Hi all,
I've tried an OpenBSD/i386 3.9-beta snapshots 2 weeks ago. It worked
perfectly until now that I have build an AP with it, with an Nintendo
USB connector. 2 times, pf died and vomit continuously things like :
Feb 11 21:31:30 puffy /bsd: pf_test: pf_get_mtag returned NULL
Feb 11 21:31:30 puffy /bsd: pf_test: pf_get_mtag returned NULL
Feb 11 21:32:51 puffy /bsd: pf_test: pf_get_mtag returned NULL
Feb 11 21:35:08 puffy /bsd: pf_test6: pf_get_mtag returned NULL
Feb 11 21:35:08 puffy /bsd: pf_test: pf_get_mtag returned NULL
Feb 11 21:35:08 puffy /bsd: pf_test6: pf_get_mtag returned NULL
And all routing/connections died with it... :(
It appears 2 times :
* 1 time under heavy network load (rsnapshot'ing through wifi)
* 1 time with a very weak radio signal
I think it's a "beta effect" and I'm sure it will be fixed on 3.9-release :)
I use an OpenVPN L2-bridge to sure my AP. Here is the ifconfig while
using my AP :
$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
ne3:
flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
mtu 1500
lladdr 00:10:60:f6:71:29
media: Ethernet manual
inet6 fe80::210:60ff:fef6:7129%ne3 prefixlen 64 scopeid 0x5
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:40:f4:c3:9a:27
description: LAN interface
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.200.254 netmask 0xffffff00 broadcast 192.168.200.255
inet6 fe80::240:f4ff:fec3:9a27%rl0 prefixlen 64 scopeid 0x6
ural0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:0b:c3:cb:bb
media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
status: active
ieee80211: nwid w3lC0m3_H0m3 chan 11 bssid 00:0d:0b:c3:cb:bb 100dBm
inet 192.168.13.254 netmask 0xffffff00 broadcast 255.255.255.0
inet6 fe80::20d:bff:fec3:cbbb%ural0 prefixlen 64 scopeid 0x7
tun0: flags=9943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
lladdr 00:bd:b2:0a:21:01
inet6 fe80::2bd:b2ff:fe0a:2101%tun0 prefixlen 64 scopeid 0x9
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
dev: ne3 state: session
sid: 0x602 PADI retries: 0 PADR retries: 0 time: 01:29:52
groups: pppoe egress
inet 217.175.191.229 --> 0.0.0.1 netmask 0xffffffff
inet6 fe80::210:60ff:fef6:7129%pppoe0 -> prefixlen 64 scopeid 0xa
bridge0: flags=41<UP,RUNNING> mtu 1500
groups: bridge
The brconfig :
$ brconfig -a
bridge0: flags=41<UP,RUNNING>
Configuration:
priority 32768 hellotime 2 fwddelay 15 maxage 20
Interfaces:
tun0 flags=3<LEARNING,DISCOVER>
port 9 ifpriority 128 ifcost 55
rl0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
port 6 ifpriority 128 ifcost 55
ne3 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
port 5 ifpriority 128 ifcost 55
Addresses (max cache: 100, timeout: 240):
00:0d:56:3e:c9:fb ne3 1 flags=0<>
00:30:88:00:45:40 ne3 1 flags=0<>
74:61:70:00:00:00 tun0 1 flags=0<>
00:90:a3:b3:b1:07 ne3 1 flags=0<>
00:12:bf:0e:42:2f ne3 1 flags=0<>
Here's my dmesg :
OpenBSD 3.9-beta (GENERIC) #595: Mon Jan 30 12:13:55 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 233 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 33071104 (32296K)
avail mem = 22089728 (21572K)
using 429 buffers containing 1757184 bytes (1716K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 09/07/98, BIOS32 rev. 0 @ 0xfc2c0
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 2:40 hours
apm0: flags 20102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf01c0/96 (4 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
WARNING: can't reserve area for I/O APIC.
WARNING: can't reserve area for Local APIC.
bios0: ROM list: 0xc0000/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x02
cbb0 at pci0 dev 2 function 0 "Toshiba ToPIC97 CardBus" rev 0x05: irq 11
cbb1 at pci0 dev 2 function 1 "Toshiba ToPIC97 CardBus" rev 0x05: irq 11
vga1 at pci0 dev 4 function 0 "Chips and Technologies 65555" rev 0xc6
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <TOSHIBA MK4310MAT>
wd0: 16-sector PIO, LBA, 4126MB, 8452080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, 7.5A> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
admtemp0 at iic0 addr 0x4e: adm1021
"Toshiba Fast Infrared Type O" rev 0x23 at pci0 dev 10 function 0 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x0, lattimer 0x0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 2 device 0 cacheline 0x0, lattimer 0x0
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.01
midi0 at sb0: <SB MIDI UART>
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: <SB Yamaha OPL3>
wss0 at isa0 port 0x530/8 irq 10 drq 0: CS4231 or AD1845 (vers 4)
audio1 at wss0
pcppi0 at isa0 port 0x61
midi2 at pcppi0: <PC speaker>
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask eb4d netmask eb4d ttymask fbcf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
ne3 at pcmcia0 function 0 "PCMCIA, FastEthernet, V" port 0xa300/32,
address 00:10:60:f6:71:29
rl0 at cardbus1 dev 0 function 0 "Realtek, Rtl8139": irq 11, address
00:40:f4:c3:9a:27
rlphy0 at rl0 phy 0: RTL internal phy
ural0 at uhub0 port 1
ural0: Nintendo Nintendo Wi-Fi USB Connector, rev 2.00/0.01, addr 2
ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526, address 00:0d:0b:c3:cb:bb
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
pppoe0: phase establish
pppoe0: phase authenticate
pppoe0: phase network
pppoe0: LCP keepalive timeout<6>pppoe0: phase terminate
pppoe0: phase establish
pppoe0: phase dead
pppoe0: phase establish
pppoe0: up
pppoe0: phase authenticate
pppoe0: phase network
my pf.conf looks like (I know it could be "sub-optimal" !) :
# $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# Definitions generales
int_if = "rl0"
ext_if = "pppoe0"
wlan_if = "ural0"
vpn_if = "tun0"
pbook_bcarnazzi = "192.168.200.11"
pc_mathilde = "192.168.200.12"
tcp_services = "{ ssh http https ftp smtp }"
icmp_types = "echoreq"
pbook_p2p_tcp = "{ 6246 1823 2296 4095 6881 4900 }"
pbook_p2p_udp = "{ 6881 }"
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
10.0.0.0/8 }
table <spamd> persist
table <spamd-white> persist
# Options
set block-policy return
set loginterface $ext_if
# Normalisation
scrub in all
scrub out on $ext_if max-mss 1440
# Gestion de la QoS
altq on $ext_if priq bandwidth 128Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
# Translation d'adresses
nat on $ext_if from $int_if:network to ! $int_if:network -> ($ext_if)
# Redirections
rdr on $int_if proto tcp from any to ! $int_if:0 port 21 -> 127.0.0.1 port 8021
# P2P
rdr on $ext_if proto tcp from any to any port $pbook_p2p_tcp -> $pbook_bcarnazzi
rdr on $ext_if proto udp from any to any port $pbook_p2p_udp -> $pbook_bcarnazzi
# Gestion du FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
## FILTRAGE
# QoS
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
keep state queue (q_def, q_pri)
# Politique par defaut
block all
# Loopback
pass quick on lo0 all
pass quick on tun0 all
# RFC 1918
block drop in quick on $ext_if from <priv_nets> to any
block drop out quick on $ext_if from any to <priv_nets>
# Antispoof
antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet
antispoof log quick for $wlan_if inet
antispoof log quick for lo inet
# Antiscan
block drop in log quick on $ext_if from any os NMAP
# Externe
pass out on ne3 to 192.168.200.1 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
# P2P
pass in on $ext_if proto tcp from any to $pbook_bcarnazzi port $pbook_p2p_tcp \
flags S/SA synproxy state
pass in on $ext_if proto udp from any to $pbook_bcarnazzi port $pbook_p2p_udp \
keep state
# Connexion a un FTP actif externe
#pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
# user proxy flags S/SA keep state
# ICMP
pass in inet proto icmp all icmp-type $icmp_types keep state
# Interne
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in on $wlan_if proto tcp from $wlan_if:network to $wlan_if:0 port
ssh keep state
pass in on $wlan_if proto udp from $wlan_if:network to $wlan_if:0 port
1194 keep state
pass out on $wlan_if from any to $wlan_if:network keep state
# Traffic sortant
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp, gre } all keep state
# Gestion du FTP
anchor "ftp-proxy/*"
I think I also found a small bug with pf : when some empty macro
definitions like :
udp_services = "{ }"
are used in rules like :
pass in on $ext_if inet proto udp from any to ($ext_if) \
port $udp_services keep state
it makes pf goes zombi (do nothing).
Thank you,
Bruno.
