Re: Is there an upper limit to PF's tables?

2018-06-14 Thread Ian FREISLICH
On 06/14/2018 03:44 PM, Miroslav Lachman wrote: Dave Horsfall wrote on 2018/06/14 19:40: I can't get access to kernel sauce right now, but I'm hitting over 1,000 entries from woodpeckers[*] etc; is there some upper limit, or is it just purely dynamic?    aneurin% freebsd-version    10.4-RELEA

Re: Is there an upper limit to PF's tables?

2018-06-14 Thread Ian FREISLICH
On 06/14/2018 01:40 PM, Dave Horsfall wrote: I can't get access to kernel sauce right now, but I'm hitting over 1,000 entries from woodpeckers[*] etc; is there some upper limit, or is it just purely dynamic?   aneurin% freebsd-version   10.4-RELEASE-p9 You're ultimately physically bound by m
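The bound Ian refers to is the `table-entries` pool that `pfctl -sm` reports, and it is shared by every table on the box, not per table. Below is an added example (not from this thread or from FreeBSD itself) of how a practitioner would check a growing table against that limit. The `pfctl -sm` text and the 1042-entry count are constructed stand-ins in the FreeBSD 10.x format, used only when the script is not running as root on a PF host, and the table name `woodpeckers` is hypothetical:

```sh
#!/bin/sh
# Added example: size a PF table against the "table-entries" limit that
# pfctl -sm reports.  Run it on the firewall as root with a real table
# name; elsewhere it falls back to the constructed sample below so the
# logic can still be exercised.

# Constructed sample of `pfctl -sm` output on FreeBSD 10.x (not captured
# from the poster's machine; the values are the stock defaults).
SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Print the hard limit for one pool ("states", "table-entries", ...) from
# pfctl -sm text supplied on stdin.
pf_limit() {
    awk -v pool="$1" '$1 == pool && $2 == "hard" && $3 == "limit" { print $4 }'
}

# Integer percentage of `limit` that `entries` already consumes.
pf_headroom_pct() {
    entries=$1; limit=$2
    [ "$limit" -gt 0 ] || return 1
    echo $(( entries * 100 / limit ))
}

# Number of addresses/prefixes currently in table `$1`.  Uses the live
# kernel when pfctl is usable, otherwise a constructed count of 1042
# (the poster reported "over 1,000 entries").
pf_table_count() {
    if pfctl -t "$1" -T show >/dev/null 2>&1; then
        pfctl -t "$1" -T show | wc -l | tr -d ' '
    else
        echo 1042
    fi
}

# Report for one table, warning at 80% of the shared limit.  Returns 0
# when there is headroom, 2 when the limit is close and pf.conf needs a
# larger "set limit table-entries".
pf_table_report() {
    table=$1
    if limits=$(pfctl -sm 2>/dev/null); then :; else limits=$SAMPLE_SM; fi
    limit=$(printf '%s\n' "$limits" | pf_limit table-entries)
    count=$(pf_table_count "$table")
    pct=$(pf_headroom_pct "$count" "$limit")
    printf '%s: %s of %s table-entries (%s%%)\n' "$table" "$count" "$limit" "$pct"
    if [ "$pct" -ge 80 ]; then
        echo "  raise it in pf.conf, e.g.:  set limit table-entries $((limit * 2))"
        return 2
    fi
    return 0
}

pf_table_report woodpeckers
```

Because the limit is global, add up every table (`pfctl -sT` lists them) before deciding how much headroom a single blocklist really has; a second large table fills the same pool.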

Re: AW: Issue using altq_priq under FreeBSD 11.1 - help needed

2017-10-16 Thread Ian FREISLICH
On 10/16/17 12:32, Rolf Dahmen wrote: Thx, Doug Understood. We need to define some "pass" commands to map the traffic to dedicated queues. We've studied the "pf manual" and are not quite sure how the pass actions should look like. We have already configured the below listed tables in "ipfw.ru

Re: udp - weird behavior of reply-to

2017-01-09 Thread Ian FREISLICH
On 01/09/17 17:17, Marek Zarychta wrote: On Mon, Jan 09, 2017 at 09:58:38PM +0100, Kristof Provost wrote: On 9 Jan 2017, at 18:25, Marek Zarychta wrote: On Sun, Jan 08, 2017 at 07:08:10PM +0100, Kristof Provost wrote: On 8 Jan 2017, at 15:55, Marek Zarychta wrote: The problem description doesn

Re: PF TAGged jail traffic fails pass rule on egress

2016-12-19 Thread Ian FREISLICH
I do not know enough about how jails and their networking work to be much more help. I'd suggest reading up on how the network is handled for jails. IPFW can filter based on jail ID. I don't know if that will help you. Ian -- Ian Freislich On 12/18/16 15:39, Beeblebrox via freebs

Re: Poor PF performance with 2.5k rdr's

2016-12-13 Thread Ian FREISLICH
t to try disabling HT if that's possible these days to reduce L1 contention with the HT instance on each core. I may be talking total rubbish regarding HT and cache architecture but I think it's worth a try. Ian -- Ian Freislich On 12/11/16 11:22, chris g wrote: > Hello, > > I&

Re: PF TAGged jail traffic fails pass rule on egress

2016-12-07 Thread Ian FREISLICH
On 12/07/16 09:10, Beeblebrox via freebsd-pf wrote: > Hello, > > I have a PF problem with TAG evaluation and am completely stumped. It should > be very straight forward, but it's not working. Here's what I'm trying to do: > * I have several jails on cloned lo2 > * Allow only specified port traffic

Re: Traffic shaping incomming traffic for all vlans

2016-05-19 Thread Ian FREISLICH
anagement. I'd suggest to carefully read the 'QUEUEING' section in pf.conf(5) and if you can't make it work post your rules. Ian -- Ian Freislich -- Cape Augusta Digital Properties, LLC a Cape Augusta Company

Re: Large scale NAT with PF - some weird problem

2015-06-29 Thread Ian FREISLICH
Milan Obuch wrote: > > No, there were not much states per problematic IP, maybe just tens of > them for one or couple internal IPs. That's weird. What's the output of 'pfctl -sa' (without the states). Ian -- Ian Freislich _

Re: Large scale NAT with PF - some weird problem

2015-06-29 Thread Ian FREISLICH
you will run out of NAT space. If the round-robin works with a smaller pool, then I suspect Glebius will be interested. Ian -- Ian Freislich ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

Re: Large scale NAT with PF - some weird problem

2015-06-29 Thread Ian FREISLICH
IP being public, second one > 0.0.0.0 - where they could come from? Also, there are only couple of > them, but in one is something even a bit more weird - in parens is > 'states 4294967295', which seems a bit absurd to me, also, worth to > mention, it is 0x in hexadecim

Re: Large scale NAT with PF - some weird problem

2015-06-23 Thread Ian FREISLICH
ED:FIN_WAIT_2 If all your addresses "a.b.c.X" are the same, it's not round-robin and that's your problem. Ian -- Ian Freislich

Re: Large scale NAT with PF - some weird problem

2015-06-21 Thread Ian FREISLICH
Milan Obuch wrote: > On Sun, 21 Jun 2015 07:19:51 -0400 > Ian FREISLICH wrote: > > > Milan Obuch wrote: > > > Ian FREISLICH wrote: > > > > > > > How many NAT states in your table? > > > > > > How can I find out? Is t

Re: Large scale NAT with PF - some weird problem

2015-06-21 Thread Ian FREISLICH
Milan Obuch wrote: > Ian FREISLICH wrote: > > > How many NAT states in your table? > > How can I find out? Is there another statistics collected I can get > out of pfctl? pfctl -s nat -v Ian -- Ian Freislich

Re: Large scale NAT with PF - some weird problem

2015-06-20 Thread Ian FREISLICH
Hi, How many NAT states in your table? I had a router translating a /20 and a /22 to a /24 and doing transparent interception of those and a /16 to a proxy pool and I never saw this. My state table was about 38 to 85 with a search rate about quadruple yours. If you can, give 10-STAB
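Ian's diagnostic in this thread comes down to two checks: how many NAT states the box is carrying (`pfctl -s nat -v` shows per-rule state counters), and, in his later reply, whether the translated addresses in those states are all the same "a.b.c.X", which means the round-robin pool is not rotating. The script below is an added example, not code from the thread or from FreeBSD, that performs the second check on `pfctl -ss` output. The state lines are constructed in the FreeBSD 10.x format (`if proto translated (original) -> dst state`) and are not captured from the poster's router; the three-address pool size is an assumption:

```sh
#!/bin/sh
# Added example: check whether a `nat ... -> { pool } round-robin` rule is
# actually spreading translations, by tallying states per translated
# source address in `pfctl -ss` output.

# Constructed: six states that all left through one pool address.
BROKEN_POOL='all tcp 198.51.100.7:50001 (10.20.0.11:50001) -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:50002 (10.20.0.12:50002) -> 203.0.113.80:443       ESTABLISHED:FIN_WAIT_2
all udp 198.51.100.7:50003 (10.20.0.13:50003) -> 203.0.113.53:53        MULTIPLE:MULTIPLE
all tcp 198.51.100.7:50004 (10.20.0.14:50004) -> 203.0.113.81:80        ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:50005 (10.20.0.15:50005) -> 203.0.113.82:22        ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:50006 (10.20.0.16:50006) -> 203.0.113.83:25        CLOSED:SYN_SENT'

# Constructed: the same clients spread over a three-address pool.
WORKING_POOL='all tcp 198.51.100.7:50001 (10.20.0.11:50001) -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.8:50002 (10.20.0.12:50002) -> 203.0.113.80:443       ESTABLISHED:FIN_WAIT_2
all udp 198.51.100.9:50003 (10.20.0.13:50003) -> 203.0.113.53:53        MULTIPLE:MULTIPLE
all tcp 198.51.100.7:50004 (10.20.0.14:50004) -> 203.0.113.81:80        ESTABLISHED:ESTABLISHED
all tcp 198.51.100.8:50005 (10.20.0.15:50005) -> 203.0.113.82:22        ESTABLISHED:ESTABLISHED
all tcp 198.51.100.9:50006 (10.20.0.16:50006) -> 203.0.113.83:25        CLOSED:SYN_SENT'

# Histogram "addr count" of states per translated source address.  Only
# lines whose 4th field is a parenthesised original address are NAT
# states; plain filter states have no such field and are skipped.
nat_histogram() {
    awk '$4 ~ /^\(/ { split($3, a, ":"); n[a[1]]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Number of distinct translated addresses seen.
nat_distinct() {
    nat_histogram | wc -l | tr -d ' '
}

# Verdict for a pool of `$1` addresses, state lines on stdin.  Prints the
# histogram, then returns 0 when the spread looks fine and 3 when every
# state sits on one address (the "a.b.c.X all the same" symptom).
nat_check() {
    pool_size=$1
    states=$(cat)
    printf '%s\n' "$states" | nat_histogram
    used=$(printf '%s\n' "$states" | nat_distinct)
    if [ "$used" -le 1 ] && [ "$pool_size" -gt 1 ]; then
        echo "only $used of $pool_size pool addresses in use: not round-robin"
        return 3
    fi
    echo "$used of $pool_size pool addresses in use"
    return 0
}

printf '%s\n' "$BROKEN_POOL" | nat_check 3 || echo "broken pool detected (rc=$?)"
printf '%s\n' "$WORKING_POOL" | nat_check 3
# Live use on the router:  pfctl -ss | nat_check 3
```

On a live router pair the verdict with the per-rule "States:" counter from `pfctl -s nat -v`: a pool that is rotating but whose rule still shows states climbing toward the `states` limit in `pfctl -sm` is exhausting source ports, which is the "run out of NAT space" failure Ian mentions elsewhere in the thread.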

icmp-type echoreq not matching resulting ttl exceeded

2013-11-29 Thread Ian FREISLICH
route going: pass out inet proto icmp from to any Ian -- Ian Freislich

Re: PF sanity check

2013-11-07 Thread Ian FREISLICH
we've never run into memory issues. Mem: 311M Active, 759M Inact, 1936M Wired, 1647M Buf, 13G Free Ian -- Ian Freislich

Re: skipto keyword in pf

2013-05-08 Thread Ian FREISLICH
t be surprised if your NATs and RDRs mysteriously > aren't applied I haven't experienced this and I have loads of anchors and NAT and RDRs that aren't loaded in an anchor. Perhaps I have too much traffic to tell if some of it bypasses a NAT rule, but as far as I can tell it doe

Re: skipto keyword in pf

2013-05-07 Thread Ian FREISLICH
t 3128 I highly suggest you read the pf.conf manual page. It has a lot of good instructions and useful information, particularly the rule grammar at the end of the page. Ian -- Ian Freislich

Re: Upgrading FreeBSD to use the NEW pf syntax.

2012-11-22 Thread Ian FREISLICH
re. I had to modify the rule as follows to get a connection refused: block return out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh } to get: [41.154.88.19] ~/graphing $ telnet 41.154.0.151 22 Trying 41.154.0.151... telnet: connect to address 41.154.0.151: Connection refused telnet: Unable

Re: Upgrading FreeBSD to use the NEW pf syntax.

2012-11-22 Thread Ian FREISLICH
issue with route-to and reply-to when using ifbound state, but that problem existed before Gleb's work. Ian -- Ian Freislich

Panic when carp backup reboots.

2012-09-26 Thread Ian FREISLICH
at intr_event_execute_handlers+0xfd ithread_loop() at ithread_loop+0x9e fork_exit() at fork_exit+0x11e fork_trampoline() at fork_trampoline+0xe --- trap 0, rip = 0, rsp = 0xff8463866cb0, rbp = 0 --- The routers are connected together with a cross-over cable for pfsync. Ian -- Ian Freisl

Re: [HEADS UP] merging projects/pf into head

2012-09-12 Thread Ian FREISLICH
However, try to look at traces of other threads in this dump. I'll have to compile a new kernel which drops into the kernel debugger. But I'm not sure how to inspect the other threads. Should I try running with the netisr defaults and without fastforwarding? Ian -- Ian Freislich

Re: [HEADS UP] merging projects/pf into head

2012-09-12 Thread Ian FREISLICH
netisr_maxqlen=8192 CPU usage is down from about 17% to 5% for our traffic load. We're averaging about 400k states, peaking at 550k states (220Mbit/s of pfsync traffic!!) and 426329 routes. Ian -- Ian Freislich

Re: [CFT] SMP-friendly pf

2012-09-11 Thread Ian FREISLICH
Oguz Yilmaz wrote: > Hi Gleb, > > Is it required to build world? What is the shortest way to test? You need to rebuild your kernel, pfctl and snmp_pf. Ian -- Ian Freislich

Re: pf spurious packet drops [was: [HEADS UP] merging projects/pf into head]

2012-09-09 Thread Ian FREISLICH
"Bjoern A. Zeeb" wrote: > On Fri, 7 Sep 2012, Ian FREISLICH wrote: > > > I don't think Gleb is being personal about this. Facts are > > facts and pf is currently unusable for me, even at home because > > of spuriously dropped packets. > >

Re: [HEADS UP] merging projects/pf into head

2012-09-07 Thread Ian FREISLICH
orts on current@. I posted to current@ http://www.freebsd.org/cgi/getmsg.cgi?fetch=164206+169604+/usr/local/www/db/text/2012/freebsd-current/20120812.freebsd-current Which is how I came to this list on mail from Gleb. I can tell you that this is not peculiar to

Re: [HEADS UP] merging projects/pf into head

2012-09-07 Thread Ian FREISLICH
ery difficult to simulate a production environment outside of the production environment. People generally don't want production to break. Ian -- Ian Freislich

Re: [HEADS UP] merging projects/pf into head

2012-09-05 Thread Ian FREISLICH
nificant load. Ian -- Ian Freislich

Re: packet forwarding/firewall performance question

2009-08-18 Thread Ian FREISLICH
he effect on a modern FreeBSD. As to the OP, on a VIA Epia LN - C7-1GHz with vr interfaces maxed out at 100Mbit/s. Putting gigE interfaces in the PCI slot made no difference. The bottle-neck appeared to be the number of interrupts the cards generated and the amount of time servicing interrupts