Re: performance impact of excessive use of the "quick" keyword in pf.conf?
* Peus, Christoph <christoph.p...@uni-wh.de> [2015-06-15 20:40]:
> I'm currently planning for a complete reorganization i.e. rewrite of a
> historically grown pf.conf of about 300 rules. Up to now each and every rule
> uses the "quick" keyword, which effectively turns the "last match" concept of
> pf into a "first match" one. Does that make any sense?

mostly a matter of personal preference. quick performs slightly better
obviously; I highly doubt w/ just 300 rules you'll even get a measurable
difference tho.

> Of course.. as evaluation stops at a matching rule with "quick" one may expect
> that the average time it takes to decide whether a packet is passed or blocked
> is significantly lower and therefore overall performance of pf will be better
> with always using "quick". But is this true?

depends on your definition of significant :)

> Does this make sense if the CPUs
> are idling most of the time? Are there any rules of thumb when to use "quick"
> and when to avoid it?

in general, don't worry too much about performance impact from the way you
write your rules. in 99+% of the cases pf is so efficient that it doesn't
matter anyway, and the ruleset optimizer, skip steps et al do their job so
that you can concentrate on a ruleset optimized for the human dealing with
it, not the machine.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
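The "last match" versus "quick" distinction in the exchange above, as an added model that is not pf code and not part of the thread: a tiny evaluator that walks a rule list the way pf does (last matching rule wins, unless the matching rule is quick, which ends evaluation), plus the reversal that turns a last-match ruleset into an equivalent all-quick one. The ruleset, packets and match fields (proto, src, dport only) are constructed for the example.

```python
# Added example (not from the thread, not pf code): a small model of how pf
# picks the winning rule.  Rules are evaluated top to bottom; without "quick"
# the LAST matching rule wins, with "quick" evaluation stops at that rule.
# A last-match ruleset becomes an equivalent first-match (all-quick) ruleset
# when its order is reversed, which is what to_first_match() does.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    quick: bool = False
    proto: Optional[str] = None     # None means "any"
    src: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        wanted = (("proto", self.proto), ("src", self.src), ("dport", self.dport))
        return all(w is None or pkt.get(k) == w for k, w in wanted)


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, int, Optional[int]]:
    """Return (decision, number of rules evaluated, index of the winning rule).

    With no matching rule the packet passes: pf's implicit default rule is a pass.
    """
    decision, winner, evaluated = "pass", None, 0
    for i, rule in enumerate(rules):
        evaluated += 1
        if rule.matches(pkt):
            decision, winner = rule.action, i
            if rule.quick:          # "quick": stop here, this rule wins
                break
    return decision, evaluated, winner


def to_first_match(rules: List[Rule]) -> List[Rule]:
    """Equivalent all-quick ruleset: reverse the order and mark every rule quick."""
    return [Rule(r.action, True, r.proto, r.src, r.dport) for r in reversed(rules)]


def decisions_agree(a: List[Rule], b: List[Rule], packets: List[dict]) -> bool:
    """True when both rulesets reach the same pass/block verdict for every packet."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in packets)


# Constructed last-match ruleset, in pf.conf reading order:
#   block all
#   pass proto tcp to port 22
#   pass proto tcp to port 80
#   block from 10.0.0.66        (a misbehaving host, blocked regardless of port)
LAST_MATCH = [
    Rule("block"),
    Rule("pass", proto="tcp", dport=22),
    Rule("pass", proto="tcp", dport=80),
    Rule("block", src="10.0.0.66"),
]
FIRST_MATCH = to_first_match(LAST_MATCH)

# Constructed sample packets.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dport": 22},
    {"proto": "tcp", "src": "10.0.0.66", "dport": 22},
    {"proto": "udp", "src": "10.0.0.7", "dport": 53},
]

if __name__ == "__main__":
    for pkt in PACKETS:
        last = evaluate(LAST_MATCH, pkt)
        first = evaluate(FIRST_MATCH, pkt)
        print("%s: last-match %s after %d rules, quick %s after %d rules"
              % (pkt, last[0], last[1], first[0], first[1]))
```

Both forms give the same verdict for every packet; the quick form stops early for packets that hit a late rule (the blocked host is decided after one rule instead of four), while a packet that only the catch-all block covers still walks the whole list. That is the "slightly better" of the reply, and why ordering for readability matters more than the keyword with a few hundred rules.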
Re: OpenBGPD 5.4 - No route received when neighbor from a AS is down
* Michel Blais <mic...@targointernet.com> [2015-05-07 17:59]:
> I have 2 BGP peers from different providers (AS5769 and AS22652). It has
> happened 2 times that I was not able to ping my neighbor ($peervid1) at
> AS5769 connected to em1 but was still able to ping the AS22652 neighbor on
> em1 ($peerfibn1). The bug is that when it happens, I don't have any external
> routes in the RIB. If I check neighbors via bgpctl show, I see that AS22652
> is connected since the last column shows a number while the last column for
> AS5769 alternates between active and connecting.

sounds like your routes from AS22652 aren't considered valid, could be due
to the nexthop. bgpctl show rib / show nexthops should give clues.
Re: help with bgpd error messages
* Marko Cupać <marko.cu...@mimar.rs> [2015-05-06 12:01]:
> I am on 5.7 release + errata patches now, and bgpd crashed again:
>
> May 6 10:06:07 bgp1 bgpd[11681]: neighbor 82.117.192.121 (sbb): sync error
>
> I guess bug is not solved in 5.7 release then. Maybe 5.7 stable? Sigh.

THERE IS NO BUG.

As I told you before, sync error means the first 16 bytes of the BGP
message aren't all-ones as required by the Standards. Either the equipment
on the other side is severely broken or something is very screwed up with
the network in between.

> bgp packets. Regardless of that, I think bgpd shouldn't just shutdown itself
> no matter what payload it gets?

the later shutdown indeed shouldn't happen.
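What "sync error" actually checks, as an added example that is not bgpd's code and not part of the thread: the fixed 19-byte BGP message header (RFC 4271, section 4.1) starts with a 16-byte marker that must be all ones, followed by a 2-byte length and a 1-byte type. The validator below rejects a message whose marker is not all ones and shows why one bad header desynchronizes the whole stream: after it, there is no trustworthy length field to find the next message. The byte strings are constructed; the type-5 ROUTE-REFRESH value comes from RFC 2918.

```python
# Added example (not bgpd code): validate the fixed 19-byte BGP message header
# from RFC 4271 section 4.1.  The 16-byte marker must be all ones; a marker
# that is not is exactly what bgpd reports as "sync error".
import struct
from typing import List, Tuple

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19        # marker (16) + length (2) + type (1)
BGP_MAX_LEN = 4096
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE",
             5: "ROUTE-REFRESH"}   # type 5 is from RFC 2918


def check_header(data: bytes) -> Tuple[str, int]:
    """Return (type name, declared length) or raise ValueError with the reason."""
    if len(data) < BGP_HEADER_LEN:
        raise ValueError("short header: %d bytes" % len(data))
    marker, length, msg_type = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("sync error: marker is not all-ones")
    if not BGP_HEADER_LEN <= length <= BGP_MAX_LEN:
        raise ValueError("bad message length %d" % length)
    if msg_type not in BGP_TYPES:
        raise ValueError("unknown message type %d" % msg_type)
    return BGP_TYPES[msg_type], length


def walk_stream(stream: bytes) -> List[str]:
    """Split a byte stream into messages, stopping at the first bad header.

    Returns one description per message; the last entry is the error if one
    was hit.  Once the marker is wrong the length field cannot be trusted, so
    there is no reliable way to find the next message boundary: the session
    is out of sync, which is why a speaker tears it down.
    """
    out, pos = [], 0
    while pos < len(stream):
        try:
            name, length = check_header(stream[pos:])
        except ValueError as e:
            out.append("error at offset %d: %s" % (pos, e))
            break
        out.append("%s (%d bytes)" % (name, length))
        pos += length
    return out


def bgp_message(msg_type: int, payload: bytes = b"") -> bytes:
    """Build a well-formed header (+ payload) for the constructed samples below."""
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(payload), msg_type) + payload


# Constructed samples: two good KEEPALIVEs, then 19 bytes whose marker has
# been overwritten with zeros, then another good KEEPALIVE that is never reached.
KEEPALIVE = bgp_message(4)
GARBLED = b"\x00" * 16 + struct.pack("!HB", BGP_HEADER_LEN, 4)
STREAM = KEEPALIVE + KEEPALIVE + GARBLED + KEEPALIVE

if __name__ == "__main__":
    for entry in walk_stream(STREAM):
        print(entry)
```

When a peer logs this, the useful next step is a packet capture of the session on both sides: the reply's two explanations (a broken peer, or something in between rewriting the TCP stream) are told apart by whether the bytes on the wire already differ from what the peer sent.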
Re: How pf chooses nics on bridges?
* Listas IT <listas...@dna.uba.ar> [2015-04-28 21:20]:
>>> Why is it that blocked packets appear sometimes on fxp0 and sometimes on
>>> vether0?
>> it's simply the interface the packet came in on.
> Thank you. I get that. The question is why sometimes it logs fxp0 and
> sometimes is vether0 as both are the same physical nic?

it logs whatever the receiving interface is, as set by the lower layers of
the stack. why that is sometimes vether and sometimes the underlying if I
can't tell w/o code digging.
Re: How pf chooses nics on bridges?
* Listas IT <listas...@dna.uba.ar> [2015-04-28 11:25]:
> We have a 5.6-stable box doing transparent filtering with pf. block log all
> is default on ruleset. The bridge is composed of fxp0 and vether0 on int net
> 192.168.192/23 and xl0 (internet). While doing normal work pflog0 shows this:
>
> 06:19:08.497855 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
> 06:19:08.546275 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
> 06:19:08.582708 rule 17/(match) block in on fxp0: 192.168.192.146.61276 > 23.202.94.13.80: tcp 0 (DF)
> 06:19:08.869587 rule 17/(match) block in on vether0: 192.168.193.12.2103 > 77.234.44.77.443: tcp 0 (DF)
> 06:19:08.872942 rule 17/(match) block in on vether0: 192.168.193.12.2104 > 77.234.42.76.443: tcp 0 (DF)
> 06:19:09.000769 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
> 06:19:09.046083 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
>
> vether0 is 192.168.192.119 ie in the same net as fxp0 and def gw for the
> net. There are no static rules for any of those destination sites. Why is it
> that blocked packets appear sometimes on fxp0 and sometimes on vether0?

it's simply the interface the packet came in on.
Re: OpenBGPd Route Server
* Stuart Henderson <s...@spacehopper.org> [2015-04-16 22:41]:
> (filtering is just slow rather than buggy afaik; but then AIUI this wasn't
> supposed to be the final implementation of filters ;)

amazing how long temporary solutions can last...
RIP Paul Schenkeveld
It is very sad to have to communicate that our friend, Paul Schenkeveld,
has passed away.

Just recently Paul held a tutorial at AsiaBSDcon 2015; as we know he
enjoyed - or rather lived for - BSD conferences. He was particularly proud
of the 2011 EuroBSDcon in Maarssen, for which he was the prime organizer.
The Stichting EuroBSDcon (the Foundation behind every EuroBSDcon since
then) came to life in the aftermath of the 2011 con, Paul was the driving
force. He always wanted to create a community event for everybody involved
with the BSDs, in particular, he always wanted EuroBSDcon to be a
conference for ALL the BSD-derived Operating Systems, in a fair and
balanced way. This desire last not least led him to get me on the
foundation board.

Let us remember him for his enthusiasm, his warm and open nature, his
endless desire to help where possible, and his accomplishments.

Just two weeks ago I had a very long, private conversation with him in
Tokyo. I can't believe this should have been the last time to talk to
each other. I've lost a great friend.

Rest in peace, Paul.
Re: pflog0 showing traffic for rule with no logging requested
* Martin Gignac <martin.gig...@gmail.com> [2015-02-24 14:46]:
> 08:24:27.831052 rule 1/(match) pass in on vlan308: 10.120.108.2 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
> 08:26:36.645149 rule 1/(match) pass in on vlan308: 10.120.108.2 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
>
> Two things which I don't understand:
>
> 1. Why is pflog0 showing packets for a rule (1:pass all flags S/SA) that
> does not even have logging enabled?

pf forces a drop of some packets. I. e. those matching a state but failing
the tcp sequence number against the window check, or with ip options set,
or fragments if defrag is turned off (on by default) and there is no rule
specifically matching fragments. since these have no rule to refer to, they
refer to the default rule, which happens to be a pass one. and that pass is
shown. can admittedly be misleading.
Re: CPU criteria for OpenBSD firewall
* ML mail <mlnos...@yahoo.com> [2015-02-18 23:32]:
> Stupid question but if you would have to choose between two different Intel
> CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all /24 networks
> behind and around 50-60 Mbit/s average traffic would you rather choose the
> CPU with higher Frequency and less cores or for a CPU with lower frequency
> but more cores?

The #1 criterion is memory bandwidth and even more so latency. Thus, more
cache helps. Then it's the speed of a single core. Our kernel is mostly
biglocked still, so almost everything is going to run on CPU (core) 0.
There is ongoing work to unlock at least parts of the network stack to
profit from multiple cores, but that doesn't help you right now, and even
then I'd be super surprised if the faster cores wouldn't win against more
cores, pushing packets isn't one of the workloads that is well suited for
MP, due to quite a lot of shared data structures (think routing table, pf
state table, ...).

> For example:
> - E5-2630Lv3, 20M Cache, 1.80 GHz, 8 cores:
> - E5-2637v3, 15M Cache, 3.50 GHz, 4 cores:

the latter.
Re: CPU criteria for OpenBSD firewall
* ML mail <mlnos...@yahoo.com> [2015-02-19 09:07]:
> I might also experiment if I should use bsd.mp or the standard non SMP bsd.

you'll want amd64, not i386. MP vs SP should make little difference, I use
the MP kernels these days.
Re: pf on 5.6: rule counter with proto esp not working
* Axel Rau <axel@chaos1.de> [2015-02-16 14:34]:
> I failed to setup a queue on outgoing esp traffic and noticed that the rule
> counters are all 0 and do not advance:
>
> @155 pass out quick on vlan2 inet proto esp from any to <road_worrier_nets:8> set ( queue vpn ) keep state (if-bound)
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
>   [ Inserted: uid 0 pid 28769 State Creations: 0 ]

this pretty damn certainly means that your traffic doesn't match that
rule. There is no proto specific handling at that stage.

> and...
>
> pass in on egress proto esp all
>   [ Evaluations: 47477 Packets: 2949816 Bytes: 1681517248 States: 1 ]
>   [ Inserted: uid 0 pid 11764 State Creations: 12]
Re: How to optimize PF queues handling?
* Federico Giannici <giann...@neomedia.it> [2015-02-04 01:11]:
> I have done an experiment: I replaced in every rule the "set queue XXX"
> with "tag XXX" (XXX is always different so the PF optimizer doesn't
> collapse multiple rules in tables). In this way we found that, leaving the
> same amount of filter rules and only removing the queue, the CPU used in
> interrupts decreased from about 55% to 15% (traffic was not full in that
> moment).

something is fishy here, since "queue foo" just tags, which coincidently is
very much like "tag foo" - really almost identical codewise.

since you're running 5.5, I'll assume ALTQ and thus the problem being gone :)
Re: How to optimize PF queues handling?
* Federico Giannici <giann...@neomedia.it> [2015-03-09 16:51]:
> On 03/09/15 15:24, Henning Brauer wrote:
>> * Federico Giannici <giann...@neomedia.it> [2015-02-04 01:11]:
>>> I have done an experiment: I replaced in every rule the "set queue XXX"
>>> with "tag XXX" (XXX is always different so the PF optimizer doesn't
>>> collapse multiple rules in tables). In this way we found that, leaving
>>> the same amount of filter rules and only removing the queue, the CPU used
>>> in interrupts decreased from about 55% to 15% (traffic was not full in
>>> that moment).
>>
>> something is fishy here, since "queue foo" just tags, which coincidently
>> is very much like "tag foo" - really almost identical codewise.
>
> OK, but only for the rules evaluation. Then, in the case of queues, all
> the bandwidths (maximum, granted, etc) must be evaluated. I think here is
> the difference and the slow code.

huh. then there's sth pretty damn inefficient with a high # of queues.

>> since you're running 5.5, I'll assume ALTQ and thus the problem being
>> gone :)
>
> Yes, 5.5 but using the new queues definition (not oldqueue).

damn. that means it is something I should look into.

> Are you saying that the queues code has been replaced AFTER 5.5?

I'm really demonstrating that I often forget which release had what, 5.5
is already long ago...
Re: pf queuing and dropped packets
Hey,

* Daniel Melameth <dan...@melameth.com> [2015-01-23 22:38]:
> I noticed the following when downloading a large file:
>
> queue tcp_ack parent root on fxp0 bandwidth 2M qlimit 50
>   [ pkts: 289461 bytes: 15631434 dropped pkts: 16 bytes:864 ]
>   [ qlength: 0/ 50 ]
>   [ measured: 3660.9 packets/s, 1.58Mb/s ]
>
> While the number of dropped packets is very small and probably
> insignificant, I would have expected zero dropped packets as little else
> is competing for the ~12Mbps that's available in the parent queue/circuit.
> I thought this might be related to qlength, but since this is, apparently,
> zero during the time of the download I'm not certain what would be causing
> this. What might I be missing here and how do I resolve (I don't want to
> set a min here if it can be avoided).

First, get over the misconception that dropped packets are bad. The
opposite is almost true. With tcp, dropping a packet signals the sender to
slow down.

You're seeing the few dropped packets because your queue at some time hit
its limits. Comparing an ever-growing counter (drops) with an averaged,
somewhat current rate can be very misleading.

> FWIW, net.inet.ip.ifq.drops=0.

100% unrelated.
Re: Mapping pf syslog rule numbers to lines in pf.conf
* James Shupe <jsh...@hermetek.com> [2015-01-26 21:47]:
> On 1/26/2015 2:42 PM, Alan McKay wrote:
>> I have some firewall blocks I want to investigate and of course they are
>> reported as matching a specific rule number - but I am not sure how to
>> map that back to a line in my pf.conf
>
> pfctl -sr -R rulenum
>
> pfctl -vvsr is the usual way, shows all rules prefixed w/ the rule #, as
> well as some per-rule counters. Further details can be found in the man
> page.

indeed :)
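Joining the two outputs discussed in this thread, as an added example that is not part of the thread and not pfctl's own parser: the "rule 17/(match)" field in pflog output (as in the bridge thread above) is the same number that pfctl -vvsr prints as "@17" in front of each rule, followed by the "[ Evaluations: ... ]" counter line seen in the esp thread. The script parses both formats and annotates every log line with the rule text it matched, which is the usual first step when investigating a block. Both the pfctl output and the log lines are constructed for the example (the rule texts, PIDs and addresses are invented).

```python
# Added example (not from the thread, not pfctl code): tie pflog lines back to
# the rule they matched.  "rule N/(match)" in pflog output is the rule number
# that "pfctl -vvsr" prints as "@N"; parse both and join them.
import re
from collections import Counter
from typing import Dict, List, Optional

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTERS_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
# tcpdump -e -n -i pflog0 style line:
#   <time> rule <n>/(<reason>) <action> <dir> on <iface>: <src> > <dst>: <rest>
PFLOG_RE = re.compile(
    r"^(?P<time>\S+)\s+rule\s+(?P<rule>\d+)/\((?P<reason>[^)]+)\)\s+"
    r"(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")


def parse_pfctl_rules(text: str) -> Dict[int, dict]:
    """Parse 'pfctl -vvsr' style output into {rule number: {text, counters}}."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            current = {"text": m.group(2), "evaluations": 0, "packets": 0,
                       "bytes": 0, "states": 0}
            rules[int(m.group(1))] = current
            continue
        c = COUNTERS_RE.search(line)
        if c and current is not None:     # counter line belongs to the rule above
            current.update(evaluations=int(c.group(1)), packets=int(c.group(2)),
                           bytes=int(c.group(3)), states=int(c.group(4)))
    return rules


def parse_pflog_line(line: str) -> Optional[dict]:
    """Fields of one pflog line, or None when the line has another shape."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    return d


def explain(log_lines: List[str], rules: Dict[int, dict]) -> List[str]:
    """One readable line per pflog entry, with the text of the rule it matched."""
    out = []
    for line in log_lines:
        e = parse_pflog_line(line)
        if e is None:
            continue
        rule = rules.get(e["rule"])
        text = rule["text"] if rule else "<rule not in current ruleset>"
        out.append("%s %s on %s %s -> %s  <=  @%d %s" % (
            e["action"], e["dir"], e["iface"], e["src"], e["dst"], e["rule"], text))
    return out


def blocks_per_interface(log_lines: List[str]) -> Dict[str, int]:
    """How many logged blocks arrived on each interface."""
    c = Counter()
    for line in log_lines:
        e = parse_pflog_line(line)
        if e and e["action"] == "block":
            c[e["iface"]] += 1
    return dict(c)


# Constructed 'pfctl -vvsr' output and pflog lines (same shape as the
# thread's, invented values and documentation-range addresses).
PFCTL_OUTPUT = """\
@0 pass in quick on em0 inet proto tcp from any to any port = 22 flags S/SA
  [ Evaluations: 1200 Packets: 300 Bytes: 24000 States: 3 ]
  [ Inserted: uid 0 pid 100 State Creations: 12 ]
@17 block drop log in inet proto tcp from 192.168.192.0/23 to any
  [ Evaluations: 900 Packets: 45 Bytes: 2700 States: 0 ]
  [ Inserted: uid 0 pid 100 State Creations: 0 ]
"""
PFLOG_LINES = [
    "06:19:08.497855 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 198.51.100.65.80: tcp 0 (DF)",
    "06:19:08.546275 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 198.51.100.76.443: tcp 0 (DF)",
    "06:19:09.000769 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 198.51.100.65.80: tcp 0 (DF)",
    "06:19:09.100000 rule 0/(match) pass in on em0: 203.0.113.9.51000 > 192.168.192.1.22: tcp 0 (DF)",
]

if __name__ == "__main__":
    for line in explain(PFLOG_LINES, parse_pfctl_rules(PFCTL_OUTPUT)):
        print(line)
    print(blocks_per_interface(PFLOG_LINES))
```

Rule numbers are only meaningful against the ruleset that was loaded when the log line was written; after a pfctl -f reload they can shift, so capture pfctl -vvsr output alongside the logs rather than mapping old logs against a newer ruleset.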
Re: [Tor-BSD] Recognizing Randomness Exhaustion
* Libertas <liber...@mykolab.com> [2015-01-02 06:25]:
> I've tuned PF parameters in the past, but it doesn't seem to be the issue.
> My current pfctl and netstat -m outputs suggest that there are more than
> enough available resources and no reported failures.

just a sidenote, it is safe to bump the default state limit, very far even
on anything semi-modern. the default limit of 10k states is good for
workstations and the like or tiny embedded-style deployments. I've gone up
to 2M, things get a bit slow if your state table really is that big but
everything keeps working.

> I remember someone on tor-...@list.nycbug.org suggesting that it could be
> at least partially due to PF being slower than other OS's firewalls.

I feel offended :)
Pretty certainly not.

> However, we're now finding that a profusion of gettimeofday() syscalls may
> be the issue. It was independently discovered by the operator of IPredator,
> the highest-bandwidth Tor relay:
>
> https://ipredator.se/guide/torserver#performance
>
> My 800 KB/s exit node had up to 7,000 gettimeofday() calls a second, along
> with hundreds of clock_gettime() calls.

those aren't all that cheap...
Re: Shadow TCP stacks
* Ian Grant <ian.a.n.gr...@googlemail.com> [2014-10-20 01:02]:
> On Sun, Oct 19, 2014 at 1:40 AM, Giancarlo Razzolini
>> I believe that OpenBSD does that. But don't expect them to add a security
>> through obscurity layer to their kernel because I guess they wont.
>
> Well, they don't have a choice, because OpenBSD is open source, or haven't
> you heard?

OpenBSD being open source does not imply that you decide what we ship...
Re: NetMap in OpenBSD
* Mikael <mikael.tr...@gmail.com> [2014-10-14 10:24]:
> NetMap (http://info.iet.unipi.it/~luigi/netmap/) in OpenBSD would be a
> great idea.

for what? to create even more broken userland networking stuff?

We kinda like our stack.

> What's the interest out there for NetMap on OBSD?

roughly somewhere between 0 and zero.
Re: NetMap in OpenBSD
* Mikael <mikael.tr...@gmail.com> [2014-10-14 14:57]:
> 2014-10-14 11:02 GMT+02:00 Henning Brauer <hb-open...@ml.bsws.de>:
>> * Mikael <mikael.tr...@gmail.com> [2014-10-14 10:24]:
>>> NetMap (http://info.iet.unipi.it/~luigi/netmap/) in OpenBSD would be a
>>> great idea.
>>
>> We kinda like our stack.
>
> Of course, OBSD has a very good stack as it is, but it has no NetMap
> functionality

yeah, and that is good. netmap bypasses the stack and you look at
reimplementing the stack in userland, repeating mistakes, bugs and whatnot
from many decades.

> i.e. there's no way for a userland application to do high speed
> packet-level IO.

there are plenty of methods actually.
userland reimplementing the stack for the sake of speed is beyond idiotic.
i rather spend the time to make the stack even faster than it already is.

> There is a whole world of need of network monitoring and manipulation and
> other specialized networking software.

I read a collection of buzzwords with nothing specific.
A solution in dire need of a problem.
Re: NetMap in OpenBSD
* Mikael <mikael.tr...@gmail.com> [2014-10-14 16:35]:
> 2014-10-14 16:15 GMT+02:00 Henning Brauer <hb-open...@ml.bsws.de>:
>>> i.e. there's no way for a userland application to do high speed
>>> packet-level IO.
>> there are plenty of methods actually.
>
> Like what?

bpf, for example. but since you still don't mention what problem you're
trying to solve...

>> userland reimplementing the stack[...]
>
> I didn't necessarily/specifically suggest that.

but that's what you effectively HAVE TO DO with netmap, unless you're
creating some layer2 bridge (which belongs in kernel space), or just want
to listen (there is bpf for that).

>>> There is a whole world of need of network monitoring and manipulation
>>> and other specialized networking software.
>> I read a collection of buzzwords with nothing specific.
>> A solution in dire need of a problem.
>
> Will be more clear on this one following your response.
>
> Last for completing reflections - Most devices in a system can be accessed
> with good performance from userland as it is now, for instance block
> devices, USB, serial ports, video and audio. Ethernet is a rare exception
> and NetMap solved this in a neat way -

bollocks. foremost, in almost all cases you don't speak ethernet, you speak
IP (just like you don't speak USB to access a umass in userland).

> Prior to NetMap, those who wanted to make high-performance ethernet IO in
> userland would run their app as root and effectively implement NIC
> hardware drivers in userland. NetMap generalized this entire problem to
> one hardware-agnostic interface.

ok, still bla bla without a use case, not even speaking about a valid one
or one that is common enough to push yet another network subsystem into the
kernel. still stinks like a solution in need of a problem.

netmap is luigi's research framework, and he used it for some cool research
and sure will do so more in the future. no more, no less.

All this stack bypassing and (partial and buggy) reimplementation in
userland baloney has to stop.
Introducing interop and security issues just to look a little better in
made up microbenchmarks, without any real world relevance, what an awesome
deal.

The time needed to port netmap (which includes touching EVERY NIC driver)
plus the time for the fruitless attempt to get IP processing close to right
in userland to make a specific application a little faster is spent much
better improving the network stack itself - for all applications.
Re: NetMap in OpenBSD
* Henning Brauer <hb-open...@ml.bsws.de> [2014-10-14 20:52]:
> netmap is luigi's research framework, and he used it for some cool research
> and sure will do so more in the future. no more, no less.

I should clarify: I am aware of a few use cases that profit enormously from
netmap.

Let's look at what netmap really is, pardon some slight inaccuracies for
the sake of clarity: netmap is a ring buffer shoveling raw packets from the
NIC's RX ring into userland and vice versa (to the TX ring of course). As
such it is similar to BPF, but bpf does more, which is one reason why
netmap is faster.

Now these use cases are relatively rare; introducing yet another interface
that is somewhat like an existing one doesn't come for free - neither is
the porting work done by sending an email to misc, nor is maintenance free.
IPX and appletalk have their use cases too, and yet we deleted them -
because they are too rare to justify the maintenance burden.

Now if you want to spend time on improving these few use cases, that time
is much better spent improving the existing interface imo - with all the
existing consumers profiting. There's plenty of room without changing
anything userland visible, esp. the no-filter case can probably speed up
significantly without too much effort. Might even bring some ideas from
netmap in (some would probably require minimal adjustments for existing
consumers to profit, still way less effort than converting to a new
interface).

And let me repeat: all attempts to reimplement the IP stack in userland are
not smart, heck, even dangerous. Not all cases fall into that category, but
working w/ and in the network stack for more than a decade, I keep thinking
I have a pretty good idea on what great ideas some people end up with.

Luigi and I discussed netmap before, at length. We even mostly agree, it's
for some very specific cases only. We disagree on the question whether it
belongs into a general purpose OS kernel, plus, as I keep mentioning - it's
not done by porting it, there is ongoing maintenance - our manpower is
limited and we're not remotely out of ideas on how to improve networking
for everyone.

Now pardon me, beer is calling :)
Re: NAT logging and limits using pf
* Stuart Henderson <s...@spacehopper.org> [2014-10-05 22:49]:
> Normal PF logging isn't particularly well-suited to CGNAT-type
> requirements, in order to record both the internal address and the nat
> mapping you need to log both the inbound and outbound packets and piece it
> together from the two separate log entries.

nope, pflog has both the original and the rewritten address(es).
Re: packet filter: question about parentheses around self
* Harald Dunkel <ha...@afaics.de> [2014-10-07 13:46]:
> A related question: I wonder how well (self) and (group) perform, compared
> to tables listing IP addresses? Is (self) evaluated every time for each
> rule using it, once per connection, in certain intervals, or only if one
> of the network interfaces are actually changed?

the latter, they are tables internally that get updated on changes.
Re: How does pkg_add know I'm tracking -stable?
* Joel Rees <joel.r...@gmail.com> [2014-09-23 10:12]:
> I've built both /usr/src and /usr/xenocara after updating to -stable, and
> I've updated /usr/ports to -stable, but there are no instructions to do a
> build at the top of /usr/ports. Can I assume that would be because you
> generally don't want to build the whole ports tree?

pretty much.

> I'm reading the faq, and looks like pkg_add doesn't have any option to
> tell it whether to add from -stable or -current or -release . There are
> warnings not to mix packages from -stable and -current ,

correct

> and I think it at indicates not to mix -stable and -release .

incorrect. -stable is -release + fixes, the entire point of -stable is that
it is 100% compatible with release - it just sees a few fixes.

> But I don't see any way to tell pkg_add which.

pkg_add doesn't know or care about release/stable/current/frankenstein.
The packages themselves are built against a certain set of libraries and
thus care (and pkg_add checks that). libraries don't change versions in
-stable, pretty much by definition. to a smaller extent the same applies to
syscalls and some other interfaces, but we get into nitpicking.

you tell pkg_add a source for your packages, that's it.

> It looks like pkg_add references and uses the ports directory

nope
Re: Queueing examples on pf.conf man page
* Zé Loff <zel...@zeloff.org> [2014-09-22 14:57]:
> Apologies in advance for reposting this, but I was afraid my original
> message would get overlooked left inside its original (and slightly
> unrelated) thread (pf queue max bug).
>
> pf.conf's man page shows some minor inconsistencies on the definition of
> queues. In some cases the queue parameters appear separated by commas:
>
> queue ssh parent std bandwidth 10M, min 5M, max 25M
>
> and in some cases without commas:
>
> queue ssh_interactive parent ssh bandwidth 10M min 5M
>
> Are both cases correctly parsed?

yes

> And even if so, should the man page be fixed for consistency?

I honestly don't see the point. Commas are optional in most places and
neither form (with/without) is preferred in any way.
Re: pf queue max bug
* Atanas Vladimirov <vl...@bsdbg.net> [2014-09-16 12:58]:
> As I said this was my working pf.conf for new queueing system on i386. I
> think that the problem is elsewhere. When you set the queue max bandwidth
> it must not exceed that value.

if the sums of the target bandwidth exceed interface speed or min/target
exceed max, all bets are off. fix your queue defs.
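A checker for the two conditions named in this reply, as an added example that is not pfctl's parser and not part of either queue thread: for every queue, min must not exceed the target bandwidth and the target must not exceed max, and the children of a queue must not together ask for more than the parent provides (the root queue's bandwidth standing in for the interface speed). It accepts the comma and no-comma spellings from the man page thread above equally, since commas are optional. The queue definitions are constructed; only bandwidth, min, max, qlimit, parent, on and default are understood, and percentages and burst specifications are deliberately not handled.

```python
# Added example (not pfctl code): sanity-check "queue" definitions in the
# post-5.5 pf.conf queueing syntax.  Enforces min <= bandwidth <= max per
# queue, and that the children of a queue do not request more bandwidth than
# the parent has.  Commas between parameters are optional and simply stripped.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_bandwidth(tok: str) -> int:
    """'10M' -> 10_000_000 bits/s; K/M/G suffixes as accepted by pf.conf."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError("bad bandwidth value %r" % tok)
    return int(m.group(1)) * UNITS[m.group(2)]


@dataclass
class Queue:
    name: str
    parent: Optional[str] = None
    iface: Optional[str] = None
    bandwidth: Optional[int] = None
    min: Optional[int] = None
    max: Optional[int] = None
    qlimit: Optional[int] = None


def parse_queue_line(line: str) -> Optional[Queue]:
    """Parse one 'queue ...' line; returns None for lines that are not queues."""
    toks = line.replace(",", " ").split()
    if len(toks) < 2 or toks[0] != "queue":
        return None
    q, i = Queue(name=toks[1]), 2
    while i < len(toks):
        key = toks[i]
        if key == "default":            # flag without a value
            i += 1
            continue
        if i + 1 >= len(toks):
            raise ValueError("missing value for %r in %r" % (key, line))
        val = toks[i + 1]
        if key == "parent":
            q.parent = val
        elif key == "on":
            q.iface = val
        elif key in ("bandwidth", "min", "max"):
            setattr(q, key, parse_bandwidth(val))
        elif key == "qlimit":
            q.qlimit = int(val)
        else:
            raise ValueError("unsupported keyword %r in %r" % (key, line))
        i += 2
    return q


def check_queues(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the definitions are consistent."""
    queues: Dict[str, Queue] = {}
    for raw in conf.splitlines():
        q = parse_queue_line(raw.strip())
        if q is not None:
            queues[q.name] = q
    errors = []
    for q in queues.values():
        if q.parent is not None and q.parent not in queues:
            errors.append("%s: parent %s is not defined" % (q.name, q.parent))
        if q.min is not None and q.bandwidth is not None and q.min > q.bandwidth:
            errors.append("%s: min %d exceeds bandwidth %d" % (q.name, q.min, q.bandwidth))
        if q.max is not None and q.bandwidth is not None and q.bandwidth > q.max:
            errors.append("%s: bandwidth %d exceeds max %d" % (q.name, q.bandwidth, q.max))
    for parent in queues.values():
        if parent.bandwidth is None:
            continue
        total = sum(c.bandwidth or 0 for c in queues.values() if c.parent == parent.name)
        if total > parent.bandwidth:
            errors.append("%s: children need %d b/s but parent offers %d"
                          % (parent.name, total, parent.bandwidth))
    return errors


# Constructed configurations; both comma and no-comma spellings appear.
GOOD = """\
queue std on em0 bandwidth 10M max 10M
queue ssh parent std bandwidth 2M, min 1M, max 5M
queue ssh_interactive parent ssh bandwidth 1M min 500K
queue bulk parent std bandwidth 8M max 10M default
"""
BAD = GOOD + "queue broken parent std bandwidth 1M min 2M max 500K\n"

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_queues(conf) or "ok")
```

The BAD configuration trips all three checks at once: the extra queue pushes the children of std to 11M against a 10M parent, and its own min and max are inconsistent with its target. Running a check like this before pfctl -f is cheaper than discovering in production that "all bets are off".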
Re: Pointers/reference
* Rodrigo Mosconi <open...@mosconi.mat.br> [2014-09-12 16:18]:
> I'm studying a discipline about Quality of service and traffic engineering,
> and I have to do a work about queuing disciplines on network devices. I
> need to choose a product and compare how their queuing policy is close
> enough to the Generalized Packet System. I would like to make this with
> OpenBSD, and I would like some pointers on where to look about the
> implementation to identify the model used.

pf.conf(5)
sys/net/hfsc.*
sys/net/if.*
sys/net/pf.c pf_ioctl.c
sbin/pfctl/*
Re: OpenBGPD not installing routes that happen to originate from the same ASN in another location into the RIB
* Gregory Edigarov <ediga...@qarea.com> [2014-09-12 20:28]:
> On 09/12/14 19:07, Henning Brauer wrote:
>> * Paul S. <cont...@winterei.se> [2014-08-28 11:19]:
>>> Earlier today, however, I discovered that routes that I'm announcing
>>> under the same ASN (in another location) are being received and put into
>>> the RIB -- but never into the kernel's FIB.
>>
>> that's correct behaviour, routes from the same AS aren't supposed to be
>> distributed via BGP but your IGP.
>
> IGP is correct solution in most cases, but it doesn't cover the situation
> when you need to accept a route originated from your remote location or a
> customer connected to your remote location. and your remote location is a
> few AS hops away from you.

That's not how BGP works.

> that's where 'allow-as in' come into play. although i would agree that it
> is a hack.

indeed.
Re: pfsync and trunk
* Tony Sarendal <t...@polarcap.org> [2014-09-03 06:48]:
> The initial request disappearing and the firewalls staying demoted forever
> are independent issues.

sure about that? the demotion counter for the interface group pfsyncX is
part of (usually carp) is kept raised until the bulk transfer finishes.
Re: PF Tagging
* andy a...@brandwatch.com [2014-09-02 21:12]:
> Hoping this is a pretty dumb question and someone can just shoot me down with an instant answer but is there any reason why I can't compare against multiple tags?

because list expansion for that case is not implemented in the parser. not hard to do at all...
Re: TCP checksum problems with NAT (maybe vlans/tun)
* Matt Hamilton ma...@netsight.co.uk [2014-09-06 14:11]:
> Based on the info above it would seem that the routing table thinks the packet should be routed to bnx0 based on the IP address. bnx0 supports HW tcp checksums, so the OS does not create the checksum itself. But the packet never goes out bnx0, it is picked up by the bridge and sent down tun0 instead. tun interfaces do not recompute the tcp checksum and so by the time the packet gets to my laptop the checksum has never been correctly calculated and my laptop ignores the packet. So what do we need to do to fix this? Is getting the tun interface to calculate the checksums the way to go?

seems like you manage to hit a case where the %*#^(*@!^(_! bridge confuzzles interfaces. AGAIN. did I mention the bridge has to die?
Re: pf: reassemble tcp
* Sonic sonicsm...@gmail.com [2014-09-05 17:12]:
> On Fri, Sep 5, 2014 at 4:42 AM, Kapetanakis Giannis bil...@edu.physics.uoc.gr wrote:
> > yeah, don't use reassemble tcp. it's not perfect.
> Isn't that default behavior?

hell, no.
Re: pf: reassemble tcp
* Kapetanakis Giannis bil...@edu.physics.uoc.gr [2014-09-06 00:50]:
> I'm asking about reassemble tcp. According to some 2010's threads in misc@ it used to cause problems to some users. I'm wondering what's the status now.

unchanged.
Re: OpenBGPD not installing routes that happen to originate from the same ASN in another location into the RIB
* Paul S. cont...@winterei.se [2014-08-28 11:19]:
> Earlier today, however, I discovered that routes that I'm announcing under the same ASN (in another location) are being received and put into the RIB -- but never into the kernel's FIB.

that's correct behaviour, routes from the same AS aren't supposed to be distributed via BGP but your IGP.
Re: pf block return sends rst through wrong interface
* Thomas Pfaff tpf...@tp76.info [2014-08-28 13:51]:
> I have a router with two external interfaces, ext_if1 and ext_if2, where everything gets routed through ext_if2 by default (gateway) except for a few daemons on ext_if1.
>
> pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
>     port ssh reply-to ($ext_if1 $ext_gw1)
>
> This seems to work as expected, sending return traffic through ext_if1 rather than the default gateway. The problem is when a connection attempt is made on $ext_if1 to a blocked port (set block-policy return). RST is sent through ext_if2 rather than ext_if1, thus showing up at the destination with the wrong source address. I'm unable to find a rule that will get the router to send RST through the correct interface, so other than using block-policy drop to not send RST, is there a way to make it send through the correct interface (ext_if1 in this case)?

pf-generated packets like these RSTs bypass the ruleset, thus never hit your reply-to. I'm not aware of a solution.

(route-to and reply-to are stupid to begin with. Avoid at all cost.)
Re: Help, please, understanding AHCI error on amd64
* Paul de Weerd we...@weirdnet.nl [2014-08-27 17:32]:
> On Wed, Aug 27, 2014 at 03:21:13PM +, Christian Weisgerber wrote:
> | On 2014-08-25, Dave Anderson d...@daveanderson.com wrote:
> | > Yup, time for a new disk. I'm off to do some research on who makes the most reliable ones these days. [Suggestions from anyone knowledgeable are welcome.]
> |
> | Here's a bold suggestion: Don't buy consumer drives.
>
> The guys that buy LOTS disagree.
> https://www.backblaze.com/blog/what-hard-drive-should-i-buy/

they ONLY use (and thus, compare) consumer drives, and they explain why. For them, the cost of losing a drive is smaller than the additional cost of better drives. That calculation goes differently for most people - IF the better (enterprise, 24x7, raid, NAS, whatever they call it today) are actually better than the consumer grade ones. Having a nontrivial (3-digit) amount of both, I don't really see a difference in reliability, but these numbers are too small for proper statistics and I haven't done any scientific examination, rather looking over our HDD tracking out of curiosity.
Re: etc56.tgz missing in SHA256[.sig]
* Martijn Rijkeboer mart...@bunix.org [2014-08-27 19:49]:
> The files http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256[.sig] don't have a hash for etc56.tgz and the etc56.tgz file is also older than the other base files. Is this an error or did I miss something?

the etc set goes away.
Re: New queueing system and HZ value limits
* Adam Thompson athom...@athompso.net [2014-08-21 19:13]:
> Unless I've mis-understood all the emails and reports about this, it affects low-bandwidth queues, not low-bandwidth interfaces. In other words, limiting traffic to 50Mbps on a 1Gb link will work fine, limiting it to 50kbps on the same link will not. Yes/no?

pretty much.
Re: named does not start?
* Christer Solskogen christer.solsko...@gmail.com [2014-08-22 08:20]:
> On Thu, Aug 21, 2014 at 7:41 PM, Henning Brauer hb-open...@ml.bsws.de wrote:
> > named is even still in base in -current (atm at least), let alone 5.5.
> Okay? Are you sure about current?

kidding?

> I've just upgraded the day before yesterday IIRC the second last snapshot was from 8th of August.

there are often (usually small) differences between -current and snapshots.
Re: New queueing system and HZ value limits
* Federico Giannici giann...@neomedia.it [2014-08-22 09:51]:
> On 08/22/14 08:22, Henning Brauer wrote:
> > * Adam Thompson athom...@athompso.net [2014-08-21 19:13]:
> > > Unless I've mis-understood all the emails and reports about this, it affects low-bandwidth queues, not low-bandwidth interfaces. In other words, limiting traffic to 50Mbps on a 1Gb link will work fine, limiting it to 50kbps on the same link will not. Yes/no?
> > pretty much.
> I can imagine that it could be rather complicated to give the exact numbers, but can you give me an idea where the problem comes from, and maybe where I can find more info about it?

kinda obvious: BW measurement and go/holdoff decision is (at most) once per tick. ticks @ HZ, aka 100 ticks per second with HZ=100. If the NIC can transfer too much data within one tick, the bw shaping becomes inaccurate. Obviously worse the bigger the difference between interface speed and desired queue speed is.
Re: New queueing system and HZ value limits
* Stuart Henderson s...@spacehopper.org [2014-08-22 13:51]:
> On 2014-08-22, Henning Brauer hb-open...@ml.bsws.de wrote:
> > * Federico Giannici giann...@neomedia.it [2014-08-22 09:51]:
> > > On 08/22/14 08:22, Henning Brauer wrote:
> > > > * Adam Thompson athom...@athompso.net [2014-08-21 19:13]:
> > > > > Unless I've mis-understood all the emails and reports about this, it affects low-bandwidth queues, not low-bandwidth interfaces. In other words, limiting traffic to 50Mbps on a 1Gb link will work fine, limiting it to 50kbps on the same link will not. Yes/no?
> > > > pretty much.
> > > I can imagine that it could be rather complicated to give the exact numbers, but can you give me an idea where the problem comes from, and maybe where I can find more info about it?
> > kinda obvious: BW measurement and go/holdoff decision is (at most) once per tick. ticks @ HZ, aka 100 ticks per second with HZ=100. If the NIC can transfer too much data within one tick, the bw shaping becomes inaccurate. Obviously worse the bigger the difference between interface speed and desired queue speed is.
> Any idea why this was so much less of a problem with altq?

it wasn't... the hfsc core was the same, and cbq worked exactly the same way too. People might not have paid as much attention? I dunno.
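Working the once-per-tick argument above through with numbers, as an added illustration that is not part of the thread. Assumed here: the go/holdoff decision is taken once per tick (as stated), the shaper releases whole packets and the smallest unit it can release is one full-size packet of $L = 1500$ bytes, and the link is $R_{\mathrm{if}} = 1\ \mathrm{Gbit/s}$ with $\mathrm{HZ} = 100$.

Bytes the NIC can move within one tick:
$$
\frac{R_{\mathrm{if}}}{8\,\mathrm{HZ}} = \frac{10^{9}}{8 \cdot 100}\ \text{bytes} = 1.25\ \mathrm{MB}
$$

Per-tick budget of a queue shaped to rate $R_q$:
$$
B_q = \frac{R_q}{8\,\mathrm{HZ}}
$$
$$
R_q = 50\ \mathrm{Mbit/s}: \quad B_q = \frac{5 \cdot 10^{7}}{800} = 62\,500\ \text{bytes} \approx 41.7\ \text{packets}
$$
$$
R_q = 50\ \mathrm{kbit/s}: \quad B_q = \frac{5 \cdot 10^{4}}{800} = 62.5\ \text{bytes} \approx 0.04\ \text{packets}
$$

The lowest rate that can be expressed as "one packet per tick" is
$$
R_{\min} = 8\,L \cdot \mathrm{HZ} = 8 \cdot 1500 \cdot 100 = 1.2\ \mathrm{Mbit/s}.
$$

So at 50 Mbit/s the budget is tens of packets per tick and rounding to whole packets costs at most one packet per tick, roughly $1/41.7 \approx 2.4\,\%$; at 50 kbit/s the budget is a fraction of one packet, the shaper would have to let one packet through only every $\lceil 1500 / 62.5 \rceil = 24$ ticks, and whatever slips through in a single tick is large compared to the intended rate. Both errors shrink proportionally with a higher HZ, which is why the HZ value bounds how low a queue can usefully be set.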
Re: named does not start?
* Christer Solskogen christer.solsko...@gmail.com [2014-08-20 22:14]:
> On Wed, Aug 20, 2014 at 9:23 PM, Alan McKay alan.mc...@gmail.com wrote:
> > On Wed, Aug 20, 2014 at 3:08 PM, Christer Solskogen christer.solsko...@gmail.com wrote:
> > > named_flags=
> > Try named_flags=
> > I had the same issue with httpd in 5.5. It seems that ntpd lets you have blank after =, but not httpd
> > Not running named on this system so dunno :
> > ntpd_flags= # enabled during install
> > httpd_flags= # for normal use:
> It might also have something to do with that named is not in base anymore (I figured that out now)

named is even still in base in -current (atm at least), let alone 5.5.
Re: openbgpd ipv6 nexthop
* Mickael Torres cont...@mtorres.fr [2014-08-19 20:16]:
> I'm using openbgpd on a pair of carped firewalls (openbsd 5.5-stable) to announce IPv4 routes to a cisco 7600.

send a few extra prefixes, these bad switches from 1999 that marketing painted differently to call it router really like that.

> trying to do the same for IPv6, the set nexthop statement in the bgpd.conf has no effect. The cisco receives the prefixes with the non-carp IP of each firewall as nexthop.

that smells like a bug.
Re: rc.local mystery executables
* Scott Bonds sc...@ggr.com [2014-08-19 02:28]:
> The funny thing is that I have a book on Snort on my reading list. Time to read it.

or you use the time for something useful instead. did I say snake oil? ewps.
Re: Adding RPKI/ROA support to OpenBGPd
* Denis Fondras open...@ledeuns.net [2014-08-15 21:20]:
> Here is the first patch towards adding RPKI/ROA support to OpenBGPd. It aims at renaming variables functions to prepare the ground for bigger changes. Is it OK ?

No. These changes have nothing to do with RPKI (in fact they are complete noops, no effect whatsoever), seem arbitrary and break style by resulting in too long lines.
Re: Good thing
* Gustav Fransson Nyvell gus...@nyvell.se [2014-08-11 09:04]:
> Good thing OpenBSD didn't go down the multiple versions path.

Good thing OpenBSD doesn't attract more idiots like you. Go away. Everybody else: don't feed the troll.
Re: hp proliant dl 320e gen 8 for openbsd 5.5 64 bit ?
* Indunil Jayasooriya induni...@gmail.com [2014-08-07 15:23]:
> > Try to change the harddrive settings in BIOS. They are probably defaulting to raid-mode, which doesn't work under OpenBSD.
> i.e - does NOT this server's Hardware Raid (Mirror) work under OpenBSD? Will I have to go with Software RAID?

there is no hardware raid in your server, it is fake. the bios etc know the bare minimum to boot from it, the actual raid functionality is in the driver.
Re: Relationship Between VLANs and Physical Interfaces in PF
* Andy a...@brandwatch.com [2014-08-05 18:06]:
> Correct me if I'm wrong here Henning, but we have always used the approach of only ever assigning queues to the physical interface (whether it has VLANs or not), as this means that both the physical interface's untagged network, plus all the tagged networks on that interface get to share the queues.

correct.

> Having lots of physical internal interfaces with queues on each simply means you have to divide our total WAN download bandwidth across the interfaces as they cannot borrow from each other.

obviously, cross-interface borrowing doesn't work indeed :)

> But if you use VLANS and place the queues on the physical interface, if the public WIFI VLAN for example is not using any bandwidth, the internal LAN can use all the bandwidth until the public WIFI wants some.

yup

> Considering all this, there should never be a good reason to apply queues to the VLAN interfaces at all?

I can't see any. There's always an interface (or a stack of interfaces even) with a queue underneath, so THAT is the point to do the queueing.
Re: Relationship Between VLANs and Physical Interfaces in PF
* Giancarlo Razzolini grazzol...@gmail.com [2014-08-05 18:36]:
> On 05-08-2014 03:36, Henning Brauer wrote:
> > the 90s are over.
> Yep, I know Henning. Vlan's are pretty secure. But they add complexity and if you use physical separation you can mitigate problems caused by misconfiguration. Either on OpenBSD itself or on the switches. As I said, my personal preference is to physically separate the networks. But I've used vlans and I will use again, surely. I just don't like to use them, specifically, when I don't have control of the entire network.

Your preferences are your preferences, you're free to do that - just like you're free to stab a knife in your eye.

> > however, classification can happen anywhere, so assign queues on your vlan interface and create them on the physical one, things will Just Work (tm). sth like match out on vlanX queue foo really just tags the packet should go to queue foo. once the packet hits an outbound interface, we check whether queue foo exists there and if so use it.
> This is one of the greatest features of pf, in my opinion. This flexibility is what make pf what it is.

this bit is not so much pf actually. we have stopped looking at pf as an isolated component many many years ago, and instead take the whole picture approach - so it's really our network stack.
Re: Relationship Between VLANs and Physical Interfaces in PF
* Giancarlo Razzolini grazzol...@gmail.com [2014-08-05 00:02]:
> On 04-08-2014 18:09, Eric Dilmore wrote:
> > I just set up a new OpenBSD 5.5 gateway for a small nonprofit. The gateway has one external interface and one internal, with the internal network split into several VLANs: one for secure traffic, one for guests, one for internal phones, and one for our external Asterisk phone server.
> Vlans work, but they add complexity. I'd prefer physical interfaces separating the networks, both for performance and security reasons.

the 90s are over.

> > However, I believe that pf queues are tied to an outbound interface. None of the rules I have attempted on the internal interface have matched at all. I can specify each vlan explicitly, but the internal interface itself doesn't seem to match any packets. tcpdump shows traffic passing both in and out when I specify the internal interface.
> The most indicated way is to queue your downloads on the internal interface and your uploads on the external interface. If I'm not mistaken, you need to set the queues on each vlan if.

you are mistaken, queueing on vlan is pretty meaningless. however, classification can happen anywhere, so assign queues on your vlan interface and create them on the physical one, things will Just Work (tm). sth like match out on vlanX queue foo really just tags the packet should go to queue foo. once the packet hits an outbound interface, we check whether queue foo exists there and if so use it.
Re: Relationship Between VLANs and Physical Interfaces in PF
* David Dahlberg david.dahlb...@fkie.fraunhofer.de [2014-08-05 10:17]:
> On Tuesday, 05.08.2014, 08:36 +0200, Henning Brauer wrote:
> > queueing on vlan is pretty meaningless. however, classification can happen anywhere, so assign queues on your vlan interface and create them on the physical one, things will Just Work (tm).
> Strangely, the following (simplified) setup seems to work here on 5.5 nevertheless:
>
> queue vlan33q on vlan33 bandwidth 2M, max 2M
> match out on vlan33 all set queue vlan33q
>
> In pfctl -sq this looks exactly like I expected and it does exactly what I intended it to do.

except that the underlying physical if's queue destroys the effects - not necessarily always, but most of the time. by just changing your queue def to

queue vlan33q on vlan33's vlandev bandwidth 2M, max 2M

(no, NOT literal .., you expand that yourself) does what you intended in the first place.

> But as you (if anybody) indeed should know, what happens. Please tell me, what the above config actually does. Will the first line silently add a vlan33q to re0 that still does what it is intended?

no, it does queueing on vlan33. but since we end up queueing the packets on vlan33's vlandev again, the effects often just aren't there. queueing is a lot about timing... at some point we used vlans with a queue depth of 1, since there really is no point in queueing there at all, but that exposed some other bugs. we might eventually go back to that.
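The layout these VLAN messages describe, written out as a pf.conf fragment. This is an added example, not a config from the thread or from OpenBSD; the interface names em0/vlan10/vlan20 and the bandwidth figures are constructed.

```conf
# Added example (not from the thread). em0 is the physical interface that
# carries the tagged VLANs; vlan10 is the internal LAN, vlan20 the public
# WiFi. Names and numbers are constructed for illustration.
phys_if = "em0"
lan_if  = "vlan10"
wifi_if = "vlan20"

# Create the queues on the physical interface only. That is where the packets
# are actually queued, and siblings under one parent can borrow from each
# other: while the WiFi queue is idle the LAN may use the whole 100M.
queue rootq on $phys_if bandwidth 100M, max 100M
queue lanq  parent rootq bandwidth 80M, max 100M default qlimit 500
queue wifiq parent rootq bandwidth 20M, max 100M qlimit 500

# Classify on the vlan interfaces. These rules only tag the packet with the
# queue name; when it reaches $phys_if on the way out, pf looks for a queue
# of that name there and uses it.
match out on $lan_if  all set queue lanq
match out on $wifi_if all set queue wifiq

# What not to do: defining the queue on the vlan interface itself. pfctl will
# load it and "pfctl -s queue" shows it, but the packet is queued again on
# the underlying physical interface, which usually cancels the effect.
#queue wifiq on $wifi_if bandwidth 20M, max 20M
```

Check the result with `pfctl -s queue`: the queues should be listed on em0, and the per-queue packet counters should move when traffic leaves via vlan10 or vlan20.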
Re: pfctl: DIOCADDQUEUE: No such process
* Loïc Blot loic.b...@unix-experience.fr [2014-07-23 17:12]:
> pfctl: DIOCADDQUEUE: No such process

that most likely means you're trying to create a queue on a nonexistent interface.
Re: carp setup firewall
* Kim Zeitler kim.zeit...@konzept-is.de [2014-07-25 11:19]:
> we have a similar setup here, with only a /29 range of external addresses. Until now, we have had no problems so far running this using only one external carp IF (using a private IP) and adding all external addresses as aliases. But we do not use bi-nat for our DMZ Servers.

there really is nothing wrong with aliases on carp interfaces. you have to keep them in sync of course. just like the vhid and the passphrase...
Re: PF queuing max bandwidth
* Matt Carey cvstealth2...@yahoo.com [2014-07-15 03:18]:
> While trying to upgrade a pf ruleset from 5.4 to 5.5 and make use of the new queuing system, I'm running into an issue where the traffic isn't getting throttled to what I set for a max on a given queue. Below is the old ruleset that works well under 5.4:
>
> altq on trunk0 bandwidth 9.70Mb hfsc queue { q_voip, q_normal}
> queue q_voip bandwidth 1Mb hfsc(realtime 1Mb)
> queue q_normal bandwidth 8.70Mb qlimit 500 hfsc(default red ecn upperlimit 8.70Mb)
>
> Below is the new ruleset that I have for 5.5:
>
> queue std on trunk0 bandwidth 10M, max 10M
> queue q_voip parent std bandwidth 1M, min 1M qlimit 500
> queue q_normal parent std bandwidth 8M, max 8M default qlimit 500
>
> When looking at the measured throughput on the q_normal queue it isn't being ceilinged @ the 8MB from the config:
>
> # pfctl - -s queue
> queue std on trunk0 bandwidth 10M, max 10M qlimit 50
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue q_voip parent std on trunk0 bandwidth 1M, min 1M qlimit 500
>   [ pkts: 90 bytes: 57032 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/500 ]
>   [ measured: 3.4 packets/s, 19.38Kb/s ]
> queue q_normal parent std on trunk0 bandwidth 8M, max 8M default qlimit 500
>   [ pkts: 101676 bytes: 98995630 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/500 ]
>   [ measured: 1192.5 packets/s, 9.32Mb/s ]
>
> The interface config is pretty simple, 2 ports bundled together into a LACP trunk then WAN hangs off a vlan on that trunk. Any help would be appreciated.

really sounds like you're getting into the ballpark area where the timer resolution isn't good enough to hit your rather small bandwidth on - assumption here - rather high bandwidth interfaces.
Re: Dragonflybsd's pf concurrent instead of single-threaded
* Franco Fichtner slash...@gmail.com [2014-07-08 10:48]:
> On 08 Jul 2014, at 04:55, Henning Brauer hb-open...@ml.bsws.de wrote:
> > And the possible pf MP gains are drastically overrated anyway.
> I'm not sure. Maybe that's a stance that fits OpenBSD well, but in networking as a whole that's not applicable. There's a good market for 10G, 40G not so much but it exists (as in drivers make their way into BSDs). Hardware vendors get ready for 100G; I've seen one of those cards and it does reveal a good deal of bottlenecks inside modern kernels.

sigh. it is obvious you have very little idea on what you're talking about here. this has NOTHING to do with the problem or the question at hand.

> So maybe all that needs to change is the perception of pf(4) ports in other BSDs to be ``very old versions that need to be brought up to date'', because doing so wouldn't solve the most pressing issues we are confronted with pf(4) outside of OpenBSD -- the code itself is stable and the features are well-defined as is.

guess the fact that the pf code in OpenBSD is roughly 4 times as fast as elsewhere doesn't matter. after all, it's not about the results but shiny labels, right? pah humbug.
Re: Dragonflybsd's pf concurrent instead of single-threaded
* InterNetX - Robert Garrett robert.garr...@internetx.com [2014-07-08 09:42]:
> Upgrading pf with [dfly's] set of changes to support [dfly's] locking mechanisms, is a seriously non trivial exercise.

and 100% wasted as done. starting off an old, ancient, pf, which is roughly 4 times slower than today's (but hey, you can throw cores at it, make intel the power companies even richer, increase pollution, and whatnot), and making sure we can never take these changes back even if we wanted to. how bright!
Re: libmessage (New crazy sh*t)
* Gustav Fransson Nyvell gus...@nyvell.se [2014-07-06 03:22]:
> I made this thing because I wanted or need a way to message between processes that know nothing about each other, using a central name.

that's usually called a named pipe. or an mmap'ed file.

> Without requiring any network. So, some basic message passing, across the OS. It's implemented using sqlite3 which in my case is not good,

ok, I stop reading here. Using a fickle rocket launcher to light a candle. That might be the main reason why software today is so miserable.
Re: libmessage (New crazy sh*t)
* Gustav Fransson Nyvell gus...@nyvell.se [2014-07-06 15:25]:
> Of course, I'm looking for problems in imsg, now... sorry.

no, you're missing the point entirely and have been misguided by others. what you are apparently after is what is usually called a message bus/queue. reliable message delivery to n clients. imsg is not that, imsg is for IPC between two processes. 1:1, no storage, if the listener isn't there - tough shit. with the horrible MQ implementations out there this might not even be one of the more ridiculous ones. which by no means is any blessing, it just means the entire area is a collection of poo.
Re: Dragonflybsd's pf concurrent instead of single-threaded
* Franco Fichtner slash...@gmail.com [2014-07-08 11:20]:
> On 08 Jul 2014, at 09:58, Henning Brauer hb-open...@ml.bsws.de wrote:
> > this has NOTHING to do with the problem or the question at hand.
> So then what has it to do with? You tell me I missed the obvious but don't provide your arguments.

it's so obvious... two things needing to access the same data structures cannot run in parallel. packet filters CAN profit from MP, but it is way less than people keep thinking.

> Lucky, I've been asked to leave this mailing list

not by me...
Re: Dragonflybsd's pf concurrent instead of single-threaded
* sven falempin sven.falem...@gmail.com [2014-07-08 14:16]:
> On Mon, Jul 7, 2014 at 11:55 PM, Henning Brauer hb-open...@ml.bsws.de wrote:
> > * Franco Fichtner slash...@gmail.com [2014-07-06 00:29]:
> > > Missing SMP support is the fork in the road. The window of opportunity seems to be closing. A penny for Henning's thoughts on this...
> > my thoughts are only worth pennies? :)
> > ok, first thought: where's your diff? Not directed at Franco specifically. I don't owe anybody anything. OpenBSD hacking is supposed to be fun for me.
> > on a technical note - making pf MP is utterly useless if the underlying subsystems aren't. pool isn't, mbuf isn't, network stack isn't - the list is long.
> Where to start ? prediction tends to show the base speed of processing unit is reaching a maximum and multicores is the next things. The network stack ? mbuf ?

pool(9) - underway/getting there. mbuf then it gets interesting.
Re: Dragonflybsd's pf concurrent instead of single-threaded
* Joris Giovannangeli jo...@giovannangeli.fr [2014-07-08 17:47]:
> Posting such a topic in such a list might probably sound a bit aggressive, but this patch should not be misinterpreted. I think it's clear to everybody that it would be great to update pf in dragonfly, but that's a lot of work and nobody is working on this. This patch followed a complaint on the mailing list about the slowness of pf on dragonfly, and I guess that making it SMP was the faster way (one day of work) to solve this issue. I don't think that anybody ever claimed that pf had become faster or better on dfly than on openbsd, or that openBSD is lagging behind.

i didn't take it as such. Some others might have.

> making it SMP was the faster way (one day of work)

- far off. updating your pf cannot take that much time. people keep thinking it is hard due to some of its tentacles. but really, you leave these ptrs at NULL and be done. can work on providing these hooks later if you want the associated performance gains.

my offer to help anybody who seriously wants to update pf in fbsd to a non-ancient version herewith extends to dfly. help as in answer questions and give advice and the like.

> > it's so obvious... two things needing to access the same data structures cannot run in parallel.

i slightly oversimplified here, of course.

> > packet filters CAN profit from MP, but it is way less than people keep thinking.
> This is obvious indeed, that's why the goal of this patch is to avoid the need to access the same data structures. This is due to the design of the dragonfly network stack. Packets are hashed, for instance with tcp they are hashed using the two tuples (host, port) for destination and origin, and they are dispatched to a fixed cpu according to this hash. The packet is then handled by this cpu, and the thread is pinned to this cpu.
> Things are more complex in practice due to hardware hashes, forwarding and other things i'm not an expert on the topic, but basically, it reduces the amount of sharing needed.

yeah, I know. that is certainly not the stupidest approach ever seen. whether it is the smartest i'm not certain. not judging here.
Re: Dragonflybsd's pf concurrent instead of single-threaded
* Franco Fichtner slash...@gmail.com [2014-07-06 00:29]:
> Missing SMP support is the fork in the road. The window of opportunity seems to be closing. A penny for Henning's thoughts on this...

my thoughts are only worth pennies? :)

ok, first thought: where's your diff? Not directed at Franco specifically. I don't owe anybody anything. OpenBSD hacking is supposed to be fun for me.

on a technical note - making pf MP is utterly useless if the underlying subsystems aren't. pool isn't, mbuf isn't, network stack isn't - the list is long. And the possible pf MP gains are drastically overrated anyway.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: Dragonflybsd's pf concurrent instead of single-threaded
thanks for the laugh.

* Loïc Blot loic.b...@unix-experience.fr [2014-07-07 10:21]:
> It's a very interesting diff. If i have time i'll test it on -CURRENT in the next two weeks.
> --
> Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer
> http://www.unix-experience.fr
>
> On Thursday 03 July 2014 at 11:35 -0500, patric conant wrote:
>> This seems relevant to a lot of interest.
>>
>> commit 3a0038bfb239dd522057809c52d7d23dd2134c38
>> Author: Matthew Dillon dillon at apollo.backplane.com http://lists.dragonflybsd.org/mailman/listinfo/commits
>> Date: Thu Jun 26 20:40:32 2014 -0700
>>
>> pf - make the bulk of PF concurrent under normal operation
>>
>> * state and ip fragment tables are now per-cpu.
>> * packet paths acquire pf_token shared instead of exclusive. Packet processing runs concurrently.
>> * Any dynamic rules updates will run synchronously for now.
>> * State expiration from the pfpurge thread runs synchronously for now. More work can be done here.
>> * ioctl (and also pfsync) paths acquire pf_token exclusively. That is, primarily pfctl commands. This includes rules updates and state scans. More work can be done here.
>>
>> Summary of changes:
>> sys/net/pf/Makefile    |   2 +
>> sys/net/pf/if_pfsync.c |  85 +++---
>> sys/net/pf/if_pfsync.h |   2 +
>> sys/net/pf/pf.c        | 260 --
>> sys/net/pf/pf_ioctl.c  | 427 +++-
>> sys/net/pf/pf_norm.c   | 118 --
>> sys/net/pf/pfvar.h     |  17 +-
>> 7 files changed, 588 insertions(+), 323 deletions(-)
>>
>> http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/3a0038bfb239dd522057809c52d7d23dd2134c38

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: openssh
* Mihai Popescu mih...@gmail.com [2014-07-02 17:05]:
> Better buy a hard disk, copy your data and mail it abroad.

Seriously. A truck full of hard disks is a transport link with fantastic bandwidth. Latency kinda sucks, tho.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: CARP without IP on the physical interfaces of carp group?
* Peus, Christoph christoph.p...@uni-wh.de [2014-06-30 17:24]:
> Is it really possible to use CARP without IPs assigned to the physical interfaces?

Sure.

> How does the communication between the interfaces of a group work if there are no IPs assigned to them?

multicast

> Which disadvantages could this mode of operation have compared to the classic mode with IPs assigned?

the backup node might not be able to reach the network on the carp if

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: CARP without IP on the physical interfaces of carp group?
* Adam Thompson athom...@athompso.net [2014-06-30 19:15]:
> traffic with IPSec. Other uses are possible, but questionable because they may break lower-level assumptions. (or so I believe, anyway. I'm sure Henning will correct me if not.)

I don't think carppeer uses other than manually specifying the IP on the carpdev of the other node are very well tested, so there might be surprises, but I really don't see why other uses shouldn't work as long as the nodes see each other.

> FWIW, I don't use carppeer even though it could save me substantial IP address space, for a couple of reasons:
> 1) I want the canary-in-the-coal-mine to inform me of any layer 2 weirdness
> 2) I prefer predictability and normal use cases
> 3) if I ever stop using CARP and switch to HSRP or VRRP, I'll need those addresses again

you are creating massive confusion here regarding carppeer and unnumbered carpdevs - those really have nothing to do with each other.

That said, I do use unnumbered carpdevs in some cases and places. If carp0 has 10.0.0/24, and carp0 is backup on nodeX, nodeX might not be able to reach 10.0.0/24. No more, no less. Can hurt, esp when the default gateway is in that net, but is perfectly fine in many cases.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: CARP without IP on the physical interfaces of carp group?
* Adam Thompson athom...@athompso.net [2014-06-30 21:31]:
> Nor is using carpdev [the typical case], although I have the impression that use of carpdev (and therefore only needing 1 IP address) is increasing.

I consider carpdev the natural use, we're stacking interfaces after all. I even wouldn't be surprised if the !carpdev case bites the bullet at some point, should we change/redesign basics. There's nothing up in that direction tho, call it a vague feeling.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: crowding out bsd using systemd?
* ian kremlin i...@kremlin.cc [2014-06-29 01:05]:
> due to its unportability (as it's written in pure C)

that doesn't make the slightest sense. pure C can be and often is perfectly portable.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: LAN vs VLAN interface performance
* Adam Thompson athom...@athompso.net [2014-06-23 07:20]:
> On 14-06-21 01:03 PM, Chris Cappuccio wrote:
>> Adam Thompson [athom...@athompso.net] wrote:
>>> Yes, OT... But unless you've chosen to do something silly (like enabling MVRP, or blindly allowing all VLANs to an untrusted host) saying VLANs aren't secure is about as useful as ICMP isn't secure. Please explain how VLANs are not secure when you have control of the devices on both ends of an 802.1Q-tagged link? That's no more or less secure than having multiple links to a switch running un-tagged ports on different VLANs. Or are you saying I should have a separate physical switch for each subnet?
>> This is well documented by security researchers who were proving these bugs at the time. And this was some 14 years ago. If you're still using a 14+ year old switch that hasn't failed by now, (even a nice, high-end one) you are doing better than many others. Realize that these issues were taken fairly seriously by vendors because vlans were being used as a security mechanism. Henning already described it best as last century's myths.
> Technically this isn't actually a myth: I know that some VLAN-hopping bugs did exist, but they've been long-since squashed. Which is why I compared it to the ICMP is evil dogma... perhaps a better comparison would be the autonegotiation is evil dogma, which also was true back in the days of Cisco 2900XLs with their (ahem) interesting implementation of 802.3u's autonegotiation clause. The correct response to that today isn't don't use autonegotiation, it's don't use Cisco 2900XL switches.

I'd really say don't use cisco switches - pick any vendor who gives at least a little about quality.

> The correct response to VLAN security concerns today isn't don't use VLANs for security, it's use Cisco/Juniper switches if possible, or at least tier-2 gear, and implement mitigation techniques.

The answer is NOT use cisco/juniper, the answer is really anything reasonable. I can't really judge on the plastic boxes (SOHO) since I just don't really have experience with that kind of gear, but even those should get that right these days. The VLAN hopping bugs really were from the early days when vendors tried to quickly bolt-on vlan support after the fact, some screwed that up royally.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: LAN vs VLAN interface performance
* Chris Cappuccio ch...@nmedia.net [2014-06-21 20:05]:
> Right now all routers and firewalls should be on SP kernels or you will actually have worse performance.

This is not true any more and hasn't been for some time. It is, however, true that the extra cores buy you little to nothing for the kernel side, i. e. a pure packet forwarding firewall (no proxies) or a static-routing router won't really benefit.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: LAN vs VLAN interface performance
* Chris Cappuccio ch...@nmedia.net [2014-06-23 20:24]:
> Henning Brauer [lists-open...@bsws.de] wrote:
>> * Chris Cappuccio ch...@nmedia.net [2014-06-21 20:05]:
>>> Right now all routers and firewalls should be on SP kernels or you will actually have worse performance.
>> This is not true any more and hasn't been for some time. It is, however, true that the extra cores buy you little to nothing for the kernel side, i. e. a pure packet forwarding firewall (no proxies) or a static-routing router won't really benefit.
> I have a sandy bridge Xeon box with PF NAT that handles a daily 200 to 700Mbps. It has a single myx interface using OpenBSD 5.5 (not current). It does nothing but PF NAT and related routing. No barrage of vlans or interfaces. No dynamic routing. Nothing else. 60,000 to 100,000 states. With an MP kernel, kern.netlivelocks increases by something like 150,000 per day!! I The packet loss was notable. With an SP kernel, the 'netlivelock' counter barely moves. Maybe 100 per day on average, but for the past week, maybe 5.

as already said in private, I'm not seeing anything like that which makes me wonder what is different for you.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: LAN vs VLAN interface performance
* Boris Goldberg bo...@twopoint.com [2014-06-20 15:51]:
> There is no real security separation between vlans.

sigh. stop spreading myths from the last century.

> Also OT - is OBSD handling 10 gigabit interfaces at full capacity already?

yes

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: LAN vs VLAN interface performance
* ML mail mlnos...@yahoo.com [2014-06-19 09:22]:
> I have four /24 subnets and currently have one subnet per ethernet interface (1Gbit/s) on my openbsd firewall. Now I was wondering if in terms of performance (especially latency/pps) it is better to have one subnet per ethernet interface like I have now or to have the four subnets on one single interface using vlan interfaces?

in theory, having those 4 on vlans on the same hw if allows for more effective interrupt mitigation, offset by the cost of inserting the vlan header (in <= 5.5, made it essentially free after) and running through vlan_start/vlan_input. Should not make much of a difference in practice.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: libssl 25?
* Gustav Fransson Nyvell gus...@nyvell.se [2014-06-19 16:16]:
> On 06/19/14 16:12, Nigel Taylor wrote:
>> On 06/19/14 13:17, Gustav Fransson Nyvell wrote:
>>> |library ssl.25.0 not found
>> /usr/lib/libssl is in the base so you go to an OpenBSD version that matches the packages. As running current that's an upgrade to a more recent snapshot.
> But I'm running -current. From CVS. Last update was 24h ago. It should be more recent than snapshots. Or very close. I've had this problem for a few days.

looks like your source tree (potentially due to the anoncvs mirror you used) wasn't really up to date, then.

    brahe@quigon $ cat /usr/src/lib/libssl/ssl/shlib_version
    major=25
    minor=0

> This e-mail is confidential

oh damn, I retract my answer then

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: 5.5 pf priority
* Andy a...@brandwatch.com [2014-06-02 18:21]:
> So whilst the impact may be minimal, if I have a busy firewall (BIG GIANT and all that..) so the CPU is working very hard, I would want prio to prioritize my voice/video packets inwards during ingress and queue on the other side during egress.

that works. no guarantees on any effect, tho :)

> Theoretically the packets dropped due to CPU thrashing would be limited to the lower prio packets..?!?

depends on which layer drops it... if MCLGETI kicks in (likely, it is a bit too aggressive for machines only/mostly forwarding packets, but OpenBSD has a lot more uses than just that - compromise) you have zero control over what gets dropped since the NIC does it already.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: 5.5 pf priority
* sven falempin sven.falem...@gmail.com [2014-06-02 22:11]:
> I just read info about Source quench icmp packet and those are apparently armful but i did not find any measurement or 'proof' of that.

dunno about yours (but have a strong suspicion) - my icmp source quench packets don't have arms.

> Maybe i slide a bit off topic, i saw openBSD has Explicit Congestion Notification, is there a relationship between the dropped packet and this? (i do not completely understand ECN yet) Shaping on ingress is (in most cases) a waste of time, but shaping on egress will be if the previous hop floods with udp or non TCP data, i wonder why this Source quench is so poor and abandoned.

I don't know what to say about this really... but I feel I have to, since others might think it made sense in any way. The only advice I can really give here: get a book on tcp/ip basics.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: 5.5 pf priority
* Paco Esteban p...@onna.be [2014-05-29 12:11]:
> On Thu, 29 May 2014, Marko Cupać wrote:
>> On Wed, 28 May 2014 21:40:58 +0200 Henning Brauer lists-open...@bsws.de wrote:
>>> I'm pretty damn sure I added reset prio if queueing is on thing. yes, in IF_ENQUEUE -> hfsc_enqueue m->m_pkthdr.pf.prio = IFQ_MAXPRIO;
>> I would like to give priority to certain traffic, for example:
>> prio 7: tcp acks
>> prio 6: domain
>> prio 5: ssh-mgmt, vnc, rdp
>> prio 4: web
>> prio 3: smtp, imap, pop
>> prio 2: ftp, ssh-payload
>> prio 1: default/other
>> prio 0: p2p
>> But I would also like to guarantee minimum bandwidth to low-priority traffic (in the upper example I would like to avoid ftp coming to a grinding halt in moments when higher priority traffic eats up all the bandwidth). I thought I knew how to achieve this, but now I am not so sure. Is it possible with current pf? Any suggestions?
> I'm also interested in this. I thought I was doing it with the example I sent but, after Henning's comments ...

let's think it through. prio has really only a non-negligible effect when you are bandwidth constrained. with bandwidth shaping (hfsc underneath), you don't want to overcommit. thus, you are prioritizing by picking what traffic goes to what queue and what bandwidth setting those have. mixing in another prioritization would have zero (or close to zero) effect. so giving you an extra prio button there would probably make you feel better (like in other implementations), but (also like the others) have no or close to no effect.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: 5.5 pf priority
* Marko Cupać marko.cu...@mimar.rs [2014-05-28 10:15]:
> I have a number of 5.4 firewalls which rely on ALTQ with HFSC for packet queueing. I'd like to upgrade to 5.5, but I'm confused with the new queueing mechanism. If I understand well, in 5.5 the order of queues has nothing to do with priority, only with bandwidth allocation (as opposed to ALTQ + HFSC on 5.4 where a higher queue has higher priority). If I want to change priority from default 3, on 5.5 I need to specify it on each filter rule, and there is no way to do it centrally?

prio is ignored when bandwidth shaping is on. priority in ALTQ-HFSC was an illusion really.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: 5.5 pf priority
* Marko Cupać marko.cu...@mimar.rs [2014-05-28 18:12]:
> On Wed, 28 May 2014 14:12:42 +0200 Henning Brauer lists-open...@bsws.de wrote:
>> prio is ignored when bandwidth shaping is on. priority in ALTQ-HFSC was an illusion really.
> Hi Henning, knowing your role in pf development, I take your answer as authoritative. However, this would imply that pf.conf(5) has a misleading line in the QUEUEING section which suggests the following rule:
>
>     pass out on em0 inet proto tcp from any to any port 22 \
>         set (queue(ssh_bulk, ssh_interactive), prio (3, 6))
>
> Who should I trust? :)

I'm pretty damn sure I added reset prio if queueing is on thing. yes, in IF_ENQUEUE -> hfsc_enqueue m->m_pkthdr.pf.prio = IFQ_MAXPRIO; alas, the manpage is wrong - seems to be an oversight when converting it from altq.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: bgpd/session.c+rde.c code explanation
* Denis Fondras open...@ledeuns.net [2014-05-05 20:26]:
> I am hacking around OpenBGPd and there is a portion of code I can't quite understand. I wonder why pipe_m2r[2] is passed as a parameter to
>
>     pid_t session_main(int pipe_m2s[2], int pipe_s2r[2], int pipe_m2r[2], int pipe_s2rctl[2])
>
> (in session.c) and pipe_s2r[2] is passed to
>
>     pid_t rde_main(int pipe_m2r[2], int pipe_s2r[2], int pipe_m2s[2], int pipe_s2rctl[2], int debug)
>
> (in rde.c). It seems the only usage in both these functions is a close() call. What is the point of passing the parameters? I thought it would be close()'d from main() in bgpd.c.

well, rde_main and session_main fork()...

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
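The point behind the one-word answer above, as an added example that is not bgpd's code: fork() copies the whole descriptor table, so each engine starts with every pipe end and has to close() the ones that belong to the other two processes. The layout below reproduces bgpd's main/session/RDE wiring with socketpairs in Python; only the process names come from bgpd, pipe_s2rctl is left out, and the reporting back to main is constructed here so that the effect can be checked.

```python
import os
import socket
from typing import Dict, Set, Tuple


def fds_still_open(candidates: Set[int]) -> Set[int]:
    """Return those of the given descriptor numbers that are open in this process."""
    alive = set()
    for fd in candidates:
        try:
            os.fstat(fd)
            alive.add(fd)
        except OSError:          # EBADF: already closed
            pass
    return alive


def spawn_privsep_layout() -> Dict[str, Tuple[Set[int], Set[int]]]:
    """Fork a session engine and an RDE connected by three socketpairs.
    Each child inherits all six descriptors and closes the four it does not
    own (what session_main()/rde_main() do with the pipes they only close()),
    then reports the descriptors it still holds to main.
    Returns, per child, (fds the child reports open, fds it should keep)."""
    m2s = socket.socketpair()    # main <-> session engine
    s2r = socket.socketpair()    # session engine <-> RDE
    m2r = socket.socketpair()    # main <-> RDE
    all_socks = [*m2s, *s2r, *m2r]
    every_fd = {s.fileno() for s in all_socks}

    # child name -> (fd numbers it keeps, its end towards main, main's end towards it)
    layout = {
        "session": ({m2s[1].fileno(), s2r[0].fileno()}, m2s[1], m2s[0]),
        "rde":     ({m2r[1].fileno(), s2r[1].fileno()}, m2r[1], m2r[0]),
    }
    children = {}
    for name, (keep, to_main, _) in layout.items():
        pid = os.fork()
        if pid == 0:
            try:
                # child: the close() calls at the top of session_main()/rde_main()
                for s in all_socks:
                    if s.fileno() not in keep:
                        s.close()
                alive = fds_still_open(every_fd)
                to_main.sendall(",".join(map(str, sorted(alive))).encode())
            finally:
                os._exit(0)      # never return into the parent's code path
        children[name] = pid

    # main: keep only its own ends once both children exist
    for s in (m2s[1], s2r[0], s2r[1], m2r[1]):
        s.close()

    result = {}
    for name, (keep, _, from_child) in layout.items():
        report = from_child.recv(1024).decode()
        os.waitpid(children[name], 0)
        result[name] = ({int(x) for x in report.split(",") if x}, keep)
        from_child.close()
    return result


if __name__ == "__main__":
    for name, (alive, keep) in spawn_privsep_layout().items():
        print(f"{name}: open {sorted(alive)}, expected {sorted(keep)}")
```

Had main() done the closing instead, it could only touch its own copy of the table; the child's inherited descriptors would stay open until it exited.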
Re: bgpd/session.c+rde.c code explanation
* Denis Fondras open...@ledeuns.net [2014-05-06 10:12]:
>> well, rde_main and session_main fork()...
> While I'm at it, I can't see where conf = calloc(1, sizeof(struct bgpd_config)) is free()'d.

please, if you want to help, be MUCH more precise (and get clear on what side of the fork() we are). With a report like that I had to go through large parts of code to eventually maybe spot what you are referring to. That doesn't help, that just costs time. I appreciate the effort, but please make it easier to consume for us :)

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: bgpd/session.c+rde.c code explanation
* Denis Fondras open...@ledeuns.net [2014-05-06 14:49]:
>> By the OS, which cleans up after the process exits. If it wasn't that way, we'd all have a much shorter uptime...
> Thank you Jérémie :) I had not considered it as I can see
>
>     ...
>     free(ibuf_rde);
>     ...
>     free(ibuf_main);
>     ...
>
> at the end of session_main() in session.c.

we tend to have explicit free()s in bgpd since that allows us to find memory leaks easier using instrumented alloc/free routines. so not freeing conf isn't a bug, but makes the leak finding harder.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: bgpd/session.c+rde.c code explanation
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-06 17:41]:
> This was done to be able to spot memory leaks on shutdown. Not used that part of the code in a long time. Maybe it is time to remove this bad habit.

nah, being able to apply leakfinder.shar to find memleaks is still valuable. yes, requires a bit of work since a few free()s are missing for that to give real results, but shouldn't be much.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: pf multiple match rules
* Marko Cupać marko.cu...@mimar.rs [2014-05-06 12:55]:
> Hi, with the following two match lines:
>
>     match out on $ext_if from 192.168.1.0/24 to any nat-to X.X.X.X
>     match out on $ext_if from 192.168.1.55 to any nat-to Y.Y.Y.Y
>
> and the following pass line:
>
>     pass in on $int_if inet proto tcp from 192.168.1.55 to any
>
> will the packets be translated to X.X.X.X or Y.Y.Y.Y?

unable to say without knowing X.X.X.X. packets hitting the first rule will get their src rewritten to X.X.X.X. if X.X.X.X happens to be 192.168.1.55, these packets will match your second match rule, if X.X.X.X is anything else, they won't. If Y.Y.Y.Y happens to be 192.168.1.55, these packets will match the pass rule, otherwise they won't.

I'm really saying here that rewrites are applied immediately (hurts a little to say that since I know the internals, but that's what the user visible side is).

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
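A small model of the evaluation order described above, added here as an example and not pf's code: a match rule with nat-to rewrites the source address as soon as it matches, and every later rule sees the rewritten packet. The interface em0 and the TEST-NET-3 addresses stand in for $ext_if, X.X.X.X and Y.Y.Y.Y; the second ruleset goes beyond the thread by putting the host-specific rule first, which is what gives 192.168.1.55 its own address.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                      # "match", "pass" or "block"
    direction: str                   # "in" or "out"
    iface: str
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None      # None: any protocol
    nat_to: Optional[ipaddress.IPv4Address] = None
    quick: bool = False


@dataclass
class Packet:
    direction: str
    iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str


def _net(tok: str) -> ipaddress.IPv4Network:
    # "any", a prefix, or a bare host address (which becomes a /32)
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the pf.conf subset used in the thread:
    <action> <dir> on <if> [inet] [proto <p>] from <src> to <dst> [nat-to <addr>] [quick]"""
    tok = line.split()
    rule = Rule(action=tok[0], direction=tok[1], iface=tok[3])
    i = 4
    while i < len(tok):
        if tok[i] == "inet":
            i += 1
        elif tok[i] == "quick":
            rule.quick, i = True, i + 1
        elif tok[i] == "proto":
            rule.proto, i = tok[i + 1], i + 2
        elif tok[i] == "from":
            rule.src, i = _net(tok[i + 1]), i + 2
        elif tok[i] == "to":
            rule.dst, i = _net(tok[i + 1]), i + 2
        elif tok[i] == "nat-to":
            rule.nat_to, i = ipaddress.ip_address(tok[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in {line!r}")
    return rule


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and (rule.proto is None or rule.proto == pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, List[str]]:
    """Walk the ruleset top to bottom; returns (verdict, final source, trace).
    match + nat-to rewrites pkt.src immediately. For pass/block the last
    matching rule wins unless it is quick; nothing matching means pass."""
    pkt = replace(pkt)               # evaluate on a copy
    verdict, trace = "pass", []
    for n, rule in enumerate(rules, 1):
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "match":
            if rule.nat_to is not None:
                trace.append(f"rule {n}: nat-to {pkt.src} -> {rule.nat_to}")
                pkt.src = rule.nat_to
            continue
        trace.append(f"rule {n}: {rule.action}")
        verdict = rule.action
        if rule.quick:
            break
    return verdict, str(pkt.src), trace


def outbound(rule_lines: List[str], src: str) -> Tuple[str, str]:
    """Verdict and source address an outbound TCP packet from src leaves em0 with."""
    rules = [parse_rule(line) for line in rule_lines]
    pkt = Packet("out", "em0", ipaddress.ip_address(src),
                 ipaddress.ip_address("198.51.100.7"), "tcp")   # constructed dst
    verdict, final_src, _ = evaluate(rules, pkt)
    return verdict, final_src


# The thread's two match rules with made-up X.X.X.X / Y.Y.Y.Y (TEST-NET-3).
THREAD_ORDER = [
    "match out on em0 from 192.168.1.0/24 to any nat-to 203.0.113.1",
    "match out on em0 from 192.168.1.55 to any nat-to 203.0.113.2",
]
# Host-specific rule first: once it fires, the /24 rule no longer matches.
SPECIFIC_FIRST = [THREAD_ORDER[1], THREAD_ORDER[0]]

if __name__ == "__main__":
    for host in ("192.168.1.55", "192.168.1.10"):
        print(host, outbound(THREAD_ORDER, host), outbound(SPECIFIC_FIRST, host))
```

A later block rule written against the translated address also fires, which is the same "rewrites are applied immediately" effect seen from the other side.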
Re: pftop and systat with new queueing
* Marko Cupać marko.cu...@mimar.rs [2014-05-06 17:55]:
> Was nice to see those values in real time. Are they gone for good, or do developers need some time to adjust them for the new queueing mechanism?

that's what it comes down to.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: event handling in OpenBGPd
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-05 10:50]:
> On Sun, May 04, 2014 at 10:39:33PM +0200, Vincent Gross wrote:
>> I am considering to write a daemon of some kind, and I was going over OpenBGPd's sources to get some good fine-grained design examples. I noticed that although all IO's are asynchronous, libevent is not used, but I can't figure out why.

I'm not a libevent-fan. So I didn't use it. For bgpd, libevent+kqueue vs poll plain doesn't matter, the number of sockets is too low.

>> So, is libevent not used by accident or by design? in the latter case, what is precisely the feature/design consideration that made it unsuitable?
> Don't use bgpd as an example. It was one of the first privsep daemons we did and at that time it was done without libevent. ospfd and all the later daemons use libevent. Their event loop is therefore a lot simpler. So yeah not using libevent in bgpd could be considered an accident.

not an accident. however, when I wrote the initial bgpd bits, I didn't think there would be so many daemons using its framework 10 years later. so things changed, and there's no problem with that. whether you use libevent or not is a matter of taste imho unless we're potentially dealing with a very large number of sockets, in which case kqueue has advantages over poll.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: After the upgrade with the last snapshot all traffic flow only on default queue
* Atanas Vladimirov vl...@bsdbg.net [2014-04-23 21:30]:
> `pfctl -vvs queue` shows that traffic flows only on the default queue.

ewps... I feel stupid. repaired. sorry.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: pf/pfstat New Queue Reporting
* Daniel Melameth dan...@melameth.com [2014-04-23 17:56]:
> Anyone else seeing this? I also noticed pps and bps were missing from systat queues, but I assume this is expected

hmm, no, that worked for me. did I forget to commit sth?

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: systat queues pps and bps (was pf/pfstat New Queue Reporting)
* Daniel Melameth dan...@melameth.com [2014-04-23 18:27]:
> On Wed, Apr 23, 2014 at 9:58 AM, Henning Brauer lists-open...@bsws.de wrote:
>> * Daniel Melameth dan...@melameth.com [2014-04-23 17:56]:
>>> Anyone else seeing this? I also noticed pps and bps were missing from systat queues, but I assume this is expected
>> hmm, no, that worked for me. did I forget to commit sth?
> Here's the output from systat queues from a test system:
>
>     QUEUE    BW  SCH PR  PKTS  BYTES DROP_P DROP_B QLEN BORR SUSP P/S B/S
>     root     1G            0      0      0      0    0
>     regular  1G           69  14428      0      0    0
>     icmp     1M           10    980      0      0    0
>
> The P/S and B/S are always blank.

ahh, I see. I'll happily admit that I was satisfied as soon as I saw the queues show up with the pkts/bytes counters, the stats reporting is a rather small bit in the entire subsystem and there's only so much your brain can handle at a time. analysis / verification / diffs are welcome, of course.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: Question on queues
* Heinrich Rebehn heinrich.reb...@rebehn.net [2014-04-20 22:51]:
>     queue rootq on tun0 bandwidth 100M
>     queue std parent rootq bandwidth 95M
>     queue test parent rootq bandwidth 20K, max 20K default
>
> - why is queue "test" allowing 1.02Mb/s although the limit is 20K?

timer resolution isn't good enough to go that low on such a fast interface.

> - is it correct that the parent queue "rootq" does not show any usage?

yes, only leaf queues can get traffic with the hfsc algorithm. i'd really like to see that change, but it isn't easy at all.

> - is queueing supposed to work at all on tun(4) devices?

yes. as in, it works but probably has no effect since shit is buffered after again.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: OpenBSD - Linux compatibility
* Mihai Popescu mih...@gmail.com [2014-04-21 17:21]:
> Is there a paper explaining the purpose of Linux compatibility in OpenBSD? I'm not from UNIX time and I'm curious when and why this feature was added.

it's the only binary compat left, we deleted all the others. it is useful to some to run closed-source software. at least one of our developers cares enough to update it every once in a while so that newer stuff works. i personally haven't used it in ages, probably more than a decade - but pplz requirements vary.

to understand the purpose of the binary compats, you really have to go way back in history. there was a time when the only way to run a graphical browser on openbsd was to use the netscape binary under BSDi emulation (I think it was BSDi, not 100% certain) on i386 or the solaris binary under emulation on a sparc. there was no open source graphical browser back then.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: Virtual firewalls with OpenBSD and PF
* Andy Lemin a...@brandwatch.com [2014-04-09 00:14]:
> For PF, I wouldn't recommend using anchors as I *think* they're slower

where on earth are people getting these ridiculous ideas from?

> You also want to be using tables if you want performance.

that sentence makes no sense whatsoever.

> Sent from my iPhone

fiddling with the pf rules on that PoS too?

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: feature patch - replace /etc/crontab by /etc/cron.d/
* Sélène sel...@bsd.zplay.eu [2014-04-11 12:25]:
> On 2014-04-09 00:48, czark...@gmail.com wrote:
>> Remy said:
>>> here is a simple patch to replace /etc/crontab by /etc/cron.d/.
>> FWIW why?
> I find it far easier to have multiple crontab files in /etc/cron.d/

i find /dev/var/local/etc.d/$hostname/etc/cron.d/modern/* easier. and now?

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: NTP timeout question
* Jeff Simmons jsimm...@goblin.punk.net [2014-03-08 04:42]:
> Using OpenNTPD from stable. Syncing to two redundant satellite receivers that provide ntp service and also radio programming. The satellite receivers tend to lose time sync occasionally, but regain it fairly quickly. NTPD reports:
>
> reply from 192.168.1.102: not synced (alarm), next query 3156s
>
> Is there a way to make ntpd ignore these alarms, or perhaps set them to a time less than fifty minutes (average)?

not without changing code.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: pf and nat
* Giancarlo Razzolini grazzol...@gmail.com [2014-03-24 15:46]:
> First of all, I hardly see why you want or need to use if-bound, since it most likely hurts pf performance.

it doesn't. however, if-bound is stupid except in very few cases, i. e. on encX.

> Secondly, the proper way of doing nat, is using match rules, not pass.

sez who? nat-to on pass rules is perfectly fine. using a match rule is just more practical in most scenarios.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
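The two nat-to forms being compared above, written out as an added pf.conf example that is not from this thread or from the pf project itself; the external interface name em0 and the 192.168.1.0/24 internal prefix are constructed placeholders:

```pf
# Added example, not from the thread. Assumed topology: a router whose
# external interface is em0 and whose internal network is 192.168.1.0/24
# (both are constructed placeholders).
ext_if = "em0"
int_net = "192.168.1.0/24"

# Form 1: nat-to on a pass rule. Translation and the pass decision live in
# one rule, so only traffic that matches this rule's criteria is both
# allowed out and translated. Compact, but filtering policy and NAT are
# now coupled: every later refinement of "what may go out" has to repeat
# the nat-to part or lose translation.
pass out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Form 2: nat-to on a match rule. A match rule never decides pass/block;
# it only attaches the translation and evaluation continues, so the
# ordinary last-match filter rules below decide what is allowed. NAT is
# configured once and the filter policy can be edited independently.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Default deny for outbound internal traffic; the later pass rule wins for
# the listed ports under pf's last-match semantics.
block out on $ext_if inet from $int_net to any
pass out on $ext_if inet proto { tcp udp } from $int_net to any port { 53 80 443 }
```

Only one of the two forms is needed in a real ruleset; they are shown together for comparison. Either version can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`. The parenthesised `($ext_if)` makes pf look up the interface address at run time, so the rule survives a DHCP-assigned external address changing.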
Re: OPENBSD FUNDING SOLUTION -- COME AND PARTICIPATE
* Chris Cappuccio ch...@nmedia.net [2014-01-18 21:25]:
> Mike, [...], You were henning's roommate

err, no.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: unreliable connections
* Stuart Henderson s...@spacehopper.org [2014-01-27 13:18]:
> On 2014/01/26 14:53, Chris Smith wrote:
>> On Thu, Jan 16, 2014 at 8:26 PM, Stuart Henderson s...@spacehopper.org wrote:
>>> This could be an MTU or RWIN-related issue.
>>
>> Could my issue have anything to do with the miscounting bug for inbound with pf on mentioned in the following commit?
>>
>> CVSROOT: /cvs
>> Module name: src
>> Changes by: henn...@cvs.openbsd.org 2014/01/23 16:51:29
>>
>> Modified files:
>> sys/net: if_bridge.c pf.c
>> sys/netinet: ip_input.c ip_output.c ip_var.h tcp_input.c tcp_var.h udp_usrreq.c udp_var.h
>> sys/netinet6: ip6_output.c
>>
>> Log message:
>> since the cksum rewrite the counters for hardware checksummed packets are a lie, since the software engine emulates hardware offloading and that is later indistinguishable. so kill the hw cksummed counters. introduce software checksummed packet counters instead. tcp/udp handles ip ipvshit, ip cksum covered, 6 has no ip layer cksum. as before we still have a miscounting bug for inbound with pf on, to be fixed in the next step. found by, prodding ok naddy
>>
>> And if so was the next step taken and is this miscounting bug fixed?
>
> No this is just counting for statistics.

and the next step has been taken right after.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: unreliable connections
* Chris Smith obsd_m...@chrissmith.org [2014-03-17 23:41]:
> I think the source of this reported problem has been found, and happily fixed (the preliminary results are promising). Basically I needed to find some way to get the backups to complete reliably so I started a 20 count ping job a minute before the rsync job (actually an rsnapshot job which connected twice) which did allow both backup connections to work (where previously just the second one connected reliably). In checking the logs for the backup status, the stats from the ping job were also there and these logs showed some dup ping packets on a fairly regular basis as well as some non-answers. As I was then able to get the same inconsistent ping results from the gateway itself (the inside address of the cable modem) I asked the ISP (Comcast) to replace the cable modem. They were fine with that suggestion and the replacement went in today, and I am so far not able to reproduce the inconsistent ping results to any of the /29 addresses, including the gateway. I'll know for sure once I stop the ping job and the backups still run reliably.

that sounds like arp problems, namely very slow arp resolution. I've seen that before, it was very obvious some L2 gear was to blame, but details escaped me by now.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: When are default 'set prio' priorities set?
* Maxim Khitrov m...@mxcrypt.com [2013-12-22 18:44]:
> On Fri, Dec 20, 2013 at 4:11 PM, Maxim Khitrov m...@mxcrypt.com wrote:
>> I was under the impression that the packet priority was always set to 3 prior to the pf ruleset evaluation (ignoring VLAN and CARP for a moment), and that 'set prio' on an inbound rule only affected returning traffic that matched the state entry. Here's an artificial example:
>>
>> pass out on $wan
>> pass in on $lan set prio 7
>>
>> What will be the priority of outbound packets on the $wan interface, 3 or 7? Looking at the code in pf.c, the priority is copied to m->m_pkthdr.pf.prio, but I'm not sure where this value is initialized or reset.
>
> I think I figured this out, but I would appreciate a confirmation. The m_pkthdr.pf.prio value is set to IFQ_DEFPRIO (3) in sys/kern/uipc_mbuf.c when a new mbuf is allocated. It is not modified after that except by pf rules. Therefore, packets going out on $wan in my example will have their priority set to 7. Essentially, priorities behave the same as tags. The difference is that priorities are saved in the state entries, so all subsequent packets coming in on $lan and matching an existing state will have a priority of 7 when going out on $wan. Returning packets will keep a default priority of 3 after crossing $wan, but this will be changed to 7 when they match the state outbound on $lan. Correct?

pretty much, there are a few cases (like carp announcements) that get a higher priority by default.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Packet Filter nat-to issue
* Loïc Blot loic.b...@unix-experience.fr [2014-02-28 11:33]:
> Is this normal ?

yes.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/