Subtle change in pf behavior from 6.2 to 6.3-PRE
Greetings,
I recently upgraded my system from a 6.2-PRE from Dec '06
to 6.3-PRE as of 4 Nov.
I discovered an interesting and subtle change in the way pf
behaves between the two versions.
In the past I had the following (slightly incorrect) rule in
my pf.conf:
pass out on $ext_if proto { tcp, udp, icmp } all keep state
It seemed to do the right thing; it kept state on all
outbound traffic and allowed the return traffic.
However, with the newer pf, it appears that the desired
incantation is now
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
The symptom of the problem that I noticed was that innd was
getting EPERM attempting to talk to other systems, and that
my web server couldn't be talked to by Linux browsers.
Groping around and turning on debugging on pf led me to the
(apparently) usual:
Nov 8 16:59:48 wattres kernel: pf: BAD state: TCP :25
:25 :48418 [lo=2541394648 high=2541394831 win=33304
modulator=0] [lo=2408093130 high=2408126434 win=183 modulator=0] 4:4 PA
seq=2541394648 ack=2408093130 len=214 ackskew=0 pkts=3:3 dir=out,fwd
Which finally led me to the hint that the flags weren't getting
stored correctly by the earlier pass rules.
Whee. Breadcrumbs for someone to google up some dark and
stormy night.
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.5" / 37N 20' 15.3"
Internet: steve @ Watt.COM Whois: SW32-ARIN
Free time? There's no such thing. It just comes in varying prices...
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Pthreads signals
In <[EMAIL PROTECTED]>, Daniel Eischen <[EMAIL PROTECTED]> wrote: >On Wed, 28 Mar 2007, Peter Holmes wrote: > >> How do signals work with pthreads in FreeBSD. How are process signals >> delivered? > >The best explanation of signals and threads in general >is in the POSIX spec, or Butenhof's book. > > http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html I suspect the question was rather more specific than that, due to bad experiences with LinuxThreads. Does FreeBSD have a proper signal delivery model, where thread masks are per-signal, and signals sent to the process when all threads within the process have the signal blocked remain pending against the process so any thread may accept the signal using sigwait()/sigtimedwait()/sigwaintinfo(). I suspect the answer is yes, but I haven't played with threads on recent versions enough. -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.5" / 37N 20' 15.3" Internet: steve @ Watt.COM Whois: SW32-ARIN Free time? There's no such thing. It just comes in varying prices... ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: any real documentation of the boot2 prompt?
In <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote: >Václav Haisman wrote: >> What does lsdev or whatever it was say? Does it show any devices besides >> the raw disks? > >So I booted from CD and ran lsdev, and showed something like this (from >memory) > >0: Drive A >2: Disk 0 > 1: FFS You need to get into your SCSI BIOS (don't know what the key sequence is for 3ware, it's ^A for Adaptec) at the correct time and enable the disk for booting. As shown here, there's no chance of it being bootable. -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.5" / 37N 20' 15.3" Internet: steve @ Watt.COM Whois: SW32-ARIN Free time? There's no such thing. It just comes in varying prices... ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: 5.4-RC2 freezing - ATA related?
In <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes: >From: "Peter Jeremy" <[EMAIL PROTECTED]> >> On Wed, 2005-May-18 06:43:37 -0600, Elliot Finley wrote: >> >Had the system lock up again. This is with the new ATA mkIII patches on >> >http://people.freebsd.org/~sos/ATA. >> > >> >I didn't get the crashdump (forgot to set dumpdev), but I did get 'ps' >and >> >'show lockedvnods' output from DDB. The output is in the form of >> >screenshots combined into a single .pdf which can be accessed here >> >http://www.efinley.com/Binder1.pdf >> >> That shows a deadlock-to-root in your /dev/ar0s1a (presumably root) >> filesystem. The perl process (pid 487) has an exclusive lock on >> the FS mountpoint - this is blocking 130 other processes. Pid 487 >> is itself waiting on another filesystem lock (you can't determine >> the actual lock tree without more poking around kernel memory). >> >> The vnode locks are held by processes: >> PID namewaiting on >> 487 perl [ufs c3c1c1b4] >> 57 syncer [snaplk c535f500] (holds 2 locks) >> 476 perl [ufs c87e4f1c] >> 489 perl [snaplk c535f500] (holds 2 locks) >> 3337 mksnap_ffs [getblk d77656f4] >> >> Looking through the process list, cron has started a "dump -L" which >> is trying to create a filesystem snapshot. That has wedged on >> "getblk" (trying to perform physical disk I/O) and is probably the >> root of your problem. Nothing else is waiting on physical I/O. >> >> I'd say that your first guess was right: This is a bug in the ATA >> code and is probably a job for sos. > >I took the -L option off of my dump command in my daily dump script. I've >gone two days without locking up which is unusual. I think that may be what >was tickling the bug that was locking me up. This is a filesystem lock problem, not an ATA driver problem. I analyzed it, and posted the results to -hackers last week, with the subject "snapshots and innds". The problem is that there is an invariant being broken in msync() -- Kirk describes it fully in his reply to my message. -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9" Internet: steve @ Watt.COM Whois: SW32 Free time? There's no such thing. It just comes in varying prices... ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Status of ATA tagging in Stable
In article <[EMAIL PROTECTED]>, Kevin Oberman <[EMAIL PROTECTED]> wrote: >I have a P3 system running STABLE built on March 7. I installed a new >IBM DTLA disk drive and was distressed at its slowness, so I tried >turning on tagging to see if that would help. It seemed to, until... > >3 AM when my periodic tasks started running. The system lost all disk >access and logged lots of errors (a few of which I added to the end of >this message). This combination worked beautifully until the ATA MFC just after 4.5, and it has since been declared that those IBM drives don't do tagging correctly. Since I've got a semi-production server with the DTLAs in it, I gave up on tagging, just using UDMA, it's good enough. -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9" Internet: steve @ Watt.COM Whois: SW32 Free time? There's no such thing. It just comes in varying prices... ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"
dirbad panic "mangled entry" in 4.6-S from yesterday
wants more info. I ran daily by hand, but it didn't happen. Might have something to do with the news expiration running at the same time as daily. We'll see tonight. -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9" Internet: steve @ Watt.COM Whois: SW32 Free time? There's no such thing. It just comes in varying prices... To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
Re: Why sshd:PermitRootLogin = no ?
[EMAIL PROTECTED] wrote: >I'm afraid I don't understand your point. If without-password >makes sshd useful to a larger subsection of users without effecting >security on the original subsection, why wouldn't you want to make >the change? Just because it may not make a difference for YOU doesn't >mean that it wouldn't be a useful change to make. But it *can't* make it useful to any more users. How do you get the authorized-hosts file updated? You edit it. How do you get the configuration changed to without-password from none? You edit it. Same work, no obvious advantage to without-password over no, and better obvservance of "install in the most secure way possible". Just like the discard port is disabled in inetd.conf -- same concept. -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9" Internet: steve @ Watt.COM Whois: SW32 Free time? There's no such thing. It just comes in varying prices... To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
Sendmail rantlet
Greetings! I appear to be somewhat confused about the expected way to maintain a sendmail configuration. I very carefully created a file named /etc/mail/`hostname`.mc, configured it 'til it was "just so", and then did the expected make in /etc/mail. Some weeks later, I decide it's time to re-STABLEize myself, so I do the usual build/install/mergemaster cycle. Mergemaster said it wanted to mess with sendmail.cf, and I told it not to. I was rather astonished to discover that the installworld had overwritten my lovingly crafted `hostname`.mc with a copy of freebsd.mc. That seems (to me) to be almost as rude, or possibly more so, as overwriting rc.conf or passwd during the installworld rather than allowing mergemaster to do its job. Am I missing the point of the `hostname`.mc -> `hostname`.cf rule in the /etc/mail/Makefile, or is something seriously violating POLA? -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9" Internet: steve @ Watt.COM Whois: SW32 Free time? There's no such thing. It just comes in varying prices... To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
Re: Is -stable broken, or am I?
In article <[EMAIL PROTECTED]> I wrote: >I did a cvsup of -stable last night (0106Z on 9 Feb), and did a >"make buildworld". It failed during the stage 3 tools build: > >-- >>>> stage 3: cross tools >-- [ environment setup deleted ] > make -f Makefile.inc1 cross-tools > >[ deletia ] > >building standard binutils library >ranlib libbinutils.a >===> addr2line [ cleaned out -I list ] >cc -O -pipe -D_GNU_SOURCE -o addr2line addr2line.o ../libbinutils/libbinutils.a >../libbfd/libbfd.a ../libiberty/libiberty.a >./libbinutils/libbinutils.a(bucomm.o): In function `make_tempname': >./libiberty/libiberty.a(cplus-dem.o): In function `cplus_demangle': >cplus-dem.o(.text+0x815): undefined reference to `cplus_demangle_new_abi' >*** Error code 1 A little more information: I had updated the box from 4.2-RELEASE to -STABLE in early January, and all went fine. I have an identical (so I thought) installation at home, and it works fine. So I checked things like /etc/make.conf. They're (now) the same, and one system still works, and one doesn't. So I tried blowing away /usr/src/contrib/binutils and redoing the buildworld. Still no good. Any guesses on what I should try next? Thanks, -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9" Internet: steve @ Watt.COM Whois: SW32 Free time? There's no such thing. It just comes in varying prices... To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
Is -stable broken, or am I?
I did a cvsup of -stable last night (0106Z on 9 Feb), and did a "make buildworld". It failed during the stage 3 tools build: -- >>> stage 3: cross tools -- cd /usr/src; MAKEOBJDIRPREFIX=/usr/obj/usr/src/i386 DESTDIR=/usr/obj/usr/src/i3 86 INSTALL="sh /usr/src/tools/install.sh" MACHINE_ARCH=i386 TOOLS_PREFIX=/usr /obj/usr/src/i386 PATH=/usr/obj/usr/src/i386/usr/sbin:/usr/obj/usr/src/i386/usr /bin:/usr/obj/usr/src/i386/usr/games:/sbin:/bin:/usr/sbin:/usr/bin TARGET_ARCH= i386 make -f Makefile.inc1 -DNOMAN -DNOINFO -DNOHTML -DNO_FORTRAN -DNO_GDB cros s-tools [ deletia ] building standard binutils library ranlib libbinutils.a ===> addr2line cc -O -pipe -D_GNU_SOURCE -I- -I. -I/usr/src/gnu/usr.bin/binutils/addr2line -I/u sr/src/gnu/usr.bin/binutils/addr2line/../libbfd/i386 -I/usr/src/gnu/usr.bin/binu tils/addr2line/../../../../contrib/binutils/include -I/usr/src/gnu/usr.bin/binut ils/addr2line/../libbinutils -I/usr/src/gnu/usr.bin/binutils/addr2line/../../../ ../contrib/binutils/binutils -I/usr/obj/usr/src/i386/usr/include -c /usr/src/g nu/usr.bin/binutils/addr2line/../../../../contrib/binutils/binutils/addr2line.c cc -O -pipe -D_GNU_SOURCE -I- -I. -I/usr/src/gnu/usr.bin/binutils/addr2line -I/u sr/src/gnu/usr.bin/binutils/addr2line/../libbfd/i386 -I/usr/src/gnu/usr.bin/binu tils/addr2line/../../../../contrib/binutils/include -I/usr/src/gnu/usr.bin/binut ils/addr2line/../libbinutils -I/usr/src/gnu/usr.bin/binutils/addr2line/../../../ ../contrib/binutils/binutils -I/usr/obj/usr/src/i386/usr/include -o addr2line addr2line.o ../libbinutils/libbinutils.a ../libbfd/libbfd.a ../libiberty/libib erty.a ../libbinutils/libbinutils.a(bucomm.o): In function `make_tempname': bucomm.o(.text+0x35b): warning: mktemp() possibly used unsafely; consider using mkstemp() ../libiberty/libiberty.a(cplus-dem.o): In function `cplus_demangle': cplus-dem.o(.text+0x815): undefined reference to `cplus_demangle_new_abi' *** Error code 1 Stop in /usr/src/gnu/usr.bin/binutils/addr2line. *** Error code 1 [ and a cascade of "Stop in" deleted ] I wiped /usr/obj this morning, and tried again, and got the same failure. Clues? -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9" Internet: steve @ Watt.COM Whois: SW32 Free time? There's no such thing. It just comes in varying prices... To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
