From: Max Laier
To: freebsd-pf@freebsd.org, yongari@kt-is.co.kr
Cc: gtg062h@mail.gatech.edu
Date: Mon, 6 Dec 2004 15:23:09 +0100
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-Id: <200412061523.21530.max@love2party.net>
In-Reply-To: <20041206024700.GA744@kt-is.co.kr>

On Monday 06 December 2004 03:47, Pyun YongHyeon wrote:
> On Sun, Dec 05, 2004 at 07:17:05PM -0500, Josh Kayse wrote:
> > [...]
>
> > I managed to get your patch to apply to FreeBSD RELENG_5.
> >
> > I have a question about the bridge_fragment function though. Would
> > this prevent packets from linux NFS clients from working, the
> > fragmented ones with the DF flag set? Thanks for any information.
>
> I guess this has nothing to do with bridge. AFAIK, linux is known
> to generate fragmented packets with DF bit set. Normally, scrub
> rule of pf drops the fragmented packet that was told not to
> fragment (i.e. DF bit set)
> You may need an additional option "no-df" to pass the packet in
> scrub rule.
>
> > I'll post the patch later if anyone wants it. It hasn't been
>
> Great! I believe, your patch would be quite useful to FreeBSD
> pf/ipf users.
>
> > thoroughly tested but is currently running on a bridge setup in my
> > test lab with my work machine behind it.
>
> One note, don't be fooled by "netstat -m" output after patching your
> system. Its statistics were broken on 5.3R. For instance, on my P3 SMP:
>
> 19926 mbufs in use
> 4294938777/19136 mbuf clusters in use (current/max)
> ^^^^^^^^^^^^^^^^
> 0/4/5040 sfbufs in use (current/peak/max)
> 4142247 KBytes allocated to network
> ^^^^^^^^^^^^^^
> 0 requests for sfbufs denied
> 0 requests for sfbufs delayed
> 0 requests for I/O initiated by sendfile
> 270 calls to protocol drain routines

$ vmstat -z | grep -i mbuf

Has atomic counters that should[tm] be correct. So double-check with that
command.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
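
Added example, not part of the original message or of FreeBSD: a small sanity check that flags "netstat -m" lines whose current value exceeds the stated maximum, run over the lines quoted above. The 32-bit counter width and the signed reinterpretation are assumptions made for illustration; the function names are hypothetical.

```python
import re

# Constructed input: the "netstat -m" lines quoted in the message above.
SAMPLE = """\
19926 mbufs in use
4294938777/19136 mbuf clusters in use (current/max)
0/4/5040 sfbufs in use (current/peak/max)
4142247 KBytes allocated to network
"""

# Matches lines such as "A/B what (current/max)" or "A/B/C what (current/peak/max)".
LINE_RE = re.compile(r"\s*(\d+(?:/\d+)+)\s+(.*?)\s*\(([\w/]+)\)\s*$")


def as_int32(value):
    """Reinterpret a value as a signed 32-bit integer (assumed counter width)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def suspicious_lines(text):
    """Return (line, current, max, signed_current) for impossible counters."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plain single-value lines carry no max to compare against
        values = [int(v) for v in m.group(1).split("/")]
        labels = m.group(3).split("/")
        if len(values) != len(labels):
            continue
        fields = dict(zip(labels, values))
        current, limit = fields.get("current"), fields.get("max")
        if current is None or limit is None:
            continue
        if current > limit:
            # A "current" above "max" cannot be a real allocation count.
            findings.append((line.strip(), current, limit, as_int32(current)))
    return findings


if __name__ == "__main__":
    for line, current, limit, signed in suspicious_lines(SAMPLE):
        print(f"implausible: {line!r} (current={current}, max={limit}, "
              f"as signed 32-bit: {signed})")
```

A flagged line is a cue to cross-check with the vmstat -z command mentioned above rather than to trust either number from netstat -m.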