Update on altq and interface groups
Hi list, I know this question has been asked before, but I'm after an up-to-date answer, or at least a confirmation. Has support for interface groups been implemented for altq? By that, I mean the possibility to use an interface group name with baltq on GROUPb to set up similar queues for each of the interfaces of the group. This could be used to not have to explicitly name the interfaces but rather refer to their current role. The outgoing traffic for all the interfaces could also be classified with only one ruleset of bpass out on GROUPbs. Unfortunately, the changelogs and my small experiments (see below) seem to hint that it's not supported. But maybe I'm (doing it) wrong? opera...@mudrublic:~$ /sbin/ifconfig lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33200 (...) ath0: flags=8963UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500 (...) groups: wlan internal (...) sis0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 (...) groups: egress (...) Relevant beginning of pfctl.conf: UPLINK_BANDWIDTH = 90Mb set skip on lo set loginterface public altq on egress priq bandwidth $UPLINK_BANDWIDTH queue {std_out, interactive_out, dns_out, tcp_ack_out} queue std_out priq(default) queue interactive_out priority 4 prirq(red) queue dns_out priority 5 queue tcp_ack_out priority 6 (...) pass out on egress proto tcp to any flags S/SA keep state queue(std_out, tcp_ack_out) pass out on egress proto { tcp udp } to any port domain keep state queue dns_out pass out on egress proto tcp to any port ssh flags S/SA keep state queue(std_out, interactive_out) $ sudo pfctl -vf /etc/pf.conf set skip on { lo } set loginterface public UPLINK_BANDWIDTH = 90Mb pfctl: SIOCGIFMTU: Device not configured This error doesn't happen if I replace egress with sis0 in the baltq onb line (pretty bad omen, I guess...). $ uname -a OpenBSD mudrublic.narf.ssji.net 4.6 GENERIC#58 i386 Thanks. -- Olivier Mehani sht...@ssji.net PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655 [demime 1.01d removed an attachment of type application/pgp-signature]
Re: Update on altq and interface groups
On Mon, Jul 5, 2010 at 8:50 AM, Olivier Mehani sht...@ssji.net wrote: I know this question has been asked before, but I'm after an up-to-date answer, or at least a confirmation. Has support for interface groups been implemented for altq? No. http://marc.info/?l=openbsd-miscm=127453585925685w=2
Re: pf, altq and interface groups
* Daniel Melameth dan...@melameth.com [2010-05-22 03:58]: I've considered migrating my macro-based interface names to interface groups, but, it appears, altq does not grok interface groups--and pfctl spits back a pfctl: SIOCGIFMTU: Device not configured when I try. Am I missing something here? pf.conf's BNF, it appears, says I'm not... no ifgroup support for altq - and it is not easy to add either. the BNF is simplified, otherwise it would explode. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
pf, altq and interface groups
I've considered migrating my macro-based interface names to interface groups, but, it appears, altq does not grok interface groups--and pfctl spits back a pfctl: SIOCGIFMTU: Device not configured when I try. Am I missing something here? pf.conf's BNF, it appears, says I'm not...
altq and interface groups
Hi, setup: 4.2 with tun0 being a pppoe(8) int and tun1 being a ssh-vpn over tun0. altq is running on tun0. I know that altq doesn't support interface groups (and that support is not planned (see http://marc.info/?l=openbsd-miscm=112431574118264w=2)) but is there a way around this? Currently altq sees all traffic on tun1 on tun0 as default instead of ssh, which it is. Best Martin
Interface groups configuration
Hello, Is there a native way to configure interface groups in hostname.if instead of doing manually ifconfig if ... group mygroup or calling ifconfig from the hostname.if file like this ... !ifconfig if group mygroup ? This is not documented in hostname.if(5). thanks
Re: Interface groups configuration
On Nov 2, 2006, at 6:43 AM, Luca Corti wrote: Hello, Is there a native way to configure interface groups in hostname.if instead of doing manually ifconfig if ... group mygroup or calling ifconfig from the hostname.if file like this ... !ifconfig if group mygroup ? This is not documented in hostname.if(5). Sure it is. It tells you that options come last. Example: # cat /etc/hostname.em1 inet 192.168.0.1 255.255.255.0 192.168.0.255 description LAN group internal -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: Interface groups configuration
On Thu, Nov 02, 2006 at 12:43:22PM +0100, Luca Corti wrote: Hello, Is there a native way to configure interface groups in hostname.if instead of doing manually ifconfig if ... group mygroup or calling ifconfig from the hostname.if file like this ... !ifconfig if group mygroup ? This is not documented in hostname.if(5). it is documented...the options part of hostname.if(5) are ifconfig(8) options, as noted in the man page. so you could do: inet 10.0.0.1 255.255.255.0 10.0.0.255 group bob jmc
Interface groups PF route-to
Hi all, I've been trying to get interface groups going on a machine and have met with a possibly interesting problem. I have declared an interface to be part of a group, and that group shows up correctly if I `ifconfig foogroup` or `pfctl -s Interfaces` I have a setup where I have one VPN come in over one ISP link, and another over a second (from different remote IPs to different local IPs). I have the following macros defined, [NB: Yes I changed the IPs] link2_if = em0 #link2_if = MyIFGroup link2_gw = 1.1.1.1 link2_ip1 = 1.1.1.20 remote_link0_ip1 = 200.200.200.200 To test, I comment out the 'em0' line and uncomment the IFGroup line. I also have the following rules in place to correctly handle my VPN on that link pass in log quick on $link2_if reply-to ($link2_if $link2_gw)\ proto esp from $remote_link0_ip1 to $link2_ip1 keep state pass out log quick on $link2_if route-to ($link2_if $link2_gw)\ proto esp from $link2_ip1 to $remote_link0_ip1 keep state pass in log on $link2_if reply-to ($link2_if $link2_gw)\ proto udp from $remote_link0_ip1 port = isakmp to $link2_if\ port = isakmp keep state pass out log quick on $link2_if route-to ($link2_if $link2_gw)\ proto udp from $link2_if port = isakmp to $remote_link0_ip1\ port = isakmp keep state What I find is that when I go over to using the MyIFGroup declaration, my rules stop matching and the VPN doesn't get established on the group'd interface (the other VPN comes up fine). Is there something I'm missing ?? From reading the posts and 'man ifconfig' about interface groups I'm pretty sure I just have to assign an interface to the group and nothing more. Is that correct ?? Any help appreciated, Cheers Dave
Re: trunk in interface groups?
* Per-Olov Sj?holm [EMAIL PROTECTED] [2006-02-23 22:08]: Hi misc Saw a post from june 2005 by Henning regarding the work he and Ryan did on code cleanup and the addition code of interface groups. I think I am on my way to abuse these groups as simple alias to make PF totaly independant from the hardware and put all my interface stuff in the hostname.if files only. The question: Is it possible to add a trunk interface as well to an interface group and then refer to that group as an interface in PF? the type of an interface should (I'm inclined to say: must) not matter for interface groups. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: pf and interface groups in 3.8
after some private mails... * Peter Fraser [EMAIL PROTECTED] [2005-11-20 21:30]: I was trying out the interface groups of pf 3.8, I was surprised to get a syntax error with: pass out quick proto { tcp udp } from egress to any port domain flags S/SA keep state as said before, I initially forgot the code for static expansion. this is in -current for some time now tho. which seems to use self in these case as an undefined interface group, I would have expected that self would have been implemented a interface group of all the interfaces on the computer. it is, and happens to work just fine :) pf is very unhappy if you use: set loginterface egress After this statement I could not get pf to work again unless I rebooted. this has been confirmed to be an operator error. while you cannot set loginterface to a group (yet, at least), it does _not_ leave pf in a non-working state or the like. also it is not obvious to me what happens when you use: antispoof quick for Inside where Inside is an interface group containing several interfaces. I expect that antispoof only works as a group, rather than on each interface individually as said - see for yourself. need -current due to above mentioned missing static expansion, then see with echo antispoof for Inside | pfctl -nvf - -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
pf and interface groups in 3.8
I was trying out the interface groups of pf 3.8, I was surprised to get a syntax error with: pass out quick proto { tcp udp } from egress to any port domain flags S/SA keep state you do not get an error message for pass out quick proto { tcp udp } from (egress) to any port domain flags S/SA keep state Also as a result of this experimentation. I discover that syntactically you can say: antispoof $dbg quick for self or pass out quick on self proto { tcp udp } from (egress) to any port domain flags S/SA keep state which seems to use self in these case as an undefined interface group, I would have expected that self would have been implemented a interface group of all the interfaces on the computer. pf is very unhappy if you use: set loginterface egress After this statement I could not get pf to work again unless I rebooted. also it is not obvious to me what happens when you use: antispoof quick for Inside where Inside is an interface group containing several interfaces. I expect that antispoof only works as a group, rather than on each interface individually
Re: pf tables and interface groups
* Henning Brauer [EMAIL PROTECTED] [2005-10-12 17:17]: no, I managed to miss implementing the static expansion, the way more complicated dynamic expansion for interface groups works fine. I'll add the static one asap. so here's the diff for that. disclaimer: I hacked that at a conference, beeing dead tired, careful reading testing appreciated. Index: pfctl_parser.c === RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v retrieving revision 1.220 diff -u -p -r1.220 pfctl_parser.c --- pfctl_parser.c 13 Oct 2005 13:27:06 - 1.220 +++ pfctl_parser.c 13 Oct 2005 14:36:35 - @@ -66,6 +66,7 @@ void print_fromto(struct pf_rule_addr struct pf_rule_addr *, u_int8_t, u_int8_t, int); int ifa_skip_if(const char *filter, struct node_host *p); +struct node_host *ifa_grouplookup(const char *, int); struct node_host *host_if(const char *, int); struct node_host *host_v4(const char *, int); struct node_host *host_v6(const char *, int); @@ -1165,10 +1166,28 @@ struct node_host * ifa_exists(const char *ifa_name) { struct node_host*n; + struct ifgroupreq ifgr; + int s; if (iftab == NULL) ifa_load(); + /* check wether this is a group */ + if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) + err(1, socket); + bzero(ifgr, sizeof(ifgr)); + strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); + if (ioctl(s, SIOCGIFGMEMB, (caddr_t)ifgr) == 0) { + /* fake a node_host */ + if ((n = calloc(1, sizeof(*n))) == NULL) + err(1, calloc); + if ((n-ifname = strdup(ifa_name)) == NULL) + err(1, strdup); + close(s); + return (n); + } + close(s); + for (n = iftab; n; n = n-next) { if (n-af == AF_LINK !strncmp(n-ifname, ifa_name, IFNAMSIZ)) return (n); @@ -1178,11 +1197,56 @@ ifa_exists(const char *ifa_name) } struct node_host * +ifa_grouplookup(const char *ifa_name, int flags) +{ + struct ifg_req *ifg; + struct ifgroupreqifgr; + int s, len; + struct node_host*n, *h = NULL, *hn; + + if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) + err(1, socket); + bzero(ifgr, sizeof(ifgr)); + strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); + if (ioctl(s, SIOCGIFGMEMB, (caddr_t)ifgr) == -1) { + close(s); + return (NULL); + } + + len = ifgr.ifgr_len; + if ((ifgr.ifgr_groups = calloc(1, len)) == NULL) + err(1, calloc); + if (ioctl(s, SIOCGIFGMEMB, (caddr_t)ifgr) == -1) + err(1, SIOCGIFGMEMB); + + for (ifg = ifgr.ifgr_groups; ifg len = sizeof(struct ifg_req); + ifg++) { + len -= sizeof(struct ifg_req); + n = ifa_lookup(ifg-ifgrq_member, flags); + if (h == NULL) + h = n; + else { + for (hn = h; hn-next != NULL; hn = hn-next) + ; /* nothing */ + hn-next = n; + n-tail = hn; + } + } + free(ifgr.ifgr_groups); + close(s); + + return (h); +} + +struct node_host * ifa_lookup(const char *ifa_name, int flags) { struct node_host*p = NULL, *h = NULL, *n = NULL; int got4 = 0, got6 = 0; const char *last_if = NULL; + + if ((h = ifa_grouplookup(ifa_name, flags)) != NULL) + return (h); if (!strncmp(ifa_name, self, IFNAMSIZ)) ifa_name = NULL;
Re: pf tables and interface groups
* Ryan Puckett [EMAIL PROTECTED] [2005-10-07 22:36]: Under the Tables section in the pf.conf(5) man page, it is indicated that tables can be created with a valid interface group. I'm taking this to mean I can do the following: table all-of-my-vlans { vlan } or better yet: table outside { egress } but when loading up the ruleset or even trying to manually add the table via command line pfctl -t outside -T add egress I receive: no IP address found for egress I have no problems when specifying the exact interface such as vlan0. So my question is: did I misread this? no, I managed to miss implementing the static expansion, the way more complicated dynamic expansion for interface groups works fine. I'll add the static one asap. however, you probably don't want that anyway. extending your example slightly. table all-of-my-vlans { vlan } pass to all-of-my-vlans is equal to pass to (vlan) except that the latter saves some tiny amounts of memory, and, more important, gets dynamically updated when vlan interfaces get added or removed or IPs change on any vlan interface. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
pf tables and interface groups
Under the Tables section in the pf.conf(5) man page, it is indicated that tables can be created with a valid interface group. I'm taking this to mean I can do the following: table all-of-my-vlans { vlan } or better yet: table outside { egress } but when loading up the ruleset or even trying to manually add the table via command line pfctl -t outside -T add egress I receive: no IP address found for egress I have no problems when specifying the exact interface such as vlan0. So my question is: did I misread this? Thanks -Ryan
Re: pf tables and interface groups
Sorry, should have indicated I'm using OpenBSD version 3.8 dmesg: OpenBSD 3.8-current (GENERIC) #169: Sun Oct 2 15:06:50 MDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 549 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 670658560 (654940K) avail mem = 604418048 (590252K) using 4278 buffers containing 33636352 bytes (32848K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(1e) BIOS, date 02/23/00, BIOS32 rev. 0 @ 0xfd7a0 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries) pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x6600 0xce800/0x800 0xcf000/0x800 0xe/0x4000! 0xe4000/0xc000 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03 ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Rage Magnum rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x02 pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility pciide0: channel 0 ignored (disabled) atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: TOSHIBA, DVD-ROM SD-M1222, 1004 SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: irq 9 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered Intel 82371AB Power rev 0x02 at pci0 dev 7 function 3 not configured yds0 at pci0 dev 12 function 0 Yamaha 740C rev 0x03: irq 10 xl0 at pci0 dev 13 function 0 3Com 3c905B 100Base-TX rev 0x30: irq 11, address 00:50:da:22:7c:7e exphy0 at xl0 phy 24: 3Com internal media interface ahc1 at pci0 dev 14 function 0 Adaptec AHA-29160 U160 rev 0x02: irq 5 scsibus1 at ahc1: 16 targets sd0 at scsibus1 targ 0 lun 0: SEAGATE, ST39236LW, 0004 SCSI3 0/direct fixed sd0: 8761MB, 14384 cyl, 3 head, 415 sec, 512 bytes/sec, 17942584 sec total xl1 at pci0 dev 15 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 10, address 00:01:02:46:25:77 bmtphy0 at xl1 phy 24: Broadcom 3C905C internal PHY, rev. 6 xl2 at pci0 dev 16 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 9, address 00:01:02:73:ec:be bmtphy1 at xl2 phy 24: Broadcom 3C905C internal PHY, rev. 6 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 sysbeep0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pccom0: console pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask f365 netmask ff65 ttymask ffe7 pctr: 686-class user-level performance counters enabled mtrr: Pentium Pro MTRR support ahc1: target 0 using 16bit transfers ahc1: target 0 synchronous at 20.0MHz, offset = 0x1f dkcsum: sd0 matches BIOS drive 0x80 root on sd0a rootdev=0x400 rrootdev=0xd00 rawdev=0xd02 ac97: codec id 0x41445303 (Analog Devices AD1819) ac97: codec features Analog Devices Phat Stereo audio0 at yds0 opl0 at yds0: model OPL3 midi1 at opl0: DS-1 integrated Yamaha OPL3 mpu at yds0 not configured mpu at yds0 not configured mpu at yds0 not configured mpu at yds0 not configured On Fri, 2005-10-07 at 14:30 -0600, Ryan Puckett wrote: Under the Tables section in the pf.conf(5) man page, it is indicated that tables can be created with a valid interface group. I'm taking this to mean I can do the following: table all-of-my-vlans { vlan } or better yet: table outside { egress } but when loading up the ruleset or even trying to manually add the table via command line pfctl -t outside -T add egress I receive: no IP address found for egress I have no problems when specifying the exact interface such as vlan0. So my question is: did I misread this? Thanks -Ryan
interface groups and altq
Do interface groups support altq? It would appear that they do not, but I might have a borked kernel/pfctl utility, so wanted to ask the list to make sure. When I try to put altq on an interface group, i get the following when parsing my pf.conf: $ sudo pfctl -f /etc/pf.conf -n pfctl: SIOCGIFDATA: Device not configured $ However if I change the altq line to use the actual interface, it works: $ sudo pfctl -f /etc/pf.conf -n $ here is my pf.conf and dmesg, although the simple answer will probably be either, yes or no. ### MACROS ### ext_if=egress int_if=intnet ext_ip=( $ext_if ) int_ip=( $int_if ) kyle=172.17.101.7/32 terrance=172.17.101.1/32 kenny=192.168.17.5/32 tweak=192.168.17.62/32 craig=192.168.17.61/32 wendy=192.168.17.60/32 table high_hosts { $kyle, $kenny } table low_hosts { $tweak, $craig, $wendy } ext_net=$ext_if:network int_net=$int_if:network unpriv== 1024 ### OPTIONS ### set limit states 2 set optimization aggressive set block-policy drop set skip on lo0 ### TRAFFIC NORMALIZATION ### scrub in all no-df random-id fragment reassemble ### QUEUEING ### # external interface queue list #altq on $ext_if priq queue { std_ext, high_ext, low_ext } #queue std_ext on $ext_if priq( default, red ) #queue high_ext on $ext_if priority 10 priq( red ) #queue low_ext on $ext_if priority 0 priq( red ) # internal interface queue list altq on le2 priq queue { std_int, high_int, low_int } queue std_int on le2 priq( default, red ) queue high_int on le2 priority 10 priq( red ) queue low_int on le2 priority 0 priq( red ) ### TRANSLATION ### ### PACKET FILTERING ### block in log all block out log all pass in quick on $ext_if inet proto tcp from high_hosts port $unpriv to $ext_ip port ssh flags S/FSRPA modulate state queue high_ext pass in quick on $ext_if inet proto tcp from low_hosts port $unpriv to $ext_ip port ssh flags S/FSRPA modulate state queue low_ext pass in quick on $ext_if inet proto tcp from any port $unpriv to $ext_ip port ssh flags S/FSRPA modulate state queue std_ext pass in quick on $int_if inet proto tcp from high_hosts port $unpriv to $int_ip port ssh flags S/FSRPA modulate state queue high_int pass in quick on $int_if inet proto tcp from low_hosts port $unpriv to $int_ip port ssh flags S/FSRPA modulate state queue low_int pass out quick on $ext_if inet proto udp from $ext_ip to $kyle port ntp modulate state queue high_ext pass out quick on $ext_if inet proto udp from $ext_ip to $terrance port domain modulate state queue high_ext pass out quick on $ext_if inet proto tcp from $ext_ip port $unpriv to anoncvs_hosts port 5999 flags S/FSRPA modulate state queue high_ext pass out quick on $ext_if inet proto tcp from $ext_ip port $unpriv to any port www flags S/FSRPA modulate state queue std_ext OpenBSD 3.8-beta (GENERIC) #85: Sun Aug 14 13:55:19 MDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz (GenuineIntel 686-class) 3.20 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,PNI real mem = 133734400 (130600K) avail mem = 115433472 (112728K) using 1658 buffers containing 6791168 bytes (6632K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(77) BIOS, date 04/21/04, BIOS32 rev. 0 @ 0xfd880 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries) pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x1a00! 0xca000/0x1000 0xcb000/0x1000 0xdc000/0x4000! 0xe4000/0x4000! cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x01 ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x01 pci1 at ppb0 bus 1 pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x08 pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 ignored (disabled) atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: NECVMWar, VMware IDE CDR10, 1.00 SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 Intel 82371AB Power rev 0x08 at pci0 dev 7 function 3 not configured vga1 at pci0 dev 15 function 0 VMware Virtual SVGA II rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) bha3 at pci0 dev 16 function 0 BusLogic MultiMaster rev 0x01: irq 11, BusLogic 9xxC SCSI bha3: model BT-958, firmware 5.07B bha3: sync, parity scsibus1 at bha3: 8 targets sd0 at scsibus1 targ 0 lun 0: VMware,, VMware Virtual S, 1.0 SCSI2 0/direct fixed sd0: 2048MB, 261 cyl, 255 head, 63 sec, 512 bytes/sec, 4194304 sec total sd1 at scsibus1 targ
Re: interface groups and altq
* Jason Crawford [EMAIL PROTECTED] [2005-08-17 18:47]: Do interface groups support altq? in the sense of queuing on interface groups, no, not really. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: interface groups and altq
On 8/17/05, Henning Brauer [EMAIL PROTECTED] wrote: * Jason Crawford [EMAIL PROTECTED] [2005-08-17 18:47]: Do interface groups support altq? in the sense of queuing on interface groups, no, not really. Is this a work in progress? Planned but after 3.8? Or is this not possible? Thanks, Jason
Re: interface groups and altq
* Jason Crawford [EMAIL PROTECTED] [2005-08-17 21:55]: On 8/17/05, Henning Brauer [EMAIL PROTECTED] wrote: * Jason Crawford [EMAIL PROTECTED] [2005-08-17 18:47]: Do interface groups support altq? in the sense of queuing on interface groups, no, not really. Is this a work in progress? Planned but after 3.8? Or is this not possible? in theory it should be possible, but it is everything but trivial. I have no plans in that direction myself currently. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: PF, Interface-groups and nat
* Erik Wikstrvm [EMAIL PROTECTED] [2005-07-06 22:54]: set loginterface if_ext All seems fine, running pfctl -n on it produces nothing, but when trying to load the rules I get DIOSETSTATUSIF, and no rules are loaded. What am I doing wrong? oh hmm loginterface does not support groups. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: PF, Interface-groups and nat
Try running pfctl -nf; use both switches. This should give you an error (syntax error) to which it refers you to a line where something went wrong.
Re: PF, Interface-groups and nat
On 2005-07-07 18:47, Vivek Ayer wrote: Try running pfctl -nf; use both switches. This should give you an error (syntax error) to which it refers you to a line where something went wrong. Sorry, I was being unclear, I did use -nf. However I did get rid of that problem by setting a real interface as the loginterface instead of the group. Unfortunately that did not make things much better. Computers on the local network were able to ping the OpenBSD-box but not the other way around, I just got Sendto: No route to host. Nor could any of the computers on the network get through to the internet, or rather, I suspect that they could send out their requests but the router didn't manage to send any data back. Strange though that the echo-replys got through. -- Erik Wikstrvm
Re: PF, Interface-groups and nat
--On 07 July 2005 20:22 +0200, Erik WikstrC6m wrote: Computers on the local network were able to ping the OpenBSD-box but not the other way around, I just got Sendto: No route to host. Carefully verify your rules - easiest way is to make sure you 'log' on all your block rules then monitor the pflog0 interface with tcpdump as described in the manual. Assuming you have a default route (if connecting outside the subnet), or the host is responding to ARP requests (if it's within the subnet), this error usually indicates that you don't have a PF rule permitting the packet's transmission.
PF, Interface-groups and nat
Hi I'm trying to set up a small home-network with both wired and wireless access, so I've put the following NICs in a box: ath0: internal wireless 192.168.1.1 rl0: internal wired 192.168.0.1 rl1: external wired DHCP I've used the following pf.conf (a slight adaption from the example in the pf-FAQ): # macros tcp_services = { 22, 113 } icmp_types = echoreq # options set block-policy return set loginterface rl1 # scrub scrub in all # nat/rdr nat on rl1 from ath0:network to any - (rl1) nat on rl1 from rl0:network to any - (rl1) # filter rules block all pass quick on lo0 all pass in on rl1 inet proto tcp from any to (rl1) \ port $tcp_services flags S/SA keep state pass in inet proto icmp all icmp-type $icmp_types keep state pass in on ath0 from ath0:network to any keep state pass out on ath0 from any to ath0:network keep state pass in on rl0 from rl0:network to any keep state pass out on rl0 from any to rl0:network keep state pass out on rl1 proto tcp all modulate state flags S/SA pass out on rl1 proto { udp, icmp } all keep state Then I tried to use interface-groups (cool feature, and it seems like it might reduce the pf.conf-file and make it easier to maintain) and put rl1 in group if_ext and the other two NICs in if_int and tried to adapt pf.conf accordingly and got this: # macros tcp_services = { 22, 113 } icmp_types = echoreq # options set block-policy return set loginterface if_ext # scrub scrub in all # nat/rdr nat on if_ext from (if_int:network) to any - (if_ext) # filter rules block all pass quick on lo0 all pass in on if_ext inet proto tcp from any to (if_ext) \ port $tcp_services flags S/SA keep state pass in inet proto icmp all icmp-type $icmp_types keep state pass in on if_int from (if_int:network) to any keep state pass out on if_int from any to (if_int:network) keep state pass out on if_ext proto tcp all modulate state flags S/SA pass out on if_ext proto { udp, icmp } all keep state All seems fine, running pfctl -n on it produces nothing, but when trying to load the rules I get DIOSETSTATUSIF, and no rules are loaded. What am I doing wrong? -- Erik Wikstrvm
pf and interface groups
Hi I'm trying to set up a box as a router for my home network, I have 3 NICs, one external, one wireless, and one internal. I've put the external in group if_ext and the wireless and the internal in group if_int, the reason for this is that it gives me a little more generic pf.conf (and it's fun). However I've got a problem, on some places I use the :network- modifier on the interface-groupnames, which of course does not work. I've tried replacing if_int with the macro if_int = { rl0, ath0 } and use $if_int:network but that, ofcourse does not work either. So I'm wondering what's the best approach that keeps the rules fairly generic? -- Erik Wikstrvm
Re: pf and interface groups
Gah, should have read more carfully, using (if_ext:network) works just fine. -- Erik Wikstrvm
Re: interface groups and pf
Hi all. And is ALTQ will work on such groups? For example, I had altq on $ext_if_1 priq bandwidth 10Mb queue { q_pri_1, q_def_1 } queue q_pri_1 priority 7 queue q_def_1 priority 1 priq(default) altq on $ext_if_2 priq bandwidth 10Mb queue { q_pri_2, q_def_2 } queue q_pri_2 priority 7 queue q_def_2 priority 1 priq(default) So, can I dispense just one altq? altq on $grp priq bandwidth 10Mb queue { q_pri, q_def } queue q_pri priority 7 queue q_def priority 1 priq(default) -- engineer
Re: interface groups and pf
where do one get the the 1 litre stella bottle? /Isak tony sarendal wrote: pf is the best thing since the 1-litre stella bottle. It's good to see that it continues to improve. This is cool stuff. /Tony S
Re: interface groups and pf
Henning Brauer wrote: So, after cleaning up the interface abstraction code in pf with Ryan before the Hackathon, I worked on interface groups integration to pf. ... joining to others: great work. So for now isakmpd have not need to listen on the routing socket by itself to be truly dynamic with interfaces' changes. Instead of it, isakmpd should refer to interface groups just like refers to interface names and default route for now. It it correct understanding of the future of isakmpd in this area? Thanks.
interface groups and pf
So, after cleaning up the interface abstraction code in pf with Ryan before the Hackathon, I worked on interface groups integration to pf. An interface group, is, well, a group of interfaces (surprised, anyone?). Interfaces can join and leave interface groups any time, and can be member in an arbitary number of groups. The join and leave is done via ifconfig: ifconfig sk1 group dmz makes sk1 join the group dmz, and ifconfig sk1 -group dmz removes sk1 from that group again. A group is removed when it does not have any members any more and pf does not refer to it. So far, so good. Now, pf can use interface groups instead of interfaces basically everywhere now. Sounds simple, but is quite powerful. For example, you can (ab-)use interface groups as a kind of aliasing. Just a group with one member, and refer to that. For example, hang your dmz of an interface group called dmz - if you do this in a consistent manner, your ruleset is entirely independent from the underlying hardware, you make interfaces join the groups in their respective hostname.if files which are machine dependent anyway. now, if you add a second dmz interface for whatever reasons with the same policy, you don't even have to modify (usually not even reload) your ruleset - just make the 2nd dmz interface join the group :) that of course makes much more sense for your external interface, where you might get a second internet connection, or customer-facing interfaces which have the same policies. pf can refer to interfaces and interface groups which do not exist (yet) - once the interface / the group shows up, it will be atached to the construct pf uses and (without ruleset reloads!) things Just Work. Moreover, you can use the brace notation for a dynamic interface name to ip address translation, as in, pass in on tun0 proto tcp to (tun0) port ssh keep state and the like. Internally, pf uses a table named after the interface inside the _pf anchor, and updates the table whenever there are address changes on that interface. That works for interface groups too, now - including correct handling of interfaces joining and leaving the group in question, of course. so, if you put all your customer-facing interfaces (vlans or physical, or any combination... as long as it is interfaces :) ) in a group customers, (customers) correctly expands to all ip addresses on your customer-facing interfaces - and (customer:network) to all networks on them. And suddenly nice things like block in on egress from (customer:network) work. For clonable interfaces (almost all virtual ones are, tun, ppp, lo, vlan, etc), the clones are all member of an interface class group, for example, all loopback interfaces are part of the lo interface group, all vlan interfaces are part of the vlan group, etc. this is especially useful in cases where interfaces get created by a daemon on a next free basis, like tun with userland ppp. now, we had a sick idea for a while, and since we finally had all the parts together now I could implement it - there is an egress interface group now which follows the default routes. This interface group contains all interfaces which IPv4 and IPv6 default routes point to - usually, that is one. It even understands multipath routes already, despite them not being useful yet. The group is updated (actually, rebuilt) every time there is changes/additions/deletions of an IPv4 or IPv6 default route. So, imagine that on your notebook, where you are sometimes on wireless and sometimes on wired network connections - just write your pf.conf so that it refers to the egress group instead of wi0 and em0, and it will Just Work :)
Re: interface groups and pf
Cool how's your new notebook?
Re: interface groups and pf
Marvelous work. Thank you. :)
Re: interface groups and pf
Truely amazing work Henning. OpenBSD already leads the way (at least in my opinion) for a packet filter, whether it's commercial or open source, and these latest additions will make my life so much easier. If there is any more testing that needs to be done, I have many spare computers, almost completely unused T1 (only by me and two other co-workers), a /28 of IP addresses (6 currently used, but I could trim that down a few), and a cabinet drawer full of spare nics at work and I'm in charge of it all, so I could do some testing when I have some spare time. Again, thanks so much for this amazing work. Jason On 6/16/05, Henning Brauer [EMAIL PROTECTED] wrote: So, after cleaning up the interface abstraction code in pf with Ryan before the Hackathon, I worked on interface groups integration to pf. An interface group, is, well, a group of interfaces (surprised, anyone?). Interfaces can join and leave interface groups any time, and can be member in an arbitary number of groups. The join and leave is done via ifconfig: ifconfig sk1 group dmz makes sk1 join the group dmz, and ifconfig sk1 -group dmz removes sk1 from that group again. A group is removed when it does not have any members any more and pf does not refer to it. So far, so good. Now, pf can use interface groups instead of interfaces basically everywhere now. Sounds simple, but is quite powerful. For example, you can (ab-)use interface groups as a kind of aliasing. Just a group with one member, and refer to that. For example, hang your dmz of an interface group called dmz - if you do this in a consistent manner, your ruleset is entirely independent from the underlying hardware, you make interfaces join the groups in their respective hostname.if files which are machine dependent anyway. now, if you add a second dmz interface for whatever reasons with the same policy, you don't even have to modify (usually not even reload) your ruleset - just make the 2nd dmz interface join the group :) that of course makes much more sense for your external interface, where you might get a second internet connection, or customer-facing interfaces which have the same policies. pf can refer to interfaces and interface groups which do not exist (yet) - once the interface / the group shows up, it will be atached to the construct pf uses and (without ruleset reloads!) things Just Work. Moreover, you can use the brace notation for a dynamic interface name to ip address translation, as in, pass in on tun0 proto tcp to (tun0) port ssh keep state and the like. Internally, pf uses a table named after the interface inside the _pf anchor, and updates the table whenever there are address changes on that interface. That works for interface groups too, now - including correct handling of interfaces joining and leaving the group in question, of course. so, if you put all your customer-facing interfaces (vlans or physical, or any combination... as long as it is interfaces :) ) in a group customers, (customers) correctly expands to all ip addresses on your customer-facing interfaces - and (customer:network) to all networks on them. And suddenly nice things like block in on egress from (customer:network) work. For clonable interfaces (almost all virtual ones are, tun, ppp, lo, vlan, etc), the clones are all member of an interface class group, for example, all loopback interfaces are part of the lo interface group, all vlan interfaces are part of the vlan group, etc. this is especially useful in cases where interfaces get created by a daemon on a next free basis, like tun with userland ppp. now, we had a sick idea for a while, and since we finally had all the parts together now I could implement it - there is an egress interface group now which follows the default routes. This interface group contains all interfaces which IPv4 and IPv6 default routes point to - usually, that is one. It even understands multipath routes already, despite them not being useful yet. The group is updated (actually, rebuilt) every time there is changes/additions/deletions of an IPv4 or IPv6 default route. So, imagine that on your notebook, where you are sometimes on wireless and sometimes on wired network connections - just write your pf.conf so that it refers to the egress group instead of wi0 and em0, and it will Just Work :)
Re: interface groups and pf
On Thu, 16 Jun 2005 20:55:48 +0200, Henning Brauer [EMAIL PROTECTED] wrote: So, after cleaning up the interface abstraction code in pf with Ryan before the Hackathon, I worked on interface groups integration to pf. Henning, Ryan and all involved -Very Amazing Work. Thank You! JCR
Re: Interface groups
* Frank Denis (Jedi/Sector One) [EMAIL PROTECTED] [2005-06-05 22:22]: Since -current changed a bit the way interface groups are working, is there a simple way to emulate the old behavior? Specifically, I have a pptp server using poptop that creates a lot of tun interfaces. But these interfaces are not automatically assigned to an interface group. So is there still a way to match tun* in pf rules? not currently. I plan to bring back the interface class groups for cloned interfaces, tho there is a bit prerequisite work to do (there is no easy way to detect cloned interfaces yet) -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)