums.freebsd.org/threads/cannot-define-table-cannot-allocate-memory-since-upgrade-to-13-0.80822/#post-546253

I found this thread
https://forums.freebsd.org/threads/pf-states-limit-reached.67337/
informative too. But the idea of increasing it came from
https://lists.freebsd.org/pipermail/freebsd-pf/2011-May/006139.html

I note that on recent -current (main-n251261) on aarch64 kern.maxdsiz
seems to be 1073741824 by default.

But on amd64 on releng/12.2-p7 and on releng/13.0-p5 and stable/13
it defaults to 34359738368 ! On armv6 r366954 12.2 release it's 536870912.

I don't know why it's so low on current (arm64.aarch64). It would explain
why I've only seen this issue on this arch.

> Sometimes PF still tripped up when replacing one large table with another
> (via pf-badhosts). Usually this happened when the generated list to replace
> grew to several MB in size. I've read somewhere that PF needs double the
> memory to replace a table since for an instant it needs to hold both tables
> in memory, which makes sense to me. You can verify that this is the case by
> first dropping and then recreating the pf-badhost table with all entries.
> That usually works, while replacing (what pf-badhosts does) usually does not.

Yes, can confirm it's the replacing where the errors arose.

> In those cases I found the ZFS ARC cache to be the culprit. By default this
> grabs most of the available memory to cache file access and frees it on application
> request. Again, PF appears to require the memory quicker than ZFS appears to be
> able to free it. Usually the default ARC settings are fine but in this case you
> may want to tune them for testing purposes, again in /boot/loader.conf and reboot:
>
>vfs.zfs.arc_max="2000M"
>vfs.zfs.arc_min="500M"

Thank you for this, I'll do this if required. For now, I've set kern.maxdsiz=4294967296
and am monitoring the pfbadhost's mailbox for error reports.
-- 
J.
From: Chris
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf cannot allocate memory after a time
Date: Sat, 11 Dec 2021 15:55:05 -0800

On 2021-12-11 08:14, tech-lists wrote:
> Hi,
>
> context: main-n251261-25d0ccbe101 on arm64.aarch64 (raspberry pi4b/8GB)
>
> I'm trying to use pf with pf-badhosts
> (https://geoghegan.ca/pub/pf-badhost/latest/install/freebsd.txt) and am
> seeing what *seems like* a pf problem which has been reported elsewhere in
> different contexts ( e.g.
> https://forums.freebsd.org/threads/cannot-define-table-cannot-allocate-memory-since-upgrade-to-13-0.80822/
> )
>
> from pfctl -sa:
> [...]
> LIMITS:
> states hard limit 100000
> src-nodes hard limit 10000
> frags hard limit 5000
> table-entries hard limit 25400000 [*]
> [...]

On a system with 8Gb RAM and some quarter of a billion table entries
(addresses) in 19 tables (default drop):

LIMITS:
states hard limit 600000
src-nodes hard limit 10000
frags hard limit 5000
table-entries hard limit 1700000

For starters; reloading entire tables with high number of entries is a waste
of resources. As it will require 2 times the size of the table in resources
during the load. It also poses the potential to leave you completely
vulnerable should you attempt to (re)load a table with corrupted entries. As
such, and as a rule; I only ever add/subtract from tables as required/needed.
Works every time. In the case of a bad entry, pf(4) simply rejects the
entr(y|ies) and carries on w/o problems.
IMHO any program that requires you to reload entire tables is ill conceived.
It should only require you to manage the DIFFerences. I think that's the
problem you're running into. Either fix the program you're using or
use/develop something else. :-)

HTH

-- Chris

>
> [*] the pf-badhosts guide quotes 400000 for this value; I bumped it to
> 25400000 in order to "give pf more memory"
>
> The problem is that if pf tables either get reloaded or if the machine is
> running for say over 24 hrs, pf throws errors. This works if the machine is
> rebooted but pf isn't switched on:
>
> [...]
> # doas -u _pfbadhost pf-badhost -O freebsd
> Password:
>
> pf-badhost 1512 - - Using experimental "aggy" aggregator...
>
> 6105 addresses added.
> 6235 addresses deleted.
>
> pf-badhost 1580 - - IPv4 addresses in table: 619200750
> [...]
>
> running pfctl -e -f /etc/pf.conf loads and runs. A day or so later, I'll see
> this in the logs, after pf-badhost runs its update:
>
> [...]
> pf-badhost 15202 - - Using experimental "aggy" aggregator...
>
> pfctl: Cannot allocate memory.
>
> pf-badhost 15256 - - ERROR: '/etc/pf-badhost.txt' contains invalid data! Reverting changes and bailing out...
> [...]
>
> There's plenty of memory. I've tried running this with one term on top -P
> open and there's always 1-2GB available (free) as well as 12GB of swap which
> is unused.
>
> If I try pfctl -Fa -f /etc/pf.conf and log back in and then run pf-badhost
> manually:
>
> [...]
> # doas -u _pfbadhost pf-badhost -O freebsd [...]
>
> not only the pfbadhost table doesn't load but nothing loads:
>
> [...]
> # pfctl -e -f /etc/pf.conf
> /etc/pf.conf:18: cannot define table pfbadhost: Cannot allocate memory
> /etc/pf.conf:23: cannot define table rfc6890: Cannot allocate memory
> /etc/pf.conf:26: cannot define table gooDNS6: Cannot allocate memory
> /etc/pf.conf:27: cannot define table friends: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
> [...]
>
> The only solution is a reboot. How to fix? Do I need to increase
> src-nodes/frags?
>
> thanks,

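The add/delete-only approach described in the reply above, as an added example that is not part of the thread and not pf-badhost's code: it diffs the live table against a new list, sets malformed lines aside, and refuses a delta that would shrink the table sharply. The table name `pfbadhost` comes from the quoted errors; the 20% threshold, the file layout and all function names are assumptions.

```shell
#!/bin/sh
# Added example: update a large pf table by applying only the differences,
# rather than replacing the whole table. Not pf-badhost's own code.

TABLE=${TABLE:-pfbadhost}        # table name from the quoted pf.conf errors
MAX_DEL_PCT=${MAX_DEL_PCT:-20}   # assumption: refuse deltas that delete more than this

count_lines() { wc -l < "$1" | tr -d ' '; }

# Strip comments, whitespace and blank lines, drop host-prefix suffixes
# (pfctl prints hosts without /32 or /128), then sort uniquely for comm(1).
normalise() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' \
        -e '/:/!s|/32$||' -e '/:/s|/128$||' "$1" | LC_ALL=C sort -u
}

# plan_delta LIVE_LIST NEW_LIST WORKDIR
# Writes WORKDIR/add, WORKDIR/del and WORKDIR/rejected.
# Returns 3 when more than MAX_DEL_PCT percent of the live entries would be
# deleted (a truncated or corrupted feed), 0 otherwise.
plan_delta() {
    work=$3
    normalise "$1" > "$work/cur"
    normalise "$2" > "$work/new.raw"
    # Syntactic filter only: address characters, at least one '.' or ':',
    # optional prefix length. Bad lines are set aside, the rest carries on.
    pat='^[0-9A-Fa-f:.]*[:.][0-9A-Fa-f:.]*(/[0-9]{1,3})?$'
    grep -E  "$pat" "$work/new.raw" > "$work/new"      || true
    grep -Ev "$pat" "$work/new.raw" > "$work/rejected" || true
    LC_ALL=C comm -13 "$work/cur" "$work/new" > "$work/add"   # only in new list
    LC_ALL=C comm -23 "$work/cur" "$work/new" > "$work/del"   # only in live table
    cur_n=$(count_lines "$work/cur")
    del_n=$(count_lines "$work/del")
    if [ "$cur_n" -gt 0 ] && [ $((del_n * 100)) -gt $((cur_n * MAX_DEL_PCT)) ]; then
        return 3
    fi
    return 0
}

# apply_delta WORKDIR: push the planned changes into the running table.
# Adds go first, so new entries are in place before stale ones are removed.
apply_delta() {
    if [ -s "$1/add" ]; then pfctl -t "$TABLE" -T add    -f "$1/add" || return 1; fi
    if [ -s "$1/del" ]; then pfctl -t "$TABLE" -T delete -f "$1/del" || return 1; fi
}

# update_table NEW_LIST: snapshot the live table, plan, then apply.
update_table() {
    tmp=$(mktemp -d) || return 1
    rc=0
    pfctl -t "$TABLE" -T show > "$tmp/live" || rc=1
    if [ "$rc" -eq 0 ]; then plan_delta "$tmp/live" "$1" "$tmp" || rc=$?; fi
    if [ "$rc" -eq 0 ]; then
        apply_delta "$tmp" || rc=$?
    elif [ "$rc" -eq 3 ]; then
        echo "refusing: would delete $del_n of $cur_n entries from <$TABLE>" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# demo_plan FEED_LINE...: run plan_delta offline against a constructed live
# table (documentation address ranges). Prints "rc adds deletes rejected".
demo_plan() {
    d=$(mktemp -d)
    printf '%s\n' '   192.0.2.1' '   192.0.2.9' '   198.51.100.0/24' \
        '   2001:db8::/32' '   203.0.113.7' > "$d/live"
    printf '%s\n' "$@" > "$d/feed"
    rc=0
    plan_delta "$d/live" "$d/feed" "$d" || rc=$?
    echo "$rc $(count_lines "$d/add") $(count_lines "$d/del") $(count_lines "$d/rejected")"
    rm -rf "$d"
}

# Stand-alone use on a pf host: sh script.sh --apply /path/to/new-list
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    update_table "$2"
fi
```

Entries in the new list must be spelled the way `pfctl -T show` prints them; beyond whitespace, comments and the /32 and /128 suffixes, a different spelling of the same address is planned as one add plus one delete.
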
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 12 Dec 2021 21:00:43 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From: Giuseppe Piscitelli
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Configuration for a laptop
Date: Mon, 13 Dec 2021 03:08:39 +0100

Hi,

I am new to pf and FreeBSD.

This is my pf.conf:

ext_if = "{ re0, wlan0 }"
wg_if = "192.168.9.0/24"
lan = "192.168.1.0/24"
avahi_services = "{ mdns, mdnsresponder }"

pass quick on lo0 all
block in all
pass out all keep state
pass in log proto { tcp, udp } from $lan port $avahi_services
pass in log proto { tcp, udp } from $wg_if port 51820

My goal is to exclude the loopback interface from the rules, block all
traffic from outside to inside, allow all traffic from inside to outside,
allow mdns service and allow wireguard on port 51820.

After applying the rules, everything seems to work.

Is this correct? Any suggestions?

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 187566] [pf] incoming ng_l2tp/ipsec packet bypass PF firewall
Date: Tue, 14 Dec 2021 22:15:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=187566

--- Comment #6 from Eugene Grosbein ---
*** Bug 169620 has been marked as a duplicate of this bug. ***

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 187566] [pf] incoming ng_l2tp/ipsec packet bypass PF firewall
Date: Tue, 14 Dec 2021 22:17:51 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=187566

Eugene Grosbein changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |Closed
                 CC|                            |eugen@freebsd.org
         Resolution|---                         |FIXED

--- Comment #7 from Eugene Grosbein ---
Fixed since 10.1-RELEASE

From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 19 Dec 2021 21:00:24 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Thu Dec 23 14:39:03 2021
From: Kristof Provost
To: freebsd-arm
Cc: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf cannot allocate memory after a time
Date: Thu, 23 Dec 2021 15:39:03 +0100
Message-ID: <1CEFA3DA-2D46-45B3-ADE6-881A94A4D2E2@FreeBSD.org>

On 11 Dec 2021, at 17:14, tech-lists wrote:
> context: main-n251261-25d0ccbe101 on arm64.aarch64 (raspberry
> pi4b/8GB)

…

> pfctl: Cannot allocate memory.
> <long story snipped>

See also https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406

Tl;dr: pfctl fails to add addresses to a table because an uma_zalloc() call fails.

vmstat -z output:

ITEM                   SIZE  LIMIT     USED     FREE      REQ     FAILSLEEP XDOMAIN
pf table entries:       160, 400000,   15196,    1604,   36039,   9,   0,   0

We can clearly see the memory allocation failure there, but no obvious reason why.
It appears that there’s plenty of free memory, and we’re also clearly far away from the configured limit. Nevertheless the uma_zalloc() call returns NULL.

I’ve tried to dtrace that, but ran into impossible results from dtrace (the uma_zalloc_args:return probe did not fire, but the pfr_create_kentry:return did. pfr_create_kentry() unconditionally calls uma_zalloc_args(), so that shouldn’t be possible).

Right now the suspicion is that there’s something strange going on with the arm64 allocator (because it’s not been seen on amd64 so far), but I’m generally uncertain of everything, other than it’s not actually pf’s fault that it’s not getting memory.

Best regards,
Kristof

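The reading of the FAIL column in the message above, as an added example that is not part of the original post or of FreeBSD: a small parser for vmstat -z text that flags zones reporting allocation failures while still far from their limit. The function names, the 0.9 threshold, the treatment of LIMIT 0 as "no limit", and the two contrast rows are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Columns that follow the zone name, in the order of the quoted header
# (which prints FAIL and SLEEP run together as "FAILSLEEP").
FIELDS = ("size", "limit", "used", "free", "req", "fail", "sleep", "xdomain")

# The two lines of vmstat -z output quoted in the message above.
QUOTED = """\
ITEM                   SIZE  LIMIT     USED     FREE      REQ     FAILSLEEP XDOMAIN
pf table entries:       160, 400000,   15196,    1604,   36039,   9,   0,   0
"""

# Constructed rows (not from the thread) for contrast: one zone sitting at
# its limit, one with no limit and no failures.
CONSTRUCTED = """\
example capped zone:    256,   1000,    1000,       0,    5000,  12,   0,   0
example quiet zone:      64,      0,     200,      50,     900,   0,   0,   0
"""


@dataclass
class Zone:
    name: str
    size: int
    limit: int  # assumption: 0 means no limit is configured
    used: int
    free: int
    req: int
    fail: int
    sleep: int
    xdomain: int


def parse_vmstat_z(text: str) -> List[Zone]:
    """Parse 'name: n, n, ...' rows; skip the header and anything malformed."""
    zones = []
    for line in text.splitlines():
        # Zone names may contain spaces, so split on the last colon.
        name, sep, rest = line.rpartition(":")
        if not sep:
            continue  # header or blank line
        values = [v.strip() for v in rest.split(",")]
        if not all(v.isdigit() for v in values):
            continue
        nums = [int(v) for v in values][: len(FIELDS)]
        # Tolerate rows with fewer trailing columns by padding with zeros.
        nums += [0] * (len(FIELDS) - len(nums))
        zones.append(Zone(name.strip(), *nums))
    return zones


def fill_ratio(zone: Zone) -> Optional[float]:
    """Fraction of the configured limit in use, or None when there is no limit."""
    return zone.used / zone.limit if zone.limit else None


def unexplained_failures(zones: List[Zone], near_limit: float = 0.9) -> List[Zone]:
    """Zones with failed allocations that the zone limit does not account for."""
    flagged = []
    for zone in zones:
        if zone.fail == 0:
            continue
        ratio = fill_ratio(zone)
        if ratio is not None and ratio >= near_limit:
            continue  # zone is at or near its limit: failures are expected
        flagged.append(zone)
    return flagged


def report(text: str) -> List[str]:
    """One line per flagged zone, suitable for a periodic check or alert."""
    lines = []
    for zone in unexplained_failures(parse_vmstat_z(text)):
        ratio = fill_ratio(zone)
        usage = (
            f"{zone.used} of {zone.limit} items in use ({ratio:.1%})"
            if ratio is not None
            else f"{zone.used} items in use, no limit configured"
        )
        lines.append(f"{zone.name}: {zone.fail} failed allocations with {usage}")
    return lines


if __name__ == "__main__":
    for line in report(QUOTED + CONSTRUCTED):
        print(line)
```

A failure here means an address was not added to a pf table, so a check like this is worth running wherever tables are filled by automation.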

From nobody Sun Dec 26 21:01:17 2021
Message-Id: <202112262101.1BQL1H1v021592@kenobi.freebsd.org>
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 26 Dec 2021 21:01:17 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Tue Dec 28 04:50:41 2021
From: Özkan KIRIK
Date: Tue, 28 Dec 2021 07:50:41 +0300
Subject: Re: Logging NAT translations and correlating nat & rule logs
To: Franco Fichtner
Cc: freebsd-pf@freebsd.org

Hi,

I've cherry picked 8e496ea1df1 commit to stable/12 on my local branch.
Patch works properly.
But the ruleset section in the pflog header is empty. The anchor name
of rdr rule was not filled into the pflog header.

I'm also looking for a packet identifier for aggregating the nat and
rule logs of the same traversing packet.
Does it make sense to use ip.id field of ip header within 1 second
time window for aggregating logs ?

Thanks and regards

On Wed, Dec 1, 2021 at 4:23 PM Özkan KIRIK wrote:
>
> Thank you Franco, I'll test it
>
> On Wed, Dec 1, 2021 at 4:10 PM Franco Fichtner wrote:
> >
> > Hi Özkan,
> >
> > > On 28. Nov 2021, at 8:06 PM, Özkan KIRIK wrote:
> > >
> > > I'm trying to log NAT, BINAT, RDR translations. But the "nat log on
> > > ...." statement only logs the packets after translation is done. So
> > > the information before translation is lost.
> > > Is there a way to log the translation details ?
> >
> > https://github.com/freebsd/freebsd-src/commit/8e496ea1df1 was introduced
> > to address this but has not been moved to stable/12 or stable/13.
> >
> > I see there is some controversy around patches that made it to stable
> > for less so I'd probably advocate to add this patch as well since it
> > solves a longterm issue with NAT logging visibility.
> >
> >
> > Cheers,
> > Franco

From nobody Tue Dec 28 06:57:48 2021
From: Özkan KIRIK
Date: Tue, 28 Dec 2021 09:57:48 +0300
Subject: Re: Logging NAT translations and correlating nat & rule logs
To: Franco Fichtner
Cc: freebsd-pf@freebsd.org

And also, rule number and subrulenr information is missing.

On Tue, Dec 28, 2021 at 7:50 AM Özkan KIRIK wrote:
>
> Hi,
>
> I've cherry picked 8e496ea1df1 commit to stable/12 on my local branch.
> Patch works properly.
> But the ruleset section in the pflog header is empty. The anchor name
> of rdr rule was not filled into the pflog header.
>
> I'm also looking for a packet identifier for aggregating the nat and
> rule logs of the same traversing packet.
> Does it make sense to use ip.id field of ip header within 1 second
> time window for aggregating logs ?
>
> Thanks and regards
>
> On Wed, Dec 1, 2021 at 4:23 PM Özkan KIRIK wrote:
> >
> > Thank you Franco, I'll test it
> >
> > On Wed, Dec 1, 2021 at 4:10 PM Franco Fichtner wrote:
> > >
> > > Hi Özkan,
> > >
> > > > On 28. Nov 2021, at 8:06 PM, Özkan KIRIK wrote:
> > > >
> > > > I'm trying to log NAT, BINAT, RDR translations. But the "nat log on
> > > > ...." statement only logs the packets after translation is done. So
> > > > the information before translation is lost.
> > > > Is there a way to log the translation details ?
> > >
> > > https://github.com/freebsd/freebsd-src/commit/8e496ea1df1 was introduced
> > > to address this but has not been moved to stable/12 or stable/13.
> > >
> > > I see there is some controversy around patches that made it to stable
> > > for less so I'd probably advocate to add this patch as well since it
> > > solves a longterm issue with NAT logging visibility.
> > >
> > >
> > > Cheers,
> > > Franco

From nobody Tue Dec 28 10:18:09 2021
Subject: Re: Logging NAT translations and correlating nat & rule logs
From: Franco Fichtner
Date: Tue, 28 Dec 2021 11:18:09 +0100
Cc: freebsd-pf@freebsd.org
Message-Id: <5AB60713-21D3-4EFA-B054-2335DAB8FCC7@lastsummer.de>
To: Özkan KIRIK

> On 28. Dec 2021, at 7:57 AM, Özkan KIRIK wrote:
>
> And also, rule number and subrulenr information is missing.

Have you tried to confirm that this wasn't already the case for
"rdr pass" combinations before?


Cheers,
Franco

From nobody Tue Dec 28 10:29:04 2021
In-Reply-To: <5AB60713-21D3-4EFA-B054-2335DAB8FCC7@lastsummer.de>
From: Özkan KIRIK
Date: Tue, 28 Dec 2021 13:29:04 +0300
Subject: Re: Logging NAT translations and correlating nat & rule logs
To: Franco Fichtner
Cc: freebsd-pf@freebsd.org

Yes I confirmed that, there is no "rdr pass" rule within the ruleset.

# pfctl -P -sn -a "nat-portForwarding"
rdr log (to pflog3) on em0 inet proto tcp from to 172.16.33.10 port = 22 tag FWD_1 -> 192.168.33.1 port 22

# tcpdump -tttt -leqni pflog3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog3, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
2021-12-28 13:28:02.362191 rule 0/0(match): rdr in on em0: 172.16.33.1.41368 > 172.16.33.10.22: tcp 0

thanks

On Tue, Dec 28, 2021 at 1:18 PM Franco Fichtner wrote:
>
>
> > On 28. Dec 2021, at 7:57 AM, Özkan KIRIK wrote:
> >
> > And also, rule number and subrulenr information is missing.
>
> Have you tried to confirm that this wasn't already the case for
> "rdr pass" combinations before?
>
>
> Cheers,
> Franco
>

From nobody Sun Jan 2 21:00:15 2022
Message-Id: <202201022100.202L0F02033204@kenobi.freebsd.org>
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 2 Jan 2022 21:00:15 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Sun Jan 9 21:00:40 2022
Message-Id: <202201092100.209L0e6g043059@kenobi.freebsd.org>
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 9 Jan 2022 21:00:40 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Tue Jan 11 17:50:47 2022
From: Özkan KIRIK
To: freebsd-pf@freebsd.org
Subject: pflog: ruleset and subrulenr is missing for nat, rdr, binat
Date: Tue, 11 Jan 2022 20:50:47 +0300

Hi,

I'm using FreeBSD stable/12-n234401-66d9cbc5d269: Mon Dec 27 23:27:28 +03 2021.
The ruleset, subrulenr fields are not filled for nat, rdr, binat logs.

The basic test is below:

# pfctl -sn -a portFwd
rdr log (to pflog3) on em0 inet proto tcp from any to 172.16.33.10 port = ssh -> 192.168.33.1 port 22

# tcpdump -leqni pflog3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog3, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
20:40:24.622962 rule 0/0(match): rdr in on em0: 172.16.33.1.33670 > 172.16.33.10.22: tcp 0

# tshark -Tjson -ni pflog3
[Capturing on 'pflog3'
 ** (tshark:19497) 20:42:08.788099 [Main MESSAGE] -- Capture started.
 ** (tshark:19497) 20:42:08.788304 [Main MESSAGE] -- File: "/tmp/wireshark_pflog3HHKDF1.pcapng"
...
        "pflog": {
          "pflog.length": "69",
          "pflog.af": "2",
          "pflog.action": "8",
          "pflog.reason": "0",
          "pflog.ifname": "em0",
          "pflog.ruleset": "",
          "pflog.rulenr": "0",
          "pflog.subrulenr": "-1",
          "pflog.uid": "-1",
          "pflog.pid": "-1601830656",
          "pflog.rule_uid": "0",
          "pflog.rule_pid": "-1190985728",
          "pflog.dir": "1",
          "pflog.pad": "00:00:00"
        },
...

Is there any way to fill ruleset and subrulenr fields for nat, binat and rdr actions?

Regards
Ozkan.

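The header fields from the report above can be decoded straight from the capture bytes, which is useful when a dissector's output is in doubt. The following is an added example, not code from the thread or from FreeBSD: it assumes the struct pfloghdr layout of sys/net/if_pflog.h with the patch quoted earlier in the thread applied, rule numbers in network byte order, and uid/pid fields in little-endian host order. The sample bytes are constructed to match the tshark output, and parse_pflog and lacks_anchor_info are this example's own names.

```python
import struct
from typing import NamedTuple, Optional

# Values of the header's own length field (PFLOG_REAL_HDRLEN in the quoted patch):
# offsetof(pad) before the reserve byte was added, offsetof(pad2) after.
OLD_HDRLEN = 61
NEW_HDRLEN = 69

# pf action numbers for the translation rules named in the report.
TRANSLATION_ACTIONS = {4: "nat", 6: "binat", 8: "rdr"}

_FIXED = struct.Struct(">BBBB16s16sIi")  # length .. subrulenr, offsets 0-43
_IDS = struct.Struct("<iiii")            # uid, pid, rule_uid, rule_pid, offsets 44-59
_DIR = struct.Struct(">B")               # dir, offset 60
_RID = struct.Struct(">I")               # ridentifier, offset 64


class PflogHeader(NamedTuple):
    length: int
    af: int
    action: int
    reason: int
    ifname: str
    ruleset: str
    rulenr: int
    subrulenr: int
    uid: int
    pid: int
    rule_uid: int
    rule_pid: int
    direction: int
    ridentifier: Optional[int]


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-size name field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_pflog(buf: bytes) -> PflogHeader:
    """Decode one pflog header from the start of a captured frame."""
    if len(buf) < OLD_HDRLEN:
        raise ValueError("frame shorter than the smallest pflog header")
    length, af, action, reason, ifname, ruleset, rulenr, subrulenr = _FIXED.unpack_from(buf, 0)
    if length not in (OLD_HDRLEN, NEW_HDRLEN):
        raise ValueError(f"unexpected pflog header length {length}")
    if len(buf) < length:
        raise ValueError("frame shorter than its own header length field")
    uid, pid, rule_uid, rule_pid = _IDS.unpack_from(buf, 44)
    (direction,) = _DIR.unpack_from(buf, 60)
    # With length 61 the presence of ridentifier cannot be told from the
    # length alone, so it is only decoded for the 69-byte header.
    ridentifier = _RID.unpack_from(buf, 64)[0] if length == NEW_HDRLEN else None
    return PflogHeader(length, af, action, reason, _cstr(ifname), _cstr(ruleset),
                       rulenr, subrulenr, uid, pid, rule_uid, rule_pid,
                       direction, ridentifier)


def lacks_anchor_info(hdr: PflogHeader) -> bool:
    """True for a nat/binat/rdr record that carries no anchor name or sub-rule number."""
    return (hdr.action in TRANSLATION_ACTIONS
            and hdr.ruleset == "" and hdr.subrulenr == -1)


# Constructed sample: the 72 header bytes implied by the tshark output above.
SAMPLE_RDR = bytes.fromhex(
    "45020800"            # length=69, af=2, action=8 (rdr), reason=0
    + "656d30" + "00" * 13  # ifname "em0"
    + "00" * 16           # ruleset: empty
    + "00000000"          # rulenr 0
    + "ffffffff"          # subrulenr -1
    + "ffffffff"          # uid -1
    + "a0860100"          # pid: tshark shows these bytes as -1601830656
    + "00000000"          # rule_uid 0
    + "b9030000"          # rule_pid: tshark shows these bytes as -1190985728
    + "01000000"          # dir=1, pad[3]
    + "00000000"          # ridentifier 0
    + "00000000"          # reserve, pad2[3]
)

if __name__ == "__main__":
    hdr = parse_pflog(SAMPLE_RDR)
    print(hdr)
    print("translation record without anchor info:", lacks_anchor_info(hdr))
```

Read as little-endian, the two pid fields decode to 100000 and 953 instead of the negative values tshark prints.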
From nobody Sun Jan 16 21:00:42 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 16 Jan 2022 21:00:42 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Sun Jan 23 21:01:04 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 23 Jan 2022 21:01:04 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Mon Jan 24 22:55:15 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 256410] pf: Add pf_fallback_rules option
Date: Mon, 24 Jan 2022 22:55:15 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410

--- Comment #37 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=fae2a8cad398518c473f67fc210206c6dac02610

commit fae2a8cad398518c473f67fc210206c6dac02610
Author:     Thomas Steen Rasmussen
AuthorDate: 2021-06-16 18:29:06 +0000
Commit:     Kristof Provost
CommitDate: 2022-01-24 20:11:02 +0000

    pf: fallback if $pf_rules fails to load

    Support loading a default pf ruleset in case of invalid pf.conf.

    If no pf rules are loaded pf will pass/allow all traffic, assuming the
    kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in
    GENERIC.

    In other words: if there's a typo in the main pf_rules we would allow
    all traffic. The new default rules minimise the impact of this.

    If $pf_program (i.e. pfctl) fails to set $pf_rules and
    $pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file if
    set, or $pf_fallback_rules.

    $pf_fallback_rules can include multiple rules, for example to permit
    traffic on a management interface.

    $pf_fallback_rules_enable defaults to "NO", preserving historic
    behaviour.

    man page changes by ceri@.

    PR:             256410
    Reviewed by:    donner, kp
    Sponsored by:   semaphor.dk
    Differential Revision:  https://reviews.freebsd.org/D30791

    (cherry picked from commit 28f47a199cfd8749ab30a0327b0a3f8977ec2b43)

 libexec/rc/rc.conf       |  5 +++++
 libexec/rc/rc.d/pf       | 19 ++++++++++++++++++-
 share/man/man5/rc.conf.5 | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 1 deletion(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Sat Jan 29 15:36:45 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 256410] pf: Add pf_fallback_rules option
Date: Sat, 29 Jan 2022 15:36:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410

Thomas Steen Rasmussen / Tykling changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|Open                        |Closed

--- Comment #38 from Thomas Steen Rasmussen / Tykling ---
This has been MFCed, closing, thanks!

From nobody Sun Jan 30 21:01:01 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 30 Jan 2022 21:01:01 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.
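
The fallback selection described in the commit message for bug 256410 (comment #37 earlier in this archive) can be checked against a host's rc.conf to find machines that would pass all traffic after a pf.conf typo. This is an added example, not the rc.d/pf script or any FreeBSD code: it follows the wording of the commit message, the sample files and the em1 management interface are constructed, and apart from pf_fallback_rules_enable="NO" the defaults are placeholders, not the system's.

```python
import shlex

# Only the default of pf_fallback_rules_enable ("NO") is stated in the commit
# message; the other entries are placeholders for this example.
DEFAULTS = {
    "pf_enable": "NO",
    "pf_fallback_rules_enable": "NO",
    "pf_fallback_rules_file": "",
    "pf_fallback_rules": None,   # None: use whatever the system default is
}


def parse_rc_conf(text):
    """Parse sh-style NAME="value" assignments; quoted values may span lines,
    '#' starts a comment, and a later assignment overrides an earlier one."""
    conf = dict(DEFAULTS)
    for token in shlex.split(text, comments=True):
        name, sep, value = token.partition("=")
        if sep and name.isidentifier():
            conf[name] = value
    return conf


def is_yes(value):
    """rc.conf booleans: YES, TRUE, ON or 1, case-insensitive."""
    return value.strip().lower() in ("yes", "true", "on", "1")


def on_ruleset_load_failure(conf):
    """Return (state, detail) for what happens when $pf_rules fails to load.

    state is one of:
      "pf-disabled"     pf is not started at all
      "fail-open"       no ruleset loaded, so pf passes all traffic unless the
                        kernel was built with PF_DEFAULT_TO_DROP
      "fallback-file"   detail is the path in $pf_fallback_rules_file
      "fallback-inline" detail is the list of rules in $pf_fallback_rules,
                        or None when the variable is not set in this file
    """
    if not is_yes(conf["pf_enable"]):
        return ("pf-disabled", None)
    if not is_yes(conf["pf_fallback_rules_enable"]):
        return ("fail-open", None)
    if conf["pf_fallback_rules_file"]:
        return ("fallback-file", conf["pf_fallback_rules_file"])
    rules = conf["pf_fallback_rules"]
    if rules is None:
        return ("fallback-inline", None)
    return ("fallback-inline",
            [line.strip() for line in rules.splitlines() if line.strip()])


# Constructed sample: historic behaviour, fallback not enabled.
SAMPLE_FAIL_OPEN = '''
pf_enable="YES"
pf_rules="/etc/pf.conf"
'''

# Constructed sample: fallback enabled, with a rule that keeps ssh reachable
# on an assumed management interface em1.
SAMPLE_WITH_FALLBACK = '''
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_fallback_rules_enable="YES"
pf_fallback_rules="block drop log all
pass in quick on em1 inet proto tcp from any to any port 22"   # management access
'''

if __name__ == "__main__":
    for label, text in (("fail-open sample", SAMPLE_FAIL_OPEN),
                        ("fallback sample", SAMPLE_WITH_FALLBACK)):
        print(label, "->", on_ruleset_load_failure(parse_rc_conf(text)))
```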

From nobody Sun Feb 6 21:00:54 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 6 Feb 2022 21:00:54 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.
--16441812543.Ec3593c6.4269--

From: Goran Mekić
To: freebsd-pf@freebsd.org
Subject: IPv6 and NAT
Date: Mon, 7 Feb 2022 10:41:54 +0100
Message-ID: <20220207094154.fx23xi4i6volsqt7@tilda.center>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="kn2oum6yawxi3yvw"

--kn2oum6yawxi3yvw
Content-Type: text/plain; charset=utf-8

Hello,

I'm trying to configure jails on desktop to have local addresses with the
prefix of fd1a:db86:3f72:9dc4:: and NAT them using PF. What I observe is
that when I try "ping -6 google.com" my router receives an ICMP request
from an address with "fd1a:db86:3f72:9dc4::" as prefix.

Inside jail (eth0 is epair):

eth0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:a0:98:a6:60:8d
        hwaddr 02:1e:d3:64:68:0b
        inet 172.16.0.10 netmask 0xffffff00 broadcast 172.16.0.255
        inet6 fe80::2a0:98ff:fea6:608d%eth0 prefixlen 64 scopeid 0x3
        inet6 fd1a:db86:3f72:9dc4:2a0:98ff:fea6:608d prefixlen 64 autoconf
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
        nd6 options=23

netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags  Netif Expire
default            172.16.0.254       UGS    eth0
127.0.0.1          link#1             UH     lo0
172.16.0.0/24      link#3             U      eth0
172.16.0.10        link#3             UHS    lo0

Internet6:
Destination                             Gateway                         Flags  Netif Expire
::/96                                   ::1                             UGRS   lo0
default                                 fe80::5a9c:fcff:fe10:ff90%eth0  UG     eth0
::1                                     link#1                          UHS    lo0
::ffff:0.0.0.0/96                       ::1                             UGRS   lo0
fd1a:db86:3f72:9dc4::/64                link#3                          U      eth0
fd1a:db86:3f72:9dc4:2a0:98ff:fea6:608d  link#3                          UHS    lo0
fe80::/10                               ::1                             UGRS   lo0
fe80::%lo0/64                           link#1                          U      lo0
fe80::1%lo0                             link#1                          UHS    lo0
fe80::%eth0/64                          link#3                          U      eth0
fe80::2a0:98ff:fea6:608d%eth0           link#3                          UHS    lo0
ff02::/16                               ::1                             UGRS   lo0

On the host (cbsd0 is bridge, epair1a is host end of eth0 in the jail):

ifconfig cbsd0
cbsd0: flags=8843 metric 0 mtu 1500
        description: re0
        ether 58:9c:fc:10:ff:90
        inet 172.16.0.254 netmask 0xffffff00 broadcast 172.16.0.255
        inet 172.16.1.254 netmask 0xffffff00 broadcast 172.16.1.255
        inet 172.16.0.253 netmask 0xffffffff broadcast 172.16.0.253
        inet6 fe80::5a9c:fcff:fe10:ff90%cbsd0 prefixlen 64 scopeid 0x3
        inet6 fd10:6c79:8ae5:8b91::1 prefixlen 64
        inet6 fd10:6c79:8ae5:8b91::2 prefixlen 128
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair1a flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        groups: bridge
        nd6 options=21

ifconfig re0
re0: flags=8843 metric 0 mtu 1500
        options=8209b
        ether bc:ae:c5:e1:31:d0
        inet6 fe80::beae:c5ff:fee1:31d0%re0 prefixlen 64 scopeid 0x1
        inet6 2001:470:1f1a:2c6:beae:c5ff:fee1:31d0 prefixlen 64 autoconf
        inet 192.168.111.3 netmask 0xffffff00 broadcast 192.168.111.255
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=23

pfctl -sn
nat on re0 inet from to any -> (re0) round-robin
nat on re0 inet6 from (cbsd0:network) to any -> (re0:0)
rdr-anchor "cbsd/*" on re0 all

For completeness, these are my rules:

# Macros and tables
ext_if = "re0"
# SyncThing example
dhcp_ports = "{ bootps, bootpc }"
tcp_ports = "{ 3000, 7681, 22000}"
udp_ports = "{ 21027 }"
table persist

# Options
set block-policy drop
set skip on lo0

# Normalization
scrub in all

# NAT
nat on $ext_if inet from to any -> ($ext_if)
nat on $ext_if inet6 from (cbsd0:network) to any -> ($ext_if:0)
rdr-anchor "cbsd/*" on $ext_if

# Quick rules
antispoof quick log for ($ext_if)

# Rules
block in log on $ext_if
pass out
pass proto tcp to any port ssh
pass proto { icmp, igmp, icmp6 }
pass in proto tcp from any to any port $tcp_ports
pass in proto udp from any to any port $udp_ports
pass in proto udp from any to any port $dhcp_ports

I can see this on cbsd0 and re0 interfaces:

tcpdump -n -i cbsd0 ip6
10:37:08.473385 IP6 fd1a:db86:3f72:9dc4:2a0:98ff:fea6:608d > 2a00:1450:400d:80d::200e: ICMP6, echo request, seq 0, length 16

It is what I expect, as NAT is yet to be done, but then I don't expect that
source address to be visible on re0:

tcpdump -n -i re0 ip6
10:38:27.580473 IP6 fd1a:db86:3f72:9dc4:2a0:98ff:fea6:608d > 2a00:1450:400d:80d::200e: ICMP6, echo request, seq 0, length 16

I have just started learning about IPv6, so if anything is obviously wrong,
please point me to the docs and I'll happily RTFM. At this point I have no
clue what I did wrong.
Thank you,
meka

--kn2oum6yawxi3yvw--

From: Goran Mekić
To: freebsd-pf@freebsd.org
Subject: Re: IPv6 and NAT
Date: Mon, 7 Feb 2022 19:10:16 +0100
Message-ID: <20220207181016.7yp42a7cdqb3lqy3@tilda.center>
References: <20220207094154.fx23xi4i6volsqt7@tilda.center>
In-Reply-To: <20220207094154.fx23xi4i6volsqt7@tilda.center>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ktxz2p3hn3ydn2nh"

--ktxz2p3hn3ydn2nh
Content-Type: text/plain; charset=utf-8

To answer my own question, the prefixes for the bridge interface on the host
and the epair interface in the jail were different, so PF didn't pick packets
generated inside the jail. Sorry for the noise, I've been looking at this for
a few days and I'm obviously tired.

Regards,
meka

--ktxz2p3hn3ydn2nh--
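
Added example, not part of the original thread: the prefix mismatch described in the reply above, checked in Python. It derives the networks that pf's (cbsd0:network) covers from the ifconfig output quoted in the first message and tests the source address seen leaving re0 against them. The function names are this example's own, the embedded sample lines are copied from the thread, and only IP6 tcpdump lines are handled.

```python
import ipaddress
import re

# Sample input: lines copied from the ifconfig/tcpdump output quoted in the thread.
IFCONFIG_CBSD0 = """\
cbsd0: flags=8843 metric 0 mtu 1500
        inet 172.16.0.254 netmask 0xffffff00 broadcast 172.16.0.255
        inet6 fe80::5a9c:fcff:fe10:ff90%cbsd0 prefixlen 64 scopeid 0x3
        inet6 fd10:6c79:8ae5:8b91::1 prefixlen 64
        inet6 fd10:6c79:8ae5:8b91::2 prefixlen 128
"""
RE0_ADDRS = ["2001:470:1f1a:2c6:beae:c5ff:fee1:31d0"]
RE0_CAPTURE = [
    "10:38:27.580473 IP6 fd1a:db86:3f72:9dc4:2a0:98ff:fea6:608d > "
    "2a00:1450:400d:80d::200e: ICMP6, echo request, seq 0, length 16",
]

INET6_RE = re.compile(
    r"^\s*inet6\s+([0-9A-Fa-f:]+)(?:%\S+)?\s+prefixlen\s+(\d+)", re.M)
INET_RE = re.compile(
    r"^\s*inet\s+([\d.]+)\s+netmask\s+0x([0-9A-Fa-f]{8})", re.M)
# tcpdump prints "addr.port" for TCP/UDP and a bare address for ICMP6.
IP6_SRC_RE = re.compile(r"\bIP6\s+([0-9A-Fa-f:]+)(?:\.\d+)?\s+>")
ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses


def interface_networks(ifconfig_text):
    """Networks attached to an interface: what (ifname:network) stands for."""
    nets = [ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            for addr, plen in INET6_RE.findall(ifconfig_text)]
    for addr, mask in INET_RE.findall(ifconfig_text):
        plen = bin(int(mask, 16)).count("1")  # hex netmask -> prefix length
        nets.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return nets


def audit_egress(capture_lines, egress_addrs, nat_source_nets):
    """Report IPv6 sources seen on the egress interface that are not one of
    its own addresses, and whether the NAT rule's source set covers them."""
    own = {ipaddress.ip_address(a) for a in egress_addrs}
    findings = []
    for line in capture_lines:
        match = IP6_SRC_RE.search(line)
        if not match:
            continue
        src = ipaddress.ip_address(match.group(1))
        if src in own:
            continue  # already translated, or the host's own traffic
        findings.append({
            "source": str(src),
            "unique_local": src in ULA,
            "nat_rule_matches": any(
                src in net for net in nat_source_nets
                if net.version == src.version),
        })
    return findings


if __name__ == "__main__":
    nets = interface_networks(IFCONFIG_CBSD0)
    print("(cbsd0:network) covers:", ", ".join(str(n) for n in nets))
    for finding in audit_egress(RE0_CAPTURE, RE0_ADDRS, nets):
        print(finding)
    # Hypothetical: if the bridge also carried the jail's prefix, the same
    # packet would fall inside the rule's source set. The thread does not say
    # which side was changed to make the prefixes agree.
    aligned = nets + [ipaddress.ip_network("fd1a:db86:3f72:9dc4::/64")]
    print(audit_egress(RE0_CAPTURE, RE0_ADDRS, aligned))
```

A source that is reported with unique_local true and nat_rule_matches false on the egress interface is the symptom from the first message: the packet left untranslated because its prefix is not one attached to the bridge.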

From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 13 Feb 2022 21:00:28 +0000
Message-Id: <202202132100.21DL0Shr048783@kenobi.freebsd.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="16447860282.7b09C748.47454"

--16447860282.7b09C748.47454
Content-Type: text/plain; charset="UTF-8"

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.
--16447860282.7b09C748.47454--

From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 20 Feb 2022 21:00:47 +0000
Message-Id: <202202202100.21KL0lqI067466@kenobi.freebsd.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="16453908472.60B7de.64779"

--16453908472.60B7de.64779
Content-Type: text/plain; charset="UTF-8"

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.
--16453908472.60B7de.64779--

From: Steven Burrell
To: freebsd-pf@freebsd.org
Subject: PF and redirects to different FIB's
Date: Wed, 23 Feb 2022 14:06:30 +0200
MIME-Version: 1.0
Content-Type: multipart/related; boundary="0000000000005c5a6b05d8ae4c64"

--0000000000005c5a6b05d8ae4c64
Content-Type: multipart/alternative; boundary="0000000000005c5a6b05d8ae4c63"

--0000000000005c5a6b05d8ae4c63
Content-Type: text/plain; charset="UTF-8"

Hi There,

I’ve been sitting on a problem for a while now and have tried various
options to no avail. As an example, I have 3 FIBs, with overlapping IPs.

FIB 0
FIB 1
FIB 2

I’m trying to redirect received TACACS traffic ( tcp 49 ) from FIB 1 and 2
through to another Server located within FIB 0, and have return traffic
still return to the correct FIB and destination.

I.e.

Server 1:

Interface : 1
  - Belongs to FIB 0
  - 10.0.0.1

Interface : 2
  - Belongs to FIB 1
  - 192.168.0.1

Interface : 3
  - Belongs to FIB 2
  - 192.168.0.1

Server 2:

Interface : 1
  - On same network as Server 1.
  - 10.0.0.2
  - Gateway is set to 10.0.0.1
  - Runs a TACACS Server

Now I need PF to redirect in the inbound traffic on interface 2 and 3 for
port 49 tcp through to server 2 in FIB 0.

I’ve been able to get the traffic to get to Server 2, and the reply gets to
Server 1 in FIB 0, but there is no transition back to the original FIB.

I used this:

rdr pass inet proto tcp from any to any port 49 rtable 0 -> 10.200.0.13 port 49

In OpenBSD I was able to achieve all of this effortlessly with:

pass in quick on any proto tcp to any port {49} rdr-to 10.200.0.12 rtable 0

Any suggestions or advice would be welcome.

[image: image.png]

Thanks.
From nobody Thu Feb 24 01:35:00 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 127042] [pf] [patch] pf recursion panic if interface group is the same as the new interface name
Date: Thu, 24 Feb 2022 01:35:00 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=127042

ben@desync.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ben@desync.com

--- Comment #3 from ben@desync.com ---
This is showing up with wireguard, where the wireguard tools create an if_wg
interface named "wg" by default.

root@freebsd:~ # uname -v
FreeBSD 13.0-RELEASE-p7 #0: Mon Jan 31 18:24:03 UTC 2022
root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
root@freebsd:~ # ifconfig wg create name wg
wg
root@freebsd:~ # kldload pf
Fatal double fault
rip 0xffffffff823780ec rsp 0xfffffe004b1e8000 rbp 0xfffffe004b1e8020
rax 0xfffff8000381ed00 rdx 0 rbx 0xfffff8000357b7a0
rcx 0xfffff8000541f900 rsi 0xfffff80005687600 rdi 0xfffff8000541f900
r8 0 r9 0xc350 r10 0x3
r11 0 r12 0x80 r13 0xfffffe004b1ebb98
r14 0xfffff8000541f900 r15 0xfffffe004d38b500 rflags 0x286
cs 0x20 ss 0x28 ds 0x3b es 0x3b fs 0x13 gs 0x1b
fsbase 0x80028f120 gsbase 0xffffffff82211000 kgsbase 0
cpuid = 1; apic id = 01
panic: double fault
cpuid = 1
time = 1645646385
KDB: stack backtrace:
Uptime: 1m23s

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Sun Feb 27 21:01:10 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 27 Feb 2022 21:01:10 +0000
Message-Id: <202202272101.21RL1AVK064608@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Sun Mar 6 21:01:19 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 6 Mar 2022 21:01:19 +0000
Message-Id: <202203062101.226L1JBh078485@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Sun Mar 13 21:00:48 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 13 Mar 2022 21:00:48 +0000
Message-Id: <202203132100.22DL0mTE023492@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Wed Mar 16 16:14:57 2022
From: skeletor
Reply-To: skeletor@lissyara.su
To: freebsd-pf@freebsd.org
Subject: Question about synproxy
Date: Wed, 16 Mar 2022 18:14:57 +0200

Hi.

Could anybody explain to me why synproxy doesn't work in this rule?

# pfctl -sr -v
pass in quick on vmx0 inet proto tcp from any to 10.5.0.5 port = 2211 flags S/SA synproxy state
  [ Evaluations: 1777 Packets: 0 Bytes: 0 States: 1 ]
  [ Inserted: uid 0 pid 75209 State Creations: 2 ]
pass all flags S/SA keep state
  [ Evaluations: 1775 Packets: 2885 Bytes: 288624 States: 194 ]
  [ Inserted: uid 0 pid 75209 State Creations: 1375 ]

I have an openssh server on port 2211

# sockstat | grep 2211
root sshd 841 3 tcp6 *:2211 *:*
root sshd 841 4 tcp4 *:2211 *:*

In tcpdump I see packets between the hosts, but the connection can't be
established. Maybe I am using synproxy wrongly? My goal is to use synproxy
for connecting to the ssh server (which is on this host, where the pf rules
are). Or is it not for this purpose?

Thanks.

From nobody Fri Mar 18 13:07:46 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 262622] [pf][patch] fix showing rules in (some) nested anchors
Date: Fri, 18 Mar 2022 13:07:46 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262622

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Fri Mar 18 13:07:59 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 262622] [pf][patch] fix showing rules in (some) nested anchors
Date: Fri, 18 Mar 2022 13:07:59 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262622

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|misc                        |kern

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Fri Mar 18 14:56:19 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 262622] [pf][patch] fix showing rules in (some) nested anchors
Date: Fri, 18 Mar 2022 14:56:19 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262622

Matteo Riondato changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |In Progress
          Component|kern                        |bin

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Sun Mar 20 21:00:02 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 20 Mar 2022 21:00:02 +0000
Message-Id: <202203202100.22KL02sZ007069@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.
From nobody Thu Mar 24 13:15:25 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 262622] [pf][patch] fix showing rules in (some) nested anchors
Date: Thu, 24 Mar 2022 13:15:25 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262622

--- Comment #10 from commit-hook@FreeBSD.org ---
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d56abf1d16238eeaab74509999a8f9303534f918

commit d56abf1d16238eeaab74509999a8f9303534f918
Author:     Matteo Riondato
AuthorDate: 2022-03-17 18:48:28 +0000
Commit:     Kristof Provost
CommitDate: 2022-03-24 09:44:40 +0000

    pfctl: fix retrieving nested anchors

    PR:             262622
    MFC after:      1 week
    Reviewed by:    kp

    (cherry picked from commit cd8438e5a3a425ea44b261758e17fe62ebb45fce)

 sbin/pfctl/pfctl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Thu Mar 24 13:16:26 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 262622] [pf][patch] fix showing rules in (some) nested anchors
Date: Thu, 24 Mar 2022 13:16:26 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262622

--- Comment #11 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5567b132a40f44a87884cb29d14faab39d24d832

commit 5567b132a40f44a87884cb29d14faab39d24d832
Author:     Matteo Riondato
AuthorDate: 2022-03-17 18:48:28 +0000
Commit:     Kristof Provost
CommitDate: 2022-03-24 09:44:31 +0000

    pfctl: fix retrieving nested anchors

    PR:             262622
    MFC after:      1 week
    Reviewed by:    kp

    (cherry picked from commit cd8438e5a3a425ea44b261758e17fe62ebb45fce)

 sbin/pfctl/pfctl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

From nobody Thu Mar 24 14:32:53 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 262622] [pf][patch] fix showing rules in (some) nested anchors
Date: Thu, 24 Mar 2022 14:32:53 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262622

Matteo Riondato changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|In Progress                 |Closed
         Resolution|---                         |FIXED

--- Comment #12 from Matteo Riondato ---
Closing as it seems to be done at this point.
Thank you Kristof!

From nobody Sun Mar 27 20:11:39 2022
From: Marcel Bischoff
To: stable@freebsd.org, freebsd-pf@freebsd.org
Subject: pfctl: Cannot allocate memory.
Date: Sun, 27 Mar 2022 22:11:39 +0200
Message-Id: <06EB4080-08D2-42DE-BB0D-E0C1CAE0EC2F@herrbischoff.com>

Hello all,

when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine.

$ doas pfctl -f /etc/pf.conf
/etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

It doesn't matter how much free memory is available or if any other software is even running. Flushing the table and adding all entries again manually does appear to work but is no permanent solution. Only rebooting restores it to working order.

I know that 2 GB of RAM are not exactly plenty but I don't see why everything works initially but not later. Sometimes months or weeks go by, sometimes days but ultimately several instances still end up in this state. I have currently left one in this state to test various suggestions and to provide necessary requested information.

I had run into this issue several times in the past, but it always seems to reappear seemingly randomly. I'll be happy for any assistance in troubleshooting and tracking it down.

I'm using the pf-badhost script (https://geoghegan.ca/pfbadhost.html) to update a blocklist for PF. This should be largely unrelated to this issue, as all it does is call a "pfctl -t pfbadhost -T replace -f /etc/pf-badhost.txt" command after updating the respective file that uses the table. The updated file contains single lines of IPs and CIDRs, both IPv4 and IPv6.

$ cat /etc/pf.conf
[...]
table <pfbadhost> persist file "/etc/pf-badhost.txt"
block in quick log on $ext_if from <pfbadhost>
block out quick log on $ext_if to <pfbadhost>
[...]

$ cat /etc/pf-badhost.txt
[...]
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.0.111.213
[...]
2c0f:fe80::/29
2c0f:fed0::/29
2e00::/7
4000::/2
8000::/1
[...]

$ ls -lh /etc/pf-badhost.txt
-rw-r-----  1 _pfbadhost  wheel   5.3M Mar 27 21:05 /etc/pf-badhost.txt

$ wc -l /etc/pf-badhost.txt
  367319 /etc/pf-badhost.txt

## Environment

Virtual machine
2 GB RAM
20 GB SSD HD

--------------------------------

$ freebsd-version
13.0-RELEASE-p10

--------------------------------

$ swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/da0p2        2097152        0  2097152     0%

--------------------------------

$ cat /boot/loader.conf
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
opensolaris_load="YES"
zfs_load="YES"
vfs.zfs.arc_max="200M"
autoboot_delay="3"
beastie_disable="YES"
net.pf.request_maxcount=5000000
kern.maxdsiz="2147483648"

--------------------------------

$ doas pfctl -s memory
states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit  5000000

--------------------------------

$ doas pfctl -s info
Status: Enabled for 4 days 11:41:58           Debug: Urgent

State Table                          Total             Rate
  current entries                        3
  searches                        12356604           31.9/s
  inserts                           117503            0.3/s
  removals                          117500            0.3/s
Counters
  match                             209978            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                             19            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        20            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

--------------------------------

$ ulimit -a
Maximum size of core files created                           (kB, -c) unlimited
Maximum size of a process’s data segment                     (kB, -d) 4194304
Maximum size of files created by the shell                   (kB, -f) unlimited
Maximum size that may be locked into memory                  (kB, -l) 64
Maximum resident set size                                    (kB, -m) unlimited
Maximum number of open file descriptors                          (-n) 56457
Maximum stack size                                           (kB, -s) 524288
Maximum amount of cpu time in seconds                   (seconds, -t) unlimited
Maximum number of processes available to a single user           (-u) 6613
Maximum amount of virtual memory available to the shell      (kB, -v) unlimited

--------------------------------

Thanks in advance for any assistance.

My best,

Marcel

From nobody Sun Mar 27 21:00:05 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 27 Mar 2022 21:00:05 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.
From nobody Mon Mar 28 07:44:14 2022
From: Kristof Provost
To: Marcel Bischoff
Cc: stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pfctl: Cannot allocate memory.
Date: Mon, 28 Mar 2022 09:44:14 +0200
In-Reply-To: <06EB4080-08D2-42DE-BB0D-E0C1CAE0EC2F@herrbischoff.com>

On 27 Mar 2022, at 22:11, Marcel Bischoff wrote:
> Hello all,
>
> when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine.
>
> $ doas pfctl -f /etc/pf.conf
> /etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
>
That sounds a lot like https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406

My current theory is that this is a bug in the memory allocator somewhere.
I do not have the background or time to debug that.

Kristof

From nobody Mon Mar 28 12:14:55 2022
From: Marcel Bischoff
To: Kristof Provost
Cc: stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pfctl: Cannot allocate memory.
Date: Mon, 28 Mar 2022 14:14:55 +0200
Message-Id: <8BBDA16D-207B-4704-86F5-F75F2A44AD7B@herrbischoff.com>
References: <06EB4080-08D2-42DE-BB0D-E0C1CAE0EC2F@herrbischoff.com>

> On 28. Mar 2022, at 09:44, Kristof Provost wrote:
>
> On 27 Mar 2022, at 22:11, Marcel Bischoff wrote:
>> Hello all,
>>
>> when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine.
>>=20 >> $ doas pfctl -f /etc/pf.conf >> /etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate = memory >> pfctl: Syntax error in config file: pf rules not loaded >>=20 > That sounds a lot like = https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D260406 >=20 > My current theory is that this is a bug in the memory allocator = somewhere. I do not have the background or time to debug that. Thanks for your reply Kristof. I concur, it indeed looks a lot like the = bug ticket you linked. I could spare the time but I don't have the = background or capability to debug this myself. Is there anything I could = do to help move this issue along? Marcel= From nobody Mon Mar 28 14:13:30 2022 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 63B9A1A46BD6; Mon, 28 Mar 2022 14:13:33 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KRvn92NlWz4tZY; Mon, 28 Mar 2022 14:13:33 +0000 (UTC) (envelope-from kp@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648476813; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=icg9Re1CBBJBXwAqzcOtq5cB/xSjPQEyMfysHWzGDzI=; b=yFDZFvfMyzW51YHcgNiBjvj6eX+3KQhmSfu19KGnOPkmcnzuAmgMvlJfquYvahsiSb5OEV 4GipJpQ/dkObkBuWX+VqLMvgTiaGd2VGTEZdW51Zbg0U6HwNjgA6cJpSkgaUhhaUc4kzuL 
hkN3EaVhlsesdABfH1oiUyZ4L9D49CrWJNPYhX4hhCyO1YeVAkWs+4rHKuWxZoMTUnTYvO NVhOt3tWIFMYk6mS4Td0zfEhU2F1P/F7kTYHzyQsSq5fsvdEfTckSBmYqezZFAx6lpr4gw 2OefrgK6O8jTZLokKi5d59oxYa78bQJuGrVFJdX0Ed+T/SIKrNEf5R8cH13g1A== Received: from venus.codepro.be (venus.codepro.be [5.9.86.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx1.codepro.be", Issuer "R3" (verified OK)) (Authenticated sender: kp) by smtp.freebsd.org (Postfix) with ESMTPSA id 19B1C251AD; Mon, 28 Mar 2022 14:13:33 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: by venus.codepro.be (Postfix, authenticated sender kp) id 5FD304AEEF; Mon, 28 Mar 2022 16:13:31 +0200 (CEST) From: Kristof Provost To: Marcel Bischoff Cc: stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pfctl: Cannot allocate memory. Date: Mon, 28 Mar 2022 16:13:30 +0200 X-Mailer: MailMate (1.14r5852) Message-ID: <9184152E-52BF-460A-97C1-CA10E2FDCE03@FreeBSD.org> In-Reply-To: <8BBDA16D-207B-4704-86F5-F75F2A44AD7B@herrbischoff.com> References: <06EB4080-08D2-42DE-BB0D-E0C1CAE0EC2F@herrbischoff.com> <8BBDA16D-207B-4704-86F5-F75F2A44AD7B@herrbischoff.com> List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648476813; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=icg9Re1CBBJBXwAqzcOtq5cB/xSjPQEyMfysHWzGDzI=; b=EVKeQQM9qCqoUu+LlU0YKKYrA6pB2m65pfe9A0qgWMy0+j/8sormZ+4Uv50m1enS4EIyxg 
yWdP5XkXgjWfiwpwEGr3F4OD0J0wwCxCGfm+orN5U6wCurG4ncvn0K3od8Ts5+ilNfv6ZQ mBKyazDapE/zrPYYCue20ABFMUfwXM9ixg2M2eU5GR2ggC20yIdH5A0L7NGNA4wHDs57Jy aTVUeSXbVTCTGsKgttxWQT8aXfyq6viQ1aHbONTrera7JVT6GNaU3tfJUEEvXiW7N4NLbq 29AgcMqNsq/5mpIW70NXZSiAIVJmm84kDuptxZuVtlaMWBVRhgb8HzlPTXsC+Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648476813; a=rsa-sha256; cv=none; b=lOcwUcIHeDjj6fWGTlc2fk5dgUH69AQzsDAwYA1pBQ7gZR04zb1+cmgMwTXJMrOrKqHqCl JUjCKFr4WOhbGdKaZaQ7ofIZ8LljZSBcK5h+didKVpxbeQbPYP1Lros1ocvMOS7f+WHC7M IRABMJOIU9ngTv+L0kmj4uTP8ZjS3kErDwUZnA/gWb4H2wqK575qwvRylh5/JOOHGbFaYv eZLk9hHs1zb9YS9dmZCyR0MXFVmtBpFErCxjR5cpOdPUJMEJfXwuoLOJT2OPmMTntdoIdE QsCWE4iVUVGSwqX4lCeGoCUe7+dQbMK8Or50Nni4sAsgYlFsbvlfSO4BDmH4TQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N On 28 Mar 2022, at 14:14, Marcel Bischoff wrote: >> On 28. Mar 2022, at 09:44, Kristof Provost wrote: >> >> On 27 Mar 2022, at 22:11, Marcel Bischoff wrote: >>> Hello all, >>> >>> when updating a table of ~370k entries, PF sometimes refuses to do so= and from then on continues to refuse until I reboot the machine. >>> >>> $ doas pfctl -f /etc/pf.conf >>> /etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memor= y >>> pfctl: Syntax error in config file: pf rules not loaded >>> >> That sounds a lot like https://bugs.freebsd.org/bugzilla/show_bug.cgi?= id=3D260406 >> >> My current theory is that this is a bug in the memory allocator somewh= ere. I do not have the background or time to debug that. > > Thanks for your reply Kristof. I concur, it indeed looks a lot like the= bug ticket you linked. I could spare the time but I don't have the backg= round or capability to debug this myself. Is there anything I could do to= help move this issue along? > Short of studying the memory allocation code and finding the bug, no. 
Kristof From nobody Mon Mar 28 22:10:54 2022 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 3EC001A32552; Mon, 28 Mar 2022 22:12:09 +0000 (UTC) (envelope-from doctor@doctor.nl2k.ab.ca) Received: from doctor.nl2k.ab.ca (doctor.nl2k.ab.ca [204.209.81.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4KS6PN13FPz4TJf; Mon, 28 Mar 2022 22:12:07 +0000 (UTC) (envelope-from doctor@doctor.nl2k.ab.ca) Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD)) (envelope-from ) id 1nYxZe-0008Ad-TN; Mon, 28 Mar 2022 16:10:54 -0600 Date: Mon, 28 Mar 2022 16:10:54 -0600 From: The Doctor To: Kristof Provost Cc: Marcel Bischoff , stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pfctl: Cannot allocate memory. 
Message-ID: References: <06EB4080-08D2-42DE-BB0D-E0C1CAE0EC2F@herrbischoff.com> <8BBDA16D-207B-4704-86F5-F75F2A44AD7B@herrbischoff.com> <9184152E-52BF-460A-97C1-CA10E2FDCE03@FreeBSD.org> List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <9184152E-52BF-460A-97C1-CA10E2FDCE03@FreeBSD.org> X-Rspamd-Queue-Id: 4KS6PN13FPz4TJf X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=pass (policy=quarantine) header.from=nl2k.ab.ca; spf=pass (mx1.freebsd.org: domain of doctor@doctor.nl2k.ab.ca designates 204.209.81.1 as permitted sender) smtp.mailfrom=doctor@doctor.nl2k.ab.ca X-Spamd-Result: default: False [-1.80 / 15.00]; INTRODUCTION(2.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; RCPT_COUNT_THREE(0.00)[4]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+a]; FROM_HAS_DN(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[nl2k.ab.ca,quarantine]; MLMMJ_DEST(0.00)[stable,freebsd-pf]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; ASN(0.00)[asn:6171, ipnet:204.209.81.0/24, country:CA]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N On Mon, Mar 28, 2022 at 04:13:30PM +0200, Kristof Provost wrote: > On 28 Mar 2022, at 14:14, Marcel Bischoff wrote: > >> On 28. Mar 2022, at 09:44, Kristof Provost wrote: > >> > >> On 27 Mar 2022, at 22:11, Marcel Bischoff wrote: > >>> Hello all, > >>> > >>> when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine. 
> >>> > >>> $ doas pfctl -f /etc/pf.conf > >>> /etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memory > >>> pfctl: Syntax error in config file: pf rules not loaded > >>> > >> That sounds a lot like https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406 > >> > >> My current theory is that this is a bug in the memory allocator somewhere. I do not have the background or time to debug that. > > > > Thanks for your reply Kristof. I concur, it indeed looks a lot like the bug ticket you linked. I could spare the time but I don't have the background or capability to debug this myself. Is there anything I could do to help move this issue along? > > > Short of studying the memory allocation code and finding the bug, no. > > Kristof > Best do a shotdown / restart. -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b One cannot abide in truth while spinning falsehoods. 
-unknown Beware https://mindspring.com From nobody Tue Mar 29 20:30:26 2022 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 62C991A36C34 for ; Tue, 29 Mar 2022 20:30:38 +0000 (UTC) (envelope-from cristian.cardoso11@gmail.com) Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KSh5n4pFxz3JMW for ; Tue, 29 Mar 2022 20:30:37 +0000 (UTC) (envelope-from cristian.cardoso11@gmail.com) Received: by mail-qk1-x72a.google.com with SMTP id q200so1830482qke.7 for ; Tue, 29 Mar 2022 13:30:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=PZ1eeQRxmCeGwM39h+HXLq9b9N+VsP87+caOgtHETEc=; b=UaTRDpQjYclqHrOPfeVU0TzfCgmx+PfqSUiQIOSJhbORnflsdbc9w0TKiySaHzKLFV 6VXhsUvlqCyzWwDBy96tKSQVX0sPjGGraHsvn7Ss9vu/MfLN1ump2WaXU/JYFnY4Ktxm sT0GHlP1SWYh4yqrZqTJArrGgXgpkK+7wvM9t91Yhc2QyJQ9xahiuYdPmTCjjLG6vRWB AEoJQXklBvjOfggyMlOZOZ+1MUfczpRtd9WsMNohBsXjQ496KzkdDwQHAS0UupexnCVv O1HCBt3FjXxqdPA2/JrvqBhNx5wZY0/k0qMjiraVYKkzmPWaEikcPENp7jYN0ffYl+QH VEsA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=PZ1eeQRxmCeGwM39h+HXLq9b9N+VsP87+caOgtHETEc=; b=ZLO2cYFPIGkm9wIMJEvHVAaBKiTzwcO1hlSwHx491wk1c3mUB8kruJS/KTEyN13b4f WaYAKKF4gMRpygcPkFmK5+OCYsCUPDfu+PXJp91zHiWcMvM22PRWP5LE2DMzkgTZ242j kyWI8BnrztB88pb8imlv7PRDI3mzjSM5gcSsHmv1vLIGJVbBYdutaVfgHqhTSXyYa1At OkjQa+LgysUHl7A5e6/dlIS8R3C4n2esD1R5wnUh08PRF6kf7vhHYwYx5PlcWHFEhGBC 
moA4gxPctv3I88v0yQdvPY5Gnmg0kWRlgzt0QGaFrMtzod8aRl2u0RfEfT+xSgquyLf5 n8Hw== X-Gm-Message-State: AOAM533iRQOpLoJX5fi5j4R0do/NhOF4d9fOB3GSxV2sTaxRdV4lacWe O1ADljbNSxz4avxIXxvizzFCjMmLcSzNtqhdBLky3TUTAw== X-Google-Smtp-Source: ABdhPJzmApnpZJ3+Gvhj8Y/0YVDETsi9VVhQ26LRV8QW6Rm//vR3h7pxMp0GcbdqPDCEVRYUxWX8MOXe0pw1ra5kHiw= X-Received: by 2002:a37:9e17:0:b0:67e:cd1:c852 with SMTP id h23-20020a379e17000000b0067e0cd1c852mr21862415qke.615.1648585837027; Tue, 29 Mar 2022 13:30:37 -0700 (PDT) List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 From: Cristian Cardoso Date: Tue, 29 Mar 2022 17:30:26 -0300 Message-ID: Subject: PF session ttl To: FreeBSD PF List Content-Type: multipart/alternative; boundary="00000000000032a6f205db614d32" X-Rspamd-Queue-Id: 4KSh5n4pFxz3JMW X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=UaTRDpQj; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of cristiancardoso11@gmail.com designates 2607:f8b0:4864:20::72a as permitted sender) smtp.mailfrom=cristiancardoso11@gmail.com X-Spamd-Result: default: False [-3.89 / 15.00]; FREEMAIL_FROM(0.00)[gmail.com]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-1.00)[-0.999]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.89)[-0.892]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; 
MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::72a:from]; MLMMJ_DEST(0.00)[freebsd-pf]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N --00000000000032a6f205db614d32 Content-Type: text/plain; charset="UTF-8" Hi Guys, does anyone happen to know how to tell me the value of session ttl that PF uses to terminate sessions that are via statefull? --00000000000032a6f205db614d32 Content-Type: text/html; charset="UTF-8"

From nobody Tue Mar 29 20:48:30 2022
Message-ID: <558dfec2-031a-feb6-dc2f-f9fc83205896@sentex.net>
Date: Tue, 29 Mar 2022 16:48:30 -0400
Subject: Re: PF session ttl
To: Cristian Cardoso, FreeBSD PF List
From: mike tancsa

On 3/29/2022 4:30 PM, Cristian Cardoso wrote:
> Hi
> Guys, does anyone happen to know how to tell me the value of session
> ttl that PF uses to terminate sessions that are via stateful?

Are you looking for when a state expires? If so, try

pfctl -ss -v -v

it will show you when it expires

e.g.

all tcp 192.168.96.1:22 (10.159.159.249:24) <- 192.168.1.89:64660       SYN_SENT:ESTABLISHED
   [997609076 + 2097152] wscale 6  [2771445293 + 16777472] wscale 2
   age 00:00:00, expires in 00:00:30, 1:1 pkts, 52:52 bytes
   id: 90d5c76500000000 creatorid: 7b2b3e4b gateway: 0.0.0.0
   origif: vlan9

    ---Mike

From nobody Tue Mar 29 20:51:19 2022
References: <558dfec2-031a-feb6-dc2f-f9fc83205896@sentex.net>
In-Reply-To: <558dfec2-031a-feb6-dc2f-f9fc83205896@sentex.net>
From: Cristian Cardoso
Date: Tue, 29 Mar 2022 17:51:19 -0300
Subject: Re: PF session ttl
To: mike tancsa
Cc: FreeBSD PF List

Thanks for the command. But actually I wanted to know if there is a "default" value, what is its value and if it is configurable.

On Tue, 29 Mar 2022 at 17:48, mike tancsa wrote:

> On 3/29/2022 4:30 PM, Cristian Cardoso wrote:
> > Hi
> > Guys, does anyone happen to know how to tell me the value of session
> > ttl that PF uses to terminate sessions that are via stateful?
>
> Are you looking for when a state expires? If so, try
>
> pfctl -ss -v -v
>
> it will show you when it expires
>
> e.g.
>
> all tcp 192.168.96.1:22 (10.159.159.249:24) <- 192.168.1.89:64660 SYN_SENT:ESTABLISHED
>    [997609076 + 2097152] wscale 6  [2771445293 + 16777472] wscale 2
>    age 00:00:00, expires in 00:00:30, 1:1 pkts, 52:52 bytes
>    id: 90d5c76500000000 creatorid: 7b2b3e4b gateway: 0.0.0.0
>    origif: vlan9
>
>     ---Mike
>

From nobody Tue Mar 29 20:57:32 2022
Message-ID: <0b67d668-2f0c-fcfc-f180-97eba208bcad@sentex.net>
Date: Tue, 29 Mar 2022 16:57:32 -0400
Subject: Re: PF session ttl
To: Cristian Cardoso
Cc: FreeBSD PF List
References: <558dfec2-031a-feb6-dc2f-f9fc83205896@sentex.net>
From: mike tancsa

On 3/29/2022 4:51 PM, Cristian Cardoso wrote:
> Thanks for the command. But actually I wanted to know if there is a
> "default" value, what is its value and if it is configurable.
>
pfctl -sa

will show you the current defaults

I think what you are after is in the pf.conf's man page under

STATEFUL TRACKING OPTIONS

           Changes the timeout values used for states created by this rule.
           For a list of all valid timeout names, see OPTIONS above.

with the example

           pass in proto tcp from any to any \
                 port www keep state \
                 (max 100, source-track rule, max-src-nodes 75, \
                 max-src-states 3, tcp.established 60, tcp.closing 5)

and you can set global defaults via the set timeout command.

    ---Mike

> On Tue, 29 Mar 2022 at 17:48, mike tancsa wrote:
>
>     On 3/29/2022 4:30 PM, Cristian Cardoso wrote:
>     > Hi
>     > Guys, does anyone happen to know how to tell me the value of session
>     > ttl that PF uses to terminate sessions that are via stateful?
>
>     Are you looking for when a state expires? If so, try
>
>     pfctl -ss -v -v
>
>     it will show you when it expires
>
>     e.g.
>
>     all tcp 192.168.96.1:22 (10.159.159.249:24) <- 192.168.1.89:64660 SYN_SENT:ESTABLISHED
>         [997609076 + 2097152] wscale 6  [2771445293 + 16777472] wscale 2
>         age 00:00:00, expires in 00:00:30, 1:1 pkts, 52:52 bytes
>         id: 90d5c76500000000 creatorid: 7b2b3e4b gateway: 0.0.0.0
>         origif: vlan9
>
>          ---Mike
>
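
Added example (not part of the thread and not pf's own code): a small Python parser for the `pfctl -ss -v -v` output shown in the two replies above, reporting each state's remaining lifetime and the longest expiry seen per state phase, which is how the effect of a `set timeout` or per-rule timeout change can be checked on a live firewall. The first sample entry is the one quoted in the thread; the other two entries and all function names are constructed for illustration.

```python
"""Summarise pf state lifetimes from `pfctl -ss -v -v` text (added example)."""
import re
from collections import defaultdict

# First entry: the state quoted in the thread. The other two are constructed
# sample values that use documentation address ranges.
SAMPLE = """\
all tcp 192.168.96.1:22 (10.159.159.249:24) <- 192.168.1.89:64660       SYN_SENT:ESTABLISHED
   [997609076 + 2097152] wscale 6  [2771445293 + 16777472] wscale 2
   age 00:00:00, expires in 00:00:30, 1:1 pkts, 52:52 bytes
   id: 90d5c76500000000 creatorid: 7b2b3e4b gateway: 0.0.0.0
   origif: vlan9
all tcp 192.0.2.10:443 <- 198.51.100.7:51514       ESTABLISHED:ESTABLISHED
   [100 + 65535] wscale 7  [200 + 65535] wscale 7
   age 00:10:00, expires in 23:59:58, 40:38 pkts, 5200:48000 bytes
   id: 0000000000000002 creatorid: 7b2b3e4b gateway: 0.0.0.0
   origif: vlan9
all udp 192.0.2.10:53 <- 198.51.100.7:40000       SINGLE:MULTIPLE
   age 00:01:05, expires in 00:00:42, 3:3 pkts, 210:480 bytes
   id: 0000000000000003 creatorid: 7b2b3e4b gateway: 0.0.0.0
   origif: vlan9
"""

TIMES = re.compile(r"age (\d+):(\d\d):(\d\d), expires in (\d+):(\d\d):(\d\d)")


def to_seconds(hours, minutes, seconds):
    return int(hours) * 3600 + int(minutes) * 60 + int(seconds)


def parse_states(text):
    """Return one dict per state; indented lines belong to the entry above."""
    states, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            fields = line.split()
            # A state header has a direction arrow and ends with the state pair.
            if len(fields) < 4 or not {"<-", "->"} & set(fields):
                cur = None          # unrelated line: skip it and its details
                continue
            cur = {"iface": fields[0], "proto": fields[1],
                   "flow": " ".join(fields[2:-1]), "state": fields[-1],
                   "age": None, "expires_in": None}
            states.append(cur)
        elif cur is not None:
            m = TIMES.search(line)
            if m:
                cur["age"] = to_seconds(*m.group(1, 2, 3))
                cur["expires_in"] = to_seconds(*m.group(4, 5, 6))
    return states


def longest_expiry_by_phase(states):
    """Largest 'expires in' seen per (proto, state pair).

    Matching traffic resets a state's timer, so this maximum is a lower
    bound on the timeout currently in effect for that phase.
    """
    best = defaultdict(int)
    for st in states:
        if st["expires_in"] is not None:
            key = (st["proto"], st["state"])
            best[key] = max(best[key], st["expires_in"])
    return dict(best)


def expiring_within(states, seconds):
    """States that will be purged within `seconds` unless more traffic arrives."""
    return [st for st in states
            if st["expires_in"] is not None and st["expires_in"] <= seconds]


if __name__ == "__main__":
    parsed = parse_states(SAMPLE)
    for (proto, phase), secs in sorted(longest_expiry_by_phase(parsed).items()):
        print(f"{proto:4} {phase:24} >= {secs}s")
    for st in expiring_within(parsed, 60):
        print("expiring soon:", st["proto"], st["flow"], st["expires_in"])
```

On a live system the same functions can be fed the captured text of `pfctl -ss -v -v` instead of `SAMPLE`.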
W52ydUaXOGzuC3Fzl4P/B9yZbVKGW1z0fHBSPW9zI6JK8Me6MWBrGh/1vL3aXPjBcA+y /z3KaBIAgpF9l5+a18Icn64ZmszEsKvRf6SZcaPYZUd1N/RP0NSmf6l/rOOzhTcnTnQi fBAlZykXhAKoW1/B6E2USv8i3Pxj0rGamIeY68MK26o9utP7PMcP9wkU/CMwEMnplzkg 44sA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to; bh=+TjSafVoPen3XprD319iQnwrJbIZLuBnXpBclnIGbNI=; b=P7oo+zBD0CZtQtBvjT2BGG1BmbWGhikiua5ABTicMjjKwF+6/Syw2ehixuXMWUg9V1 O2uRSwgAYA6yp8OMR7beYClgY7izIRjrzQCU1+60CiRId7NsO5/NHBoHKZQyIQaN2Ag1 kRi7SP0XYwM1qJmbXENP+mO7NVW1Kbw5dnTMJk72WSem7Dl8QmMOmWt8ja7NsFMtMtV9 bB1fIxVb8OcX8rMKlliDwqyP3R6g9UDmbK1siFOy99PXBzUeoImTlFyosJO1nNFxy0iO wVd69VHatAikAHeQdzYUoE1WnJb64lh81EhHU8vfR1MvWGvPYd9tUDEp5qhFHkRtdfqp Jpfg== X-Gm-Message-State: AOAM531EbPAjI0XKoxD8CLjP82t6EDQFqRbVdPOZ2hvM8T9fyb41+x8H xXCnG5X3O8I9O0G98FLHN8UHdC6vMxp+hg== X-Google-Smtp-Source: ABdhPJzYfrFZTy6Ns8ri5wH7XGczAcdF25eP3BIpCK72aM/g3z4MqNb9VH27HHqvlFrb0nEdnWAf1Q== X-Received: by 2002:a05:622a:50b:b0:2e1:deae:22dc with SMTP id l11-20020a05622a050b00b002e1deae22dcmr1201140qtx.359.1648670729381; Wed, 30 Mar 2022 13:05:29 -0700 (PDT) Received: from nuc (198-84-189-58.cpe.teksavvy.com. [198.84.189.58]) by smtp.gmail.com with ESMTPSA id e7-20020ac85987000000b002e1b7fa2201sm17745025qte.56.2022.03.30.13.05.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Mar 2022 13:05:28 -0700 (PDT) Date: Wed, 30 Mar 2022 16:05:26 -0400 From: Mark Johnston To: Kristof Provost Cc: Marcel Bischoff , stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pfctl: Cannot allocate memory. 

On Mon, Mar 28, 2022 at 09:44:14AM +0200, Kristof Provost wrote:
> On 27 Mar 2022, at 22:11, Marcel Bischoff wrote:
> > Hello all,
> >
> > when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine.
> >
> > $ doas pfctl -f /etc/pf.conf
> > /etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memory
> > pfctl: Syntax error in config file: pf rules not loaded
> >
> That sounds a lot like https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406

Just a heads-up that this is believed to be fixed now in the main
branch. The fix should appear in stable/13 and hopefully releng/13.1
shortly.

> > My current theory is that this is a bug in the memory allocator somewhere. I do not have the background or time to debug that.

From nobody Fri Apr 1 10:26:58 2022
Subject: Re: pfctl: Cannot allocate memory.
From: Marcel Bischoff
Date: Fri, 1 Apr 2022 12:26:58 +0200
To: Mark Johnston
Cc: stable@freebsd.org, freebsd-pf@freebsd.org
Message-Id: <7A8ACC1E-72C0-4B2F-8B2F-F6A9D64E0630@herrbischoff.com>

> On 30. Mar 2022, at 22:05, Mark Johnston wrote:
>
> On Mon, Mar 28, 2022 at 09:44:14AM +0200, Kristof Provost wrote:
>> On 27 Mar 2022, at 22:11, Marcel Bischoff wrote:
>>> Hello all,
>>>
>>> when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine.
>>>
>>> $ doas pfctl -f /etc/pf.conf
>>> /etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memory
>>> pfctl: Syntax error in config file: pf rules not loaded
>>>
>> That sounds a lot like https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406
>
> Just a heads-up that this is believed to be fixed now in the main
> branch. The fix should appear in stable/13 and hopefully releng/13.1
> shortly.

Thanks for the work on the patch, Mark.

From nobody Fri Apr 1 14:56:28 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Date: Fri, 01 Apr 2022 14:56:28 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: feature, needs-patch
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: tech-lists@zyxst.net
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Flags: mfc-stable12? mfc-stable11?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

tech-lists@zyxst.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tech-lists@zyxst.net

--- Comment #3 from tech-lists@zyxst.net ---
has egress been added? will egress be added?

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Fri Apr 1 14:59:07 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Date: Fri, 01 Apr 2022 14:59:07 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #4 from Kristof Provost ---
(In reply to tech-lists from comment #3)
> has egress been added?
No.

> will egress be added?
Depends. Are you volunteering?

From nobody Fri Apr 1 15:36:22 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Date: Fri, 01 Apr 2022 15:36:22 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

--- Comment #5 from tech-lists@zyxst.net ---
(In reply to Kristof Provost from comment #4)

volunteering for what? coding? I can't code in C, don't know how. I can
volunteer to test a code change though.

But what I was asking here is the status of this issue, which you've answered.

So, why not close down the PR, which has been open since 2019, and give the
reason so that we know?

Please note that "it's not implemented and you/pf haven't got the time" is fine
at least from my viewpoint as a "reason". It allows people who mainly just
consume freebsd rather than program it to make a decision based on fact.

From nobody Fri Apr 1 16:13:12 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Date: Fri, 01 Apr 2022 16:13:12 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

--- Comment #6 from Chris Hutchinson ---
(In reply to tech-lists from comment #5)

IMHO there is zero reason to close this pr(1) until, or unless someone/anyone
has implemented the egress label/keyword/modifier. kp has already indicated he
has no objection. :-)

From nobody Fri Apr 1 16:45:34 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Date: Fri, 01 Apr 2022 16:45:34 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

--- Comment #7 from Kristof Provost ---
(In reply to tech-lists from comment #5)
No, that's a bad idea.

The PR currently correctly reflects the state of the feature request. That is,
it's been requested but has not been implemented and is not currently on the
list of items I plan to work on. It also contains useful pointers for someone
who wants to work on it.

If we close this all that will happen is that someone else will come along with
the same feature request, who will open a new ticket, without any of the useful
information in this one.
--=20 You are receiving this mail because: You are the assignee for the bug.= From nobody Sun Apr 10 21:00:30 2022 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 3C2571A9400A for ; Sun, 10 Apr 2022 21:00:34 +0000 (UTC) (envelope-from bugzilla-noreply@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Kc4Bl6jz6z3hhk for ; Sun, 10 Apr 2022 21:00:31 +0000 (UTC) (envelope-from bugzilla-noreply@FreeBSD.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BFC4F15D1D for ; Sun, 10 Apr 2022 21:00:30 +0000 (UTC) (envelope-from bugzilla-noreply@FreeBSD.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 23AL0Ugg018468 for ; Sun, 10 Apr 2022 21:00:30 GMT (envelope-from bugzilla-noreply@FreeBSD.org) Received: (from bugzilla@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 23AL0UnL018467 for pf@FreeBSD.org; Sun, 10 Apr 2022 21:00:30 GMT (envelope-from bugzilla-noreply@FreeBSD.org) Message-Id: <202204102100.23AL0UnL018467@kenobi.freebsd.org> X-Authentication-Warning: kenobi.freebsd.org: bugzilla set sender to bugzilla-noreply@FreeBSD.org using -f From: bugzilla-noreply@FreeBSD.org To: pf@FreeBSD.org Subject: Problem reports for pf@FreeBSD.org that need special attention 
Date: Sun, 10 Apr 2022 21:00:30 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Sun Apr 17 21:00:49 2022
Message-Id: <202204172100.23HL0nYc020370@kenobi.freebsd.org>
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 17 Apr 2022 21:00:49 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Sun Apr 24 21:01:00 2022
Message-Id: <202204242101.23OL10hA002000@kenobi.freebsd.org>
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 24 Apr 2022 21:01:00 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.

From nobody Wed Apr 27 14:18:48 2022
Message-ID: <80b96c3b-5824-66b3-64e1-ab3cc714b8da@sentex.net>
Date: Wed, 27 Apr 2022 10:18:48 -0400
To: "freebsd-pf@freebsd.org"
From: mike tancsa
Subject: pf and dummynet to releng13 ?

Hi All,

    I know there was work on dummynet and pf in HEAD, are there plans to bring this back to RELENG_13 ?

    ---Mike

From nobody Wed Apr 27 14:21:05 2022
From: Kristof Provost
To: mike tancsa
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and dummynet to releng13 ?
Date: Wed, 27 Apr 2022 16:21:05 +0200
In-Reply-To: <80b96c3b-5824-66b3-64e1-ab3cc714b8da@sentex.net>
References: <80b96c3b-5824-66b3-64e1-ab3cc714b8da@sentex.net>

On 27 Apr 2022, at 16:18, mike tancsa wrote:

> Hi All,
>
>     I know there was work on dummynet and pf in HEAD, are there plans to bring this back to RELENG_13 ?
>

No.

Kristof

From nobody Fri Apr 29 05:24:57 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Date: Fri, 29 Apr 2022 05:24:57 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Fri Apr 29 17:30:27 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Date: Fri, 29 Apr 2022 17:30:27 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: portmaster@bsdforge.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

Chris Hutchinson changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |portmaster@bsdforge.com

--- Comment #1 from Chris Hutchinson ---
With 1,269,713 lines total in 58 tables and a total of a quarter billion IP addresses entered in CIDR notation. I have only the following changes in loader.conf(5)

net.pf.states_hashsize=65536
net.pf.source_nodes_hashsize=16384
net.pf.request_maxcount=2500000

and in pf.conf(5)

set limit table-entries 1700000
set limit states 600000

and I don't experience your trouble.

Were you ever able to load these tables? Are you able to load them during boot? Or is this only a problem when attempting to REload them? If it's re-load that is the problem. You have to understand that generally speaking, you require twice the memory to reload tables as to simply load them.
You would probably do well to merge the files "/etc/spammers" and "/etc/blocklist" into simply "/etc/BLOCKED" and use: table persist file "/etc/BLOCKED" HTH --Chris --=20 You are receiving this mail because: You are the assignee for the bug.= From nobody Sun May 1 10:17:54 2022 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 2C85C1AAE557 for ; Sun, 1 May 2022 10:17:55 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KrhxZ6BFbz3HNZ for ; Sun, 1 May 2022 10:17:54 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B0D9D13B3D for ; Sun, 1 May 2022 10:17:54 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 241AHsOF075193 for ; Sun, 1 May 2022 10:17:54 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 241AHsaV075191 for pf@FreeBSD.org; Sun, 1 May 2022 10:17:54 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: 
From nobody Sun May 1 10:17:54 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Date: Sun, 01 May 2022 10:17:54 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

Marcel Bischoff changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marcel@herrbischoff.com

--- Comment #2 from Marcel Bischoff ---
Also, there was a long-standing issue that was recently resolved with a
patch, see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406 for
context. This regularly bit me up until recently, not being able to load
larger tables until reboot.
From nobody Sun May 1 20:32:58 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Date: Sun, 01 May 2022 20:32:58 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

Kajetan Staszkiewicz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vegeta@tuxpowered.net

--- Comment #3 from Kajetan Staszkiewicz ---
I've encountered the same issue. As far as I understand it's that table
entries limiting finally works properly after
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406 has been fixed.

Sure, there is "set limit table-entries" but that is applied only once
pf.conf is successfully loaded. So if you have a system where you start
with a small amount of table entries and increase it over weeks or
months, and you occasionally raise the limit, all will seem fine until
you reboot. After the reboot the system starts with the default limit
(PFR_KENTRY_HIWAT defined in one of .h files) and if the pf.conf contains
a bigger amount of entries, you won't be able to load it at all and it
won't increase the limit.

I see some possible workarounds:
1. Create a pf-early service which starts before pf and loads a dummy
   file just with a higher limit.
2. Configure PFR_KENTRY_HIWAT and build a custom kernel (that's how I
   did it).

I would not call any of them a real solution. As for those I can imagine
maybe:
1. Have the initial value unlimited, until configured in pf.conf
2. Move it out of "set limit" clause into a sysctl, so that it can be
   applied on boot, just like hash sizes.
From nobody Mon May 2 02:02:13 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Date: Mon, 02 May 2022 02:02:13 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

--- Comment #4 from Chris Hutchinson ---
(In reply to Kajetan Staszkiewicz from comment #3)
While this doesn't /necessarily/ solve the boot problem. You can easily
up the value of set limit table-entries as root at any time to
accommodate higher entries as needed.
As to the problem at boot. One should always have some sort of
accounting for their tables anyway. So that problem seems moot.
From nobody Mon May 2 10:16:33 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Date: Mon, 02 May 2022 10:16:33 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

--- Comment #5 from Kajetan Staszkiewicz ---
> You can easily up the value of set limit table-entries as root at any time

Even if this can be set from command line, it needs to be done *before*
pf.conf is loaded, so a custom service must be written to assure reboot
safety.
From nobody Mon May 2 16:18:53 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Date: Mon, 02 May 2022 16:18:53 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

--- Comment #6 from Chris Hutchinson ---
(In reply to Kajetan Staszkiewicz from comment #5)
I don't understand. Anyone filtering with pf(4) using tables should know
that they will need to monitor the size of the tables in use. Their
system has limits. It is not the responsibility of pf(4) to ensure those
thresholds are set high enough. It is the responsibility of the
administrator. The pfctl(8) man page explains all of this, and also
provides examples.
If the administrator is unwilling to monitor, eventually pf will be
unable to load some table and bail. Leaving it up to the administrator
to discover how large the entry count is. Increase the threshold &&
restart pf(4). It's as simple as that. The whole process shouldn't take
any longer than 20 seconds to perform -- no reboot required.
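A pre-flight check for the situation discussed in comments #3 and #6, as an added example that is not part of the thread or of FreeBSD's rc scripts: it totals the entries in the files a pf.conf loads into tables and compares that total with both the limit set in pf.conf and the default. The helper names, the `<spammers>`/`<blocklist>` table names, the generated addresses and the 200000 default (taken from the bug title) are assumptions; counting lines gives an upper bound on what pf stores.

```sh
#!/bin/sh
# Pre-flight check: do the table files named in a pf.conf fit under the
# table-entries limit, both on a running system and on a fresh boot?

# Default limit (PFR_KENTRY_HIWAT). 200000 comes from the bug title and is
# an assumption here; override it if your kernel was built differently.
DEFAULT_TABLE_ENTRIES=${DEFAULT_TABLE_ENTRIES:-200000}

# Print the table-entries value set in a pf.conf, or the default if none.
# Accepts "set limit table-entries N" and "set limit { ..., table-entries N }".
configured_limit() {
    val=$(sed -n -e 's/#.*//' \
        -e 's/.*set[[:space:]]\{1,\}limit.*table-entries[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' \
        "$1" | tail -n 1)
    echo "${val:-$DEFAULT_TABLE_ENTRIES}"
}

# Print every path named by a file "..." clause on the table lines.
table_files() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "table" {
            line = $0
            while (match(line, /file[ \t]+"[^"]+"/)) {
                clause = substr(line, RSTART, RLENGTH)
                rest = substr(line, RSTART + RLENGTH)
                sub(/^file[ \t]+"/, "", clause); sub(/"$/, "", clause)
                print clause
                line = rest
            }
        }' "$1"
}

# Count addresses in one table file: non-blank lines once comments are gone.
count_entries() {
    [ -r "$1" ] || { echo "warning: cannot read $1" >&2; echo 0; return; }
    awk '{ sub(/#.*/, "") } NF { n++ } END { print n + 0 }' "$1"
}

# Sum the entries of all table files in a pf.conf. $2 is an optional
# directory prefix so the check can run against a staged copy of /etc.
total_entries() {
    table_files "$1" | {
        total=0
        while IFS= read -r f; do
            total=$((total + $(count_entries "$2$f")))
        done
        echo "$total"
    }
}

# Verdict for a pf.conf:
#   ok          fits under the default limit, so it also loads at boot
#   boot-risk   fits only under the raised limit; per comment #3 that limit
#               is not yet in force when pf.conf is loaded after a reboot
#   over-limit  exceeds even the limit set in pf.conf
check_conf() {
    n=$(total_entries "$1" "$2")
    limit=$(configured_limit "$1")
    if [ "$n" -gt "$limit" ]; then echo over-limit
    elif [ "$n" -gt "$DEFAULT_TABLE_ENTRIES" ]; then echo boot-risk
    else echo ok
    fi
}

# Constructed sample under directory $1: a pf.conf that raises the limit to
# 400000 and two table files of 150000 generated addresses each.
make_sample() {
    mkdir -p "$1/etc"
    cat > "$1/etc/pf.conf" <<'EOF'
set limit table-entries 400000
table <spammers> persist file "/etc/spammers"
table <blocklist> persist file "/etc/blocklist"   # second feed
block in quick from { <spammers>, <blocklist> }
EOF
    for name in spammers blocklist; do
        awk 'BEGIN { for (i = 0; i < 150000; i++)
            printf "10.%d.%d.%d\n", int(i / 65536), int(i / 256) % 256, i % 256 }' \
            > "$1/etc/$name"
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    echo "entries:    $(total_entries "$tmp/etc/pf.conf" "$tmp")"
    echo "configured: $(configured_limit "$tmp/etc/pf.conf")"
    echo "verdict:    $(check_conf "$tmp/etc/pf.conf" "$tmp")"
    rm -rf "$tmp"
}
demo
```

On a live system the call is `check_conf /etc/pf.conf`; a `boot-risk` verdict is the case comment #3 describes, where the ruleset loads today but not after a reboot.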
From nobody Wed May 4 14:42:18 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263774] service pf reload does not check that pf is running
Date: Wed, 04 May 2022 14:42:18 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263774

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org
From nobody Sun May 8 21:00:52 2022
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 8 May 2022 21:00:52 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.
--16520436525.97BB7E60.50514--

From nobody Mon May 9 08:29:04 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Date: Mon, 09 May 2022 08:29:04 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|pf@FreeBSD.org              |net@FreeBSD.org

--- Comment #8 from Kristof Provost ---
Reassign to net@, because this is a feature request for the network stack, not
for pf. See comment #1.

From nobody Sat May 21 22:53:29 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264128] Out-of-bounds read in pfctl(8) when run with -a “” (as in “periodic daily”).
Date: Sat, 21 May 2022 22:53:29 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264128

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

From nobody Sun May 22 09:00:42 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264128] Out-of-bounds read in pfctl(8) when run with -a “” (as in “periodic daily”).
Date: Sun, 22 May 2022 09:00:42 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264128

--- Comment #1 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=298663855015c1eba7ccf5b88168f433653eb609

commit 298663855015c1eba7ccf5b88168f433653eb609
Author:     Jessica Clarke
AuthorDate: 2022-05-22 08:31:42 +0000
Commit:     Kristof Provost
CommitDate: 2022-05-22 08:31:42 +0000

    pfctl: fix out-of-bounds access

    If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
    buffer. Check that the buffer is sufficiently long to avoid that.

    Maintain the existing (and desired, because it's used as such in
    /etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
    request for the root anchor (or no anchor specified).

    PR:             264128
    Reviewed by:    kp

 sbin/pfctl/pfctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

From nobody Tue May 24 00:16:42 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade
Date: Tue, 24 May 2022 00:16:42 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
              Flags|                            |mfc-stable13?,
                   |                            |mfc-stable12-
            Summary|Broken scrub max-mss        |pf: scrub max-mss rule
                   |                            |stops working (but still
                   |                            |counts) after 13.1-RELEASE
                   |                            |upgrade
             Blocks|                            |264030
                 CC|                            |net@FreeBSD.org
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org
           Keywords|                            |needs-qa, regression

Referenced Bugs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264030
[Bug 264030] [tracking] 13.1-RELEASE issue reports

From nobody Thu May 26 14:35:03 2022
From: Stefan Haller
To: freebsd-pf@freebsd.org
Subject: macros not working (syntax error) - possible bug?
Date: Thu, 26 May 2022 16:35:03 +0200

Hi,

(After asking the same question on freebsd-questions@ I was encouraged
to ask here.)

When playing around with my pf.conf ruleset I came across the following
oddity:

If I define a macro in the following way:

> foo = "10.0.0.1"
> bar = "10.0.1.1"
> baz = "{" $foo $bar "}"

I can later use the macro $baz inside a filter rule. However, if I store
subnets in my macros it does not work. This can easily be verified by
having a file containing only the following three lines and using
`pfctl -nvf file`:

> foo = "10.0.0.0/24"
> bar = "10.0.1.0/24"
> baz = "{" $foo $bar "}"

I get:

> /tmp/test:3: syntax error

According to the section "macros" in pf.conf(5) the macro definition
looks legit. Could this be a bug in FreeBSD? Just wanted to ask the list
if I am missing something. I tested it on 13.1-RELEASE and CURRENT, I
always get a syntax error.

Best regards,
Stefan Haller

From nobody Thu Jun 2 21:21:31 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade
Date: Thu, 02 Jun 2022 21:21:31 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #1 from Kristof Provost ---
Created attachment 234397
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=234397&action=edit
Teset case

I can't seem to reproduce this here. The attached test case passes on main and
stable/13 for me.

From nobody Sat Jun 4 07:29:16 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade
Date: Sat, 04 Jun 2022 07:29:16 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

--- Comment #2 from oleg@mamontov.net ---
Hello.

My test case looks more complicated, sorry about this. I reproduce it in bhyve
vms freshly installed from FreeBSD-13.0-RELEASE-amd64-disc1.iso and
FreeBSD-13.1-RELEASE-amd64-disc1.iso without any setup customizations.

Below are the preparations (the same for 13.0 and 13.1):
--------
# kldload pf
# touch /etc/pf.conf
# cat /tmp/pf.conf
scrub on epair1b proto tcp max-mss 1380
pass out route-to (epair1b 10.0.1.1) proto tcp to port 25
# cat /etc/jail.conf
mss {
        path = /;
        persist;
        vnet new;
        vnet.interface = epair0b;
        vnet.interface += epair1b;
        exec.prestart = "ifconfig epair0 create";
        exec.prestart += "ifconfig epair0a inet 10.0.0.1/24";
        exec.prestart += "ifconfig epair1 create";
        exec.prestart += "ifconfig epair1a inet 10.0.1.1/24";
        exec.start = "ifconfig epair0b inet 10.0.0.2/24";
        exec.start += "ifconfig epair1b inet 10.0.1.2/24";
        exec.start += "route add default 10.0.0.1";
        exec.start += "service pf onestart";
        exec.start += "pfctl -f /tmp/pf.conf";
        exec.poststop = "ifconfig epair0a destroy";
        exec.poststop += "ifconfig epair1a destroy";
}
# service jail onestart mss
Starting jails: mss.
--------

Now testing on 13.0-RELEASE:
--------
# jexec mss telnet -N 1.2.3.4 25
Trying 1.2.3.4...

# tcpdump -ni epair1a
10:18:27.724252 IP 10.0.0.2.43516 > 1.2.3.4.25: Flags [S], seq 1151646480, win 65535, options [mss 1380,nop,wscale 6,sackOK,TS val 518156570 ecr 0], length 0
----------------------------

The same on 13.1-RELEASE:
--------------------------
# jexec mss telnet -N 1.2.3.4 25
Trying 1.2.3.4...

# tcpdump -ni epair1a
10:24:27.627525 IP 10.0.0.2.42802 > 1.2.3.4.25: Flags [S], seq 2537751742, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 185378837 ecr 0], length 0
----------------------------

I believe you can see the difference (mss 1380 vs 1460).

Thank you.

From nobody Sat Jun 4 08:44:37 2022 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 641B81BD3AA0 for ; Sat, 4 Jun 2022 08:44:39 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LFYGH0H0pz3RB0 for ; Sat, 4 Jun 2022 08:44:39 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 478AF1AB9F for ; Sat, 4 Jun 2022 08:44:38 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with
ESMTP id 2548icG7084747 for ; Sat, 4 Jun 2022 08:44:38 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 2548icBQ084746 for pf@FreeBSD.org; Sat, 4 Jun 2022 08:44:38 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: pf@FreeBSD.org Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade Date: Sat, 04 Jun 2022 08:44:37 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.0-RELEASE X-Bugzilla-Keywords: needs-qa, regression X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: koobs@FreeBSD.org X-Bugzilla-Status: Open X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: pf@FreeBSD.org X-Bugzilla-Flags: mfc-stable13? 
mfc-stable12- X-Bugzilla-Changed-Fields: version Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1654332279; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=awOmN29d9ox52BeIqxn5MOVK+WjK10yNRQjKT3z4gnk=; b=DvBGViyNJXl+i7GYGdFYaGWWaATLQ5+H9fCcls0q9DEzh2GVpuMVndRdwDAH5Rx0eIhNiX v4sBEiHzP14cLQoBjmbkte2jBjk22hibNV1zsD5+x2AnclsapLDVV8u8tW/G9dlrQL23Bg mdA9gsIgaDXGCKaATRFZ3UYdiFrm0GHDwllXiMqnyGoOb3cO90/Mor5a5lVwtLPF6ygaCW Ul6T9UreP7E5XzATkUWz2LqSoiHu6LV67abWf0+F4dck4n24jbdycjdcrephvll1hU79rw 2gaoFoWIjxyThNW1xgag4lbSi8u+4JgzGBrUr5pat4IUuyNvIqOYXVh8aUSs1g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1654332279; a=rsa-sha256; cv=none; b=ZjpGr0GO5zC0VOXhK6dqLmm+dgGZDsCufPmiX5EAv3nRZVu00RAkHO33RA2/qx2xhJ7mv0 G24hzqqERV1m2pu+6/w4VjatU8iye+R9bqSewuHmV6DgOVu1R1gGrmS82cWoF2UrnM/mKB jwgWsQxxZ0XJ2QK/P+FEyHZDez84IqA5rvnFVMUhvrxlvTBOs7icoCn/5NCk0ezEfGkJW7 2ouw7gnwR/yJ27Y7RO7wCfC354NCZd7MygningfzPhJNCwGpMdxOpWloM+ev51s3ZCBkeT MFNEzfD4i3NUba+tu/Sz6xRLMxbWK8upKz9NUND4FBt4qdKqijAKseRWUdM/Cw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264193 Kubilay Kocak changed: What |Removed |Added ---------------------------------------------------------------------------- Version|13.1-RELEASE 
|13.0-RELEASE --- Comment #3 from Kubilay Kocak --- @Reporter Original description stated: "stopped working after upgrading from 13.0-RELEASE-p11 to 13.1-RELEASE." then comment 2: 'I reproduce it in bhyve vms freshly installed from FreeBSD-13.0-RELEASE-amd64-disc1.iso...' Can you confirm this was an issue in 13.0-R (comment 2 seems to indicate th= at), or are there other considerations/changes relevent here, indicating a 13.1 *only* regression? --=20 You are receiving this mail because: You are the assignee for the bug.= From nobody Sat Jun 4 17:12:10 2022 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 56BE81BE00F4 for ; Sat, 4 Jun 2022 17:12:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LFmWt61cTz3mX8 for ; Sat, 4 Jun 2022 17:12:10 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A67A421BA6 for ; Sat, 4 Jun 2022 17:12:10 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 254HCAxC046364 for ; Sat, 4 Jun 2022 17:12:10 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by 
kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 254HCAO2046363 for pf@FreeBSD.org; Sat, 4 Jun 2022 17:12:10 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: pf@FreeBSD.org Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade Date: Sat, 04 Jun 2022 17:12:10 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.0-RELEASE X-Bugzilla-Keywords: needs-qa, regression X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: oleg@mamontov.net X-Bugzilla-Status: Open X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: pf@FreeBSD.org X-Bugzilla-Flags: mfc-stable13? mfc-stable12- X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1654362730; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tKAe8RssOIr1Ha9+gXTHYmRk6AI4QdbfvNI1Ek8+YpM=; b=qSq/yMaIFJ+d41Au1LMzIeQ1mZRuXy3K7f8qUNybFyRs/6rvECJJ1O53fjYZb8WftuDxw/ /E0n5JU7nWXFHgyfZx3kRijl0JRDS4yOSXv90qAmcH4/IpZ7txGPW4W6+YDYHUx/FtWz0J 
x7eAkkYycimIIiiQd8UUlGfnrnR+neTw7mAnp/hf74pm0AcY4CruwbBpxQeWO4dilai2c9 /xZliwSPcZFiOPvueCo2+oeRXb9FVp9Qf1siGe2okeQ7m8NaFIL1EaFa9Np6wds43xjeVR eS1vtLl/Zja7Pkox4NwV0+L4dx5LPdPD6VC6kZFIKaidc1yN3ShnP1I/MZULfw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1654362730; a=rsa-sha256; cv=none; b=dA2/BpVg+MTCWpckQFbBWGm5jx3mZwXMl2bo5m0buAhc6gcHaBaHe53hLiLR9M1mqY+DeW V4gYIOc8TYOIIt/ooWrqxPYDxZukg/bC8YcRSex/1ZzF/wIXgICWSOWmpvYRimG74j2ydV neklT6RzlEtX46GiyhLe/5chH/DbBsFv1Vb7D3c5YikImVisAPu6fJvWaeNByeGKVts9yc Uk4sxh5qrHU1AC2Af9U7Mx4IFfC1MW833HsFCI3soTmoCSxAXgdfjlerIZe+iV6LakYt8g ZzJZqyjKwfNwuaN1ndkovgCLtc5vdLYlgQSfzqgoTxki5lvs10vLRcuLSIoD6A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264193 --- Comment #4 from oleg@mamontov.net --- Sorry if I didn't explain clearly. I meant that I reproduced the behaviour difference between 13.0 and 13.1. So, the regression exists only in 13.1, 13.0 works as expected. Thank you. 

From nobody Mon Jun 6 14:15:08 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade
Date: Mon, 06 Jun 2022 14:15:08 +0000
X-Bugzilla-Who: kp@freebsd.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

--- Comment #5 from Kristof Provost ---
(In reply to oleg from comment #4)
I'm still unable to reproduce this, even with a route-to rule the MSS is
changed.

However, my current suspicion is that this is actually expected behaviour,
given that the traffic is expected to route out through epair0b and there is no
scrub rule on epair0b, only on epair1b. Once traffic is routed out epair1b (as
per the route-to rule) it is not passed through pf again, so the scrub rule
does not apply.

From nobody Mon Jun 6 14:23:48 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade
Date: Mon, 06 Jun 2022 14:23:48 +0000
X-Bugzilla-Who: oleg@mamontov.net

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

--- Comment #6 from oleg@mamontov.net ---
That's weird, did you have a chance to reproduce my test case step by step
without any deviation?

What do you mean by "not passed through pf again"? This is the very first
packet of a new TCP connection, why "again"?

Thank you.

(In reply to Kristof Provost from comment #5)

From nobody Mon Jun 6 14:29:13 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade
Date: Mon, 06 Jun 2022 14:29:13 +0000
X-Bugzilla-Who: kp@freebsd.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

--- Comment #7 from Kristof Provost ---
(In reply to oleg from comment #6)
Packets can pass through pf multiple times. When forwarding they pass through
coming into the network and again on the way out (post-routing), for example.

In this case what I'm saying is that the original SYN packet that starts the
connection (and carries the MSS option) passes through pf once, does not hit
the scrub rule, because it's going to go out epair0b, is then processed by the
'pass route-to' rule, which it matches and causes it to be sent out through
epair1b. It does not pass through pf a second time, so it does not hit the
scrub rule and does not get its MSS adjusted.
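
A check for the symptom discussed in this thread (the scrub rule still counts, but the SYN leaves with its original MSS), as an added example that is not part of the original messages: it parses `tcpdump -n` text output and reports SYN segments whose MSS is above the `max-mss` value. The function and variable names are assumptions of this example; the two SYN lines are the captures posted in comment #2, and the ACK line is constructed.

```python
import re

# One line of `tcpdump -n` text output for a TCP segment, e.g.
#   <ts> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..., options [mss N,...], length 0
SEGMENT = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
MSS_OPTION = re.compile(r"options \[[^\]]*\bmss (\d+)")


def parse_syn(line):
    """Return a dict for a SYN or SYN-ACK segment, or None for anything else.

    Only segments with the SYN flag carry the MSS option, so everything
    else is irrelevant to a max-mss check.
    """
    m = SEGMENT.match(line.strip())
    if not m or "S" not in m["flags"]:
        return None
    mss = MSS_OPTION.search(m["rest"])
    host, _, port = m["dst"].rpartition(".")
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst_host": host,
        "dst_port": int(port) if port.isdigit() else None,
        "mss": int(mss.group(1)) if mss else None,
    }


def unclamped_syns(lines, max_mss, dst_port=None):
    """Return the SYN segments that advertise an MSS above max_mss.

    max-mss only lowers the option, so a smaller MSS is fine; a larger one
    means the scrub rule did not rewrite this packet.
    """
    bad = []
    for line in lines:
        seg = parse_syn(line)
        if seg is None or seg["mss"] is None:
            continue
        if dst_port is not None and seg["dst_port"] != dst_port:
            continue
        if seg["mss"] > max_mss:
            bad.append(seg)
    return bad


# Capture line from comment #2, 13.0-RELEASE (quoted-printable breaks repaired).
CAPTURE_13_0 = [
    "10:18:27.724252 IP 10.0.0.2.43516 > 1.2.3.4.25: Flags [S], seq 1151646480, "
    "win 65535, options [mss 1380,nop,wscale 6,sackOK,TS val 518156570 ecr 0], length 0",
]
# Capture line from comment #2, 13.1-RELEASE, plus one constructed ACK line
# to show that non-SYN segments are ignored.
CAPTURE_13_1 = [
    "10:24:27.627525 IP 10.0.0.2.42802 > 1.2.3.4.25: Flags [S], seq 2537751742, "
    "win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 185378837 ecr 0], length 0",
    "10:24:27.700000 IP 10.0.0.2.42802 > 1.2.3.4.25: Flags [.], ack 1, win 1027, length 0",
]

if __name__ == "__main__":
    for name, capture in (("13.0", CAPTURE_13_0), ("13.1", CAPTURE_13_1)):
        bad = unclamped_syns(capture, max_mss=1380, dst_port=25)
        if not bad:
            print(f"{name}: all SYNs to port 25 are within max-mss 1380")
        for seg in bad:
            print(f"{name}: {seg['ts']} {seg['src']} -> {seg['dst_host']}:"
                  f"{seg['dst_port']} advertises mss {seg['mss']} > 1380")
```

Run against a capture taken on the interface the traffic actually leaves through (epair1a in the test case), this gives a pass/fail answer that can be compared before and after an upgrade or a ruleset change.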
--=20 You are receiving this mail because: You are the assignee for the bug.= From nobody Mon Jun 6 17:21:35 2022 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id DDFF21BD8634 for ; Mon, 6 Jun 2022 17:21:36 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LH0dr3fJxz4mqR for ; Mon, 6 Jun 2022 17:21:36 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 50727251E for ; Mon, 6 Jun 2022 17:21:36 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 256HLaXx087670 for ; Mon, 6 Jun 2022 17:21:36 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 256HLalR087669 for pf@FreeBSD.org; Mon, 6 Jun 2022 17:21:36 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: pf@FreeBSD.org Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade Date: Mon, 06 Jun 2022 17:21:35 +0000 
X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.0-RELEASE X-Bugzilla-Keywords: needs-qa, regression X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: glebius@FreeBSD.org X-Bugzilla-Status: Open X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: pf@FreeBSD.org X-Bugzilla-Flags: mfc-stable13? mfc-stable12- X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1654536096; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=grwqkZBPUk+5+ILA5b/TNIdq/tONujMJhr6r0BwO3P4=; b=xuyYk5nwgTBqi6LGbMvwOp/cGUEypLGlPm1DoognUm3mYJiw28jRoVmk8SOcljm2z5Kka6 VwUCIVirH4n8BnGVj0rbXnJ4UZcxkXXyi/Qw1PQgGyqRVUgQrKIaAAoJxXhT6kZWKdVzib vzPt6PCQxTuK3TyVCLFDV2QmQbhuQqEdGPC0FjS2Tuy66aBGsh+I3WDpSNA59eMYR2nrs2 25KMv3mHzdBAjObXShR+wC/+jVYHp9HdCjlnXI31XpzBHsDqw3Y6IDG21ytvpFw+v9K5I4 u8AUxQGNJ7EkJv67vt42A1oU6S0zhWD7e0zoU61y7WOgEfsEeoeTftdH2JoCWw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1654536096; a=rsa-sha256; cv=none; b=v/oHowC2dWgGpPoDQBVBCCVRTbo8NNiaXUxuG5pcfhoMKCBpFTfCzCHr5TEDeTbfLfNxSo pWsc19QaM3sMe8MUY88mn/nHENL8/EMHdJDhfOXcaOkbkDXpDEmflQxAiAX1rYjMVdpCUd yPLKVg5W46wkYgESp7JJ9LfeIhLvTnYY2NQVoSjgSa9mvOLuHNz54E5l7yscK60CypZ7+d 
NRGkRyxEO5lzoHw/wl8ULVSGkCOdEolMlr9vSIJ0U1sdkKxWsGEC7DwgEiaVtQRvpJcxji 25tTBN/o5WD+4hqVpif4UUJudI/DYGQTyYuVJ6As6uP/6PKoa0kgTdZmKosVjw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264193 Gleb Smirnoff changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |glebius@FreeBSD.org --- Comment #8 from Gleb Smirnoff --- Does it mean on 13.0 it passed pf twice? --=20 You are receiving this mail because: You are the assignee for the bug.= From nobody Mon Jun 6 19:45:58 2022 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id EB3521BD1B75 for ; Mon, 6 Jun 2022 19:46:00 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LH3rS44r5z55tT for ; Mon, 6 Jun 2022 19:46:00 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5BE16466E for ; Mon, 6 Jun 2022 19:45:59 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 256JjwYU069709 for ; Mon, 6 Jun 2022 19:45:58 GMT (envelope-from 
bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 256Jjwml069708 for pf@FreeBSD.org; Mon, 6 Jun 2022 19:45:58 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: pf@FreeBSD.org Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade Date: Mon, 06 Jun 2022 19:45:58 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.0-RELEASE X-Bugzilla-Keywords: needs-qa, regression X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: oleg@mamontov.net X-Bugzilla-Status: Open X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: pf@FreeBSD.org X-Bugzilla-Flags: mfc-stable13? mfc-stable12- X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1654544760; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vSy8/Z3zgEoKWeIFTM9tYCwcGPLf+8IDAm5kWxzdOoc=; b=yj47K82+0kJGcHTDhsrGZ6X+cfn+PxZooU16loehTr6v2ffTKvqzQfd7awU9lgj8MixlTb 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

--- Comment #9 from oleg@mamontov.net ---
Indeed, changing "scrub on epair1b" to "scrub on epair0b" fixes the behaviour on 13.1.

Just a side note: on 13.0 both variants (epair0b and epair1b) work with the same correct result.

Thus, we can summarize that starting from 13.1 the only correct option is:
---
scrub on epair0b proto tcp to port 25 max-mss 1380
pass out route-to (epair1b 10.0.1.1) proto tcp to port 25
---
So we should duplicate *all* the conditions for scrub and route-to rules. In my real case route-to contains not only destination ports but also a set of source/destination addresses. Not very convenient, but not fatal :)

Thank you.
(In reply to Kristof Provost from comment #7)

From nobody Tue Jun 7 14:12:01 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade
Date: Tue, 07 Jun 2022 14:12:01 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

--- Comment #10 from Kristof Provost ---
(In reply to Gleb Smirnoff from comment #8)
It must have changed something to change the behaviour. We've fixed a number of bugs in pf between 13.0 and 13.1, but I'm not sure which of these fixes is responsible.

From nobody Mon Jun 13 10:13:26 2022
From: Kajetan Staszkiewicz
To: freebsd-pf@freebsd.org
Subject: route-to, interfaces and pfsync
Date: Mon, 13 Jun 2022 12:13:26 +0200

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

Hello Group,

I see there is some development (https://github.com/freebsd/freebsd-src/commit/81ef217ad428c29be669aac2166d194db31817a7) happening around the route-to target and pfsync. I personally took a different approach to the same issue (https://github.com/innogames/freebsd/commit/ce0b078c15a3be1aa3e608a937449e8448309fd2), because I had trouble having identical ruleset on 2 routers forming a redundant pair, so that the synced state would match the ruleset. Also once the ruleset is changed, I think the approach which got merged won't really work due to the rules not being there anymore once the ruleset is changed. Please correct me if I'm wrong.

This brings us to OpenBSD. They have decided to drop the interface from route-to targets (https://github.com/openbsd/src/commit/5812a4ad62ca07807ac0bc59f22eb8813e6069bc). How about we do the same? If porting this change from OpenBSD has a chance of getting approved and merged, I'd be willing to work on it. That would obsolete the bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092 opened by me years ago, sorry, I've never delivered the tests I've been asked for :(

Removing the interfaces would also get us closer to fixing route-to with synproxy and syncookies.

-- 
| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
|  Kajetan Staszkiewicz  |  www: http://vegeta.tuxpowered.net   |
`------------------------^--------------------------------------'
From nobody Mon Jun 13 12:33:54 2022
From: Kristof Provost
To: Kajetan Staszkiewicz
Cc: freebsd-pf@freebsd.org
Subject: Re: route-to, interfaces and pfsync
Date: Mon, 13 Jun 2022 14:33:54 +0200
In-Reply-To: <95f8e87d-2145-362b-2e37-79282054caa0@tuxpowered.net>

On 13 Jun 2022, at 12:13, Kajetan Staszkiewicz wrote:

> Hello Group,
>
> I see there is some development
> (https://github.com/freebsd/freebsd-src/commit/81ef217ad428c29be669aac2166d194db31817a7)
> happening around the route-to target and pfsync. I personally took a
> different approach to the same issue
> (https://github.com/innogames/freebsd/commit/ce0b078c15a3be1aa3e608a937449e8448309fd2),
> because I had trouble having identical ruleset on 2 routers forming a
> redundant pair, so that the synced state would match the ruleset. Also
> once the ruleset is changed, I think the approach which got merged
> won't really work due to the rules not being there anymore once the
> ruleset is changed. Please correct me if I'm wrong.
>
You’re correct. The fix you point to will only help if the rules on both sides are the same.

> This brings us to OpenBSD. They have decided to drop the interface
> from route-to targets
> (https://github.com/openbsd/src/commit/5812a4ad62ca07807ac0bc59f22eb8813e6069bc).
> How about we do the same? If porting this change from OpenBSD has a
> chance of getting approved and merged, I'd be willing to work on it.
>
That’s a breaking syntax change, and there’s at least one major FreeBSD/pf user that relies heavily on route-to (i.e. pfSense). So something that’d break that is not going to be easy.

However, (without having looked at the patch in great detail) we might be able to support both the old style `route-to (epair0a 1.2.3.4)` and a new `route-to (1.2.3.4)` or even `route-to (@1.2.3.4)` or something if that disambiguates better. If we can ensure the old style keeps working (with any limitations it currently has), while also supporting the new style that’d give everyone a chance to migrate. We could then remove the old style in say 15.0.

Best regards,
Kristof

From nobody Mon Jun 13 17:49:54 2022
From: Kajetan Staszkiewicz
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: route-to, interfaces and pfsync
Date: Mon, 13 Jun 2022 19:49:54 +0200
Message-ID: <11a48cd5-ac1e-b4bf-7d17-feacdcade9dc@tuxpowered.net>
References: <95f8e87d-2145-362b-2e37-79282054caa0@tuxpowered.net>

On 2022-06-13 14:33, Kristof Provost wrote:

>> This brings us to OpenBSD. They have decided to drop the interface
>> from route-to targets
>> (https://github.com/openbsd/src/commit/5812a4ad62ca07807ac0bc59f22eb8813e6069bc).
>> How about we do the same? If porting this change from OpenBSD has a
>> chance of getting approved and merged, I'd be willing to work on it.
>
>
> That’s a breaking syntax change, and there’s at least one major
> FreeBSD/pf user that relies heavily on route-to (i.e. pfSense). So
> something that’d break that is not going to be easy.
>
> However, (without having looked at the patch in great detail) we might
> be able to support both the old style |route-to (epair0a 1.2.3.4)| and a
> new |route-to (1.2.3.4)| or even |route-to (@1.2.3.4)| or something if
> that disambiguates better. If we can ensure the old style keeps working
> (with any limitations it currently has), while also supporting the new
> style that’d give everyone a chance to migrate. We could then remove the
> old style in say 15.0.

How about I make the parser accept the syntax with the interface and
without it and then ignore the interface, and the pf C code will be all
done without the interface? Would that have a chance of being accepted
into 14.0?

-- 
| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
|  Kajetan Staszkiewicz  |  www: http://vegeta.tuxpowered.net   |
`------------------------^--------------------------------------'
From nobody Mon Jun 13 18:06:41 2022
From: Kristof Provost
To: Kajetan Staszkiewicz
Cc: freebsd-pf@freebsd.org
Subject: Re: route-to, interfaces and pfsync
Date: Mon, 13 Jun 2022 20:06:41 +0200
In-Reply-To: <11a48cd5-ac1e-b4bf-7d17-feacdcade9dc@tuxpowered.net>
References: <95f8e87d-2145-362b-2e37-79282054caa0@tuxpowered.net> <11a48cd5-ac1e-b4bf-7d17-feacdcade9dc@tuxpowered.net>

On 13 Jun 2022, at 19:49, Kajetan Staszkiewicz wrote:
> On 2022-06-13 14:33, Kristof Provost wrote:
>>> This brings us to OpenBSD. They have decided to drop the interface
>>> from route-to targets
>>> (https://github.com/openbsd/src/commit/5812a4ad62ca07807ac0bc59f22eb8813e6069bc).
>>> How about we do the same? If porting this change from OpenBSD has a
>>> chance of getting approved and merged, I'd be willing to work on it.
>>
>>
>> That’s a breaking syntax change, and there’s at least one major FreeBSD/pf user that relies heavily on route-to (i.e. pfSense). So something that’d break that is not going to be easy.
>>
>> However, (without having looked at the patch in great detail) we might be able to support both the old style |route-to (epair0a 1.2.3.4)| and a new |route-to (1.2.3.4)| or even |route-to (@1.2.3.4)| or something if that disambiguates better. If we can ensure the old style keeps working (with any limitations it currently has), while also supporting the new style that’d give everyone a chance to migrate. We could then remove the old style in say 15.0.
>
> How about I make the parser accept the syntax with the interface and without it and then ignore the interface, and the pf C code will be all done without the interface? Would that have a chance of being accepted into 14.0?
>
That’d be a pretty significant behaviour change, so I’m not a fan. It’s bound to trip people up.

Kristof

From nobody Wed Jul 6 08:31:54 2022
From: Turritopsis Dohrnii Teo En Ming
Date: Wed, 6 Jul 2022 16:31:54 +0800
Subject: FreeBSD is a great operating system!
To: freebsd-pf@freebsd.org
Cc: ceo@teo-en-ming-corp.com

Subject: FreeBSD is a great operating system!

Good day from Singapore,

I think FreeBSD is a great operating system! I support FreeBSD because the most popular pfSense firewall, the extremely popular OPNsense firewall and the BSD Router Project are all powered by FreeBSD! macOS is also based on FreeBSD!

I use pfSense community edition firewall in my home. I am planning to try out OPNsense firewall next.

I will continue to support FreeBSD! It is a great operating system! FreeBSD is a very good network operating system.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
6 July 2022 Wed
Blogs:
https://tdtemcerts.blogspot.com
https://tdtemcerts.wordpress.com

From nobody Tue Jul 19 20:02:40 2022
Message-ID: <7126c3de-2eab-733a-863d-0a38c409919e@sentex.net>
Date: Tue, 19 Jul 2022 16:02:40 -0400
To: "freebsd-pf@freebsd.org"
From: mike tancsa
Subject: updating "self" in RELENG_13

I have an endpoint where interfaces come and go or change IP addresses due to dynamic IPs being handed out. One thing I noticed is that if I want to make use of the "self" keyword, the automatic table that it abstracts away does not get automatically updated with new IP addresses. If I manually do a pfctl -f /etc/pf.conf, it fixes the issue. So to automate it, I looked at devd to create

% cat /etc/devd/interface.conf
notify 0 {
    match "system"        "IFNET";
    match "type"          "(LINK_DOWN|LINK_UP)";
    action "/usr/local/bin/interface-change.sh $subsystem $interface";
};

and in the script I call /sbin/pfctl -f /etc/pf.conf

But the next issue I ran into is the interface often comes up before it's given an IP. So to make it work I had to add a

sleep 5 ; /sbin/pfctl -f /etc/pf.conf &

Not really happy with this method as sleeps are a bit hackish and probably won't reliably work. Anyone else run into this issue and how do you work around it ? Or am I approaching it the wrong way ?

I also noticed that if I do something like

 ifconfig lo0 192.168.99.2/32 alias

devd does not fire

    ---Mike

From nobody Wed Jul 20 07:08:47 2022
Message-ID: <5e97f42c-6099-7556-f440-39d549fcbfeb@shurik.kiev.ua>
Date: Wed, 20 Jul 2022 10:08:47 +0300
Subject: Re: updating "self" in RELENG_13
To: pf@freebsd.org
References: <7126c3de-2eab-733a-863d-0a38c409919e@sentex.net>
From: Oleksandr Kryvulia
In-Reply-To: <7126c3de-2eab-733a-863d-0a38c409919e@sentex.net>

19.07.22 23:02, mike tancsa wrote:
> I have an endpoint where interfaces come and go or change IP addresses
> due to dynamic IPs being handed out.  One thing I noticed is that if I
> want to make use of the "self" keyword, the automatic table that it
> abstracts away does not get automatically updated with new IP
> addresses.  If I manually do a pfctl -f /etc/pf.conf, it fixes the
> issue.  So to automate it, I looked at devd to create
>
> % cat /etc/devd/interface.conf
> notify 0 {
>     match "system"        "IFNET";
>     match "type"          "(LINK_DOWN|LINK_UP)";
>     action "/usr/local/bin/interface-change.sh $subsystem $interface";
> };
>
> and in the script I call /sbin/pfctl -f /etc/pf.conf
>
> But the next issue I ran into is the interface often comes up before
> it's given an IP. So to make it work I had to add a
>
> sleep 5 ; /sbin/pfctl -f /etc/pf.conf &
>
> Not really happy with this method as sleeps are a bit hackish and
> probably won't reliably work.  Anyone else run into this issue and how
> do you work around it ? Or am I approaching it the wrong way ?
>
> I also noticed that if I do something like
>
>  ifconfig lo0 192.168.99.2/32 alias
>
> devd does not fire
>
>     ---Mike
>
Hi, using interface groups instead makes sense for you?

From nobody Wed Jul 20 09:55:16 2022
Date: Wed, 20 Jul 2022 11:55:16 +0200
From: Goran Mekić
To: Oleksandr Kryvulia
Cc: pf@freebsd.org
Subject: Re: updating "self" in RELENG_13
Message-ID: <20220720095516.ojesxrxt2lfietez@tilda.center>
References: <7126c3de-2eab-733a-863d-0a38c409919e@sentex.net> <5e97f42c-6099-7556-f440-39d549fcbfeb@shurik.kiev.ua>
In-Reply-To: <5e97f42c-6099-7556-f440-39d549fcbfeb@shurik.kiev.ua>

On Wed, Jul 20, 2022 at 10:08:47AM +0300, Oleksandr Kryvulia wrote:
> Hi, using interface groups instead makes sense for you?

Hello,

I couldn't find the syntax for groups in PF. What is the proper way to
rewrite, for example, the following using group (maybe name it egress to
resemble OpenBSD?):

ext_if = "re0"
nat on $ext_if inet from 192.168.0.0/24 to any -> ($ext_if)

Regards,
meka

From nobody Wed Jul 20 09:59:17 2022
Date: Wed, 20 Jul 2022 12:59:17 +0300
Subject: Re: updating "self" in RELENG_13
To: pf@freebsd.org
References: <7126c3de-2eab-733a-863d-0a38c409919e@sentex.net> <5e97f42c-6099-7556-f440-39d549fcbfeb@shurik.kiev.ua> <20220720095516.ojesxrxt2lfietez@tilda.center>
From: Oleksandr Kryvulia
In-Reply-To: <20220720095516.ojesxrxt2lfietez@tilda.center>

20.07.22 12:55, Goran Mekić wrote:
> On Wed, Jul 20, 2022 at 10:08:47AM +0300, Oleksandr Kryvulia wrote:
>> Hi, using interface groups instead makes sense for you?
> Hello,
>
> I couldn't find the syntax for groups in PF. What is the proper way to
> rewrite, for example, the following using group (maybe name it egress to
> resemble OpenBSD?):
>
> ext_if = "re0"
> nat on $ext_if inet from 192.168.0.0/24 to any -> ($ext_if)

ifconfig re0 group ext_if

then in pf.conf:

nat on ext_if inet from 192.168.0.0/24 to any -> (ext_if)

From nobody Wed Jul 20 12:45:28 2022
Message-ID: <27e13b77-fc6a-1a15-78e9-c09c2cc8d0ae@sentex.net>
Date: Wed, 20 Jul 2022 08:45:28 -0400
Subject: Re: updating "self" in RELENG_13
To: Oleksandr Kryvulia, pf@freebsd.org
References: <7126c3de-2eab-733a-863d-0a38c409919e@sentex.net> <5e97f42c-6099-7556-f440-39d549fcbfeb@shurik.kiev.ua>
From: mike tancsa
In-Reply-To: <5e97f42c-6099-7556-f440-39d549fcbfeb@shurik.kiev.ua>

On 7/20/2022 3:08 AM, Oleksandr Kryvulia wrote:
> 19.07.22 23:02, mike tancsa wrote:
>> I have an endpoint where interfaces come and go or change IP
>> addresses due to dynamic IPs being handed out. One thing I noticed
>> is that if I want to make use of the "self" keyword, the automatic
>> table that it abstracts away does not get automatically updated with
>> new IP addresses. If I manually do a pfctl -f /etc/pf.conf, it fixes
>> the issue. So to automate it, I looked at devd to create
>>
>> % cat /etc/devd/interface.conf
>> notify 0 {
>>     match "system"        "IFNET";
>>     match "type"          "(LINK_DOWN|LINK_UP)";
>>     action "/usr/local/bin/interface-change.sh $subsystem $interface";
>> };
>>
>> and in the script I call /sbin/pfctl -f /etc/pf.conf
>>
>> But the next issue I ran into is the interface often comes up before
>> it's given an IP. So to make it work I had to add a
>>
>> sleep 5 ; /sbin/pfctl -f /etc/pf.conf &
>>
>> Not really happy with this method as sleeps are a bit hackish and
>> probably won't reliably work. Anyone else run into this issue and how
>> do you work around it ? Or am I approaching it the wrong way ?
>>
>> I also noticed that if I do something like
>>
>>  ifconfig lo0 192.168.99.2/32 alias
>>
>> devd does not fire
>>
>>     ---Mike
>>
>
> Hi, using interface groups instead makes sense for you?
>

Maybe. The rules as written are nice and easy to read in this case. If possible I would like to keep using self, but might have to reconsider if there is no easy way to update via devd or some other mechanism

    ---Mike

From nobody Wed Aug 10 08:53:28 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 265649] [pf]: regression: PF ignores translation settings on gre(4)
Date: Wed, 10 Aug 2022 08:53:28 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265649

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Thu Aug 25 09:26:49 2022
Message-ID: <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl>
Date: Thu, 25 Aug 2022 11:26:49 +0200
To: Carlos López Martínez, freebsd-net@FreeBSD.org, freebsd-pf@freebsd.org
From: Marek Zarychta
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

From nobody Thu Aug 25 09:46:30 2022
Message-ID: <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl>
Date: Thu, 25 Aug 2022 11:46:30 +0200
To: Carlos López Martínez, freebsd-net@FreeBSD.org, freebsd-pf@freebsd.org
References: <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl>
From: Marek Zarychta
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

From nobody Thu Aug 25 10:06:00 2022
Date: Thu, 25 Aug 2022 12:06:00 +0200
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
To: Marek Zarychta, freebsd-net@FreeBSD.org, freebsd-pf@freebsd.org
References: <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl> <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl>
From: =?UTF-8?Q?Carlos_L=c3=b3pez_Mart=c3=adnez?= In-Reply-To: <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-TMN: [CxRuUXnI//Q1+x6ufsw03pn9O6EXm/j0] X-ClientProxiedBy: PR3PR09CA0002.eurprd09.prod.outlook.com (2603:10a6:102:b7::7) To PRAP251MB0567.EURP251.PROD.OUTLOOK.COM (2603:10a6:102:29a::16) X-Microsoft-Original-Message-ID: <66fce91b-1a18-2a56-c7be-ab342b93d8fe@outlook.com> List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: a796fe85-d51a-4d0a-1bb7-08da86816a34 X-MS-TrafficTypeDiagnostic: DB9P251MB0233:EE_ X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 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 X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?OC9BRGtnSW8xYnZXanJneXpSQXVnSjA5azZSWGlURDhGd2JIOTRGSDFjZTZw?= =?utf-8?B?SFVjOGppVUpUZGJYZDJGMnJIM0YyeEM4bHZYb1N4VWl1Q01wYUxna2FRQURl?= =?utf-8?B?VVVtQzF3RVlxbjZqTVJ5bGRtYlN1Sys2UWZTS3UzVjJWK0J6a1dXK240aHVt?= =?utf-8?B?NHNVN2xZTVVvOFBvY2ROUzI1bDFtaXhXZ2NsL1FkQUV5RHQ0cm1SbHR4V1d2?= =?utf-8?B?eFVUai9ZTS9oV2hieVFCSzNRREpVNEN5MmJxc1FwbHhFa1hvRWdxcFRRSVc0?= =?utf-8?B?YUdaS1FmRitrdnJvZW9HZVN6RG5tS2x6RllHWEZjNFBibWd2N25sNlZwcmQr?= =?utf-8?B?MzJ5dk5TeUJwaGNzbmlrYzA0YTMydFlxUTI5RzhXYVdtYjkzRDRHbDhQV01Y?= =?utf-8?B?Wmp1WUlONjlyMkNWNnpFanU2UjNwenZxQTNXYVFhdHl5WitmdXpZM1d4aThO?= =?utf-8?B?MXBzZ3dSa0JuNktham9OVlBCODBlUEFQbVNJTTE0ZFlORnhXVHJ2SHg2OE5t?= =?utf-8?B?a0FzWWJYSXRzaEFtUWNmZW51c3hxa0Z2clZCVUQ1TEJCSGF6eGJpa3JFdzAr?= =?utf-8?B?ZEdJSlMyS0RqVWJycXk1MjBIdDJMZFRkQlN1b1p5elNmTnNHdEx1SGdYRFQv?= 
=?utf-8?B?aDdQbDlwbS9GeERWWTRwK0g1TlR3bmhYQTVBampSTjhLTzRRbExrdTVLNEFi?= =?utf-8?B?ZmNNa3R6OERFbklEczhMU0QwUDlQYzZLbUNoRXF3WDZaZjRWSU5SbnlhZGUy?= =?utf-8?B?eXFIUDlaRmhJaTVuSm5idUVPMzdML3hRQU5RemVmQk9XVTZpc0ZobnJ6Zkxv?= =?utf-8?B?ZmxiUzBZcDZYTlpPUjRpWjNGK0RlVEhKRWNpbDNhdGJlditvMU1SeGxNclJN?= =?utf-8?B?RWlTVExUVlhIZFdGU3A0UHNGNFQzOEVSYjdQTURuSzRQSWdpTDI3bVRsU0FY?= =?utf-8?B?dFdzL01XaDJEZldRUU9GTnR1dDRFcVhmaHgzSU5mZ3hIZW9pY3I1NHo2VjBh?= =?utf-8?B?R0l4c0Fmd0RvVXkwaTlXMXo0dDc1bjEvZDNadUtYcHptelUrb1BtOXEyMW9K?= =?utf-8?B?bk8ramN6NlRJelRqRGd2Z0NpVlM4WmR4MytZTklzcWswbFNQL1V4NmthVmlO?= =?utf-8?B?SVR5dk95cHZ6MjBjSThPazFrRkdFbW9XQUZvOG44VFVjZm1keFdpL042bmlx?= =?utf-8?B?dlBpd3oxdmF5R0RLNmZEQ25yVG5TdGJBUCtEQTZ2ditYM3Q3dWllU1VqN2V5?= =?utf-8?B?b1BVQXhpQ2xnOER0K2laSlZoOE1rMmFydGxicGE5dHVjZGJzaVpScTBZRmQ3?= =?utf-8?B?VFRLcnM0dFlXSFhyczY5am9OakEvdW1UdHVhbnF0TC9iVUFkUTdVUEk1TGwz?= =?utf-8?B?Y2U0V1FjTTZjWWlySjhGWk42OE04aiswN1ZmN0VZRGpWMG0vMDBEcmxhbklO?= =?utf-8?B?U0dsRC9SNk5UaVlvcDBXeDRCaXVyMVNJS0t5dFVIMTFKRjJVc1p0anF1OGJ6?= =?utf-8?B?OVVqYVRINGpFQVQ1MXJONWY2ckVkZ0dpemthbUNzWVVMK0diTllnajBDNUhT?= =?utf-8?B?enIzdTlqVHI2YVA3SldvSDl4TUpTQ0dXUjVqbVVtaVdZbDdCYlRDVjNNamNR?= =?utf-8?B?OVlVN2RxR3A4RWtpWmtNa2xoQzdXZ2NSaG5RdFQ2VjNxelhkSFlsNUFpNFRN?= =?utf-8?B?MWQ0eC9EVkJxMlc5aUtiQS90L3R1R0IvMmdJVitiWnhtSEl0dSs2YlNnPT0=?= X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: a796fe85-d51a-4d0a-1bb7-08da86816a34 X-MS-Exchange-CrossTenant-AuthSource: PRAP251MB0567.EURP251.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Aug 2022 10:06:01.9080 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9P251MB0233 X-Rspamd-Queue-Id: 4MCzBM43Hdz3mv4 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=pass 
On 25/08/2022 11:46, Marek Zarychta wrote:
> On 25.08.2022 at 11:32, Carlos López Martínez wrote:
>>
>>
>> On 25/08/2022 11:26, Marek Zarychta wrote:
>>> On 25.08.2022 at 10:48, Carlos López Martínez wrote:
>>>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it
>>>> doesn't work. For example:
>>>>
>>>> rdr on egress inet proto tcp from !<internal_networks> to egress
>>>> port $tcp_services -> $internal_server
>>>>
>>>> pass in on egress inet proto tcp from !<internal_networks> to
>>>> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn
>>>> 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>>>
>>> rdr comes first, so probably the second rule should be:
>>> pass in on egress inet proto tcp from !<internal_networks> to
>>> {(egress:0), $internal_server} port ...
>>> or maybe only:
>>> pass in on egress inet proto tcp from !<internal_networks> to
>>> $internal_server port ...
>>> depending on the desired behavior and the complete set of rules.
>>>
>>> It's also worth mentioning here that PF-specific FreeBSD mailing list
>>> exists: freebsd-pf@freebsd.org
>>>
>>> Regards,
>>
>> Thanks Marek ... But if rdr comes first, pass rule will be not applied
>> right? I mean, how can I apply rate limiting options "flags S/SA keep
>> state (max-src-conn 100...." in a rdr rule?
>>
>>
>
> "rdr" needs "pass" at some point. Unfortunately, I know of no real
> modern, decent PF-FAQ for FreeBSD. Probably digging the internet archive
> would help find something more relevant like this Polish translation[1]
> which hasn't been purged from SourceForge yet.
>
> [1] http://openbsdpl.sourceforge.net/www/faq/pf/pl/rdr.html

Uhmm ... maybe it is a bug? Or not implemented feature? If I put "rdr pass on egress....." redirection works, but no rate limiting option is applied ....

--
Best regards,
C. L. Martinez

From nobody Thu Aug 25 10:16:18 2022
Date: Thu, 25 Aug 2022 12:16:18 +0200
From: kaycee gb
To: freebsd-pf@freebsd.org
Cc: freebsd-net@FreeBSD.org
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?

On Thu, 25 Aug 2022 11:32:57 +0200, Carlos López Martínez wrote:

> On 25/08/2022 11:26, Marek Zarychta wrote:
> > On 25.08.2022 at 10:48, Carlos López Martínez wrote:
> [...]
> >
> > rdr comes first, so probably the second rule should be:
> > pass in on egress inet proto tcp from !<internal_networks> to
> > {(egress:0), $internal_server} port ...
> > or maybe only:
> > pass in on egress inet proto tcp from !<internal_networks> to
> > $internal_server port ...
> > depending on the desired behavior and the complete set of rules.
> >
> > It's also worth mentioning here that PF-specific FreeBSD mailing list
> > exists: freebsd-pf@freebsd.org
> >
> > Regards,
>
> Thanks Marek ... But if rdr comes first, pass rule will be not applied
> right? I mean, how can I apply rate limiting options "flags S/SA keep
> state (max-src-conn 100...." in a rdr rule?
>
>

Hi,

It should be applied.

If you have a rdr pass ... rule you can't apply options like rate limiting IIRC.

As Marek said, you need both rdr and pass rules and his example seems good.

Your rdr rule with
> > or maybe only:
> > pass in on egress inet proto tcp from !<internal_networks> to
> > $internal_server port ...

is what I would do. Have you tried it? Or maybe a "pass in quick ..." variant. I'm a fan of quick option.

Another option would be to use tag option

rdr on egress ... tag INTSERVICES -> ...
pass in on egress tagged INTSERVICES flags ...

or with quick option

pass in quick on egress tagged INTSERVICES flags ...

Hope that helps.

K.
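[Added example, not part of any message in this thread.] The tag-based approach suggested above, written out as a pf.conf fragment beside the two variants the thread reports as not rate limiting. The port list, server address and table contents are constructed values (assumptions); the table names, the egress interface and the INTSERVICES tag are the ones used in the quoted rules.

```pf
# --- Macros (constructed sample values, not from the thread) ---
tcp_services    = "{ 22, 443 }"
internal_server = "192.0.2.10"

# --- Tables ---
# Contents of <internal_networks> are an assumption for this example.
table <internal_networks> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Filled by the "overload" option below when a source exceeds the limits.
table <bruteforce> persist

# --- Translation rules (evaluated before the filter rules) ---

# Variant 1, no rate limiting: with "rdr pass" the packet is passed
# without the filter rules being inspected, so no pass rule and none of
# its state options are ever applied.
#   rdr pass on egress inet proto tcp from !<internal_networks> to egress \
#       port $tcp_services -> $internal_server

# Working variant: plain rdr that tags the redirected connection, so the
# filter rule can select it by tag instead of by destination address.
rdr on egress inet proto tcp from !<internal_networks> to egress \
    port $tcp_services tag INTSERVICES -> $internal_server

# --- Filter rules ---

# Drop sources that were moved into <bruteforce> by the overload option.
block in quick from <bruteforce>

# Variant 2, never matches the redirected traffic: by the time filter
# rules run, rdr has already rewritten the destination to
# $internal_server, so "to (egress:0)" no longer describes the packet.
#   pass in on egress inet proto tcp from !<internal_networks> \
#       to (egress:0) port $tcp_services flags S/SA keep state \
#       (max-src-conn 100, max-src-conn-rate 15/5, \
#        overload <bruteforce> flush global)

# Working variant: match on the tag set by the rdr rule. "quick" keeps a
# later, more general pass rule from taking over without the limits.
pass in quick on egress inet proto tcp tagged INTSERVICES \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Running pfctl -nf on the file checks the syntax without loading it, and pfctl -t bruteforce -T show lists the sources that have tripped the limits.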
From nobody Thu Aug 25 10:16:59 2022
Date: Thu, 25 Aug 2022 12:16:59 +0200
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
To: Carlos López Martínez, freebsd-pf@freebsd.org
From: Marek Zarychta

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 25.08.2022 at 12:06, Carlos López Martínez wrote:
>
>
> On 25/08/2022 11:46, Marek Zarychta wrote:
>> On 25.08.2022 at 11:32, Carlos López Martínez wrote:
>>>
>>>
>>> On 25/08/2022 11:26, Marek Zarychta wrote:
>>>> On 25.08.2022 at 10:48, Carlos López Martínez wrote:
>>>>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it
>>>>> doesn't work. For example:
>>>>>
>>>>> rdr on egress inet proto tcp from !<internal_networks> to egress
>>>>> port $tcp_services -> $internal_server
>>>>>
>>>>> pass in on egress inet proto tcp from !<internal_networks> to
>>>>> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn
>>>>> 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>>>>
>>>> rdr comes first, so probably the second rule should be:
>>>> pass in on egress inet proto tcp from !<internal_networks> to
>>>> {(egress:0), $internal_server} port ...
>>>> or maybe only:
>>>> pass in on egress inet proto tcp from !<internal_networks> to
>>>> $internal_server port ...
>>>> depending on the desired behavior and the complete set of rules.
>>>>
>>>> It's also worth mentioning here that PF-specific FreeBSD mailing
>>>> list exists: freebsd-pf@freebsd.org
>>>>
>>>> Regards,
>>>
>>> Thanks Marek ... But if rdr comes first, pass rule will be not
>>> applied right? I mean, how can I apply rate limiting options "flags
>>> S/SA keep state (max-src-conn 100...." in a rdr rule?
>>>
>>>
>>
>> "rdr" needs "pass" at some point. Unfortunately, I know of no real
>> modern, decent PF-FAQ for FreeBSD. Probably digging the internet
>> archive would help find something more relevant like this Polish
>> translation[1] which hasn't been purged from SourceForge yet.
>>
>> [1] http://openbsdpl.sourceforge.net/www/faq/pf/pl/rdr.html
>
> Uhmm ... maybe it is a bug? Or not implemented feature? If I put "rdr
> pass on egress....." redirection works, but no rate limiting option is
> applied ....
>

Please take a look at pf.conf(5), it's still a valid and relevant source of information on how to master your ruleset. Try to separate "rdr" from "pass" and use two rules like before. The "pass" rule might have an "overload ⟨table⟩" state limiting option and this should work.


--
Marek Zarychta

From nobody Thu Aug 25 11:12:39 2022
Date: Thu, 25 Aug 2022 13:12:39 +0200
From: Marcel Bischoff
To: pf@freebsd.org
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?

On 22/08/25, Marek Zarychta wrote:

>Unfortunately, I know of no real modern, decent PF-FAQ for FreeBSD.

Same here. I wondered several times why that is. PF on FreeBSD is quite different from PF on OpenBSD, so the latter's documentation often gets you just halfway there.

Does anyone know of (and would care to share) a collection of annotated examples, covering common pitfalls as well?

/\/\

From nobody Thu Aug 25 12:26:26 2022
Date: Thu, 25 Aug 2022 14:26:26 +0200
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
To: freebsd-pf@freebsd.org, freebsd-net@FreeBSD.org
From: Carlos López Martínez

On 25/08/2022 12:20, Michael Gmelin wrote:
>
>
> On Thu, 25 Aug 2022 10:48:45 +0200
> Carlos López Martínez wrote:
>
>> Hi all,
>>
>> I am trying to rate limit public connections for certain services to
>> avoid brute-force attacks under a FreeBSD 13.1 firewall. Under OpenBSD
>> it is "pretty simple" with a rule like:
>>
>> table persist
>> block quick from
>> pass inet proto tcp from ! to (egress:0) port
>> $tcp_services \
>> flags S/SA keep state \
>> (max-src-conn 100, max-src-conn-rate 15/5, \
>> overload flush global) rdr-to $internal_server
>>
>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it
>> doesn't work. For example:
>>
>> rdr on egress inet proto tcp from !<internal_networks> to egress port
>> $tcp_services -> $internal_server
>>
>> pass in on egress inet proto tcp from !<internal_networks> to
>> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn
>> 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>>
>> Any idea about what am I doing wrong?
>
> Your pass rule won't match the rdr rule, as it is matched *after*
> rdr was applied. So at this point the target address is not egress:0,
> anymore, but $internal_server.
>
> If your traffic passes anyway, it's probably matched by some other more
> general rule.
>
> You could simplify your config by using tags, which could look like
> this:
>
> rdr on egress inet proto tcp from ! to \
> egress port $tcp_services tag pass_rate_limit -> $internal_server
>
> pass in quick flags S/SA keep state (max-src-conn 100, \
> max-src-conn-rate 15/5, overload flush global) \
> tagged pass_rate_limit
>
> Using the "pass quick" rule early in your pf.conf will make sure it is
> applied instead of other matching rules.
>
> Cheers
> Michael
>

It is working now using "rdr on egress... tag..." and "pass in quick .... tagged ...."

Many thanks Michael and kaycee

--
Best regards,
C. L. Martinez

From nobody Thu Sep 1 12:36:13 2022
From: bugzilla-noreply@freebsd.org To: pf@FreeBSD.org Subject: [Bug 265649] [pf]: regression: PF ignores translation settings on gre(4) Date: Thu, 01 Sep 2022 12:36:13 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: eugene@zhegan.in X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: pf@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1662035773; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bNfmc1q5Ht1Eo9WScSb/+oa0c4TfqlUqZC75PsWfh64=; b=ONI0IQ2ii28c09P6mfzzdgq3w4eor1jtzUjlDBPTxVkl4BsIP3yEB1A5azGpZGEdlTCcXA cj4VERUktXgxxtsQb8zvyMQzxmpdqnvWpHUafh0rQ7n9UmwrQW62eu+GBkqDipo37I1iUf IA4ezATp3ItCwvnw/epKsbzx9pgTQCTiHJ5RFpJxB6WAYEYtTNdJbNmpWE6ZQ1EMuG7qdj m1udkSpFR/W8zXyPpT9PN6pG1fEF3yXXz53mdQXTqoWJjejR7jj2in+9OhSsApJj6EgRGF yz4vJZAmyvdnwPpyJJH+UnFHPuZqBZGufCV2JbgeczTd/X1+g5uWcJ5EXLQH9Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1662035773; a=rsa-sha256; cv=none; b=RqASOLAZtdQHq2bmrIHel1zOO4qaaXIQcn61Oiqr25DNneS0MZV+HBgSf0dxdHcfvC2tkA 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265649

--- Comment #1 from Eugene M. Zheganin ---
Furthermore, PF seems to merely ignore the gre proto entirely, these rules also
seem to be non-working on 13.x for gre (I see untranslated IP src for gre
packets leaving the router):

nat on $oif proto { tcp, udp, icmp, gre } from to any -> $natip1
nat on $oif2 proto { tcp, udp, icmp, gre } from to any -> $oip2

--
You are receiving this mail because:
You are the assignee for the bug.

From nobody Mon Sep 12 08:50:11 2022
From: Özkan KIRIK
Date: Mon, 12 Sep 2022 11:50:11 +0300
Subject: pfctl -v -sr performance
To: freebsd-pf@freebsd.org

Hi,

I'm using the FreeBSD stable/12 branch. My pf ruleset has 8000 rules.
I'm collecting hit counters with a 5 seconds interval. But the command
pfctl -v -sr -a "anchorname" takes about 15 seconds.

Is it possible to speed up?
Thanks,
Regards

From nobody Mon Sep 19 14:52:00 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 266477] PF does not obey ICMP rate limits
Date: Mon, 19 Sep 2022 14:52:00 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266477

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

From nobody Sat Sep 24 13:32:50 2022
From: Kristof Provost
To: FreeBSD pf
Cc: Eirik Øverby
Subject: RFC: enabling pf syncookies by default
Date: Sat, 24 Sep 2022 15:32:50 +0200

Hi,

During EuroBSDCon
2022 Eirik asked why we don’t enable pf’s syncookie feature (in adaptive mode) by default. I don’t really have a good answer, so I’m inclined to make this change. For those not familiar with it, syncookies are a mechanism to resist syn flood DoS attacks. They’re enabled by default in the IP stack, but if you’re running pf a syn flood would still exhaust pf’s state table, even if the network stack itself could cope. In adaptive mode all pf does is track the number of half-open states (as created when a SYN packet arrives). If that exceeds a set limit the syncookie feature activates. The upside of that is that all we pay for is the counting of the number of half-open states, which has no meaningful performance impact, at least until we exceed the high water mark. Does anyone see a good reason not to do so? Best regards, Kristof Proposed patch: commit 77b5994c89945e52eb23ec6f5810a1186abc6df4 (HEAD -> main) Author: Kristof Provost Date: Sat Sep 24 14:49:25 2022 +0200 pf: default syncookies to adaptive mode The cost of enabling syncookies in adaptive mode is very low (basically a single atomic add when we create a new half-open state), and the payoff when under SYN flood is huge. So, enable adaptive mode by default. Suggested by: Eirik Øverby diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 84235031f8e6..4e1eafe016f1 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -311,6 +311,8 @@ pfattach_vnet(void) { u_int32_t *my_timeout = V_pf_default_rule.timeout; + bzero(&V_pf_status, sizeof(V_pf_status)); + pf_initialize(); pfr_initialize(); pfi_initialize_vnet(); @@ -379,7 +381,6 @@ pfattach_vnet(void) my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START; my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END; - bzero(&V_pf_status, sizeof(V_pf_status)); V_pf_status.debug = PF_DEBUG_URGENT; V_pf_pfil_hooked = 0; diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c index 6a375411d8ea..c16d9f3509fd 100644 
--- a/sys/netpfil/pf/pf_syncookies.c +++ b/sys/netpfil/pf/pf_syncookies.c @@ -126,7 +126,12 @@ pf_syncookies_init(void) { callout_init(&V_pf_syncookie_status.keytimeout, 1); PF_RULES_WLOCK(); - pf_syncookies_setmode(PF_SYNCOOKIES_NEVER); + V_pf_syncookie_status.hiwat = PF_SYNCOOKIES_HIWATPCT * + V_pf_limits[PF_LIMIT_STATES].limit / 100; + V_pf_syncookie_status.lowat = PF_SYNCOOKIES_LOWATPCT * + V_pf_limits[PF_LIMIT_STATES].limit / 100; + pf_syncookies_setmode(PF_SYNCOOKIES_ADAPTIVE); + PF_RULES_WUNLOCK(); } --=_MailMate_B0ABA760-8B22-4E97-877C-F6677A50B102_= Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
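Review bot: the first pf_ioctl.c hunk hoists bzero(&V_pf_status, sizeof(V_pf_status)) above pf_initialize() in pfattach_vnet(), and neither a code comment nor the commit message explains the ordering dependency that makes this necessary. If one of the initializers called after it now stores a value in V_pf_status that the old, later bzero would have wiped, say so in a short comment above the new bzero line, so a future cleanup does not move it back down and silently reset that state.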
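Review bot: in the pf_syncookies.c hunk, hiwat and lowat are derived once, in pf_syncookies_init(), from V_pf_limits[PF_LIMIT_STATES].limit, so they track whatever the state limit happens to be at init time; nothing in this patch recomputes them when the limit is changed later, which would leave adaptive mode triggering at a threshold unrelated to the real table size. Please either recompute both watermarks wherever the states limit is updated or point to the existing path that does. It is also worth confirming that V_pf_limits is populated before this function runs and that PF_SYNCOOKIES_HIWATPCT * limit cannot wrap before the division by 100 for very large limits.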

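The adaptive behaviour described in the message above, as a user-space C model added here for illustration; it is not pf's code. The struct and function names are hypothetical, the 1000-state limit and the 25%/12% watermark percentages are constructed sample values, and switching cookies off again at the low watermark is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model with hypothetical names; not code from pf. */
struct adaptive_sc {
	uint32_t hiwat;        /* activate when half_open rises above this */
	uint32_t lowat;        /* deactivate once half_open is at or below this */
	uint32_t half_open;    /* states created by a SYN, handshake unfinished */
	uint32_t cookies_sent; /* SYNs answered statelessly while active */
	bool     active;
};

/* pct percent of limit, computed in 64 bits so pct * limit cannot wrap. */
static uint32_t
watermark(uint32_t pct, uint32_t limit)
{
	return ((uint32_t)((uint64_t)pct * limit / 100));
}

static void
sc_init(struct adaptive_sc *sc, uint32_t state_limit, uint32_t hi_pct,
    uint32_t lo_pct)
{
	sc->hiwat = watermark(hi_pct, state_limit);
	sc->lowat = watermark(lo_pct, state_limit);
	sc->half_open = 0;
	sc->cookies_sent = 0;
	sc->active = false;
}

/*
 * A SYN arrives. Returns true if it was answered with a cookie (no state
 * allocated), false if a half-open state was created for it.
 */
static bool
sc_on_syn(struct adaptive_sc *sc)
{
	if (sc->active) {
		sc->cookies_sent++;
		return (true);
	}
	sc->half_open++;	/* the only cost paid in normal operation */
	if (sc->half_open > sc->hiwat)
		sc->active = true;
	return (false);
}

/*
 * n half-open states completed the handshake or timed out. Re-checking the
 * low watermark here is a modelling assumption; the message only describes
 * the activation side.
 */
static void
sc_half_open_gone(struct adaptive_sc *sc, uint32_t n)
{
	sc->half_open -= (n > sc->half_open) ? sc->half_open : n;
	if (sc->active && sc->half_open <= sc->lowat)
		sc->active = false;
}

/* Feed `syns` SYNs in a row and return how many of them allocated state. */
static uint32_t
sc_flood(struct adaptive_sc *sc, uint32_t syns)
{
	uint32_t stateful = 0;

	for (uint32_t i = 0; i < syns; i++)
		if (!sc_on_syn(sc))
			stateful++;
	return (stateful);
}

int
main(void)
{
	struct adaptive_sc sc;

	/* Constructed sample values: 1000-state limit, 25% / 12% watermarks. */
	sc_init(&sc, 1000, 25, 12);
	uint32_t stateful = sc_flood(&sc, 400);
	printf("hiwat=%u lowat=%u stateful=%u cookies=%u active=%d\n",
	    sc.hiwat, sc.lowat, stateful, sc.cookies_sent, sc.active);
	sc_half_open_gone(&sc, 100);	/* still above lowat: cookies stay on */
	printf("half_open=%u active=%d\n", sc.half_open, sc.active);
	sc_half_open_gone(&sc, 40);	/* at or below lowat: cookies turn off */
	printf("half_open=%u active=%d\n", sc.half_open, sc.active);
	return (0);
}
```

The state table never grows past the high watermark plus one entry during the flood, which is the property that keeps the rest of the table available for established connections.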
--=_MailMate_B0ABA760-8B22-4E97-877C-F6677A50B102_=-- From nobody Tue Sep 27 19:24:50 2022 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4McV224KWzz4cjpV for ; Tue, 27 Sep 2022 19:24:58 +0000 (UTC) (envelope-from lyndon@orthanc.ca) Received: from orthanc.ca (orthanc.ca [208.79.93.154]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4McV213w9nz46qS; Tue, 27 Sep 2022 19:24:57 +0000 (UTC) (envelope-from lyndon@orthanc.ca) Received: from orthanc.ca (localhost [127.0.0.1]) by orthanc.ca (OpenSMTPD) with ESMTP id ded123e4; Tue, 27 Sep 2022 12:24:50 -0700 (PDT) From: "Lyndon Nerenberg (VE7TFX/VE6BBM)" To: Kristof Provost cc: FreeBSD pf , Eirik =?utf-8?q?=C3=98verby?= Subject: Re: RFC: enabling pf syncookies by default In-reply-to: References: Comments: In-reply-to Kristof Provost message dated "Sat, 24 Sep 2022 15:32:50 +0200." 
List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-ID: <35170.1664306690.1@orthanc.ca> Content-Transfer-Encoding: 8bit Date: Tue, 27 Sep 2022 12:24:50 -0700 Message-ID: X-Rspamd-Queue-Id: 4McV213w9nz46qS X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of lyndon@orthanc.ca designates 208.79.93.154 as permitted sender) smtp.mailfrom=lyndon@orthanc.ca X-Spamd-Result: default: False [-3.29 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; NEURAL_HAM_LONG(-0.99)[-0.986]; R_SPF_ALLOW(-0.20)[+ip4:208.79.93.154]; MIME_GOOD(-0.10)[text/plain]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-pf@freebsd.org]; ASN(0.00)[asn:25795, ipnet:208.79.88.0/21, country:US]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; ARC_NA(0.00)[]; TO_DN_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[orthanc.ca]; RCPT_COUNT_THREE(0.00)[3]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Kristof Provost writes: > For those not familiar with it, syncookies are a mechanism to resist syn > flood DoS attacks. They’re enabled by default in the IP stack, but if > you’re running pf a syn flood would still exhaust pf’s state table, > even if the network stack itself could cope. I'm not sure of the lineage of pf's syncookie code in FreeBSD, but before you do this you should look at the recent set of patches Henning committed to the OpenBSD -snapshot pf source. 
We found an evil bug lurking in pf where, if a single source address was recycling source ports fast enough to re-use the same source addr:port pair while the old connection still had a FINWAIT2 state table entry, the new connection attempt would get dropped on the floor. The patch cleaned up most of the problem, but when we recently put the patched pf into production we were still seeing dropped connection requests. We haven't been able to specifically reproduce the problem yet, but if you're front-ending a busy web site, e.g., I would be wary of enabling syncookies at the moment until this bug gets stamped out once and for all. --lyndon From nobody Wed Sep 28 09:44:25 2022 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Mcs5m6MYgz4dRtq for ; Wed, 28 Sep 2022 09:44:28 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Mcs5m5rgfz49F3; Wed, 28 Sep 2022 09:44:28 +0000 (UTC) (envelope-from kp@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1664358268; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jZeWS3UWzGwu60Y0N7GMSH+83ZT6sD+HWgd6QXq17z8=; b=HvNu+QvuoliYHHH5x5lTwIa4ZsWrj1DFGsTVINJdlMoG5vkSQiZzMERzTX+RMVaO64ZT2W Jy+XxoDlSzJyONdFkqnedpWcO9ZuSc40Z+59OFQnpKr7WJyOnWKVZGMp8OEM3BsvgDqe1G zpu6QQvwML53Mddyxt1l/4YJGkwX6sv3ncDflGeHc3AuxkFcvKr6ADqyOQ7ULVDOywpige 
From: Kristof Provost
To: "Lyndon Nerenberg (VE7TFX/VE6BBM)"
Cc: FreeBSD pf, Eirik Øverby
Subject: Re: RFC: enabling pf syncookies by default
Date: Wed, 28 Sep 2022 11:44:25 +0200

On 27 Sep 2022, at 21:24, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> Kristof Provost writes:
>
>> For those not familiar with it, syncookies are a mechanism to resist syn
>> flood DoS attacks. They’re enabled by default in the IP stack, but if
>> you’re running pf a syn flood would still exhaust pf’s state table,
>> even if the network stack itself could cope.
>
> I'm not sure of the lineage of pf's syncookie code in FreeBSD, but
> before you do this you should look at the recent set of patches
> Henning committed to the OpenBSD -snapshot pf source.
>
> We found an evil bug lurking in pf where, if a single source address
> was recycling source ports fast enough to re-use the same source
> addr:port pair while the old connection still had a FINWAIT2 state
> table entry, the new connection attempt would get dropped on the
> floor. The patch cleaned up most of the problem, but when we
> recently put the patched pf into production we were still seeing
> dropped connection requests. We haven't been able to specifically
> reproduce the problem yet, but if you're front-ending a busy web
> site, e.g., I would be wary of enabling syncookies at the moment
> until this bug gets stamped out once and for all.
>

Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.

I’ve not yet heard any reports of similar issues on FreeBSD, but that doesn’t mean they don’t exist of course.

At a minimum I’ll hold off on making this change until I’ve had a chance to work out if we’re affected by the issue Henning fixed or not.

Eirik, do you have instrumentation to work out if this is happening to you?

Best regards,
Kristof

From: Kristof Provost
To: Eirik Øverby
Cc: "Lyndon Nerenberg (VE7TFX/VE6BBM)", FreeBSD pf
Subject: Re: RFC: enabling pf syncookies by default
Date: Wed, 28 Sep 2022 12:00:48 +0200
Message-ID: <110D82E0-1A45-4665-9FB6-55001FB2BC34@FreeBSD.org>
In-Reply-To: <6e1bfd9b47bd851de7b0c57862e960f0d80afe67.camel@modirum.com>

On 28 Sep 2022, at 11:53, Eirik Øverby wrote:
> On Wed, 2022-09-28 at 11:44 +0200, Kristof Provost wrote:
>> On 27 Sep 2022, at 21:24, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
>>> Kristof Provost writes:
>>>
>>>> For those not familiar with it, syncookies are a mechanism to resist syn
>>>> flood DoS attacks. They’re enabled by default in the IP stack, but if
>>>> you’re running pf a syn flood would still exhaust pf’s state table,
>>>> even if the network stack itself could cope.
>>>
>>> I'm not sure of the lineage of pf's syncookie code in FreeBSD, but
>>> before you do this you should look at the recent set of patches
>>> Henning committed to the OpenBSD -snapshot pf source.
>>>
>>> We found an evil bug lurking in pf where, if a single source address
>>> was recycling source ports fast enough to re-use the same source
>>> addr:port pair while the old connection still had a FINWAIT2 state
>>> table entry, the new connection attempt would get dropped on the
>>> floor. The patch cleaned up most of the problem, but when we
>>> recently put the patched pf into production we were still seeing
>>> dropped connection requests. We haven't been able to specifically
>>> reproduce the problem yet, but if you're front-ending a busy web
>>> site, e.g., I would be wary of enabling syncookies at the moment
>>> until this bug gets stamped out once and for all.
>>>
>> Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.
>>
>> I’ve not yet heard any reports of similar issues on FreeBSD, but that doesn’t mean they don’t exist of course.
>>
>> At a minimum I’ll hold off on making this change until I’ve had a chance to work out if we’re affected by the issue Henning fixed or not.
>>
>> Eirik, do you have instrumentation to work out if this is happening to you?
>
> Sadly no - we'd need some guidance on that. But I assume it would only
> be an issue if we're above the watermark for adaptive mode, right?
>

Yes. While we’re inactive in adaptive mode there’s no difference in behaviour.

Kristof

From: Kristof Provost
To: "Lyndon Nerenberg (VE7TFX/VE6BBM)"
Cc: FreeBSD pf, Eirik Øverby
Subject: Re: RFC: enabling pf syncookies by default
Date: Thu, 29 Sep 2022 18:01:42 +0200
Message-ID: <451789B9-8490-43F5-A614-E55B90C08898@FreeBSD.org>

On 28 Sep 2022, at 11:44, Kristof Provost wrote:
> Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.
>

So I’ve found a bit of time to look at this, and I think I understand the problem now, and I’m also pretty sure it affects FreeBSD too. Porting the OpenBSD fix to FreeBSD should be possible without too much difficulty.

That said, I’m going to try to build a test case for this first, to make sure I actually understand the problem correctly.

In the mean time, I’ll drop my notes-to-self here, in case anyone else wants to play (or tell me I’m wrong):

> Basic scenario: we have a closed connection (In TCPS_FIN_WAIT_2), and get a new connection (i.e. SYN) re-using the tuple.
> Without syncookies we look at the SYN, and completely unlink the old, closed state on the SYN.
> With syncookies we send a generated SYN|ACK back, and drop the SYN, never looking at the state table.
> So when the ACK turns up, as the last part of connection setup, we’ve not actually removed the old state, so we find it, and don’t do the syncookie dance, or allow the new connection to get set up.

Best regards,
Kristof

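The scenario in the notes-to-self above, replayed as a small state-table model in C. This is an added illustration, not pf source code and not the OpenBSD fix: the type and function names and the sample tuple are made up, and MODE_SYNCOOKIES_LOOKUP (unlink a closed state before sending the cookie) is a hypothetical variant included only for contrast.

```c
/* Simplified model of the scenario in the notes above. NOT pf source code:
 * all names, the sample tuple and MODE_SYNCOOKIES_LOOKUP are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum tcp_state { ST_FREE = 0, ST_SYN_SENT, ST_ESTABLISHED, ST_FIN_WAIT_2 };
enum mode {
    MODE_NO_SYNCOOKIES,    /* SYN is matched against the state table */
    MODE_SYNCOOKIES,       /* SYN answered with a cookie, table never read */
    MODE_SYNCOOKIES_LOOKUP /* hypothetical: unlink closed state, then cookie */
};
enum verdict { V_NEW_STATE, V_COOKIE_SENT, V_STALE_STATE, V_EXISTING, V_DROP };
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };
struct state { struct tuple key; enum tcp_state st; };
#define NSTATES 8
struct fw { enum mode mode; struct state tbl[NSTATES]; };

static struct state *find_state(struct fw *fw, const struct tuple *t)
{
    for (int i = 0; i < NSTATES; i++) {
        const struct tuple *k = &fw->tbl[i].key;
        if (fw->tbl[i].st != ST_FREE && k->saddr == t->saddr &&
            k->daddr == t->daddr && k->sport == t->sport && k->dport == t->dport)
            return &fw->tbl[i];
    }
    return NULL;
}

static struct state *add_state(struct fw *fw, const struct tuple *t,
                               enum tcp_state st)
{
    for (int i = 0; i < NSTATES; i++)
        if (fw->tbl[i].st == ST_FREE) {
            fw->tbl[i].key = *t;
            fw->tbl[i].st = st;
            return &fw->tbl[i];
        }
    return NULL; /* table full */
}

/* Inbound SYN for tuple t. */
enum verdict handle_syn(struct fw *fw, const struct tuple *t)
{
    struct state *s;
    if (fw->mode == MODE_SYNCOOKIES)
        return V_COOKIE_SENT; /* SYN|ACK generated, SYN dropped, no lookup */
    s = find_state(fw, t);
    if (s != NULL && s->st == ST_FIN_WAIT_2) {
        s->st = ST_FREE; /* unlink the old, closed state */
        s = NULL;
    }
    if (fw->mode == MODE_SYNCOOKIES_LOOKUP)
        return V_COOKIE_SENT;
    if (s != NULL)
        return V_EXISTING; /* a live connection still owns the tuple */
    return add_state(fw, t, ST_SYN_SENT) ? V_NEW_STATE : V_DROP;
}

/* Final ACK of the handshake. The state lookup comes before any cookie check. */
enum verdict handle_ack(struct fw *fw, const struct tuple *t, bool cookie_valid)
{
    struct state *s = find_state(fw, t);
    if (s != NULL) {
        if (s->st == ST_FIN_WAIT_2)
            return V_STALE_STATE; /* old entry matched; handshake not completed */
        s->st = ST_ESTABLISHED;
        return V_EXISTING;
    }
    if (fw->mode != MODE_NO_SYNCOOKIES && cookie_valid)
        return add_state(fw, t, ST_ESTABLISHED) ? V_NEW_STATE : V_DROP;
    return V_DROP;
}

/* Replay SYN + ACK for one tuple; true if the tuple ends up ESTABLISHED. */
bool reconnect_succeeds(enum mode mode, bool stale_fin_wait_2)
{
    /* Constructed sample tuple: 192.0.2.10:40000 -> 198.51.100.5:443 */
    const struct tuple t = { 0xC000020Au, 0xC6336405u, 40000, 443 };
    struct fw fw;
    struct state *s;
    memset(&fw, 0, sizeof(fw));
    fw.mode = mode;
    if (stale_fin_wait_2)
        add_state(&fw, &t, ST_FIN_WAIT_2);
    (void)handle_syn(&fw, &t);
    (void)handle_ack(&fw, &t, true);
    s = find_state(&fw, &t);
    return s != NULL && s->st == ST_ESTABLISHED;
}

int main(void)
{
    for (int m = MODE_NO_SYNCOOKIES; m <= MODE_SYNCOOKIES_LOOKUP; m++)
        printf("mode %d: fresh tuple %d, reuse after FIN_WAIT_2 %d\n", m,
               reconnect_succeeds(m, false), reconnect_succeeds(m, true));
    return 0;
}
```

In this model only the plain syncookie mode fails the reuse case, because the ACK matches the leftover FIN_WAIT_2 entry before the cookie is ever checked.
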
From: Kristof Provost
To: "Lyndon Nerenberg (VE7TFX/VE6BBM)"
Cc: FreeBSD pf, Eirik Øverby
Subject: Re: RFC: enabling pf syncookies by default
Date: Wed, 05 Oct 2022 17:41:44 +0100
Message-ID: <58A14C48-3248-4D41-884C-93190AAFCD2C@FreeBSD.org>

On 27 Sep 2022, at 20:24, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> Kristof Provost writes:
>
>> For those not familiar with it, syncookies are a mechanism to resist syn
>> flood DoS attacks. They’re enabled by default in the IP stack, but if
>> you’re running pf a syn flood would still exhaust pf’s state table,
>> even if the network stack itself could cope.
>
> I'm not sure of the lineage of pf's syncookie code in FreeBSD, but
> before you do this you should look at the recent set of patches
> Henning committed to the OpenBSD -snapshot pf source.
>
> We found an evil bug lurking in pf where, if a single source address
> was recycling source ports fast enough to re-use the same source
> addr:port pair while the old connection still had a FINWAIT2 state
> table entry, the new connection attempt would get dropped on the
> floor. The patch cleaned up most of the problem, but when we
> recently put the patched pf into production we were still seeing
> dropped connection requests. We haven't been able to specifically
> reproduce the problem yet, but if you're front-ending a busy web
> site, e.g., I would be wary of enabling syncookies at the moment
> until this bug gets stamped out once and for all.
>

I’ve put together a test case for the initial issue: https://reviews.freebsd.org/D36886

That’s not ready to go in, because the bug it tests for isn’t fixed yet. I hope to port the openbsd fix tomorrow, but it’s the sort of thing that needs an hour or two of concentration, so .. maybe, maybe not.

Kristof

From: "Lyndon Nerenberg (VE7TFX/VE6BBM)"
To: Kristof Provost
cc: FreeBSD pf, Eirik Øverby
Subject: Re: RFC: enabling pf syncookies by default
In-reply-to: <58A14C48-3248-4D41-884C-93190AAFCD2C@FreeBSD.org>
Date: Wed, 05 Oct 2022 12:11:05 -0700

Kristof Provost writes:

> That’s not ready to go in, because the bug it tests for isn’t fixed yet. I hope to port the openbsd fix tomorrow, but it’s the sort of thing that needs an hour or two of concentration, so .. maybe, maybe not.

Something to watch out for ... Henning's fix might not have completely solved the problem. A few weeks ago we deployed the "fixed" pf code into production. When we enabled global syncookies we immediately started receiving reports from customers about hung connections -- the same problem that motivated the initial fix.

The customer complaints are predominantly coming from folks who enable Apple's Private Relay service. Private Relay tries hard to preserve your network geolocation, so they re-map addresses into small chunks of address space that originate from the same geographical location as the client. And that provokes the address:port reuse behaviour that first triggered the bug.

In the short term we had to disable syncookies to get our customers back online. Right now I'm working on shuffling together enough hardware so we can try to reproduce the problem in-house, and continue chasing down the bug.

--lyndon

Date: Wed, 5 Oct 2022 20:22:09 -0600
From: The Doctor
To: freebsd-pf@freebsd.org
Subject: Updates for Serendipity and Wordpress

Can a pf block updates from Serendipity AND Wordpress?

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
The best way to get out of work is by doing it. -unknown Beware https://mindspring.com

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 266477] PF does not obey ICMP rate limits
Date: Fri, 07 Oct 2022 14:30:06 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266477

--- Comment #2 from Kristof Provost ---
Proposed patch: https://reviews.freebsd.org/D36903

Date: Mon, 10 Oct 2022 09:04:34 +0200
To: freebsd-pf@FreeBSD.org
From: infoomatic
Subject: PF: nat on ipsec

Hi guys,

hope someone can help me with my problem trying to NAT ipsec.

The setup: I use a FreeBSD host with an opnsense VM and a vnet jail. The host uses em0 with an external interface, one bridge with an ipv4 address and tap interface to connect opnsense and one bridge without ipv4 address with tap of opnsense + epair of the jail to connect those two.

Opnsense is doing ipsec (strongswan) to our AWS infrastructure, the jail is simulating a client on the "LAN" interface of opnsense.

NAT on the host is setup with pf and works as expected except for ipsec: so outgoing tcp/udp packets from the jail pass through opnsense, get natted and then pass the host where they again get natted.

The outgoing rules on the host

nat pass on em0 proto udp from 192.168.251.100 to any -> $ip_out
nat pass on em0 proto tcp from 192.168.251.100 to any -> $ip_out

The incoming rules redirecting ipsec traffic to opnsense

rdr pass proto udp to $ip_out port 4500 -> 192.168.251.100
rdr pass proto udp to $ip_out port 500 -> 192.168.251.100

On the host, I can see that pf is not translating the packets, using tcpdump on pflog0 shows me:

00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500 > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 > 3.123.51.34: ip-proto-17

where 3.123.51.34 is the ipsec endpoint on AWS side.

Every other packet outgoing from the jail shows of course the external ipv4 address, however, as you can see above, ipsec traffic does not get translated, packets try to pass the hosts em0 interface with the internal ipv4 address of opnsense "WAN" interface.

I hope there is a solution I have not found to this strange problem, any advice highly appreciated.

Thanks!

Best regards,

Robert

[1] posted this + graphics already to:
https://forums.freebsd.org/threads/pf-nating-ipsec.86692/

From nobody Mon Oct 10 15:01:13 2022
Date: Mon, 10 Oct 2022 10:01:13 -0500
Subject: Re: PF: nat on ipsec
To: pf@freebsd.org
From: Matthew Grooms

On 10/10/22 02:04, infoomatic wrote:
> Hi guys,
>
> hope someone can help me with my problem trying to NAT ipsec. The setup:
> I use a FreeBSD host with an opnsense VM and a vnet jail. The host uses
> em0 with an external interface, one bridge with an ipv4 address and tap
> interface to connect opnsense and one bridge without ipv4 address with
> tap of opnsense + epair of the jail to connect those two. Opnsense is
> doing ipsec (strongswan) to our AWS infrastructure, the jail is
> simulating a client on the "LAN" interface of opnsense. NAT on the host
> is set up with pf and works as expected except for ipsec: so outgoing
> tcp/udp packets from the jail pass through opnsense, get natted and then
> pass the host where they again get natted.
>
>
> The outgoing rules on the host
>
> nat pass on em0 proto udp from 192.168.251.100 to any -> $ip_out
>
> nat pass on em0 proto tcp from 192.168.251.100 to any -> $ip_out
>
>
> The incoming rules redirecting ipsec traffic to opnsense
>
> rdr pass proto udp to $ip_out port 4500 -> 192.168.251.100
> rdr pass proto udp to $ip_out port 500 -> 192.168.251.100
>
>
> On the host, I can see that pf is not translating the packets, using
> tcpdump on pflog0 shows me:
>
> 00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500
> > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
>
> 00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 >
> 3.123.51.34: ip-proto-17
>
>
> where 3.123.51.34 is the ipsec endpoint on AWS side. Every other packet
> outgoing from the jail shows of course the external ipv4 address,
> however, as you can see above, ipsec traffic does not get translated,
> packets try to pass the host's em0 interface with the internal ipv4
> address of opnsense "WAN" interface.
>
>
> I hope there is a solution I have not found to this strange problem, any
> advice highly appreciated. Thanks!

I'm not sure if I understood all the details here, but: NAT happens on
egress. For traffic to be processed by IPsec, your traffic must have
source and destination addresses that match the appropriate IPsec
policy. Waiting until it's being sent outbound ( where NAT occurs ) is
usually too late.

Hope this helps,

-Matthew

From nobody Mon Oct 10 15:38:47 2022
Message-ID: <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at>
Date: Mon, 10 Oct 2022 17:38:47 +0200
Subject: Re: PF: nat on ipsec
To: pf@freebsd.org
From: infoomatic

On 10.10.22 17:01, Matthew Grooms wrote:
>
> I'm not sure if I understood all the details here, but: NAT happens on
> egress. For traffic to be processed by IPsec, your traffic must have
> source and destination addresses that match the appropriate IPsec
> policy. Waiting until it's being sent outbound ( where NAT occurs ) is
> usually too late.
>
thanks for your response. The source and destination addresses in the
configuration are OK. Every non-ipsec packet coming from opnsense is
translated as in the pf.conf on the host.
The problem is: as soon as it
is an ipsec packet, the host does not translate it but instead forwards
the packet with the original private ip through the physical interface
with the public ip address (which of course is prohibited by a rule
further down in pf.conf). I have tried to add various nat + rdr rules
which explicitly use various protocols from /etc/protocols e.g. "proto
ipencap" but this does not change the behaviour. It seems like the host
realizes it is an ipsec packet and just refuses to nat that packet.

Out of curiosity I ordered another hardware host where I installed
Linux, created a VM with opnsense (with the same config, the only
adaption was the public ip-address in the ipsec configuration) and a
client on opnsense's LAN interface. I used iptables and it worked as
expected ... every packet on egress is translated to the outgoing ip
address.

Best regards,

Robert

From nobody Mon Oct 10 15:51:33 2022
Date: Mon, 10 Oct 2022 10:51:33 -0500
Subject: Re: PF: nat on ipsec
To: pf@freebsd.org
References: <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at>
From: Matthew Grooms
In-Reply-To: <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at>

On 10/10/22 10:38, infoomatic wrote:
> On 10.10.22 17:01, Matthew Grooms wrote:
>>
>> I'm not sure if I understood all the details here, but: NAT happens on
>> egress. For traffic to be processed by IPsec, your traffic must have
>> source and destination addresses that match the appropriate IPsec
>> policy. Waiting until it's being sent outbound ( where NAT occurs ) is
>> usually too late.
>>
> thanks for your response. The source and destination addresses in the
> configuration are OK. Every non-ipsec packet coming from opnsense is
> translated as in the pf.conf on the host. The problem is: as soon as it
> is an ipsec packet, the host does not translate it but instead forwards
> the packet with the original private ip through the physical interface
> with the public ip address (which of course is prohibited by a rule
> further down in pf.conf). I have tried to add various nat + rdr rules
> which explicitly use various protocols from /etc/protocols e.g. "proto
> ipencap" but this does not change the behaviour. It seems like the host
> realizes it is an ipsec packet and just refuses to nat that packet.
>
>
> Out of curiosity I ordered another hardware host where I installed
> Linux, created a VM with opnsense (with the same config, the only
> adaption was the public ip-address in the ipsec configuration) and a
> client on opnsense's LAN interface. I used iptables and it worked as
> expected ... every packet on egress is translated to the outgoing ip
> address.
>

IPsec traffic flow is complicated. Have a look at enc. It's been
instrumental in helping me fix this class of issue in several instances.
YMMV.

https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4

Good luck! :)

-Matthew

From nobody Mon Oct 10 15:59:50 2022
From: André S. Almeida
Date: Mon, 10 Oct 2022 12:59:50 -0300
Subject: Re: PF: nat on ipsec
To: pf@freebsd.org
References: <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at>

Take a look at the sysctl option "net.inet.ipsec.filtertunnel", it needs to
be active for NAT to work with IPSec

 - Andre

On Mon, 10 Oct 2022 at 12:52, Matthew Grooms wrote:

> On 10/10/22 10:38, infoomatic wrote:
> > On 10.10.22 17:01, Matthew Grooms wrote:
> >>
> >> I'm not sure if I understood all the details here, but: NAT happens on
> >> egress. For traffic to be processed by IPsec, your traffic must have
> >> source and destination addresses that match the appropriate IPsec
> >> policy. Waiting until it's being sent outbound ( where NAT occurs ) is
> >> usually too late.
> >>
> > thanks for your response. The source and destination addresses in the
> > configuration are OK. Every non-ipsec packet coming from opnsense is
> > translated as in the pf.conf on the host. The problem is: as soon as it
> > is an ipsec packet, the host does not translate it but instead forwards
> > the packet with the original private ip through the physical interface
> > with the public ip address (which of course is prohibited by a rule
> > further down in pf.conf). I have tried to add various nat + rdr rules
> > which explicitly use various protocols from /etc/protocols e.g. "proto
> > ipencap" but this does not change the behaviour. It seems like the host
> > realizes it is an ipsec packet and just refuses to nat that packet.
> >
> >
> > Out of curiosity I ordered another hardware host where I installed
> > Linux, created a VM with opnsense (with the same config, the only
> > adaption was the public ip-address in the ipsec configuration) and a
> > client on opnsense's LAN interface. I used iptables and it worked as
> > expected ... every packet on egress is translated to the outgoing ip
> > address.
> >
>
> IPsec traffic flow is complicated. Have a look at enc. It's been
> instrumental in helping me fix this class of issue in several instances.
> YMMV.
>
> https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4
>
> Good luck! :)
>
> -Matthew
>
>

-- 
André S. Almeida
http://www.andre.adm.br
+55 (48) 98812-3932
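
Added example, not part of the thread and not any poster's code: a Python check that parses `tcpdump` output from pflog0 in the layout quoted in the first message and reports packets leaving the external interface with an RFC 1918 source, i.e. packets the nat rules did not translate. The third sample line, its rule number and the address 203.0.113.10 (standing in for `$ip_out`) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also covers the
# documentation ranges, which this example uses as a stand-in public address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Layout assumed from the lines quoted in the thread:
#   <time> rule <nr>/<sub>(<reason>): <action> <in|out> on <if>: <src> > <dst>: <detail>
PFLOG_RE = re.compile(
    r"^\S+\s+rule\s+(?P<rule>[^/\s]+)/\d+\((?P<reason>[^)]*)\)[^:]*:\s+"
    r"(?P<action>\w+)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>[^\s:]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<detail>.*)$"
)


class PflogEntry(NamedTuple):
    rule: str
    action: str
    direction: str
    ifname: str
    src_addr: str
    src_port: Optional[str]
    dst_addr: str
    dst_port: Optional[str]
    detail: str


def split_endpoint(token: str):
    """Split tcpdump's IPv4 'a.b.c.d[.port]' into (address, port or None)."""
    parts = token.split(".")
    if len(parts) not in (4, 5):
        raise ValueError(f"not an IPv4 endpoint: {token!r}")
    addr = ".".join(parts[:4])
    ipaddress.IPv4Address(addr)  # raises ValueError on an invalid address
    # Lines such as the thread's "ip-proto-17" entry carry no port; the port
    # stays a string because tcpdump without -n may print a service name.
    return addr, (parts[4] if len(parts) == 5 else None)


def parse_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog line; return None for anything that does not fit."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    try:
        src_addr, src_port = split_endpoint(m["src"])
        dst_addr, dst_port = split_endpoint(m["dst"])
    except ValueError:
        return None
    return PflogEntry(m["rule"], m["action"], m["direction"], m["ifname"],
                      src_addr, src_port, dst_addr, dst_port, m["detail"])


def untranslated_egress(lines, ext_if: str) -> List[PflogEntry]:
    """Entries going out on ext_if that still carry an RFC 1918 source."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.direction != "out" or e.ifname != ext_if:
            continue
        if any(ipaddress.ip_address(e.src_addr) in net for net in RFC1918):
            hits.append(e)
    return hits


def by_rule(entries) -> Counter:
    """Count entries per (rule number, action) to see which rule caught them."""
    return Counter((e.rule, e.action) for e in entries)


# First two lines are the pflog output quoted in the thread; the third is constructed.
SAMPLE = """\
00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500 > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 > 3.123.51.34: ip-proto-17
00:00:01.000000 rule 30/0(match): pass out on em0: 203.0.113.10.51515 > 3.123.51.34.443: tcp 0
""".splitlines()

if __name__ == "__main__":
    hits = untranslated_egress(SAMPLE, "em0")
    for (rule, action), count in by_rule(hits).items():
        print(f"rule {rule} ({action}): {count} untranslated packet(s) on em0")
    for e in hits:
        print(f"  {e.src_addr}:{e.src_port} -> {e.dst_addr}:{e.dst_port}  {e.detail}")
```
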

From nobody Mon Oct 10 17:13:50 2022
Message-ID: <9d014241-53e0-99dd-4e4e-283fb40c10bd@gmx.at>
Date: Mon, 10 Oct 2022 19:13:50 +0200
Subject: Re: PF: nat on ipsec
To: pf@freebsd.org
References: <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at>
From: infoomatic

On 10.10.22 17:59, André S. Almeida wrote:
> Take a look at the sysctl option "net.inet.ipsec.filtertunnel", it
> needs to be active for NAT to work with IPSec
>
thank you, unfortunately this did not change anything.

> IPsec traffic flow is complicated. Have a look at enc. It's been
> instrumental in helping me fix this class of issue in several
> instances.
> YMMV.
>
> https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4
>
>
> Good luck! :)
>
thanks. Yeah I know, that's why I have always tried to stick to OpenVPN,
however, with AWS it's not (yet?) possible. I just don't get it why on
earth I need to tinker around on the host when the tunnel is being
created inside the opnsense VM, and sadly the solution on Linux consists
of just 2 simple iptables rules (basically rdr all ipv4 traffic to the
vm and then nat the vm's ipv4 traffic).
On 10.10.22 17:59, André S. Almeida wrote:
> Take a look at the sysctl option "net.inet.ipsec.filtertunnel", it needs to be active for NAT to work with IPSec

thank you, unfortunately this did not change anything.

> IPsec traffic flow is complicated. Have a look at enc. It's been
> instrumental in helping me fix this class of issue in several instances.
> YMMV.
>
> https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4
>
> Good luck! :)

thanks. Yeah I know, that's why I have always tried to stick to OpenVPN, however, with AWS it's not (yet?) possible.

I just don't get it why on earth I need to tinker around on the host when the tunnel is being created inside the opnsense VM, and sadly the solution on Linux consists of just 2 simple iptables rules (basically rdr all ipv4 traffic to the vm and then nat the vm's ipv4 traffic).


From nobody Tue Oct 11 11:08:57 2022
Date: Tue, 11 Oct 2022 13:08:57 +0200
Subject: Re: PF: nat on ipsec
To: pf@freebsd.org
References: <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at>
From: infoomatic

> IPsec traffic flow is complicated. Have a look at enc. It's been
> instrumental in helping me fix this class of issue in several instances.
> YMMV.
>
> https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4


I have no clue why the host should try to do anything with the packets except for changing source and destination address (NAT).

The tunnel is set up between AWS and the VM on the host. The ssh connection from AWS to a client "behind" opnsense works.

However, as soon as I try to make a ssh connection from the jail ("behind" opnsense) to AWS, the packets from my local vpn endpoint (opnsense VM) do not get NATed on the host. The host just tries to forward those UDP Port 4500 packets with the private ipv4 address of the opnsense VM as source on the egress interface with the public interface. This of course should not happen. Routing problems can be ruled out, the exact same configuration is working on a Linux host hosting the same opnsense VM. A simple

sysctl net.ipv4.ip_forward=1 && iptables -t nat -A POSTROUTING --source 192.168.251.100 -j SNAT --to-source $public_vpn_ip

did the trick. There is a strange problem here, maybe it is not pf related, maybe something in the stack interferes with those packets.

Anyone knows/could guess if this works with ipfw instead?
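
The symptom reported in the message above (UDP port 4500 packets leaving the public interface with the VM's private source address) can be checked for mechanically. The script below is an added example, not part of the original post: it scans `tcpdump -n` text output taken on the egress interface and reports packets that went out untranslated. The sample capture lines, the public addresses (documentation ranges) and all function names are constructed assumptions; 192.168.251.100 is the VM address from the post.

```python
"""Scan `tcpdump -n` text output from a public (egress) interface and report
IPv4 packets that leave with an RFC 1918 source address, i.e. packets the
NAT rule did not translate. The sample capture lines are constructed."""
import ipaddress
import re
from collections import Counter

# Explicit list: ipaddress.is_private would also match documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_T_PORT = 4500  # IPsec NAT traversal (UDP-encapsulated ESP / IKE)

# "<timestamp> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>"
LINE_RE = re.compile(
    r"^\S+\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Return a dict for an IPv4 tcpdump line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:  # e.g. an octet above 255 in a damaged line
        return None
    return {
        "src": src, "dst": dst,
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
        "rest": m["rest"],
    }


def classify(pkt):
    """Label NAT-T traffic; tcpdump prints 'Flags [..]' only for TCP."""
    is_tcp = pkt["rest"].startswith("Flags [")
    if not is_tcp and NAT_T_PORT in (pkt["sport"], pkt["dport"]):
        return "ipsec-nat-t"
    return "other"


def find_untranslated(lines):
    """Packets with a private source heading to a non-private destination."""
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_rfc1918(pkt["src"]) and not is_rfc1918(pkt["dst"]):
            findings.append({"src": str(pkt["src"]), "dst": str(pkt["dst"]),
                             "kind": classify(pkt), "line": line.strip()})
    return findings


def summarize(findings):
    return Counter((f["src"], f["kind"]) for f in findings)


# Constructed capture: 198.51.100.20 stands for the host's public address,
# 203.0.113.10 for the remote VPN endpoint.
SAMPLE_CAPTURE = """\
13:08:57.100001 IP 192.168.251.100.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0c1d2e3f,seq=0x1), length 116
13:08:57.100950 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x7), length 116
13:08:58.200312 IP 198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0c1d2e3f,seq=0x2), length 116
13:08:59.000411 IP 192.168.251.100.4500 > 203.0.113.10.4500: isakmp-nat-keep-alive
13:08:59.500020 IP 198.51.100.20.51514 > 203.0.113.77.443: Flags [S], seq 1, win 65535, length 0
13:09:00.000100 ARP, Request who-has 198.51.100.1 tell 198.51.100.20, length 28
"""

if __name__ == "__main__":
    found = find_untranslated(SAMPLE_CAPTURE.splitlines())
    for (src, kind), count in summarize(found).items():
        print(f"{count} untranslated {kind} packet(s) from {src}")
    for f in found:
        print("  ", f["line"])
```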

From nobody Tue Oct 11 17:53:07 2022
Date: Tue, 11 Oct 2022 10:53:07 -0700
To: freebsd-pf@FreeBSD.org
From: fddi
Subject: logging NAT sessions (connection tracking)

Hello,

I found no obvious or easy way to log NAT sessions.
I have a bunch of NAT boxes implemented with FreeBSD 13.1 and PF.

I need to log NAT sessions but so far I still have to figure out a good way to do it.

I ended up using this:

https://github.com/italovalcy/pfnattrack

but I am not sure it is working well. It seems like not to be "Real time" and logs are delayed.

Any way I could do something similar with pflog ?

Anybody has a working solution for NAT session logging ?

Thanks

Rick

From nobody Wed Oct 12 00:49:42 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 258601] kernel panic/pagefault caused by pfctl -s info
Date: Wed, 12 Oct 2022 00:49:42 +0000
X-Bugzilla-Version: CURRENT
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258601

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |crash

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Wed Oct 12 00:50:50 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 258196] Kernel panic on pf_free_state with HardenedBSD
Date: Wed, 12 Oct 2022 00:50:50 +0000
X-Bugzilla-Version: 12.2-STABLE
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: Overcome By Events

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258196

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |crash

From nobody Fri Oct 14 09:25:32 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 266477] PF does not obey ICMP rate limits
Date: Fri, 14 Oct 2022 09:25:32 +0000
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266477

--- Comment #3 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a974702e274cbed52ae9ad9ecef8501e267b822d

commit a974702e274cbed52ae9ad9ecef8501e267b822d
Author:     Kristof Provost
AuthorDate: 2022-10-07 14:22:57 +0000
Commit:     Kristof Provost
CommitDate: 2022-10-14 08:36:16 +0000

    pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf

    PR:             266477
    Event:          Aberdeen Hackathon 2022
    Differential Revision:  https://reviews.freebsd.org/D36903

 sys/netinet/icmp6.h  |  1 +
 sys/netinet6/icmp6.c |  3 +--
 sys/netpfil/pf/pf.c  | 26 ++++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

From nobody Mon Oct 17 12:36:10 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 254577] [PATCH] pf: Implement the NAT source port selection of MAP-E Customer Edge
Date: Mon, 17 Oct 2022 12:36:10 +0000
X-Bugzilla-Version: 12.2-STABLE
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254577

Graham Perrin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #7 from Graham Perrin ---
Keyword:
patch or patch-ready – in lieu of summary line prefix:
[patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface:

From nobody Mon Oct 17 12:38:00 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 176268] [pf] [patch] synproxy not working with route-to
Date: Mon, 17 Oct 2022 12:38:00 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 9.1-PRERELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=176268

Graham Perrin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #4 from Graham Perrin ---
Keyword:
patch or patch-ready – in lieu of summary line prefix:
[patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface:

--
You are receiving this mail because:
You are the assignee for the bug.

From nobody Mon Oct 17 12:39:35 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 143504] [patch] outgoing states are not killed by authpf(8)
Date: Mon, 17 Oct 2022 12:39:35 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 7.2-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: bugs@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=143504

Graham Perrin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #4 from Graham Perrin ---
Keyword:
patch or patch-ready – in lieu of summary line prefix:
[patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface:

--
You are receiving this mail because:
You are on the CC list for the bug.

From nobody Mon Oct 17 12:39:46 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 86635] [patch] pfctl(8): allow new page character (^L) in pf.conf
Date: Mon, 17 Oct 2022 12:39:46 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 6.0-BETA5
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=86635

Graham Perrin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #3 from Graham Perrin ---
Keyword:
patch or patch-ready – in lieu of summary line prefix:
[patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface:

--
You are receiving this mail because:
You are the assignee for the bug.

From nobody Mon Oct 17 12:39:53 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 127042] [pf] [patch] pf recursion panic if interface group is the same as the new interface name
Date: Mon, 17 Oct 2022 12:39:53 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: Unspecified
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=127042

Graham Perrin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #4 from Graham Perrin ---
Keyword:
patch or patch-ready – in lieu of summary line prefix:
[patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface:

--
You are receiving this mail because:
You are the assignee for the bug.

From nobody Thu Oct 20 07:13:24 2022
Date: Thu, 20 Oct 2022 09:13:24 +0200
From: Guy Brand
To: pf@freebsd.org
Subject: Re: logging NAT sessions (connection tracking)

On Oct 11, 2022 at 10:53 -0700, fddi wrote:

Hello,

> I found no obvious or easy way to log NAT sessions.
> I have a bunch of NAT boxes implemented with FreeBSD 13.1 and PF.
> I need to log NAT sessions but so far I still have to figure out a good way
> to do it.
>
> I ended up using this:
> https://github.com/italovalcy/pfnattrack
>
> but I am not sure it is working well. It seems like not to be "Real time"
> and logs are delayed.
>
> Any way I could do something similar with pflog ?
> Anybody has a working solution for NAT session logging ?

We've been using pfnattrack, slightly modified, for several years now
and it does the job. It's deployed to log NAT sessions on our campus
wifi infrastructure with thousands of clients connecting every day.
I can share our modifications here if there is an interest.

We did not find something else that would do the job (pflog based or
not).

Regards
--
Guy

From nobody Thu Oct 20 16:50:50 2022
Message-ID: <4fa4e31a-449d-5b79-5d59-12de4bbd7651@comcast.net>
Date: Thu, 20 Oct 2022 09:50:50 -0700
Subject: Re: logging NAT sessions (connection tracking)
To: Guy Brand, pf@freebsd.org
From: fddi

thanks a lot for your answer.

I would greatly appreciate to take a look at your modification if you are
keen to share it.

Really appreciated.

Rick

On 10/20/22 12:13 AM, Guy Brand wrote:
> On Oct 11, 2022 at 10:53 -0700, fddi wrote:
>
> Hello,
>
>> I found no obvious or easy way to log NAT sessions.
>> I have a bunch of NAT boxes implemented with FreeBSD 13.1 and PF.
>> I need to log NAT sessions but so far I still have to figure out a good way
>> to do it.
>>
>> I ended up using this:
>> https://github.com/italovalcy/pfnattrack
>>
>> but I am not sure it is working well. It seems like not to be "Real time"
>> and logs are delayed.
>>
>> Any way I could do something similar with pflog ?
>> Anybody has a working solution for NAT session logging ?
> We've been using pfnattrack, slightly modified, for several years now
> and it does the job. It's deployed to log NAT sessions on our campus
> wifi infrastructure with thousands of clients connecting every day.
> I can share our modifications here if there is an interest.
>
> We did not find something else that would do the job (pflog based or
> not).
>
> Regards
>

From nobody Tue Oct 25 17:38:28 2022
Date: Tue, 25 Oct 2022 19:38:28 +0200
From: Guy Brand
To: pf@freebsd.org
Subject: Re: logging NAT sessions (connection tracking)
References: <4fa4e31a-449d-5b79-5d59-12de4bbd7651@comcast.net>
In-Reply-To: <4fa4e31a-449d-5b79-5d59-12de4bbd7651@comcast.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="HB3ry6+WaBysnelJ"

--HB3ry6+WaBysnelJ
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

On Oct 20, 2022 at
09:50 -0700, fddi wrote: Hi, > I would greatly appreciate to take a look at your modification if you are > keen to share it. Please find them attached. They should apply without conflict to commit 62105136d9037c. Best. -- Guy --HB3ry6+WaBysnelJ Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0003-Reformat-ouput.patch" Content-Transfer-Encoding: quoted-printable =46rom c134a81d26e67a88a744ad68a351f107aa1638a5 Mon Sep 17 00:00:00 2001 =46rom: John Doe Date: Wed, 18 Sep 2019 10:14:18 +0200 Subject: [PATCH 3/3] Reformat ouput - rewrite format function - Add DEBUG mode --- Makefile | 13 +++- pf_nattrack.c | 162 +++++++++++++++++++++++++++----------------------- pf_nattrack.h | 3 + 3 files changed, 102 insertions(+), 76 deletions(-) diff --git a/Makefile b/Makefile index 2db0e00..d8df33d 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,12 @@ CC =3D cc -CFLAGS =3D -g -DDEBUG +#CFLAGS =3D -g -DDEBUG +CFLAGS =3D -g=20 +CFLAGS =3D -O2 OBJS =3D pf_nattrack.o list.o hash.o +BIN =3D pf_nattrack +DST =3D /local/bin =20 -pf_nattrack:$(OBJS) +$(BIN):$(OBJS) $(CC) $(CFLAGS) -o $(.TARGET) $(.ALLSRC) =20 hash.o:hash.c @@ -11,5 +15,8 @@ list.o:list.c pf_nattrack.h =20 pf_nattrack.o:pf_nattrack.c pf_nattrack.h hash.h =20 +install: + mkdir -p $(DST) + cp $(BIN) $(DST) clean: - rm -f $(OBJS) + rm -f $(OBJS) $(BIN) diff --git a/pf_nattrack.c b/pf_nattrack.c index 83c73f1..3e45778 100644 --- a/pf_nattrack.c +++ b/pf_nattrack.c @@ -6,6 +6,7 @@ #include #include #include +#include =20 // network libs #include @@ -27,6 +28,9 @@ static uint32_t pf_hashseed; =20 struct pf_nattrack_hash *pfnt_hash; =20 +// Time between each loop +#define WAIT_INTERVAL PFTM_INTERVAL + /* * hashkey() * 
@@ -63,86 +67,95 @@ void initialize() { * * function used to print out an error message */ -static void -printerror(char *s) +static void printerror(char *s) { - char *msg; - msg =3D strerror(errno); - fprintf(stderr, "ERROR: %s: %s\n", s, msg); - return; + char *msg; + msg =3D strerror(errno); + fprintf(stderr, "ERROR: %s: %s\n", s, msg); + return; } =20 =20 +/* + * print_addr_port() + *=20 + * print field name, address (for given address family) and port number + */ +void format_addr_port(char *str, int size, sa_family_t af, struct pf_addr = *addr, u_int16_t port) { + char buf[MAXSTRSIZE]; + + bzero((void *)buf, MAXSTRSIZE); + snprintf(str , size , "%s:%d" + , ((inet_ntop(af, addr, buf, sizeof(buf)) =3D=3D NULL) ? "?" := buf) + , port + ); +} + /* * print_nattrack() * * print out the NAT tuple */ -void print_nattrack(struct pf_nattrack *nt, int opts) { - char buf[INET_ADDRSTRLEN]; - time_t rawtime; - struct tm * timeinfo; - char fmttime[80]; =20 - time (&rawtime); - timeinfo =3D localtime (&rawtime); - strftime(fmttime,80,"%Y-%m-%d,%H:%M:%S",timeinfo); +void print_nattrack(struct pf_nattrack *nt, int opts) { + char line[MAXLINESIZE]; + char osrc[MAXSTRSIZE], tsrc[MAXSTRSIZE], tdst[MAXSTRSIZE]; =20 if (!nt) return; + switch (nt->af) { - case AF_INET: - // date/time and protocol - printf("%s proto=3D%u", fmttime, nt->proto); - - // original source address and port - printf(" osrc=3D"); - if (inet_ntop(nt->af, &nt->c.osrc, buf, sizeof(buf)) =3D=3D NULL) - printf("?"); - else - printf("%s", buf); - printf(":%u", nt->c.osport); - - // translated source address and port - printf(" tsrc=3D"); - if (inet_ntop(nt->af, &nt->c.tsrc, buf, sizeof(buf)) =3D=3D NULL) - printf("?"); - else - printf("%s", buf); - printf(":%u", nt->c.tsport); - - // original destination address and port - printf(" odst=3D"); - if (inet_ntop(nt->af, &nt->c.odst, buf, sizeof(buf)) =3D=3D NULL) - printf("?"); - else - printf("%s", buf); - printf(":%u", nt->c.odport); - - // translated destination 
address and port - printf(" tdst=3D"); - if (inet_ntop(nt->af, &nt->c.tdst, buf, sizeof(buf)) =3D=3D NULL) - printf("?"); - else - printf("%s", buf); - printf(":%u", nt->c.tdport); - - printf(" duration=3D%u", nt->duration); - // TODO: should store interface? - - printf("\n"); - break; - default: - printf("ERROR: unknown or unsupportted address family\n"); + case AF_INET: + // original source address and port + format_addr_port(osrc, MAXSTRSIZE, nt->af, &nt->c.osrc, nt->c.osp= ort); + // translated source address and port + format_addr_port(tsrc, MAXSTRSIZE, nt->af, &nt->c.tsrc, nt->c.tsp= ort); + // translated destination address and port + format_addr_port(tdst, MAXSTRSIZE, nt->af, &nt->c.tdst, nt->c.tdp= ort); + + snprintf(line , MAXLINESIZE + , "proto=3D%u osrc=3D%s tsrc=3D%s tdst=3D%s duration=3D%u" + , nt->proto, osrc, tsrc, tdst, nt->duration + ); + // TODO: should store interface? + + //printf("%s\n",line); + syslog(LOG_DEBUG|LOG_LOCAL6, "%s", line); + break; + default: + printf("ERROR: unknown or unsupported address family\n"); } } =20 +/* + * Display and free each element=20 + */ void free_list(struct pf_nattrack_list **l) { struct pf_nattrack_list *item; struct pf_nattrack_hash *pfnth; + int count =3D 0; + double delay; + + // number of states to display =20 + item =3D *l; + while(item) { + count++; + item =3D item->next; + } + + if(count =3D=3D 0)=20 + return; + + // time to wait between each event sent + delay =3D ( (WAIT_INTERVAL) * 1.0E6 / count) ; + + // calculate pause to match sending rate =20 while(*l) { item =3D *l; + print_nattrack(item->nt, 0); + usleep(delay); + pfnth =3D &pfnt_hash[hashkey(item->nt)]; ldel(&pfnth->list, item->ref); ldel(l, item); 
@@ -153,10 +166,10 @@ void free_list(struct pf_nattrack_list **l) { } =20 uint8_t convert_state(struct pfsync_state *state, struct pf_nattrack *node= ) { - struct pfsync_state_key *orig, *trans; + struct pfsync_state_key *orig, *trans; uint8_t src, dst; =20 - if (state->direction =3D=3D PF_OUT) { + if (state->direction =3D=3D PF_OUT) { src =3D 1; dst =3D 0; orig =3D &state->key[PF_SK_STACK]; trans =3D &state->key[PF_SK_WIRE]; @@ -174,8 +187,10 @@ uint8_t convert_state(struct pfsync_state *state, stru= ct pf_nattrack *node) { PF_AEQ(&orig->addr[dst], &trans->addr[dst], state->af) && orig->port[src] =3D=3D trans->port[src] && orig->port[dst] =3D=3D trans->port[dst])) { - //printf("NO_NAT!\n"); - return 0; + #ifdef DEBUG + printf("NO_NAT!\n"); + #endif + return 0; } =20 memset(node, 0, sizeof(struct pf_nattrack)); @@ -195,10 +210,6 @@ uint8_t convert_state(struct pfsync_state *state, stru= ct pf_nattrack *node) { return 1; } =20 -/* -uint8_t pf_getstates(struct pf_nattrack *node) { -} -*/ =20 int main() { struct pf_nattrack_hash *pfnth =3D NULL; @@ -216,10 +227,11 @@ int main() { } =20 do { - //printf("\n\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n"); - //printf("Nova rodada\n"); - //printf("=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n"); - + #ifdef DEBUG + printf("\n\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n"); + printf("New turn\n"); + printf("=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n"); + #endif freelist =3D lastlist; lastlist =3D NULL; =20 @@ -251,7 +263,7 @@ int main() { if (len =3D=3D 0 && ps.ps_len !=3D 0) len =3D ps.ps_len; if (ps.ps_len =3D=3D 0) - goto done; /* no states */ + goto done; /* no states */ len *=3D 2; } p =3D ps.ps_states; 
@@ -263,12 +275,16 @@ int main() { item =3D lfind(pfnth->list, &node); =20 if (item) { - //printf("Item found! Deleting from freelist\n"); + #ifdef DEBUG + printf("Item found! Deleting from freelist\n"); + #endif item2 =3D item->ref; *(item2->nt) =3D node; ldel(&freelist, item2); } else { - //printf("Not found. Inserting...\n"); + #ifdef DEBUG + printf("Not found. Inserting...\n"); + #endif nodep =3D (struct pf_nattrack *)malloc(sizeof(struct pf_nattra= ck)); *nodep =3D node; item =3D (struct pf_nattrack_list *)malloc( @@ -287,7 +303,7 @@ done: free(inbuf); free_list(&freelist); =20 - sleep(PFTM_INTERVAL); + // sleep(PFTM_INTERVAL); } while(1); =20 free_list(&lastlist); diff --git a/pf_nattrack.h b/pf_nattrack.h index 97f95b2..8aadf8c 100644 --- a/pf_nattrack.h +++ b/pf_nattrack.h @@ -35,4 +35,7 @@ void ldel(struct pf_nattrack_list **head, struct pf_nattr= ack_list *no); struct pf_nattrack_list *lfind(struct pf_nattrack_list *head,=20 struct pf_nattrack *nt); =20 +#define MAXSTRSIZE 256 +#define MAXLINESIZE 2048 + #endif --=20 2.38.1 --HB3ry6+WaBysnelJ Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0002-Adding-a-makefile.patch" Content-Transfer-Encoding: quoted-printable =46rom bd431425d129177081754930485ba4461493f14e Mon Sep 17 00:00:00 2001 =46rom: John Doe Date: Mon, 25 Sep 2017 13:01:19 +0200 Subject: [PATCH 2/3] Adding a makefile --- Makefile | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..2db0e00 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,15 @@ +CC =3D cc +CFLAGS =3D -g -DDEBUG +OBJS =3D pf_nattrack.o list.o hash.o + +pf_nattrack:$(OBJS) + $(CC) $(CFLAGS) -o $(.TARGET) $(.ALLSRC) + +hash.o:hash.c + +list.o:list.c pf_nattrack.h + +pf_nattrack.o:pf_nattrack.c pf_nattrack.h hash.h + +clean: + rm -f $(OBJS) --=20 2.38.1 --HB3ry6+WaBysnelJ Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-Remove-function-reading-on-stdin.patch" Content-Transfer-Encoding: quoted-printable =46rom 7bc51eaab3ae53d753dbbb72ec0b82642130e4db Mon Sep 17 00:00:00 2001 =46rom: John Doe Date: Mon, 25 Sep 2017 13:01:07 +0200 Subject: [PATCH 1/3] Remove function reading on stdin --- pf_nattrack.c | 86 --------------------------------------------------- 1 file changed, 86 deletions(-) diff --git a/pf_nattrack.c b/pf_nattrack.c index 4b4290a..83c73f1 100644 --- a/pf_nattrack.c +++ b/pf_nattrack.c 
@@ -200,51 +200,6 @@ uint8_t pf_getstates(struct pf_nattrack *node) { } */ =20 -struct pf_nattrack * read_input(struct pf_nattrack *node) { - char osrc[30], tsrc[30], dst[30], dir[10]; - int o_sport, t_sport, dport; - - scanf("\n%[^:]:%d (%[^:]:%d) %s %[^:]:%d",osrc, &o_sport, tsrc, &t_spor= t, dir, dst, &dport); - //printf("osrc=3D%s o_sport=3D%d tsrc=3D%s t_sport=3D%d dst=3D%s dport= =3D%d\n", osrc, o_sport, tsrc, t_sport, dst, dport); - - memset(node, 0, sizeof(struct pf_nattrack)); - - // original source address and port - if (!inet_pton(AF_INET, osrc, &node->c.osrc.v4)) { - printf("ERROR: invalid v4 addr (osrc=3D%s)\n", osrc); - return NULL; - } - node->c.osport =3D o_sport; - - // translated source address and port - if (!inet_pton(AF_INET, tsrc, &node->c.tsrc.v4)) { - printf("ERROR: invalid v4 addr (osrc=3D%s)\n", tsrc); - return NULL; - } - node->c.tsport =3D t_sport; - - // original destination address and port - // TODO: change to odst - if (!inet_pton(AF_INET, dst, &node->c.odst.v4)) { - printf("ERROR: invalid v4 addr (odst=3D%s)\n", dst); - return NULL; - } - node->c.odport =3D dport; - - // translated destination address and port - // TODO: change to tdst - if (!inet_pton(AF_INET, dst, &node->c.tdst.v4)) { - printf("ERROR: invalid v4 addr (odst=3D%s)\n", dst); - return NULL; - } - node->c.tdport =3D dport; - - node->af =3D AF_INET; - - return node; -} - - int main() { struct pf_nattrack_hash *pfnth =3D NULL; struct pf_nattrack_list *item, *item2; 
@@ -334,47 +289,6 @@ done: =20 sleep(PFTM_INTERVAL); } while(1); - /* comentando para trabalhar com o get_states - while ( scanf("\n%d", &i) !=3D EOF && i !=3D 0) { - if (!read_input(&node)) continue; - - pfnth =3D &pfnt_hash[hashkey(&node)]; - - item =3D lfind(pfnth->list, &node); - - if (item) { - //printf("Item found! Deleting from freelist\n"); - item2 =3D item->ref; - ldel(&freelist, item2); - } else { - //printf("Not found. Inserting...\n"); - nodep =3D (struct pf_nattrack *)malloc(sizeof(struct pf_nattra= ck)); - *nodep =3D node; - item =3D (struct pf_nattrack_list *)malloc( - sizeof(struct pf_nattrack_list)); - item->nt =3D nodep; - item2 =3D (struct pf_nattrack_list *)malloc( - sizeof(struct pf_nattrack_list)); - item2->nt =3D nodep; - ladd(&pfnth->list, item); - item->ref =3D item2; - } - ladd(&lastlist, item2); - item2->ref =3D item; - } - //printf("done\n"); - //printf("-> removendo itens da freelist\n"); - free_list(&freelist); - //printf("-> items armazenados:\n"); - //for(i=3D0; i <=3D pf_hashmask; i++) { - // for(item=3Dpfnt_hash[i].list; item; item=3Ditem->next) { - // print_nattrack(item->nt, 0); - // } - //} - - //printf("Nova rodada? 
(1 =3D sim) "); - } while(scanf("\n%d", &i) !=3D EOF && i !=3D 0); - */ // comentando para get_states =20 free_list(&lastlist); free(pfnt_hash); --=20 2.38.1
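Review bot: In patch 3/3, Makefile hunk `@@ -1,8 +1,12 @@`, `CFLAGS` is assigned twice in a row, so `CFLAGS = -O2` replaces `CFLAGS = -g` and the binary is built without debug symbols while the file still reads as if `-g` were in effect. Collapse the two lines into `CFLAGS = -g -O2` (or make the second one `+=`), and consider adding `-Wall -Wextra`, since the same patch introduces new `snprintf` and `usleep` call sites that would benefit from format and conversion warnings.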
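Review bot: In patch 3/3, pf_nattrack.c hunk `@@ -63,86 +67,95 @@`, the rewritten `print_nattrack()` drops the `odst` field: the old code printed `osrc`, `tsrc`, `odst` and `tdst`, the new format string is `proto=%u osrc=%s tsrc=%s tdst=%s duration=%u`, and the commit message does not mention the change. If the log is used to attribute translated traffic, keep the original destination with a fourth `format_addr_port()` call for `nt->c.odst` and `nt->c.odport`, or say in the commit message that the field is dropped on purpose. Smaller points in the same hunk: records are sent at `LOG_DEBUG|LOG_LOCAL6`, so they are stored only where syslogd is configured to keep `local6.debug`, while the unsupported-family error still goes to `printf`; the comment block is titled `print_addr_port()` but the function is `format_addr_port()`; and `free_list()` now also prints and sleeps, which neither its name nor the new one-line comment makes obvious to callers.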
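Review bot: In patch 3/3, pf_nattrack.c hunk `@@ -287,7 +303,7 @@`, commenting out `sleep(PFTM_INTERVAL)` leaves the `do { ... } while(1)` loop with no pause whenever `freelist` is empty, because the new `free_list()` returns at `if(count == 0) return;` before it ever reaches `usleep(delay)`. On a pass where no tracked NAT state has expired, including the `goto done; /* no states */` path, the loop starts the next state fetch immediately and spins. Keep a sleep for the empty case, for example sleep `WAIT_INTERVAL` in `main()` when `free_list()` reports that it had nothing to emit.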
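Review bot: The commit message of patch 1/3 ("Remove function reading on stdin") should record why `read_input()` goes, because the code deleted in hunk `@@ -200,51 +200,6 @@` parsed its input with `scanf("\n%[^:]:%d (%[^:]:%d) %s %[^:]:%d", ...)` into `char osrc[30], tsrc[30], dst[30], dir[10]` with no field widths, so an over-long token would have been written past those buffers. One sentence saying that the stdin test path and its unbounded `scanf` conversions are removed makes the intent clear to anyone bisecting later and keeps the function from being restored as it was.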
From nobody Tue Oct 25 18:55:31 2022
From: fddi
To: Guy Brand, pf@freebsd.org
Date: Tue, 25 Oct 2022 11:55:31 -0700
Subject: Re: logging NAT sessions (connection tracking)

thanks a lot, really appreciated.

On 10/25/22 10:38 AM, Guy Brand wrote:
> On Oct 20, 2022 at 09:50 -0700, fddi wrote:
>
> Hi,
>
>> I would greatly appreciate to take a look at your modification if you are
>> keen to share it.
> Please find them attached. They should apply without conflict to commit
> 62105136d9037c.
>
> Best.
>

From nobody Tue Oct 25 19:09:59 2022
From: Marek Zarychta
To: pf@freebsd.org
Date: Tue, 25 Oct 2022 21:09:59 +0200
Subject: Re: logging NAT sessions (connection tracking)

On 25.10.2022 at 19:38, Guy Brand wrote:
> On Oct 20, 2022 at 09:50 -0700, fddi wrote:
>
> Hi,
>
>> I would greatly appreciate to take a look at your modification if you are
>> keen to share it.
>
> Please find them attached. They should apply without conflict to commit
> 62105136d9037c.
>
> Best.
>

Thanks for sharing your work with list subscribers. Have you tried to
upstream these patches?
-- 
Marek Zarychta

From nobody Wed Nov 16 18:33:24 2022
From: Goran Mekić
To: pf@freebsd.org
Date: Wed, 16 Nov 2022 19:33:24 +0100
Subject: How to use dummynet

Hello!

I know PF now supports dummynet in 14-CURRENT, but I couldn't find the
syntax for it and general doc on how to use it. I could probably figure
out some bits and pieces from the code but if there is anything written,
I would be glad if someone could point it out.

Regards,
meka

From nobody Thu Nov 17 00:06:20 2022
From: Goran Mekić
To: pf@freebsd.org
Date: Thu, 17 Nov 2022 01:06:20 +0100
Subject: Re: How to use dummynet

On Wed, Nov 16, 2022 at 07:33:24PM +0100, Goran Mekić wrote:
> Hello!
>
> I know PF now supports dummynet in 14-CURRENT, but I couldn't find the
> syntax for it and general doc on how to use it.
> I could probably figure
> out some bits and pieces from the code but if there is anything written,
> I would be glad if someone could point it out.
>
> Regards,
> meka

Hello,

To answer my own question, there are two parts, one configured in pf.conf,
the other configured through dnctl.

# dnctl pipe 1 config bw 300KByte/s

In /etc/pf.conf:

pass in quick inet from to any dnpipe 1

I used "scp -4" for the test. One more useful command is

# dnctl pipe show

I wonder if VNET works, but I'll research that on another occasion. I
figured out this much from tests for PF, so I'm not sure that's all there
is to dummynet.

Regards,
meka

From nobody Tue Nov 29 18:54:17 2022
From: Goran Mekić
To: pf@freebsd.org
Date: Tue, 29 Nov 2022 19:54:17 +0100
Subject: Anchor not found

Hello,

No matter what anchor hierarchy I try to make, pfctl always reports it can
not find it:

# pfctl -sa | grep myanchor
anchor "myanchor/*" all
# pfctl -a myanchor -s A
Anchor 'myanchor' not found.
# echo "pass out" | pfctl -a "myanchor" -f -
# pfctl -a myanchor -s A
Anchor 'myanchor' not found.
# echo "pass out" | pfctl -a "myanchor/1" -f -
# pfctl -a myanchor -s A
myanchor/1
Anchor 'myanchor' not found.
I'm running FreeBSD 14-CURRENT on amd64 with the kernel and base compiled
from bc9a5b049797fb7484dc1448f5d806955499f1f0

On 13.1 I do not see this error.

From nobody Wed Nov 30 16:18:34 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 257218] pfi_ifnet leak on interface removal
Date: Wed, 30 Nov 2022 16:18:34 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: Open
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: bug_status
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257218

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #1 from Kristof Provost ---
Thanks!
I've posted the patch with a small variation here:
https://reviews.freebsd.org/D37569
and a test case here: https://reviews.freebsd.org/D37570

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Thu Dec 8 16:11:15 2022
From: John Jasen
Date: Thu, 8 Dec 2022 11:11:15 -0500
Subject: crash and panic using pfsync on 13.1-RELEASE (Bug 268246)
To: FreeBSD Net , FreeBSD Net

Hi folks -- I opened this on FreeBSD 13.1.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268246

I'm stumped, as I have about half a dozen other systems just like this one,
which do not exhibit this condition.

Don't know if it matters, but this is the backup firewall in a carp
configuration.

kgdb /usr/lib/debug/boot/kernel/kernel.debug /var/crash/vmcore.0

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x18
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80cadb90
stack pointer           = 0x28:0xfffffe0204794bc0
frame pointer           = 0x28:0xfffffe0204794c20
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: pfsync)
trap number             = 12
panic: page fault
cpuid = 0
time = 1670433489
KDB: stack backtrace:
#0 0xffffffff80c694a5 at kdb_backtrace+0x65
#1 0xffffffff80c1bb5f at vpanic+0x17f
#2 0xffffffff80c1b9d3 at panic+0x43
#3 0xffffffff810afdf5 at trap_fatal+0x385
#4 0xffffffff810afe4f at trap_pfault+0x4f
#5 0xffffffff810875b8 at calltrap+0x8
#6 0xffffffff80dca82f at ip_fragment+0x24f
#7 0xffffffff80dca1e3 at ip_output+0x1163
#8 0xffffffff8225a851 at pfsyncintr+0x151
#9 0xffffffff80bdbcfa at ithread_loop+0x25a
#10 0xffffffff80bd8a9e at fork_exit+0x7e
#11 0xffffffff8108862e at fork_trampoline+0xe
Uptime: 43m36s
Dumping 7356 out of 130983 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%
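
The panic text in the message above can be triaged mechanically. The following Python is an added example, not part of the original post or of FreeBSD: it parses the trap fields and the KDB backtrace copied from that message, skips the panic/trap frames, and reports the first frame below them. The names `TRAP_PATH`, `parse_panic`, `triage` and `describe`, and the first-page test used to call an address near-NULL, are assumptions of this example.

```python
import re
from itertools import dropwhile

PAGE_SIZE = 4096  # amd64 base page size

# Frames on the panic/trap path itself, not the code that faulted.
# Assumption: this set is taken from the frames visible in the trace above.
TRAP_PATH = {"kdb_backtrace", "vpanic", "panic", "trap_fatal",
             "trap_pfault", "trap", "calltrap"}

# Panic text copied from the text/plain part of the message above.
PANIC_TEXT = """\
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x18
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80cadb90
stack pointer           = 0x28:0xfffffe0204794bc0
frame pointer           = 0x28:0xfffffe0204794c20
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: pfsync)
trap number             = 12
panic: page fault
KDB: stack backtrace:
#0 0xffffffff80c694a5 at kdb_backtrace+0x65
#1 0xffffffff80c1bb5f at vpanic+0x17f
#2 0xffffffff80c1b9d3 at panic+0x43
#3 0xffffffff810afdf5 at trap_fatal+0x385
#4 0xffffffff810afe4f at trap_pfault+0x4f
#5 0xffffffff810875b8 at calltrap+0x8
#6 0xffffffff80dca82f at ip_fragment+0x24f
#7 0xffffffff80dca1e3 at ip_output+0x1163
#8 0xffffffff8225a851 at pfsyncintr+0x151
#9 0xffffffff80bdbcfa at ithread_loop+0x25a
#10 0xffffffff80bd8a9e at fork_exit+0x7e
#11 0xffffffff8108862e at fork_trampoline+0xe
"""

TRAP_RE = re.compile(r"^Fatal trap (\d+): (.+)$")
FIELD_RE = re.compile(r"^([a-z][a-z ]*?)\s*=\s*(.+)$")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ at (\S+)\+(0x[0-9a-f]+)$")


def parse_panic(text):
    """Split panic text into (trap, fields, frames)."""
    trap, fields, frames = None, {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := TRAP_RE.match(line)):
            trap = (int(m.group(1)), m.group(2))
        elif (m := FRAME_RE.match(line)):
            frames.append((m.group(2), int(m.group(3), 16)))
        elif (m := FIELD_RE.match(line)):
            # Keep the first value when a key repeats (e.g. "cpuid").
            fields.setdefault(m.group(1), m.group(2))
    return trap, fields, frames


def triage(text):
    """Return the fields an on-call engineer needs first from a panic."""
    trap, fields, frames = parse_panic(text)
    addr = fields.get("fault virtual address")
    fault_addr = int(addr, 16) if addr else None
    access = re.search(r"\b(read|write)\b", fields.get("fault code", ""))
    proc = re.match(r"\d+ \((.+)\)$", fields.get("current process", ""))
    # Drop the leading trap-path frames; what remains starts at the fault.
    stack = list(dropwhile(lambda f: f[0] in TRAP_PATH, frames))
    return {
        "trap": trap,
        "fault_addr": fault_addr,
        # An address inside the first page suggests a NULL base pointer
        # plus a small member offset.
        "near_null": fault_addr is not None and fault_addr < PAGE_SIZE,
        "access": access.group(1) if access else None,
        "process": proc.group(1) if proc else None,
        "faulting": stack[0] if stack else None,
        "callers": [sym for sym, _ in stack[1:]],
    }


def describe(r):
    """One-line summary suitable for a ticket title."""
    if r["faulting"] is None:
        return "no backtrace frames below the trap path"
    sym, off = r["faulting"]
    if r["fault_addr"] is None:
        kind = "fault"
    elif r["near_null"]:
        kind = f"near-NULL {r['access']} at offset {r['fault_addr']:#x}"
    else:
        kind = f"{r['access']} of {r['fault_addr']:#x}"
    via = " <- ".join(r["callers"][:2])
    return f"{kind} in {sym}+{off:#x} (thread {r['process']}), called via {via}"


if __name__ == "__main__":
    print(describe(triage(PANIC_TEXT)))
```

On the trace above it reports a read at offset 0x18 in ip_fragment+0x24f on the pfsync software-interrupt thread, reached through ip_output from pfsyncintr.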
From nobody Wed Dec 14 09:21:01 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 257218] pfi_ifnet leak on interface removal
Date: Wed, 14 Dec 2022 09:21:01 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257218

--- Comment #2 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=bfeef0d32a0036bf6bec93a439e0466efe6f4482

commit bfeef0d32a0036bf6bec93a439e0466efe6f4482
Author:     Nick Reilly
AuthorDate: 2022-11-30 14:19:44 +0000
Commit:     Kristof Provost
CommitDate: 2022-12-14 09:19:01 +0000

    pf: fix pfi_ifnet leak on interface removal

    The detach of the interface and group were leaving pfi_ifnet memory
    behind. Check if the kif still has references, and clean it up if it
    doesn't

    On interface detach, the group deletion was notified first and then a
    change notification was sent. This would recreate the group in the kif
    layer. Reorder the change to before the delete.

    PR: 257218
    MFC after: 2 weeks
    Differential Revision: https://reviews.freebsd.org/D37569

 sys/net/if.c           |  3 +--
 sys/netpfil/pf/pf_if.c | 23 ++++++++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Wed Dec 28 09:04:08 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 257218] pfi_ifnet leak on interface removal
Date: Wed, 28 Dec 2022 09:04:08 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257218

--- Comment #3 from commit-hook@FreeBSD.org ---
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5f7454d8904ca68697dda569f71af6ef5ec178c7

commit 5f7454d8904ca68697dda569f71af6ef5ec178c7
Author:     Nick Reilly
AuthorDate: 2022-11-30 14:19:44 +0000
Commit:     Kristof Provost
CommitDate: 2022-12-28 04:56:08 +0000

    pf: fix pfi_ifnet leak on interface removal

    The detach of the interface and group were leaving pfi_ifnet memory
    behind. Check if the kif still has references, and clean it up if it
    doesn't

    On interface detach, the group deletion was notified first and then a
    change notification was sent.
    This would recreate the group in the kif layer. Reorder the change to
    before the delete.

    PR: 257218
    MFC after: 2 weeks
    Differential Revision: https://reviews.freebsd.org/D37569

    (cherry picked from commit bfeef0d32a0036bf6bec93a439e0466efe6f4482)

 sys/net/if.c           |  3 +--
 sys/netpfil/pf/pf_if.c | 23 ++++++++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Wed Dec 28 09:08:09 2022
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 257218] pfi_ifnet leak on interface removal
Date: Wed, 28 Dec 2022 09:08:09 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257218

--- Comment #4 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=909167374fefcfa4981e4a43ee48872dcf76d0e2

commit 909167374fefcfa4981e4a43ee48872dcf76d0e2
Author:     Nick Reilly
AuthorDate: 2022-11-30 14:19:44 +0000
Commit:     Kristof Provost
CommitDate: 2022-12-28 04:56:08 +0000

    pf: fix pfi_ifnet leak on interface removal

    The detach of the interface and group were leaving pfi_ifnet memory
    behind. Check if the kif still has references, and clean it up if it
    doesn't

    On interface detach, the group deletion was notified first and then a
    change notification was sent. This would recreate the group in the kif
    layer. Reorder the change to before the delete.

PR: 257218 MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D37569 (cherry picked from commit bfeef0d32a0036bf6bec93a439e0466efe6f4482) sys/net/if.c | 3 +-- sys/netpfil/pf/pf_if.c | 23 ++++++++++++++++++----- 2 files changed, 19 insertions(+), 7 deletions(-) --=20 You are receiving this mail because: You are the assignee for the bug.= From nobody Sat Dec 31 10:05:18 2022 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Nkd6R60k3z2lGm7 for ; Sat, 31 Dec 2022 10:05:19 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Nkd6R4N8Vz3wG9 for ; Sat, 31 Dec 2022 10:05:19 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1672481119; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Wx4eyBQcWALV9O+sPod/GVjo3iVwaslTAOET9iIaeoM=; b=j8lgg3Vl/x6zd6elO85j4xrgMjvg3FG7G9S3nNwgyOUAe4INAotvXAH1Qnp6a8VWxjSiZp MKDSxPZGWVLuCaIRNI72+wDlsFUI4A816aiUVvZonJHNgAMWeB+7NVnGMSGi3MEscNXwzV 61DhZuXI4lVNEYtS8z+WZRkSAHT7IG2NCy4AGA4PK2lg1F4eqyV5ZyY2dJA1cR0KT55QF3 a6sTRyShFbD/XqJENrlGFixSPx3T+99L8+KEIAjgpixwUfaeskpj5NCWrq8STOpD6SnCKt OWZZtDinsylSwXi4XQ5Oi4Fe8jsh/ceyX6jYslZBBPmT4VH2UytGUf5iTLoLsg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; 
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 87074] pf does not log dropped packets when max-* stateful tracking options watermark are reached
Date: Sat, 31 Dec 2022 10:05:18 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 5.4-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: grahamperrin@freebsd.org
X-Bugzilla-Status: Open
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: short_desc cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=87074

Graham Perrin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[pf] pf does not log        |pf does not log dropped
                   |dropped packets when max-*  |packets when max-* stateful
                   |stateful tracking options   |tracking options watermark
                   |watermark are reached       |are reached
                 CC|                            |grahamperrin@freebsd.org

From nobody Mon Jan 2 23:41:23 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Mon, 02 Jan 2023 23:41:23 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

From nobody Tue Jan 3 15:58:23 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Tue, 03 Jan 2023 15:58:23 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #2 from dfr@rabson.org ---
Created attachment 239234
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239234&action=edit
second test scenario showing redirect failing if both ends are on the same bridge

From nobody Tue Jan 3 15:59:07 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Tue, 03 Jan 2023 15:59:07 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #3 from dfr@rabson.org ---
Further testing shows more strangeness. If I add a second vnet jail on the same
bridge and attempt the telnet that should redirect, it also fails. The rule
matches when the host receives the SYN and is re-written and directed to the
first jail. The SYN+ACK reply doesn't match the state entry and is transmitted
without reversing the redirect.

I've added a second test script to set this up - run the script then 'jexec
testvnet2 telnet 10.123.0.1 8080'

From nobody Tue Jan 3 16:34:38 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Tue, 03 Jan 2023 16:34:38 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #4 from dfr@rabson.org ---
The second scenario with two vnet jails on the same bridge is possibly the
bridge 'helping' by delivering the SYN+ACK reply directly, without allowing PF
to re-write. Adding debug printfs to pf seems to show that it never sees the
reply.

From nobody Tue Jan 3 16:45:18 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Tue, 03 Jan 2023 16:45:18 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #5 from dfr@rabson.org ---
Turns out I was missing 'sysctl net.link.bridge.pfil_member=1' for the two
jails redirecting via a bridge scenario so ignore that part. Adding this
doesn't affect the original scenario with the host originating the redirected
connection.

From nobody Thu Jan 5 08:35:25 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Thu, 05 Jan 2023 08:35:25 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #6 from dfr@rabson.org ---
Created attachment 239274
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239274&action=edit
possible fix for redirects initiated by localhost

Redirect rules are triggered on PF_IN events to allow the rule to replace the
destination address+port and also on PF_OUT events to reverse the replacement
for packets flowing back towards the original source address. If the source is
a local address, this second event is not triggered since the return packet is
delivered to the local protocol stack.

A possible fix is to simulate the PF_OUT event for packets destined for local
processing, allowing the second part of the redirect to be applied. This does
conflict with source address validation in 14-current which I'm disabling for
testing. That could be mitigated by relaxing source address validation to allow
packets with non-local source addresses pre-filtering.

From nobody Fri Jan 6 02:39:02 2023
KZcBbywV9luTwz7ZB8HEWk3XnUsTHRk7vXyO1jxUf0PGGDcDzhuHHKkDwHWhIu/qELwJrf 39nsq2CC1k4nm0AQoS6tlpf7SjI2PLkclTI1a+BKTZAaD3k7klwdJL1MMeMT5g== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Np6wk1S45zDxM for ; Fri, 6 Jan 2023 02:39:02 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 3062d2Oo022650 for ; Fri, 6 Jan 2023 02:39:02 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 3062d240022649 for pf@FreeBSD.org; Fri, 6 Jan 2023 02:39:02 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: pf@FreeBSD.org Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost Date: Fri, 06 Jan 2023 02:39:02 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: kp@freebsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: pf@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #7 from Kristof Provost ---
(In reply to dfr from comment #6)
I've been poking at this a bit as well (briefly, because I'm supposed to be on
vacation), and I believe your diagnosis may be correct.

To summarise what I've done so far: after turning your script into an atf-sh
test case I can reproduce the problem, and poke at things with dtrace.

The test script sets up a vnet jail (IP 192.0.2.1) with an rdr rule redirecting
traffic for 192.0.2.1:8080 to 192.0.2.2:8080.

The following D script:

    #!/usr/sbin/dtrace -s

    /* Print both state keys handed to pf_state_insert() (arg2, then arg3). */
    fbt:pf:pf_state_insert:entry
    {
        s = (struct pf_state_key *)arg2;
        printf("%x -> %x, %d:%d af %d proto %d\n",
            s->addr[0].pfa.v4.s_addr, s->addr[1].pfa.v4.s_addr,
            ntohs(s->port[0]), ntohs(s->port[1]),
            s->af, s->proto);
        s = (struct pf_state_key *)arg3;
        printf("%x -> %x, %d:%d af %d proto %d",
            s->addr[0].pfa.v4.s_addr, s->addr[1].pfa.v4.s_addr,
            ntohs(s->port[0]), ntohs(s->port[1]),
            s->af, s->proto);
        stack();
    }

    /* Print the key each state lookup is performed with (arg1). */
    fbt:pf:pf_find_state:entry
    {
        s = (struct pf_state_key *)arg1;
        printf("%x -> %x, %d:%d af %d proto %d",
            s->addr[0].pfa.v4.s_addr, s->addr[1].pfa.v4.s_addr,
            ntohs(s->port[0]), ntohs(s->port[1]),
            s->af, s->proto);
    }

    /* Print the lookup's return value; 0 means no state was found. */
    fbt:pf:pf_find_state:return
    {
        printf("=> %p", arg1);
    }

produces

    dtrace: script '/home/kp/pf.dtrace' matched 3 probes
    CPU     ID                    FUNCTION:NAME
      5  80283              pf_find_state:entry 10200c0 -> 10200c0, 8080:40477 af 2 proto 6
      5  80284             pf_find_state:return => 0
      6  80283              pf_find_state:entry 10200c0 -> 10200c0, 40477:8080 af 2 proto 6
      6  80284             pf_find_state:return => 0
      6  80537            pf_state_insert:entry 10200c0 -> 10200c0, 40477:8080 af 2 proto 6
    10200c0 -> 20200c0, 40477:8080 af 2 proto 6
                  pf.ko`pf_test_rule+0x282b
                  pf.ko`pf_check_in+0x25
                  kernel`pfil_mbuf_in+0x55
                  kernel`ip_input+0x3c6
                  kernel`swi_net+0x191
                  kernel`ithread_loop+0x279
                  kernel`fork_exit+0x80
                  kernel`0xffffffff810a44ae

      6  80283              pf_find_state:entry 20200c0 -> 10200c0, 8080:40477 af 2 proto 6
      6  80284             pf_find_state:return => 0

So I think that matches your diagnosis, in that we're creating states (both the
original 192.0.2.1 to 192.0.2.1 and rdr'd 192.0.2.1 to 192.0.2.2 traffic), but
only on PF_IN. When the reply comes in we don't find a corresponding state, and
things don't work.

I'm rather wary of inserting special case handling for this in pf_test(). I
wonder if we don't need to add a pfil call in the if_lo handling somewhere, to
make that traffic match the normal (i.e. non-loopback) traffic pattern.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Fri Jan 6 08:13:21 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Fri, 06 Jan 2023 08:13:21 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: dfr@rabson.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #8 from dfr@rabson.org ---
I was also wary of adding complexity to pf_test although there is some
precedent here - pf_route does recurse back to pf_test. The other idea I had
was to add a second packet filter call from ip_input and ip6_input at the point
where the packet is accepted as local but before it's handed off to tcp (or
udp) but that seemed a riskier option.

Perhaps the PF_OUT test for packets with local destination could be performed
in pf_route which would leave pf_test alone?

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Tue Jan 10 09:21:24 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Tue, 10 Jan 2023 09:21:24 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #9 from Kristof Provost ---
(In reply to dfr from comment #8)
We don't hit pf_route() in this scenario, so I don't think that'd help.

I'm going to have to find a bit of time to sit down and concentrate on this
before I can say something more useful. I hope to do so next week.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Tue Jan 10 11:19:52 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Tue, 10 Jan 2023 11:19:52 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: dfr@rabson.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #10 from dfr@rabson.org ---
You are right - in this case, r->rt will be NULL.

I'm not particularly advocating for my attempted fix but I do think this
feature is useful - I originally wanted this to work for 'publishing' ports in
podman/docker containers to the host which is a very common pattern in the
Linux world. Along the way, I noticed that bastillebsd uses the same kind of
redirect rule and is also affected.

Thanks for taking the time to look at this - it's been on my TODO list for
months and I'm just happy to see some progress.

-- 
You are receiving this mail because:
You are the assignee for the bug.
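
The DTrace output in comment #7 prints each state key with its addresses as raw s_addr values in hex. The following is an added example, not code from the thread or from FreeBSD: it decodes those lines and relates every pf_find_state lookup to the keys inserted before it. The function names and the little-endian capture host are assumptions.

```python
import re
import socket
import struct

# Constructed sample: the probe lines from the DTrace output in comment #7,
# with the CPU/ID columns and the kernel stack trace left out.
TRACE = """\
pf_find_state:entry 10200c0 -> 10200c0, 8080:40477 af 2 proto 6
pf_find_state:return => 0
pf_find_state:entry 10200c0 -> 10200c0, 40477:8080 af 2 proto 6
pf_find_state:return => 0
pf_state_insert:entry 10200c0 -> 10200c0, 40477:8080 af 2 proto 6
10200c0 -> 20200c0, 40477:8080 af 2 proto 6
pf_find_state:entry 20200c0 -> 10200c0, 8080:40477 af 2 proto 6
pf_find_state:return => 0
"""

# Mirrors the D script's format string "%x -> %x, %d:%d af %d proto %d".
KEY_RE = re.compile(r"([0-9a-f]+) -> ([0-9a-f]+), (\d+):(\d+) af \d+ proto \d+")

def decode_addr(hexval):
    # Assumption: little-endian capture host, so the network-order s_addr
    # prints byte-swapped under %x (192.0.2.1 shows up as 10200c0).
    return socket.inet_ntoa(struct.pack("<I", int(hexval, 16)))

def parse_key(line):
    """Return ((addr0, port0), (addr1, port1)) for a key line, else None."""
    m = KEY_RE.search(line)
    if m is None:
        return None
    a0, a1, p0, p1 = m.groups()
    return ((decode_addr(a0), int(p0)), (decode_addr(a1), int(p1)))

def mirror(key):
    """Swap the two endpoints of a key."""
    return (key[1], key[0])

def analyse(trace):
    """Walk the trace in order; relate each lookup to keys inserted before it."""
    inserted, results, pending = [], [], None
    for line in trace.splitlines():
        if "pf_find_state:return" in line:
            if pending is None:
                continue  # return without a matching entry line
            found = line.split("=>", 1)[1].strip() != "0"
            relation = ("exact" if pending in inserted
                        else "mirror" if mirror(pending) in inserted
                        else "none")
            results.append((pending, found, relation))
            pending = None
            continue
        key = parse_key(line)
        if key is None:
            continue  # column header or stack-trace line
        if "pf_find_state:entry" in line:
            pending = key
        else:
            inserted.append(key)  # pf_state_insert line or its continuation
    return inserted, results

if __name__ == "__main__":
    for key, found, relation in analyse(TRACE)[1]:
        print(key, "found" if found else "not found", relation)
```

On the sample, the last lookup (192.0.2.2:8080 -> 192.0.2.1:40477) comes out as the mirror of the redirected key inserted earlier and is still not found.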