PF queueing confusion
Hello there,

I have noticed some weirdness when using "pfctl -s queue -v" so I have decided to investigate.

I have a quite simple pf setup: I have defined 3 queues for my external interface in my pf.conf:

queue ext on $Ext bandwidth 900K
queue normal parent ext bandwidth 386K, max 850K qlimit 10 default
queue high parent ext bandwidth 193K qlimit 10
queue low parent ext bandwidth 193K, max 540Kb qlimit 10

I have noticed that the "high" queue got the wide majority of traffic, so I have removed all the rules referencing it from pf.conf and, surprisingly, this is the result after reloading the ruleset:

# pfctl -s queue -v
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 ]
queue ext on pppoe0 bandwidth 900K qlimit 50
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 ]
queue normal parent ext bandwidth 386K, max 850K default qlimit 10
[ pkts: 1555 bytes: 130921 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 10 ]
queue high parent ext bandwidth 193K qlimit 10
[ pkts: 19303 bytes: 28319771 dropped pkts: 179 bytes: 255401 ]
[ qlength: 0/ 10 ]
queue low parent ext bandwidth 193K, max 540K qlimit 10
[ pkts: 4863 bytes: 4044635 dropped pkts: 487 bytes: 176124 ]

Still a lot of data is sent through the "high" queue, even if no rules in pf.conf are referencing it. As a counter-proof, I can remove the queue creation line from pf.conf and reload the ruleset without triggering any error, so the queue is definitely not referenced.

What could be wrong?

Thank you

-- 
GPG Key Fingerprint: DAD1 E3E3 C3E9 36FB C570 F405 9B5F 7108 A1D0 2FFF
Re: PF queueing confusion
On 10/05/2017 14:45, Daniel Melameth wrote:
>> queue ext on $Ext bandwidth 900K
>> queue normal parent ext bandwidth 386K, max 850K qlimit 10 default
>> queue high parent ext bandwidth 193K qlimit 10
>> queue low parent ext bandwidth 193K, max 540Kb qlimit 10
>
> You'll have to post your pf.conf.

The whole pf.conf is very long but I have checked multiple times and there is no rule with the "set queue high" or "set queue ( *, high )" syntax.
Re: PF queueing confusion
On 10/05/2017 20:56, Luis Coronado wrote:
> but perhaps someone else would be able to see something that you didn't,
> hence the requirement to share the file.

I understand, but it contains sensitive information that I prefer not to share. If you could tell me what to look for, I will look for it.

I have also checked "pfctl -s rules | grep high" and it returns no data. To the best of my knowledge, this confirms that there is no pf rule explicitly sending packets to the "high" queue... but lots of packets are queued there anyway, so I am supposing there should be some other queueing mechanism that I do not know of.

Apart from using the "set queue" directive in pf.conf, what could cause this behaviour?
Re: PF queueing confusion
Looks like I've solved it by only renaming the queues. Instead of naming them "high", "normal" and "low", I have now named them "exthi", "extstd" and "extlo", and now everything seems to work as expected.

Maybe "high" is a (maybe undocumented) reserved queue name?
Re: PF queueing confusion
On 11/05/2017 01:42, Erling Westenvik wrote:
> Check out pfctl(8) and the -F option. The issue might be resolvable
> simply by flushing one or more of the filter parameters you'll find
> there.

I had always assumed that loading a new ruleset with pfctl -f also implied "-F all". This explains a lot :)

Thank you
Hi There! I am trying to install OpenBSD
This is my first message on the list so, first of all, hello everybody! :)

I've recently bought a dedicated PC, planning to use it as a firewall by installing OpenBSD on it.

I have downloaded the install80.iso, checked the sha sum, and read the installation guide. I have burned the iso to a cd-rom and checked the sha sum again on the machine I am trying to install. I have tested the hardware and the general functionality of the machine with common open source tools (memtest and successfully installing a linux distro).

When I boot the i386 OpenBSD 5.8 CD, it loads the kernel and writes a lot of blue stuff, then stops at:

wdc_atapi_intr: warning: reading only 0 of 18 bytes

For those who have a browser, here is a full screenshot: http://imagebin.ca/v/2VR8MRMArdG7

I've tried to look for this error using a search engine, but I surprisingly got zero results.

Any help will be appreciated.

Thank you!

Gabriele Tozzi
Re: Hi There! I am trying to install OpenBSD
> I have no solution for you but some search results
>
> http://daemonforums.org/showthread.php?t=4752
> http://openbsd-archive.7691.n7.nabble.com/Atapiscsi-problem-on-VIA-NAB7100-VIA-VT6420-td184350.html
> http://openbsd-archive.7691.n7.nabble.com/Second-SATA-channel-in-Via-VT3237S-td191011.html

Thank you! The third link spotted my problem: it's an old OpenBSD bug that, apparently, never got fixed. It looks like I'll have to install OpenBSD some other day.

Gabriele
Re: Hi There! I am trying to install OpenBSD
> I would try to install older version, to be sure, it is not related to
> installer version...
>
> Check /usr/src/sys/dev/atapiscsi/atapiscsi.c and line 1042. A bit
> above, there is the following comment:
> 1028 /* Exceptional case - drive want to transfer more
> 1029 data than we have buffer for */
>
> Though, no idea/time to see how to fix it.

Thank you for your answers. Apparently support for that chipset got broken "between 4.4 and 4.5". I tried 5.6 before, but it didn't work, and 4.4 is way too old for my needs. I would check the source, but I am not a C developer.

It looks like it's over.

Best,
Gabriele
Re: Hi There! I am trying to install OpenBSD
> Or just use only that first SATA (and PATA) port?
> e.g., Gabriele, if there's only one disk in there, try to recable it to
> the other SATA slot.

Yes, it works with just one drive installed, but having no USB boot support and being unable to use a CD drive, I'll have to find a fancy way to install. Maybe an old IDE cd-drive. But there is no space for it in the case, so I'll have to remove it and reconnect it every time I need maintenance (e.g. system upgrades). Well, yes, this could be a way...

Thanks
Gabriele
Hardware compatibility (was: Hi There! I am trying to install OpenBSD)
I really wanted to install OpenBSD so, this morning, I went back to the shop and the kind guy accepted to replace the bugged motherboard with a different one for a reasonable extra. This one is overkill for my needs (it has a 1.8GHz 64bit Atom CPU!!!), but good news: I've finally managed to install OpenBSD. It's amazing to see how everything fits in a bit more than 200Mb!

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     1007M   42.3M    914M     4%    /
/dev/sd0d     1007M    6.0K    957M     0%    /tmp
/dev/sd0e      7.9G    164M    7.3G     2%    /usr
/dev/sd0f      7.9G    2.6M    7.5G     0%    /var

Now, back to the topic, I kindly have two questions, to avoid mistakes of the past:

1. The CPU is an Intel Atom D425. The OpenBSD manual says that "Some Intel processors lack support for important PAE NX bit." But I couldn't find a list of them. Is there a way for me to check if this one supports W^X on amd64?

2. Unfortunately this board has only 1 network card, but I need at least 3. Having only 1 PCI-E slot available for expansion, I am forced to buy a many-in-one network card. Because of budget issues, I have narrowed my choice to:
- Intel Pro 1000 PT dual
- Intel Pro 1000 VT quad

The PT variant is listed in the (em) module documentation, but with no explicit reference to the dual version. The VT is not listed at all, but also it is not explicitly excluded. Has anyone had some good or bad experiences with those cards and OpenBSD?

Thank you again
Gabriele
Re: Hardware compatibility
> That was early on, but you should probably see NXE in the dmesg of all
> intel cpus these days.
>
> [...]
>
> I'm not certain I have tried exactly Pro 1000 PT Dual, but all intel gig
> dual cards I did try worked like a charm. I assume the quads work out nicely too.

The card arrived today and it worked out of the box. I have now installed the amd64 version and it has NXE enabled.

Thank you!

Gabriele Tozzi
PF and interface changing IP
Hi there,

I have a pppoe0 interface set up like this (hostname.pppoe0):

inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev re0 \
        authproto pap \
        authname 'myuser' \
        authkey 'mypass' up
dest 0.0.0.1
!/sbin/route add default 0.0.0.1
!/sbin/pfctl -f /etc/pf.conf
!/etc/rc.d/isc_named restart
!/etc/rc.d/aiccu restart

Then I have set up PF to allow incoming ssh traffic. Here is my rule:

pass in on pppoe0 inet proto tcp to pppoe0 port ssh keep state

The interface has a dynamic IP. I was relying on the "!/sbin/pfctl -f /etc/pf.conf" rule to reload my PF when the IP changes but, apparently, it is not working as expected: it looks like the interface can change its IP without being restarted, so PF never gets reloaded and keeps using the old IP.

I am now thinking of placing a cron job that just reloads PF once in a while. Is there a cleaner way to reload PF when the IP changes? Or maybe even a better way to write the rule so that it auto-updates without the need to reload PF at all?

Thank you
Gabriele Tozzi
Re: PF and interface changing IP
Thank you for all your answers. I did not know about the "new" parentheses feature. Solved :)

Gabriele Tozzi
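As an added example (not the poster's pf.conf, nor from any reply), here is a minimal pf.conf that puts together the two fixes reached in the "PF queueing confusion" and "PF and interface changing IP" threads: the renamed queue tree plus an explicit flush on reload, and the parenthesised interface address for the dynamic IP. The interface name and bandwidth figures are the poster's; the rules, the "set queue" assignments and the reload procedure in the comments are assumptions of this example.

```pf
# Added example, not the original pf.conf. Interface name and bandwidth
# figures come from the threads; the rules below are assumed.
ext_if = "pppoe0"

# Queue tree with the renamed queues from the queueing thread.
# extstd is the default queue: anything without "set queue" lands there.
queue ext on $ext_if bandwidth 900K
queue extstd parent ext bandwidth 386K, max 850K qlimit 10 default
queue exthi  parent ext bandwidth 193K qlimit 10
queue extlo  parent ext bandwidth 193K, max 540K qlimit 10

block return log

# Dynamic-IP thread: "($ext_if)" in parentheses is re-evaluated by pf when
# the interface address changes, so a new PPPoE lease needs no "pfctl -f".
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh

# Queueing thread: exthi is reachable only through an explicit "set queue".
# pf applies the last matching rule, so the general rule comes first.
# With two queues given, TCP ACKs without payload go to the second one.
pass out on $ext_if inet proto { tcp udp } set queue extlo
pass out on $ext_if inet proto tcp to port { http https } set queue (extstd, exthi)
pass out on $ext_if inet proto tcp to port ssh set queue exthi

# Reload procedure (shell commands, shown here as comments). "pfctl -f" loads
# the new ruleset but keeps existing states; the working assumption, matching
# the thread's outcome, is that a state keeps the queue it was given when it
# was created, so old states can still feed a queue no current rule names.
#   pfctl -nf /etc/pf.conf          parse only; catch errors before loading
#   pfctl -f  /etc/pf.conf          load rules and queues
#   pfctl -F states                 drop states created under the old ruleset
#   pfctl -s rules | grep -c exthi  count loaded rules that reference exthi
#   pfctl -s queue -v               per-queue counters now reflect new rules only
```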