Current problem reports assigned to freebsd-pf@FreeBSD.org

2011-10-17 Thread FreeBSD bugmaster
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker  Resp.  Description

o kern/160370  pf [pf] Incorrect pfctl check of pf.conf
o kern/159390  pf [pf] [panic] mutex pf task mtx owned at /usr/src/sys/c
o kern/159029  pf [pf] [panic] m_copym, offset > size of mbuf chain when
o kern/158873  pf [pf] [panic] When I launch pf daemon, I have a kernel 
o kern/158636  pf [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf [pf] Bug with PF firewall
o kern/148290  pf [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf [pf] No way to adjust pidfile in pflogd
o conf/142817  pf [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf [pf] pf behaviour changes - must be documented
o kern/137982  pf [pf] when pf can hit state limits, random IP failures 
o kern/136781  pf [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf [pf] [gre] pf not natting gre protocol
o kern/135162  pf [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf [pf] max-src-conn issue
o kern/132769  pf [pf] [lor] 2 LOR's with pf task mtx / ifnet and  rtent
f kern/132176  pf [pf] pf stalls connection when using route-to [regress
o conf/130381  pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf [pf] ipv6 and synproxy don't play well together
o conf/127814  pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf [pf] deadlock in pf
f kern/127345  pf [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf [pf] [patch] pf incorrect log priority
o kern/127042  pf [pf] [patch] pf recursion panic if interface group is 
o kern/125467  pf [pf] pf keep state bug while handling sessions between
s kern/124933  pf [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf [pf] [request] lost returning packets to PF for a rdr 
o kern/120057  pf [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf pfsync fails to successfully transfer some sessions
o kern/103281  pf pfsync reports bulk update failures
o kern/93825   pf [pf] pf reply-to doesn't work
o sparc/93530  pf [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf [pf] PF + ALTQ problems with latency
o bin/86635    pf [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf [pf] cbq scheduler cause bad latency

49 problems total.

___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


Re: kern/114095: [carp] carp+pf delay with high state limit

2011-10-17 Thread Ermal Luçi
On Sat, Oct 15, 2011 at 4:20 PM,   wrote:
> Synopsis: [carp] carp+pf delay with high state limit
>
> State-Changed-From-To: open->closed
> State-Changed-By: glebius
> State-Changed-When: Sat Oct 15 14:20:00 UTC 2011
> State-Changed-Why:
> Not a bug. This is a feature. pfsync(4) suppresses carp(4)
> preemption until new recently booted node downloads full
> table of pf(4) states from its peer.
>

This is not true on FreeBSD.
The issue might be from other reasons.

>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=114095
> ___
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
>



-- 
Ermal


PF & Inside NAT

2011-10-17 Thread Eric Masson
Hello,

Does the PF 4.5 port present in -current & 9-STABLE support inside NAT
please (somewhat like the reverse nat available with libalias) ?

Kind Regards

Éric Masson

-- 
 I don't feel like wasting my time on their stupid APD. But I need the
 certificate it grants to take the driving test. I've heard you can find
 it on the Internet. Does anyone have any info?
 -+- DC in GNU: Neuneu mends his ways -+-


Re: kern/114095: [carp] carp+pf delay with high state limit

2011-10-17 Thread Gleb Smirnoff
On Mon, Oct 17, 2011 at 02:18:38PM +0200, Ermal Luçi wrote:
E> On Sat, Oct 15, 2011 at 4:20 PM,   wrote:
E> > Synopsis: [carp] carp+pf delay with high state limit
E> >
E> > State-Changed-From-To: open->closed
E> > State-Changed-By: glebius
E> > State-Changed-When: Sat Oct 15 14:20:00 UTC 2011
E> > State-Changed-Why:
E> > Not a bug. This is a feature. pfsync(4) suppresses carp(4)
E> > preemption until new recently booted node downloads full
E> > table of pf(4) states from its peer.
E> 
E> This is not true on FreeBSD.
E> The issue might be from other reasons.

This is a surprise for me that this feature had been removed!

It used to be in stable/6:

http://fxr.watson.org/fxr/ident?v=FREEBSD60;i=carp_suppress_preempt

And I always treated that variable in CARP as shared with pf. Why did
they remove this feature from pfsync?

P.S. Since the PR is about 6.2-RELEASE, I have closed it correctly.

-- 
Totus tuus, Glebius.


Re: PF & Inside NAT

2011-10-17 Thread Damien Fleuriot
On 10/17/11 2:50 PM, Eric Masson wrote:
> Hello,
> 
> Does the PF 4.5 port present in -current & 9-STABLE support inside NAT
> please (somewhat like the reverse nat available with libalias) ?
> 
> Kind Regards
> 
> Éric Masson
> 

I totally did not understand whatever you're trying to say.
In other words, I didn't understand a thing.

What do you call "inside nat" ?

If you're referring to the mechanism where a client calls a public IP on
your firewall, and PF rewrites it to an internal IP, what you want is
the rdr mechanism.

These will still work, since the new rule syntax for PF only appears
in 4.7.


Re: PF & Inside NAT

2011-10-17 Thread Bjoern A. Zeeb

On 17. Oct 2011, at 14:09 , Damien Fleuriot wrote:

> On 10/17/11 2:50 PM, Eric Masson wrote:
>> Hello,
>> 
>> Does the PF 4.5 port present in -current & 9-STABLE support inside NAT
>> please (somewhat like the reverse nat available with libalias) ?
>> 
>> Kind Regards
>> 
>> Éric Masson
>> 
> 
> I totally did not understand whatever you're trying to say.
> En d'autres termes, j'ai rien compris.
> 
> What do you call "inside nat" ?
> 
> If you're referring to the mechanism where a client calls a public IP on
> your firewall, and PF rewrites it to an internal IP, what you want is
> the rdr mechanism.
> 
> These will still work, seeing the new rules syntax for PF only appears
> in 4.7

Inside NAT means when the packet arrives at the system rather than leaving it,
as in before any IPsec or routing decision; for a long time pf had no concept
of this, and yes, the pf in FreeBSD still lacks it.

/bz

-- 
Bjoern A. Zeeb You have to have visions!
 Stop bit received. Insert coin for new address family.



Re: PF & Inside NAT

2011-10-17 Thread Eric Masson
Damien Fleuriot  writes:

Hi Damien,

> I totally did not understand whatever you're trying to say.
> En d'autres termes, j'ai rien compris.

No problem ;)

> What do you call "inside nat" ?

The ability to trigger nat via incoming packets (useful in a nat before
vpn scenario), just like libalias does when a rule contains the reverse
keyword (see ipfw(8)).

Inside NAT is the name used on some Ciscos, for example.

Seems Ermal was working on $subject a few months ago.

Regards

Éric Masson

-- 
 70% of frjv are newbies? And once they no longer are, what do they do?
 Do they leave frjv because it's too crappy? Because if they stay there
 and keep behaving that way, they become neuneus.
 -+- XB in:  - You will be a neuneu, my son -+-


Re: PF & Inside NAT

2011-10-17 Thread Eric Masson
"Bjoern A. Zeeb"  writes:

Hello Bjoern,

> of this, and yes, the pf in FreeBSD still lacks it.

Ok. Thanks a lot for the answer.

Regards

Éric Masson

-- 
 in the end it remains a personal decision, without external
 constraints, since there is nothing to prove in this area to the
 exogenous control variables
 -+- JPJ -  - Neuneu puts on airs -+-


Re: kern/114095: [carp] carp+pf delay with high state limit

2011-10-17 Thread Ermal Luçi
2011/10/17 Gleb Smirnoff :
> On Mon, Oct 17, 2011 at 02:18:38PM +0200, Ermal Luçi wrote:
> E> On Sat, Oct 15, 2011 at 4:20 PM,   wrote:
> E> > Synopsis: [carp] carp+pf delay with high state limit
> E> >
> E> > State-Changed-From-To: open->closed
> E> > State-Changed-By: glebius
> E> > State-Changed-When: Sat Oct 15 14:20:00 UTC 2011
> E> > State-Changed-Why:
> E> > Not a bug. This is a feature. pfsync(4) suppresses carp(4)
> E> > preemption until new recently booted node downloads full
> E> > table of pf(4) states from its peer.
> E>
> E> This is not true on FreeBSD.
> E> The issue might be from other reasons.
>
> This is a surprise for me that this feature had been removed!
>
> It used to be in stable/6:
>
> http://fxr.watson.org/fxr/ident?v=FREEBSD60;i=carp_suppress_preempt
>
> And I always treated that variable in CARP as shared with pf. Why did
> they removed this feature from pfsync?
>

OpenBSD has it, but FreeBSD is SMP capable and global vars without
synchronization do not work well.
To support that you have to add cross-dependencies and synchronization
between the two.

Not only synchronization, though, but even some housekeeping around it.
I will probably take a look at this again after 9.0.

> P.S. Since PR is about 6.2-RELEASE, then I have closed it correctly.
>
> --
> Totus tuus, Glebius.
>



-- 
Ermal


Re: kern/114095: [carp] carp+pf delay with high state limit

2011-10-17 Thread Gleb Smirnoff
On Mon, Oct 17, 2011 at 08:47:31PM +0200, Ermal Luçi wrote:
E> > This is a surprise for me that this feature had been removed!
E> >
E> > It used to be in stable/6:
E> >
E> > http://fxr.watson.org/fxr/ident?v=FREEBSD60;i=carp_suppress_preempt
E> >
E> > And I always treated that variable in CARP as shared with pf. Why did
E> > they removed this feature from pfsync?
E> 
E> OpenBSD has it but FreeBSD is SMP capable and global vars without
E> synchronization do not work well.
E> To support that you have to add cross-dependencies and synchronization
E> between the two.
E> 
E> Not only synchronization though even some housekeeping around
E> I will probably give a look at this again after 9.0.

Well, a possible race, where pfsync clears its increment to
carp_suppress_preempt but the CPU where the carp callout is running
doesn't see it yet due to cache, is harmless.
It just means that preemption would happen not right after
pfsync has finished downloading states, but a couple of seconds
later.

-- 
Totus tuus, Glebius.
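As an added illustration of the mechanism argued over in this thread (this is not FreeBSD kernel code, and the names pfsync_bulk_start, pfsync_bulk_done, carp_suppress_count, carp_tick and simulate_boot are hypothetical; only carp_suppress_preempt is the variable the thread names), here is a small C model of a pfsync bulk update holding off CARP preemption. The shared counter is made atomic as the minimal cross-module synchronization Ermal refers to, and a simulated boot shows when a new node takes MASTER with and without the hold.

```c
/*
 * Added illustration (not FreeBSD kernel code) of the pfsync(4) -> carp(4)
 * preemption hold discussed in kern/114095.  carp_suppress_preempt is the
 * variable named in the thread; pfsync_bulk_start(), pfsync_bulk_done(),
 * carp_suppress_count(), carp_tick() and simulate_boot() are hypothetical
 * names used only by this model.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Shared hold counter.  > 0 means some subsystem (here: a pfsync bulk
 * update in progress) has asked carp not to preempt.  An atomic counter is
 * the minimal synchronization between the two modules on an SMP kernel.
 */
static atomic_int carp_suppress_preempt;

/* Node-local state for one CARP vhid. */
struct carp_vhid {
    int  vhid;
    int  advskew;          /* skew this node advertises */
    int  master_advskew;   /* skew seen in the current master's adverts */
    bool preempt_enabled;  /* net.inet.carp.preempt */
    bool is_master;
};

/* pfsync: a freshly booted node asks its peer for the full state table. */
void pfsync_bulk_start(void)
{
    atomic_fetch_add_explicit(&carp_suppress_preempt, 1, memory_order_relaxed);
}

/* pfsync: the bulk update completed; drop the hold. */
void pfsync_bulk_done(void)
{
    atomic_fetch_sub_explicit(&carp_suppress_preempt, 1, memory_order_relaxed);
}

int carp_suppress_count(void)
{
    return atomic_load_explicit(&carp_suppress_preempt, memory_order_relaxed);
}

/*
 * carp: one advertisement timer tick on a BACKUP node.  Returns true once
 * the node is MASTER.  A relaxed load is enough here: a CPU that still sees
 * the old non-zero value merely stays BACKUP for one more tick, which is the
 * "a couple of seconds later" outcome described in the thread.
 */
bool carp_tick(struct carp_vhid *v)
{
    if (v->is_master)
        return true;
    if (!v->preempt_enabled)
        return false;
    /* Only a better (lower advskew) backup may preempt at all. */
    if (v->advskew >= v->master_advskew)
        return false;
    /* The hold: a bulk state download is still running, stay BACKUP. */
    if (carp_suppress_count() > 0)
        return false;
    v->is_master = true;
    return true;
}

/*
 * Simulate a node booting with advskew 0 next to a MASTER with advskew 100
 * and preempt enabled.  Each tick syncs states_per_tick of states_to_sync
 * states.  Returns the number of ticks before the node took MASTER, or -1
 * if the simulation could never finish.  Without the hold the node takes
 * MASTER at tick 0, before a single state has been synced.
 */
int simulate_boot(int states_to_sync, int states_per_tick, bool with_hold)
{
    struct carp_vhid v = { .vhid = 1, .advskew = 0, .master_advskew = 100,
                           .preempt_enabled = true, .is_master = false };
    int ticks = 0, synced = 0;
    bool done = false;

    if (states_per_tick <= 0)
        return -1;
    if (with_hold)
        pfsync_bulk_start();
    for (;;) {
        if (with_hold && !done && synced >= states_to_sync) {
            pfsync_bulk_done();
            done = true;
        }
        if (carp_tick(&v))
            return ticks;
        ticks++;
        synced += states_per_tick;
    }
}

int main(void)
{
    printf("with hold:    MASTER after %d ticks\n", simulate_boot(1000, 100, true));
    printf("without hold: MASTER after %d ticks\n", simulate_boot(1000, 100, false));
    return 0;
}
```

With a constructed table of 1000 states synced at 100 per tick, the held node becomes MASTER after 10 ticks, the unheld one at tick 0 with an empty state table. The counter rather than a flag is what lets several subsystems hold preemption independently, and the atomic increment/decrement is the piece a plain global shared between two modules would lack on SMP.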

