Current problem reports assigned to freebsd-pf@FreeBSD.org
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.  Description

o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf     [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf     [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
f kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

47 problems total.

___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: pf and ftp
Hi,

out of curiosity: How do you deal with the FTP problem (only allowing passive FTP access) on a bridge where rdr rules in conjunction with ftp-proxy can not be used?

Thanks in advance for any info & kind regards,
Holger
pf route-to breaks pfil processing order
Hello everyone.

Here's the problem: I need to forward some outgoing traffic to some local service. Traffic goes from my machine, not from the local network, so I cannot use a pf rdr rule, because it handles only incoming traffic. So, I'm using an ipfw fwd rule for that:

    # ipfw add 100 fwd 192.168.1.1,3127 ip from me to any 80 out

Here I redirect all outgoing traffic to another local proxy. (Nope, I cannot use a parent proxy.) Everything is fine and works OK until I turn on pf and create a route-to rule:

    pass out on le0 out route-to (le0 192.168.1.254) from any to yandex.ru

Besides, I'm using dummynet pipes for traffic shaping, so I need ipfw to process incoming packets before pf (and after pf for outgoing packets):

    # ipfw disable firewall
    # ipfw enable firewall

So, the problem goes here. Here's the path of the outgoing packet inside the kernel:

    ip_output() -> ... -> pfil_run_hooks() -> ... -> pf_test()

pf_test checks the packets, searches for state etc. Finally it checks if the packet should be redirected by the "route-to", "reply-to" or "dup-to" options.

pf.c, line 7125, pf_test():

    if (r->rt)
            /* pf_route can free the mbuf causing *m0 to become NULL */
            pf_route(m0, r, dir, ifp, s, &pd);

pf_route() itself performs some routing actions, rewrites the nexthop and interface, and (sic!) sends the packet _directly_ to the specified interface.

pf.c, line 6239, pf_route():

    PF_UNLOCK();
    error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt);
    PF_LOCK();

The original packet is deleted as if it's been blocked by the firewall.

So, any packet that is processed by pf_route would not then be processed by ipfw, would not be diverted into pipes etc. (actually I believe it also wouldn't be processed by altq). For example, in my case the TCP connection wouldn't be redirected by ipfw.

So here are the questions:

1) For what purpose does pf_route invoke if_output by itself?
2) Why can't rewritten packets be left intact so they would be normally processed by ipfw, altq etc. and sent to interfaces by uip_output()?

I'm asking that because when ipfw redirects packets they are processed this way and nothing bad happens.

Thanks

--
Alexey Guskov
Areal company
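
The behaviour described in the message above, as a toy C model added here (not FreeBSD source and not the poster's code; every name in it is a hypothetical stand-in): a hook that transmits a route-to packet itself and consumes it ends the hook walk, so the ipfw hook that follows never sees the packet. It assumes the outbound order given in the message, pf first and ipfw second.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, not FreeBSD source: all names here are hypothetical stand-ins. */
struct pkt { int route_to; };           /* 1 = packet matches a pf route-to rule */
typedef int (*hook_fn)(struct pkt **);  /* a hook may consume the packet: *p = NULL */

static int ipfw_seen, sent_by_pf, sent_by_stack;

/* Stands in for pf_test(): a route-to match is transmitted at once. */
static int pf_hook(struct pkt **p)
{
    if ((*p)->route_to) {
        sent_by_pf++;   /* models the direct (*ifp->if_output)() call */
        *p = NULL;      /* the original packet is gone, as if blocked */
    }
    return 0;
}

/* Stands in for ipfw: fwd rules and dummynet pipes would apply here. */
static int ipfw_hook(struct pkt **p)
{
    (void)p;
    ipfw_seen++;
    return 0;
}

/* Outbound order from the message: pf first, then ipfw. Returns 1 if the
 * packet survived every hook and is sent by the normal output path. */
int run_output_hooks(int route_to)
{
    hook_fn hooks[] = { pf_hook, ipfw_hook };
    struct pkt pkt = { route_to }, *p = &pkt;

    ipfw_seen = sent_by_pf = sent_by_stack = 0;
    for (size_t i = 0; i < sizeof(hooks) / sizeof(hooks[0]); i++)
        if (hooks[i](&p) != 0 || p == NULL)
            return 0;   /* hook walk stops: later hooks never run */
    sent_by_stack++;
    return 1;
}

int ipfw_visits(int route_to) { run_output_hooks(route_to); return ipfw_seen; }

int main(void)
{
    printf("plain packet:    ipfw visits = %d\n", ipfw_visits(0));
    printf("route-to packet: ipfw visits = %d\n", ipfw_visits(1));
    return 0;
}
```

For anyone auditing a mixed pf and ipfw ruleset, the practical check is the same as in the model: any outbound flow that matches a route-to rule has to be treated as exempt from the ipfw rules and pipes ordered after pf.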