pf config to isolate two vnet/netgraph VLAN jail groups?

2021-03-10 Thread Zenny
Hi,

Any suggestions on how to restrict any transaction/interaction/traffic between
the NATted netgraph vlans (vi0 and vi1) in this case, but not with the
bridged external NIC ($ext_if in pf), in a setup (digraph) as below
(the netdiagram is attached)?

I would appreciate it if anyone could suggest some input on isolating two
netgraph vlans so that they cannot reach each other but are both accessible
to and from the internet via the NATted external NIC. I use pf, FYI.

Cheers and stay safe!

/z


digraph "netgraph" {
graph [
fontsize = "14"
fontname = "Times-Roman"
fontcolor = "black"
]
node [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
shape = "record"
style = "solid"
]
edge [
fontsize = "10"
fontname = "Times-Roman"
fontcolor = "black"
dir = "none"
style = "solid"
]
"1" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{em0:|{ether|[1]:}}"
shape = "record"
style = "solid"
]
"c5" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi1_c2:|{eiface|[c5]:}}"
shape = "record"
style = "solid"
]
"86" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi0_v2:|{eiface|[86]:}}"
shape = "record"
style = "solid"
]
"a8" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi1:|{eiface|[a8]:}}"
shape = "record"
style = "solid"
]
"69" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi0:|{eiface|[69]:}}"
shape = "record"
style = "solid"
]
"eb" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{ngctl15171:|{socket|[eb]:}}"
shape = "record"
style = "solid"
]
"ae" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi1br:|{bridge|[ae]:}}"
shape = "record"
style = "solid"
]
"6f" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi0br:|{bridge|[6f]:}}"
shape = "record"
style = "solid"
]
"b3" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi1_c1:|{eiface|[b3]:}}"
shape = "record"
style = "solid"
]
"74" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi0_v1:|{eiface|[74]:}}"
shape = "record"
style = "solid"
]
"d8" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi1_c3:|{eiface|[d8]:}}"
shape = "record"
style = "solid"
]
"99" [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
label = "{vi0_v3:|{eiface|[99]:}}"
shape = "record"
style = "solid"
]
{
graph [
fontsize = "14"
fontname = "Times-Roman"
fontcolor = "black"
]
node [
fontsize = "12"
fontname = "Times-Roman"
fontcolor = "black"
shape = "record"
style = "solid"
]
edge [
fontsize = "10"
fontname = "Times-Roman"
fontcolor = "black"
dir = "none"
style = "solid"
]
"1"
"c5"
"86"
"a8"
"69"
"eb"
"ae"
"6f"
"b3"
"74"
"d8"
"99"
}
subgraph 

-- 
Cheers,
/z
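One way to express the isolation asked for above on the host's pf, as an added example ruleset that is not from the original post or thread: the interface names em0, vi0 and vi1 are taken from the diagram, while the two jail subnets and the web-jail address are assumptions.

```pf
# Added example pf.conf, not from the original post. Assumptions: em0 is the
# NATted external NIC, vi0/vi1 are the host-side netgraph eiface interfaces
# seen in the diagram, and the jail groups behind them use these subnets.
ext_if  = "em0"
vi0_if  = "vi0"
vi1_if  = "vi1"
vi0_net = "10.0.0.0/24"   # assumed: jails vi0_v1..vi0_v3
vi1_net = "10.0.1.0/24"   # assumed: jails vi1_c1..vi1_c3
table <jail_nets> const { $vi0_net, $vi1_net }

set skip on lo0

# Translation rules come first: hide both jail groups behind the external
# address. Nothing here translates vi0<->vi1 traffic, so it stays routed.
nat on $ext_if inet from <jail_nets> to any -> ($ext_if)

# Default deny, logged, so anything not explicitly allowed shows on pflog0.
block log all

# Isolation: a packet from one group heading for the other group's subnet
# arrives on that group's host-side interface; drop it there. "quick" ends
# evaluation, so no later pass rule can create state for it, and because
# pf is stateful the reverse direction never gets a state either.
block in quick log on $vi0_if inet to $vi1_net
block in quick log on $vi1_if inet to $vi0_net

# Reject spoofed sources on the jail interfaces.
block in quick on $vi0_if inet from ! $vi0_net
block in quick on $vi1_if inet from ! $vi1_net

# Each group may reach the host and, via the NAT rule, the internet.
pass in on $vi0_if inet from $vi0_net to any keep state
pass in on $vi1_if inet from $vi1_net to any keep state
pass out on $ext_if inet keep state

# Inbound reachability from the internet is per service, e.g. a web jail in
# the vi0 group (address assumed). On this pf version rdr rules must precede
# the filter rules, so in a real file the rdr line sits next to the nat rule.
# rdr on $ext_if inet proto tcp to ($ext_if) port 80 -> 10.0.0.2 port 80
# pass in on $ext_if inet proto tcp to 10.0.0.2 port 80 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm with `pfctl -sr` that the two cross-group block rules sit above the pass rules and that a ping from a vi0 jail to a vi1 address is logged on pflog0 rather than answered.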

[Bug 254171] 13.0-RC1: pf: vnet: jail leaves an unnecessary swi1 thread in intr process

2021-03-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254171

Kristof Provost  changed:

   What|Removed |Added

 Status|New |In Progress
   Assignee|p...@freebsd.org  |k...@freebsd.org
 CC||k...@freebsd.org

--- Comment #1 from Kristof Provost  ---
Confirmed. That's due to a bit of an unfortunate design choice in swi_remove()
which means we have to call intr_event_destroy() ourselves (and track the
intr_event...).

It also affects pfsync, but both are fairly straightforward to fix. See
https://reviews.freebsd.org/D29211

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


[Bug 254171] 13.0-RC1: pf: vnet: jail leaves an unnecessary swi1 thread in intr process

2021-03-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254171

Mark Linimon  changed:

   What|Removed |Added

   Assignee|b...@freebsd.org|p...@freebsd.org



Re: pfctl segmentation fault in pfctl_optimize.c

2021-03-10 Thread Kristof Provost

On 9 Mar 2021, at 11:05, Patrick Lamaiziere wrote:

Hello,

FreeBSD 11.4-RELEASE-p3 / amd64

Yesterday while loading a ruleset, pfctl core dumped with a
segmentation fault (see gdb below)

We have recently been using some big tables, so maybe this is what triggered
the problem (?); I can't reproduce this.


I've found something on t...@openbsd.org that looks closely related:
https://www.mail-archive.com/tech@openbsd.org/msg42870.html

At first glance that looks like a sane change, but I can’t reproduce 
the crash described there.


Can you reproduce your crash? I try to avoid making changes I can’t 
write a test for.


Best regards,
Kristof


load balancing port redirects

2021-03-10 Thread mike tancsa
Is there any way in pf to redirect one port to a range of ports? e.g.

rdr pass log on $public_nic proto tcp from any  to $public_nat_ip port
80 -> $web_server port 80:100


Much like round robin load balancing on outbound nat, I want to round
robin through ports if possible.

    ---Mike
