From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: Michal Buchtik
Cc: freebsd-pf
Date: Wed, 27 Aug 2008 12:29:38 -0700
Subject: Re: ALTQ and shaping an existing session
Message-ID: <20080827192938.GA1711@icarus.home.lan>
In-Reply-To: <1219864968.1536.14.camel@manwe.buchtikov.borsice.sfn>
References: <64de5c8b0808270347p2d8cf9ccydd63cae3b1ea6a14@mail.gmail.com> <1219864968.1536.14.camel@manwe.buchtikov.borsice.sfn>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Wed, Aug 27, 2008 at 09:22:48PM +0200, Michal Buchtik wrote:
> Rajkumar S wrote on Wed 27. 08. 2008 at 16:17 +0530:
> > The problem is that even when a new ip is added to or removed from
> > already existing sessions from the newly added ip continues
> > to have previous shaping configuration. All new sessions are shaped as
> > expected. I have tried rules without "keep state", but results are the
> > same. Is this the expected behavior of pf? Can the shaping be
> > performed for existing sessions also when an ip is added to ?
>
> I have the same problem. The only way I found is to kill existing states of
> affected ip's. But this is uncomfortable for users. Is there another
> solution?

It sounds like the root of this problem is that "flags S/SA" is implicit
on RELENG_7 for TCP rules. "keep state" is also implicit (on TCP, UDP,
and ICMP rules).

The only solutions I see, both of which have consequences:

1) Use "flags any", but this *is not* something you would want to use in
conjunction with "keep state", since you only want to cause pf to begin
tracking state when SYN or SYN+ACK is set, and not on FIN, RST, or other
combinations. There is probably some combination of rules you could set
up which could utilise "flags any" correctly, but the risks are high.

2) Add "no state" to rules you want shaping to occur on. This has the
added drawback of pf not being able to keep track of state on such
packets (performance hit), and you'll need to tune your pf rules to
match on traffic going both directions (since there's no longer a state
kept).

Max, does this sound correct?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
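As an added illustration of the two forms discussed above (this is a constructed pf.conf fragment, not configuration posted by anyone in the thread), the stateful rules below pick a queue once, for the packet that creates the state, so a later change to the address table leaves in-flight sessions in whatever queue they started in; the "no state" rules from option 2 are evaluated for every packet, so a table change takes effect immediately, at the price of no state tracking and of explicit rules for the reply direction. The interface name, bandwidths, queue names and the table name <shaped> are assumptions.

```pf
# Constructed example, not from the mailing-list thread. Interface,
# bandwidths, queue names and the <shaped> table name are assumptions.
ext_if = "em0"

# Addresses to be shaped; maintained at runtime with
#   pfctl -t shaped -T add 192.0.2.10
#   pfctl -t shaped -T delete 192.0.2.10
table <shaped> persist

# ALTQ on the outbound interface: one default queue and one capped queue.
altq on $ext_if cbq bandwidth 10Mb queue { q_default, q_shaped }
queue q_default bandwidth 9Mb cbq(default)
queue q_shaped  bandwidth 1Mb cbq

# --- Stateful form -----------------------------------------------------
# On RELENG_7 "flags S/SA" and "keep state" are implicit on TCP rules, so
# the ruleset is consulted only for the SYN that opens a connection. The
# queue chosen at that moment is recorded in the state entry, and later
# additions to <shaped> do not revisit existing states. Sessions already
# open must be flushed (e.g. pfctl -k 192.0.2.10) before they move queues.
pass out on $ext_if proto tcp from any to <shaped> queue q_shaped
pass out on $ext_if proto tcp from any to any      queue q_default

# --- Stateless form (option 2 in the reply) ---------------------------
# Every packet is matched against the ruleset, so a table change applies
# to sessions already in progress. No state means no automatic pass for
# replies, so both directions need explicit rules, and the packets are
# no longer protected by state tracking.
pass out on $ext_if proto tcp from any to <shaped> queue q_shaped no state
pass in  on $ext_if proto tcp from <shaped> to any queue q_shaped no state
```

Only one of the two forms would be loaded in practice; they are shown together to make the difference visible. With the stateful form, `pfctl -s states` shows the queue a session was assigned when it was created, which is the quickest way to confirm why a newly added address is still being served from the old queue.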