Re: svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl

2019-04-01 Thread Ermal Luçi
On Mon, Apr 1, 2019 at 2:06 PM Rodney W. Grimes < freebsd-...@gndrsh.dnsmgr.net> wrote: > > On 1 Apr 2019, at 18:47, Rodney W. Grimes wrote: > > > I know for a fact that there is desire, with financials available, > > > to get our code updated. I do not think there is any specific > > > criteria

Re: svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl

2019-04-01 Thread Ermal Luçi
On Mon, Apr 1, 2019 at 9:47 AM Rodney W. Grimes < freebsd-...@gndrsh.dnsmgr.net> wrote: > > On 1 Apr 2019, at 15:48, Rodney W. Grimes wrote: > > > [ Charset UTF-8 unsupported, converting... ] > > >> On 01.04.2019 16:30, Rodney W. Grimes wrote: > > >> It seems it is too late: > > >>

Re: pf tables locking

2018-08-14 Thread Ermal Luçi
(sorry for the top post) If you really want to spend time on it, the best option is to pull out the pool concept used by the rules/nat... and manage it outside of the rules/states but in its own module referenced by the former ones. This would allow extensibility and proper reasoning about it.

Re: Kernel Panic

2018-03-01 Thread Ermal Luçi
On Thu, Mar 1, 2018 at 9:43 AM, Joe Jones wrote: > Hi Kristo, > > It's just the master that crashed, the backup can take over. > > We think the panic we got by compiling with witness and invariant may be a > red herring. > > We are now looking rules like > > nat on

Re: Invalid queue upload statistic

2016-03-19 Thread Ermal Luçi
On Fri, Mar 18, 2016 at 5:38 PM, David S. wrote: > Dear All, > > This is my first post, my name is David and I'm currently developing > FreeBSD as a BGP router and traffic shaper for my network. > > I already setup PF + ALTQ and working great, the bandwidth speed is match >

Re: Machine freezes when loading pf ruleset

2015-08-27 Thread Ermal Luçi
On Wed, Aug 26, 2015 at 4:09 PM, Kolontai Andrej andrej.kolon...@verwaltung.uni-muenchen.de wrote: 1.5k rules seems like a lot for PF to handle. Is that 1.5k rules you've written in the conf, or 1.5k rules from `pfctl -sr | wc -l' ? Yes, that's what is in the conf files. The latter

Re: Near-term pf plans

2015-08-26 Thread Ermal Luçi
On Wed, Aug 26, 2015 at 1:43 PM, Kristof Provost kris...@sigsegv.be wrote: On 2015-08-25 19:56:59 (+0200), Ermal Luçi ermal.l...@gmail.com wrote: On Sun, Aug 23, 2015 at 5:09 PM, Kristof Provost k...@freebsd.org wrote: I'm inclined to say that ifgroups and interfaces should share

Re: Near-term pf plans

2015-08-25 Thread Ermal Luçi
On Sun, Aug 23, 2015 at 5:09 PM, Kristof Provost k...@freebsd.org wrote: Hi, Some of you may have noticed that I fixed a couple of pf issues (or in some cases broke things. Sorry Allan.) recently. Here's a quick list of my current priorities: - PR 127042, 202178: This is a panic when

[Differential] [Updated] D1944: PF and VIMAGE fixes

2015-07-21 Thread Ermal LUÇI
eri added a reviewer: eri. REVISION DETAIL https://reviews.freebsd.org/D1944 EMAIL PREFERENCES https://reviews.freebsd.org/settings/panel/emailpreferences/ To: nvass-gmx.com, bz, trociny, kristof, gnn, zec, rodrigc, glebius, eri Cc: farrokhi, julian, robak, freebsd-virtualization-list,

Re: Large scale NAT with PF - some weird problem

2015-06-23 Thread Ermal Luçi
On Tue, Jun 23, 2015 at 10:12 AM, Milan Obuch freebsd...@dino.sk wrote: On Tue, 23 Jun 2015 09:49:57 +0200 Ian FREISLICH ian.freisl...@capeaugusta.com wrote: Milan Obuch wrote: As a first step, I did small upgrade, so now I run FreeBSD 9.3-STABLE #0 r284695: Mon Jun 22 08:55:29 CEST

Re: RFC: Dropping support for scrub fragment crop/drop-ovl

2015-06-12 Thread Ermal Luçi
On Fri, Jun 12, 2015 at 11:43 AM, Kristof Provost k...@freebsd.org wrote: Hi all, I've recently been looking at bug 200330. I broke things while adding the reassembly support for ipv6 to pf. Those issues should be fixed now, but having looked at the fragment crop/drop-ovl code, I'm

Re: Checksumming outgoing packets in PF vs in ip[6]_output

2014-11-14 Thread Ermal Luçi
for Ermal to send an updated version of his patch that may really solve the problem! On 2014-11-14 09:17, Ermal Luçi wrote: Yes confirmed it will solve that issue as well. On Thu, Nov 13, 2014 at 9:30 PM, J David j.david.li...@gmail.com wrote: On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin i

Re: Checksumming outgoing packets in PF vs in ip[6]_output

2014-11-14 Thread Ermal Luçi
completely :-( So I'm waiting for Ermal to send an updated version of his patch that may really solve the problem! On 2014-11-14 09:17, Ermal Luçi wrote: Yes confirmed it will solve that issue as well. On Thu, Nov 13, 2014 at 9:30 PM, J David j.david.li...@gmail.com wrote: On Wed, Nov

Re: [Bug 172648] [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK

2014-11-10 Thread Ermal Luçi
Give this patch inline a try: --- a/patches/releng/10.1/pf_reply-to.enahnce.diff +++ b/patches/releng/10.1/pf_reply-to.enahnce.diff @@ -1,8 +1,33 @@ +diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c +index 837b617..b6c37a9 100644 +--- a/sys/netinet6/ip6_output.c

Re: Getting tables to work in PF

2014-11-03 Thread Ermal Luçi
On Mon, Nov 3, 2014 at 10:13 AM, Dave Horsfall d...@horsfall.org wrote: On Mon, 3 Nov 2014, Ermal Luçi wrote: Probably you forgot to clear the states! I was under the impression that state applied to keep state i.e. outgoing connections. Nonetheless: aneurin# pfctl -s state

Re: Getting tables to work in PF

2014-11-02 Thread Ermal Luçi
Probably you forgot to clear the states! On Mon, Nov 3, 2014 at 4:54 AM, Dave Horsfall d...@horsfall.org wrote: FreeBSD 8.2-RELEASE-p3 binary (yeah, I need to update, but my DVD reader is busted). After seeing an obnoxious spammer on 216.66.15.120 (it doesn't take 550 5.7.1 as a hint), I

Re: pf stuck

2014-09-29 Thread Ermal Luçi
It is probably better to ask this on freebsd-pf@. Though this sounds like state limit reached. On Mon, Sep 29, 2014 at 7:32 PM, Andrea Venturoli m...@netfence.it wrote: Hello. Today a box of mine (8.4p16/amd64) stopped working as a router; I don't have a clear picture, but the internal nets

Re: Future of pf in FreeBSD ? - does it have one ?

2014-07-09 Thread Ermal Luçi
On Wed, Jul 9, 2014 at 2:42 PM, Mark Martinec mark.martinec+free...@ijs.si wrote: On 2014-07-09 0:32, Kristian K. Nielsen wrote: f) IPv6 support?- it seem to be more and more challenged in the current version of pf in FreeBSD and I am (as well as others) introducing more and more IPv6 in

Re: pf and fragmented packets

2013-12-30 Thread Ermal Luçi
On Sat, Dec 28, 2013 at 9:39 AM, Rui Paulo rpa...@freebsd.org wrote: Hi, I found two problems with pf where fragmented packets behind a NAT don't get properly transmitted/translated. This affects things like the PS3, PS Vita and probably other consoles. The first problem is when I send a

Re: [patch] Source entries removing is awfully slow.

2013-12-02 Thread Ermal Luçi
Hello, can you specify what does not fit on the current interface from pfctl? -k and -K have different scopes. You already can specify src/dst today through them. The only not possible thing is specifying ports/id for protocols that support them tcp/udp/icmp, mostly because the switch/parsing

Re: icmp-type echoreq not matching resulting ttl exceeded

2013-11-29 Thread Ermal Luçi
On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH i...@clue.co.za wrote: Hi At some point this stopped working. I was able to use traceroute -I This rule let the echo request out and the resulting TTL exceeded was matched and allowed back in. Which FreeBSD version are you testing this on?

Re: icmp-type echoreq not matching resulting ttl exceeded

2013-11-29 Thread Ermal Luçi
On Fri, Nov 29, 2013 at 2:53 PM, Ian FREISLICH i...@clue.co.za wrote: Ermal Luçi wrote: On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH i...@clue.co.za wrote: At some point this stopped working. I was able to use traceroute -I This rule let the echo request out and the

Re: [PATCH] dummynet(4) patch for pf(4)

2013-06-11 Thread Ermal Luçi
Hello, I made the corrections to the patch to make it more readable. Can some other eyes give a look and say if they have anything against it? Patch is at same location. On Mon, Jun 10, 2013 at 4:01 PM, Luigi Rizzo ri...@iet.unipi.it wrote: On Mon, Jun 10, 2013 at 03:45:01PM +0200, Ermal Luçi

[PATCH] dummynet(4) patch for pf(4)

2013-06-10 Thread Ermal Luçi
Hello, the patch at location [1] implements support for dummynet into pf(4). The patch has been tested and confirmed working without issues into pfSense. Any objections to integrating this into FreeBSD? [1]

Re: Reloading anchors with many streams

2013-05-15 Thread Ermal Luçi
On Wed, May 15, 2013 at 11:31 AM, Manoj Ganesan manoj.gane...@gmail.com wrote: Hey everyone, I'm just beginning to use FreeBSD + PF, for a use-case of multiple (1000s of) UDP streams, each attached via an anchor. When I unload/flush one of these anchors (say I tear down a stream), does it

Re: Reloading anchors with many streams

2013-05-15 Thread Ermal Luçi
On Wed, May 15, 2013 at 1:28 PM, Manoj Ganesan manoj.gane...@gmail.com wrote: On Wed, May 15, 2013 at 12:06 PM, Ermal Luçi e...@freebsd.org wrote: On Wed, May 15, 2013 at 11:31 AM, Manoj Ganesan manoj.gane...@gmail.com wrote: Hey everyone, I'm just beginning to use FreeBSD + PF

Re: peer address over pf rdr

2013-04-18 Thread Ermal Luçi
On Thu, Apr 18, 2013 at 9:11 AM, Radek Krejča radek.kre...@starnet.cz wrote: Hello, I need to get in some cases ip address of our customer over nat to my www page (eg. for stopping spam and give our customer info). I wrote daemon which listen on port where is traffic of our customers

Re: [patch] Reloading pf rules breaks connections on lo0

2013-03-28 Thread Ermal Luçi
On Thu, Mar 28, 2013 at 3:03 PM, Andreas Longwitz longw...@incore.de wrote: Ermal Luçi wrote: I say intended because so it behaves on the upstream. By introducing another not needed option you introduce another hack on top of the already hackish 'set skip' one. The correct 'fix

Re: [pach] Reloading pf rules breaks connections on lo0

2013-03-20 Thread Ermal Luçi
That is intended behavior. There is an option -m to merge the configs which should not break it. On Wed, Mar 20, 2013 at 2:49 PM, Andreas Longwitz longw...@incore.de wrote: Am 04.03.2013 16:47, schrieb Andreas Longwitz: I run FreeBSD 8 Stable with pf enabled and have the line set skip

Re: [patch] Source entries removing is awfully slow.

2013-03-11 Thread Ermal Luçi
On Mon, Mar 11, 2013 at 4:05 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: There are some things I find flawed in your patch: 1. +#if 0 if (killed 0) pf_purge_expired_src_nodes(1); +#endif This means that after using `pfctl -K` the src

Re: [patch] Source entries removing is awfully slow.

2013-03-09 Thread Ermal Luçi
On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Dnia piątek, 8 marca 2013 o 21:11:43 Ermal Luçi napisał(a): Is this FreeBSD 9.x or HEAD? I found the problem and developed the patch on 9.1. Can you please test this more 'beautiful' patch. It's similar

Re: [patch] Source entries removing is awfully slow.

2013-03-09 Thread Ermal Luçi
Also do not forget to rebuild pfctl so that statistics are shown correctly. On Sat, Mar 9, 2013 at 1:14 PM, Ermal Luçi e...@freebsd.org wrote: On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Dnia piątek, 8 marca 2013 o 21:11:43 Ermal Luçi napisał

Re: [patch] Source entries removing is awfully slow.

2013-03-09 Thread Ermal Luçi
On Sat, Mar 9, 2013 at 2:37 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Dnia sobota, 9 marca 2013 o 13:14:16 Ermal Luçi napisał(a): On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Dnia piątek, 8 marca 2013 o 21:11:43 Ermal Luçi napisał

Re: Routing return NAT traffic based on interface

2012-12-05 Thread Ermal Luçi
On Wed, Dec 5, 2012 at 3:51 PM, Peter McAlpine pe...@aoeu.ca wrote: First off, thanks for all the suggestions from both of you. My email filters were messed up causing me to miss your replies. On 19 November 2012 18:56, David DeSimone f...@verio.net wrote: If I understand the poster's

Re: Upgrading FreeBSD to use the NEW pf syntax.

2012-11-23 Thread Ermal Luçi
On Fri, Nov 23, 2012 at 8:50 AM, Ian FREISLICH i...@cloudseed.co.za wrote: Today its a null op. So it voids the keyword which should be deprecated in FreeBSD or should be reintroduced! Also it may break people assumptions on it. So I take it that set state-policy if-bound will no

Re: Upgrading FreeBSD to use the NEW pf syntax.

2012-11-22 Thread Ermal Luçi
On Thu, Nov 22, 2012 at 3:13 PM, Ian FREISLICH i...@clue.co.za wrote: Ermal Luçi wrote: On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi sodyn...@gmail.com wrote: This was actually discussed much before, as I read it would make some issues with the new pf-smp work done by

Re: Upgrading FreeBSD to use the NEW pf syntax.

2012-11-22 Thread Ermal Luçi
On Thu, Nov 22, 2012 at 3:13 PM, Ian FREISLICH i...@clue.co.za wrote: Ermal Luçi wrote: On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi sodyn...@gmail.com wrote: This was actually discussed much before, as I read it would make some issues with the new pf-smp work done by

Re: Upgrading FreeBSD to use the NEW pf syntax.

2012-11-21 Thread Ermal Luçi
On Wed, Nov 21, 2012 at 3:52 PM, Gleb Smirnoff gleb...@freebsd.org wrote: On Wed, Nov 21, 2012 at 03:44:13PM +0100, Ermal Luçi wrote: E Cherry-picking would be when there is reasonable similarities. E Also another argument to do this would be simplicity on locking as well as E i told you

Re: Upgrading FreeBSD to use the NEW pf syntax.

2012-11-20 Thread Ermal Luçi
actually broke if-bound state but that's another story. Sami On Tue, Nov 20, 2012 at 9:55 AM, Ermal Luçi e...@freebsd.org wrote: On Tue, Nov 20, 2012 at 7:46 AM, Odhiambo Washington odhia...@gmail.com wrote: On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster paul.g.webs...@googlemail.com

Re: Upgrading FreeBSD to use the NEW pf syntax.

2012-11-19 Thread Ermal Luçi
On Tue, Nov 20, 2012 at 7:46 AM, Odhiambo Washington odhia...@gmail.com wrote: On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster paul.g.webs...@googlemail.com wrote: Good day all, I am aware this is a much discussed subject since the upgrade of PF, I believe the final decision was that

Re: svn commit: r240646 - head/sys/contrib/altq/altq

2012-09-19 Thread Ermal Luçi
On Tue, Sep 18, 2012 at 6:15 PM, Gleb Smirnoff gleb...@freebsd.org wrote: Ermal, On Tue, Sep 18, 2012 at 06:02:06PM +0200, Ermal Luçi wrote: E The issue is that this hides the problem per se. What had hidden problem per se, was the following code: PF_UNLOCK();

Re: svn commit: r240646 - head/sys/contrib/altq/altq

2012-09-18 Thread Ermal Luçi
The issue is that this hides the problem per se. The ioctl and pfctl loading of ruleset is not ready for handling failures here! /me Does not understand why people do not ask for review first? On Tue, Sep 18, 2012 at 2:53 PM, Sergey Kandaurov pluk...@freebsd.org wrote: On 18 September 2012

Re: kern/124364: [pf] [panic] Kernel panic with pf + bridge

2012-09-11 Thread Ermal Luçi
Just as a note, this is an issue especially when using bridge+carp+pf. On Tue, Sep 11, 2012 at 1:00 PM, Gleb Smirnoff gleb...@freebsd.org wrote: The following reply was made to PR kern/124364; it has been noted by GNATS. From: Gleb Smirnoff gleb...@freebsd.org To: Vladimir Shapkin

Re: [HEADS UP] merging projects/pf into head

2012-09-10 Thread Ermal Luçi
On Sun, Sep 9, 2012 at 7:53 PM, wishmaster artem...@ukr.net wrote: Everyone agrees that altq needs to vanish, we know other code exists/has been pondered; we'll see who might come forward. May be integrating pf with well-known dummynet?

Re: [HEADS UP] merging projects/pf into head

2012-09-07 Thread Ermal Luçi
On Thu, Sep 6, 2012 at 8:46 AM, Gleb Smirnoff gleb...@freebsd.org wrote: Ermal, On Wed, Sep 05, 2012 at 10:02:17PM +0200, Ermal Luçi wrote: E as already shared with you the opinion the new 're-arrangement' of E data structure together with new syntax E is more helpful to SMP in general, so

Re: [HEADS UP] merging projects/pf into head

2012-09-07 Thread Ermal Luçi
Hello Ian, On Fri, Sep 7, 2012 at 11:26 AM, Ian FREISLICH i...@clue.co.za wrote: I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The OpenBSD-pf port have proved to be poorly maintained. After last import that was made by you, at least the following regressions were

Re: [HEADS UP] merging projects/pf into head

2012-09-07 Thread Ermal Luçi
On Fri, Sep 7, 2012 at 2:05 PM, Ian FREISLICH i...@clue.co.za wrote: Ermal Luçi wrote: - the pf: state key linking mismatch which affects pf as far back as we've been prepared to test (FreeBSD-8.0). Although it only became visible in the logs in -CURRENT before 9-RELEASE

Re: [HEADS UP] merging projects/pf into head

2012-09-05 Thread Ermal Luçi
Hi Gleb, On Wed, Sep 5, 2012 at 8:36 PM, Gleb Smirnoff gleb...@freebsd.org wrote: Thomas, On Wed, Sep 05, 2012 at 04:28:23PM +0200, Thomas Steen Rasmussen wrote: T Your work seems very exciting from a performance standpoint, and it T is certainty something I am looking forward to. Please

Re: [HEADS UP] merging projects/pf into head

2012-09-05 Thread Ermal Luçi
Hi Gleb, On Wed, Sep 5, 2012 at 1:51 PM, Gleb Smirnoff gleb...@freebsd.org wrote: Hi! [announce goes both to net@ and pf@, but any discussion should go on on p...@freebsd.org only, please] As you already may know, last half a year I've been working on making pf SMP-scalable and

Re: Question regarding packet forwarding and Squid

2012-07-10 Thread Ermal Luçi
On Tue, Jul 10, 2012 at 3:31 AM, Hao Bryan Cheng hbch...@berkeley.edu wrote: Hello all, I am working on converting a captive portal system from ipfw to pf (in order to support port-block allocation in many-to-one NAT) on systems currently running FreeBSD 8.2. Most of the firewall rewrite

Re: [CFT] SMP-friendly pf

2012-06-08 Thread Ermal Luçi
On Fri, Jun 8, 2012 at 8:17 AM, Gleb Smirnoff gleb...@freebsd.org wrote:  Hello, networkers!  [net@ in Cc, but further discussion should go on pf@]  As you already probably know, or some may be don't yet know, the pf(4) subsystem in FreeBSD is currently working under a single mutex. This

Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)

2012-06-01 Thread Ermal Luçi
The following reply was made to PR kern/168190; it has been noted by GNATS. From: Ermal Luçi e...@freebsd.org To: Joerg Pulz joerg.p...@frm2.tum.de Cc: Daniel Hartmeier dan...@benzedrine.cx, bug-follo...@freebsd.org, freebsd-pf@freebsd.org Subject: Re: kern/168190: [pf] panic

Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)

2012-05-23 Thread Ermal Luçi
On Wed, May 23, 2012 at 9:05 AM, Joerg Pulz joerg.p...@frm2.tum.de wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 22 May 2012, Ermal Luçi wrote: iirc this is from fastforwarding being enabled. Just from memory though, cause i remember seeing this panic as well. Again, from

Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)

2012-05-22 Thread Ermal Luçi
iirc this is from fastforwarding being enabled. Just from memory though, cause i remember seeing this panic as well. Again, from memory this is fastforwarding related, try disabling it. If it was pf(4) surely in pfSense would have been seen more frequently and in pfSense fastforwarding is not

Re: PF synproxy state doesn't work on CARP IPs

2012-05-18 Thread Ermal Luçi
On Wed, May 16, 2012 at 2:15 PM, Adam Strohl adams-free...@ateamsystems.com wrote: Hello, I've noticed that when I use synproxy state on a rule and a connection comes in to an IP on a CARP interface the connection opens but never gets passed on to the process as it should. For example:

Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives

2012-04-17 Thread Ermal Luçi
2012/4/16 Gleb Smirnoff gleb...@freebsd.org: On Sun, Apr 15, 2012 at 12:00:21PM +, Gleb Smirnoff wrote: T  On Sun, Apr 15, 2012 at 11:10:03AM +, Gleb Smirnoff wrote: T  T    I have a vague suspicion on what is happening. Your description of T  T  the problem looks like if a packet

Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives

2012-04-17 Thread Ermal Luçi
On Tue, Apr 17, 2012 at 10:38 AM, Ermal Luçi e...@freebsd.org wrote: 2012/4/17 Gleb Smirnoff gleb...@freebsd.org: On Tue, Apr 17, 2012 at 10:06:15AM +0200, Ermal Luçi wrote: E 2012/4/16 Gleb Smirnoff gleb...@freebsd.org: E On Sun, Apr 15, 2012 at 12:00:21PM +, Gleb Smirnoff wrote: E T

Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives

2012-04-17 Thread Ermal Luçi
On Tue, Apr 17, 2012 at 6:32 PM, Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net wrote: On 17. Apr 2012, at 09:48 , Gleb Smirnoff wrote:  Replying on only on paragraph, everything else agreed. On Tue, Apr 17, 2012 at 11:33:27AM +0200, Ermal Luçi wrote: E The only problem i might see is when

Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives

2012-04-17 Thread Ermal Luçi
2012/4/17 Gleb Smirnoff gleb...@freebsd.org: On Tue, Apr 17, 2012 at 12:46:08PM +0400, Gleb Smirnoff wrote: T We can make the assignment like: T T if (ifp->if_flags & IFF_LOOPBACK) T      m->m_flags |= M_SKIP_FIREWALL; I've tested this plus MTAG_PERSISTENT on pf tags, and it looks like this

Re: Panic in packet filter

2012-04-13 Thread Ermal Luçi
On Fri, Apr 13, 2012 at 12:29 AM, Theodor-Iulian Ciobanu thciob...@nth.ro wrote: On Thu, 12 Apr 2012 15:01:46 +0200 Ermal Luçi e...@freebsd.org wrote: Hello, On Thu, Apr 12, 2012 at 1:16 PM, Theodor-Iulian Ciobanu thciob...@nth.ro wrote: Hello, I came across this same issue yesterday

Re: Panic in packet filter

2012-04-12 Thread Ermal Luçi
Hello, On Thu, Apr 12, 2012 at 1:16 PM, Theodor-Iulian Ciobanu thciob...@nth.ro wrote: Hello, I came across this same issue yesterday on a system I have just set up. I'm currently using the default kernel: FreeBSD changeme 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012

Re: kern/166411: [pf] simply enabling pf makes udpxy not to work

2012-03-28 Thread Ermal Luçi
The following reply was made to PR kern/166411; it has been noted by GNATS. From: Ermal Luçi e...@freebsd.org To: bug-follo...@freebsd.org, baluste...@gmail.com Cc: Subject: Re: kern/166411: [pf] simply enabling pf makes udpxy not to work Date: Wed, 28 Mar 2012 11:41:05 +0200

Re: Panic in packet filter

2012-02-23 Thread Ermal Luçi
On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech a...@moua7.com wrote: Hi List, I've a box that panics multiple times randomly since a year whatever the release is (8 or 9) The crash dump shows that the problem is related to pf. Is this some sort of identified bug? Below some info and my

Re: Getting Involved

2012-01-27 Thread Ermal Luçi
On Fri, Jan 27, 2012 at 3:36 AM, Greg Hennessy greg.henne...@nviz.net wrote: Hi Peter, That doesn't sound unreasonable, bearing in mind how much we all $ENJOY using the operating system precisely because the interfaces are defined and stable between major releases. I would not have

Re: pf crashes in pfr_update_stats()

2012-01-27 Thread Ermal Luçi
On Fri, Jan 27, 2012 at 7:47 AM, David Siebörger d.siebor...@ru.ac.za wrote: On Thursday, 26 January 2012 5:35 PM Ermal Luçi wrote: Are you doing frequent updating of tables or loading large lists of addresses in them? The machine crashed again, and this time I ran ps in ddb.  It shows pfctl

Re: pf crashes in pfr_update_stats()

2012-01-26 Thread Ermal Luçi
On Thu, Jan 26, 2012 at 3:38 PM, David Siebörger d.siebor...@ru.ac.za wrote: Hi, I have a pair of FreeBSD 9.0-RELEASE firewalls which are crashing repeatedly.  I've been able to connect to one of them with remote kgdb after it crashed (see kgdb session attached), but I haven't been able to

Re: Getting Involved

2012-01-23 Thread Ermal Luçi
On Sun, Jan 22, 2012 at 3:50 AM, Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net wrote: On 21. Jan 2012, at 23:26 , Greg Hennessy wrote: There is one catch. FreeBSD does not want to break compatibility of old syntax and that is why i did not port the latest version of pf(4). Shades

Re: Getting Involved

2012-01-23 Thread Ermal Luçi
On Sun, Jan 22, 2012 at 12:26 AM, Greg Hennessy greg.henne...@nviz.net wrote: There is one catch. FreeBSD does not want to break compatibility of old syntax and that is why i did not port the latest version of pf(4). Shades of the versioning/maintenance issues surrounding putting Perl

Re: kern/163208: [pf] PF state key linking mismatch

2012-01-23 Thread Ermal Luçi
On Sun, Jan 22, 2012 at 11:41 AM, Tilman Keskinöz ar...@freebsd.org wrote: * Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +]: On 21. Jan 2012, at 20:52 , Tilman Keskinöz wrote: On Jan 21, 2012, at 21:01 , Fabian Keil wrote: Tilman Keskinöz ar...@freebsd.org wrote: Same here.

Re: kern/163208: [pf] PF state key linking mismatch

2012-01-23 Thread Ermal Luçi
The following reply was made to PR kern/163208; it has been noted by GNATS. From: Ermal Luçi e...@freebsd.org To: Tilman Keskinöz ar...@freebsd.org Cc: bug-follo...@freebsd.org, freebsd-pf@freebsd.org Subject: Re: kern/163208: [pf] PF state key linking

Re: kern/163208: [pf] PF state key linking mismatch

2012-01-23 Thread Ermal Luçi
The following reply was made to PR kern/163208; it has been noted by GNATS. From: Ermal Luçi e...@freebsd.org To: Tilman Keskinöz ar...@freebsd.org Cc: bug-follo...@freebsd.org Subject: Re: kern/163208: [pf] PF state key linking mismatch Date: Mon, 23 Jan

Re: Getting Involved

2012-01-21 Thread Ermal Luçi
On Fri, Jan 20, 2012 at 11:04 PM, Walt Elam wre...@gmail.com wrote: I would like to help with the development of the PF port for FreeBSD but am not quite sure how to get involved. More specifically, I would like to help get something ported over that accepts the new rule syntax since it

Re: PF + dummynet

2011-11-15 Thread Ermal Luçi
2011/11/14 Виталий Владимирович artem...@ukr.net:  --- Original message ---  From: Ermal Luçi e...@freebsd.org  To: Виталий Владимирович artem...@ukr.net  Date: 14 November 2011, 19:15:31  Subject: Re: PF + dummynet 2011/11/14 Виталий Владимирович artem...@ukr.net:  Hi.  Some

Re: ALTQ with HFSC

2011-10-28 Thread Ermal Luçi
2011/10/26 Виталий Владимирович artem...@ukr.net:  Recently I worked around traffic prioritization of my router (FreeBSD9-BETA3). I would like to prioritization traffic coming from external interface and coming from internal LAN. ## ALTQ altq on $ext_if hfsc bandwidth 800Kb qlimit 500

Re: kern/114095: [carp] carp+pf delay with high state limit

2011-10-17 Thread Ermal Luçi
On Sat, Oct 15, 2011 at 4:20 PM, gleb...@freebsd.org wrote: Synopsis: [carp] carp+pf delay with high state limit State-Changed-From-To: open-closed State-Changed-By: glebius State-Changed-When: Sat Oct 15 14:20:00 UTC 2011 State-Changed-Why: Not a bug. This is a feature. pfsync(4)

Re: kern/114095: [carp] carp+pf delay with high state limit

2011-10-17 Thread Ermal Luçi
2011/10/17 Gleb Smirnoff gleb...@freebsd.org: On Mon, Oct 17, 2011 at 02:18:38PM +0200, Ermal Luçi wrote: E On Sat, Oct 15, 2011 at 4:20 PM,  gleb...@freebsd.org wrote: E Synopsis: [carp] carp+pf delay with high state limit E E State-Changed-From-To: open-closed E State-Changed-By:

Re: [PATCH] PF+dummynet

2011-08-22 Thread Ermal Luçi
On Mon, Aug 22, 2011 at 4:23 AM, Peter Jeremy peter.jer...@alcatel-lucent.com wrote: [This is fairly old but has recently bubbled to the top of my TODO list] On 2011-Jul-13 23:35:44 +0800, Ermal Luçi e...@freebsd.org wrote: I reverted back from having the pipes configured in pfctl because

Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules

2011-08-17 Thread Ermal Luçi
On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets f...@freebsd.org wrote: On 17.08.2011 14:30, Bjoern A. Zeeb wrote: On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote: On 08.07.2011 19:02, David O'Brien wrote: On Fri, Jul 08, 2011 at 02:26:37PM +0200, Ermal Luçi wrote: On Thu, Jul 7, 2011

Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules

2011-08-17 Thread Ermal Luçi
On Wed, Aug 17, 2011 at 3:05 PM, Florian Smeets f...@freebsd.org wrote: On 17.08.2011 14:58, Ermal Luçi wrote: On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets f...@freebsd.org wrote: On 17.08.2011 14:30, Bjoern A. Zeeb wrote: On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote

Re: FreeBSD 8.2 + pf + ipfw (dummynet)

2011-07-14 Thread Ermal Luçi
you is to be careful when loading the modules or when joining to pfil. Murat -Original Message- From: owner-freebsd...@freebsd.org [mailto:owner-freebsd...@freebsd.org] On Behalf Of Murat SÜRÜCÜ Sent: Tuesday, July 12, 2011 8:55 AM To: 'Ermal Luçi' Cc: freebsd-pf@freebsd.org

Re: [PATCH] PF+dummynet

2011-07-13 Thread Ermal Luçi
On Wed, Jul 13, 2011 at 3:00 AM, Peter Jeremy peter.jer...@alcatel-lucent.com wrote: On 2011-Jun-29 16:26:34 +0800, Ermal Luçi e...@freebsd.org wrote: On Wed, Jun 29, 2011 at 6:42 AM, Peter Jeremy peter.jer...@alcatel-lucent.com wrote: Has anyone adapted the PF+dummynet patches for 8.x or 9.x

Re: FreeBSD 8.2 + pf + ipfw (dummynet)

2011-07-11 Thread Ermal Luçi
2011/7/11 Murat SÜRÜCÜ msur...@karaelmas.edu.tr: Hello, I used PF and dummynet together about two years and worked fine. Recently i have upgraded the system 7.2 to 8.2 and dummynet doesn't work anymore. If any packet belong the client IP puts any pipe, it drops and pflog says it blocked by

Re: pf ALTQ bandwidth limited to a 32bit value (4294Mb)

2011-07-07 Thread Ermal Luçi
On Wed, Jul 6, 2011 at 5:25 PM, Calomel Org infallibilismindefeasibil...@calomel.org wrote: ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb. This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any higher, altq will flip back to zero. This bug was found when

Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules

2011-07-05 Thread Ermal Luçi
On Tue, Jul 5, 2011 at 3:47 PM, Fabian Keil freebsd-lis...@fabiankeil.de wrote: Ermal Luçi e...@freebsd.org wrote: On Sat, Jul 2, 2011 at 5:33 PM, Pierre Lamy pie...@userid.org wrote: On 6/29/2011 1:22 PM, Fabian Keil wrote: Bjoern A. Zeeb b...@freebsd.org wrote: Begin forwarded

Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules

2011-07-04 Thread Ermal Luçi
On Sat, Jul 2, 2011 at 5:33 PM, Pierre Lamy pie...@userid.org wrote: On 6/29/2011 1:22 PM, Fabian Keil wrote: Bjoern A. Zeeb b...@freebsd.org wrote: Begin forwarded message: From: Bjoern A. Zeeb b...@freebsd.org Date: June 28, 2011 11:57:25 AM GMT+00:00 To: src-committ...@freebsd.org,

Re: [PATCH] PF+dummynet

2011-06-29 Thread Ermal Luçi
On Wed, Jun 29, 2011 at 6:42 AM, Peter Jeremy peter.jer...@alcatel-lucent.com wrote: Following up on some very old mail... On 2008-Nov-04 16:53:52 +0100, Ermal Luçi ermal.l...@gmail.com wrote: actually this is the latest against RELENG_7 which is confirmed to work with full features of pf(4

Re: PF from OpenBSD 4.7

2011-02-21 Thread Ermal Luçi
On Sun, Feb 20, 2011 at 11:16 PM, Maxim Khitrov m...@mxcrypt.com wrote: On Sun, Feb 20, 2011 at 4:16 PM, jhell jh...@dataix.net wrote: On Sun, 20 Feb 2011 13:27, eirnym@ wrote: On 20 February 2011 06:50, jhell jh...@dataix.net wrote: On Fri, 18 Feb 2011 03:26, eirnym@ wrote: I heard while

Re: PF from OpenBSD 4.7

2011-02-20 Thread Ermal Luçi
On Sun, Feb 20, 2011 at 7:46 PM, Eir Nym eir...@gmail.com wrote: On 20 February 2011 21:38, Chris Buechler cbuech...@gmail.com wrote: On Sun, Feb 20, 2011 at 1:27 PM, Eir Nym eir...@gmail.com wrote: I've found them, but there no status about. You aren't looking very hard, it's been

Re: Questioning altq (cbq) performance above 4Mb on gif or above 40 Mb on e1000

2010-11-05 Thread Ermal Luçi
On Fri, Nov 5, 2010 at 1:33 AM, Ricky Charlet rchar...@adaranet.com wrote: Has anyone out there run altq with cbq with bandwidth limits set around 40 ~ 50 Mb and seen it work well (actual through put allowed to come near that speed)? Thanks --- Ricky Charlet Adara Networks USA

[PATCH] pf(4) patch from OpenBSD 4.5

2010-10-18 Thread Ermal Luçi
Hello, the link http://people.freebsd.org/~eri/pf45_1.diff has the patch for pf(4) as of OpenBSD 4.5 version. The patch is against HEAD. After OpenBSD 4.5 the syntax has changed and this is the reason for such an 'old' version patch. After importing this one the work will go on the newest

Re: Unknown Behavior of PF+ALTQ on a Bridge

2010-06-24 Thread Ermal Luçi
On Thu, Jun 24, 2010 at 3:12 PM, Rafael Henrique Faria rafaelhfa...@cenadigital.com.br wrote: Hi. I'm working on a Bridge between a router Cisco 7200, and a 3Com 7900 switch. I have several subnetworks, and I need to balance the bandwidth between them. The Bridge is running: FreeBSD dell05

Re: Unknown Behavior of PF+ALTQ on a Bridge

2010-06-24 Thread Ermal Luçi
2010/6/24 Rafael Henrique Faria rafaelhfa...@cenadigital.com.br: Just to be more clean: My pf.conf: wan_if=bce0 set limit { states 10, frags 2 } set loginterface $wan_if set optimization normal set block-policy drop set fingerprints /etc/pf.os set skip on lo altq on

Re: Lots of weird PF behavior on 7.2-STABLE

2009-12-15 Thread Ermal Luçi
On Tue, Dec 15, 2009 at 7:21 AM, Linda Messerschmidt linda.messerschm...@gmail.com wrote: Hi all, I have a PF machine that is giving fits. I see a lot of weird behavior. 1) TCP connections (mainly port 80) sometimes take 3 seconds to get started instead of being virtually instant. 2)

Re: FW: clientNatLookup: PF open failed: (13) Permission denied

2009-12-11 Thread Ermal Luçi
2009/12/11 John Dakos [ Enovation Technologies ] gda...@enovation.gr Hello all. I'm running Squid Version 3.0.STABLE20 on FreeBSD 8 Release with PF and .. --enable-pf-transparent' Squid is worked but in my cashe.log I have clientNatLookup: PF open failed: (13) Permission

Re: Connmark target

2009-06-08 Thread Ermal Luçi
On Mon, Jun 8, 2009 at 10:53 PM, David DeSimonef...@verio.net wrote: v...@tesla.cujae.edu.cu v...@tesla.cujae.edu.cu wrote: by the way, anyone knows if there are plans to include connection mark capabilities to pf. i say this because until now is the only way i´ve found to solve my issue.

Re: Connmark target

2009-06-06 Thread Ermal Luçi
On Sat, Jun 6, 2009 at 6:49 PM, v...@tesla.cujae.edu.cu wrote: Vlad Galu d...@dudu.ro ha escrito: On Sat, Jun 6, 2009 at 5:57 AM, v...@tesla.cujae.edu.cu wrote: Hi folks! I´m trying to figure out if there is a way to make connection marking in a similar way as the iptables´s CONNMARK

Re: kern/132176: [pf] pf stalls connection when using route-to [regression]

2009-05-26 Thread Ermal Luçi
On Tue, May 26, 2009 at 1:00 PM, Karsten Schmidt gu...@guggemand.dk wrote: The following reply was made to PR kern/132176; it has been noted by GNATS. From: Karsten Schmidt gu...@guggemand.dk To: bug-follo...@freebsd.org, l...@ngc.net.ua Cc: Subject: Re: kern/132176: [pf] pf stalls

Re: PF + ALTQ - Bandwidth per customer

2009-02-13 Thread Ermal Luçi
On Fri, Feb 13, 2009 at 3:56 AM, Sam Fourman Jr. sfour...@gmail.com wrote: So I would like to hear some ideas on how we could use FreeBSD or any other BSD to limit bandwidth per customer( say one customer (with root access) per server ) There was not much to report at that point.   However,

Re: Optimize HFSC

2008-12-03 Thread Ermal Luçi
On Wed, Dec 3, 2008 at 8:33 PM, Alessandro Silveira [EMAIL PROTECTED] wrote: Hi, I have a Storage with high input traffic in a network, in add 192.168.16.8, and a playout in add 192.168.16.50. I am using Packet Filter for to ensure low delay in streams of video with samba, using real time,

Re: [PATCH] PF+dummynet

2008-11-04 Thread Ermal Luçi
On Mon, Nov 3, 2008 at 7:03 AM, Peter Jeremy [EMAIL PROTECTED] wrote: On 2007-Oct-27 19:45:59 +, Ermal Luçi [EMAIL PROTECTED] wrote: Attached is the patch against -CURRENT for integrating PF with dummynet! It gives full dummynet support in pf.conf syntax and removes dummynet dependency
