On 25 Apr 2021, at 7:56, Özkan KIRIK wrote:
SCTP protocol header has src port and dst port fields. But pf doesn't
support it.
# echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
stdin:1: port only applies to tcp/udp
stdin:1: skipping rule due to errors
stdin:
On 27 Mar 2021, at 12:54, Kristof Provost wrote:
> I hope to post preliminary patches in the coming week.
>
- https://reviews.freebsd.org/D29556
- https://reviews.freebsd.org/D29557
- https://reviews.freebsd.org/D29558
- https://reviews.freebsd.org/D29559
-
On 29 Mar 2021, at 17:16, Cy Schubert wrote:
In message <18dc1ea9-abfc-4a06-8710-a3068370e...@freebsd.org>, "Kristof Provost" writes:
On 29 Mar 2021, at 16:03, Cy Schubert wrote:
In message <24e09373-ebcd-4ed1-8b59-a44e687f2...@freebsd.org>, "Kristof Provost" writes:
Hi,
There are several patches in the pipeline that require changes in
pf’s
interface between kernel and userspace.
In the past these have
Hi,
There are several patches in the pipeline that require changes in pf’s
interface between kernel and userspace.
In the past these have been handled in multiple ways. Either by simply
making the change, breaking binary compatibility, or by introducing a v2
ioctl (e.g. DIOCADDALTQV1).
While
On 12 Mar 2021, at 14:00, Patrick Lamaiziere wrote:
I've read the code of pfctl a bit. If pfctl crashes in
pfctl_optimize_ruleset, is there a risk to leave pf in a bad state ?
Looks like the rules are sent to pf via ioctl after the optimization
so a crash before should be harmless (?).
That s
On 9 Mar 2021, at 11:05, Patrick Lamaiziere wrote:
Hello,
FreeBSD 11.4-RELEASE-p3 / amd64
Yesterday while loading a ruleset, pfctl core dumped with a
segmentation fault (see gdb below)
We are recently using some big tables so maybe this is what triggered
the problem (?), I can't reproduce th
On 9 Feb 2021, at 15:50, Marek Zarychta wrote:
Dear list,
I am observing changed behaviour of the rule "set skip on lo". This
rule previously allowed for communication between the host and the
jail not only on loopback interfaces, but also on shared network
interfaces, for example, if a host h
On 3 Feb 2021, at 7:11, R. Tyler Croy wrote:
I noticed this evening that pflog0 is propagated into my vnet-based
jails
(12.2-RELEASE) and I'm somewhat surprised to see it there.
My host's /etc/rc.conf simply has `pflog_enable="YES"`, so nothing too
esoteric. My /etc/jail.conf doesn't do anythin
On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
You are correct, Kristof.
If I place the table in the rdr rule - it starts keeping counters,
however,
what is the point of having the ability to place a table in a
rdr-anchor
rule in the first place, if it won't be able to keep counters?
Tables ar
On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
#
# /etc/pf.conf:
set timeout tcp.first 45
set timeout tcp.opening 45
set timeout tcp.closing 15
set timeout tcp.finwait 15
set timeout tcp.closed 10
set
On 12 Dec 2020, at 15:07, Franco Fichtner wrote:
There's no reason for this to be a tunable. It's perfectly safe to
change this at runtime.
Well, RWTUN would have enabled both boot and runtime which is also
"perfectly safe". :)
Good idea. Done in 368588.
I expect to be bothering people abou
On 14 Oct 2020, at 21:35, J David wrote:
On Wed, Oct 14, 2020 at 3:20 PM Kristof Provost
wrote:
I’ve not dug very deep yet, but I wonder if we shouldn’t have to
teach pf to change the source port to avoid conflicting states in the
first place.
That was my first thought as well, framed
On 14 Oct 2020, at 21:16, J David wrote:
On Wed, Oct 14, 2020 at 1:59 PM Kristof Provost
wrote:
There’s good reason to do this, as we have to be able to match
state
on both the pre-translation side (when processing LAN -> WAN traffic)
and post-translation (WAN -> LAN).
So, basical
On 14 Oct 2020, at 18:52, J David wrote:
On 12 Oct 2020, at 23:48, Andreas Longwitz wrote:
pf gives this messages in debug mode (pfctl -x loud).
Yes, with that setting I'm also seeing those messages.
On Tue, Oct 13, 2020 at 5:35 PM Kristof Provost
wrote:
I see the same ‘stack key a
On 12 Oct 2020, at 23:48, Andreas Longwitz wrote:
Hello,
now I can confirm (on FreeBSD 10 Stable) what you see on fb2 when your
program udp_client is running on fb1. pf creates a state for the first
packet only, for the other packets pf fails to create a state with
messages like
pf: stack key
On 10 Jul 2020, at 22:37, Ultima wrote:
Hey Kristof,
(It’s already possible to use pf on top of a bridge in
bump-in-the-wire mode. Given the gotchas in that code I **strongly**
recommend people don’t use that functionality.)
Do you mind going into details on the gotchas or providing links?
On 10 Jul 2020, at 19:57, l.m.v.br...@xs4all.nl wrote:
Hello,
I am using pfSense, built on top of pf. And of course pfSense/pf is a
terrific firewall, however the world is changing in the direction of
IPV6 and that leads to new issues and related new requirements.
One of the major issues is
On 26 Jun 2020, at 13:56, Özkan KIRIK wrote:
My goal is to save pkt/byte counters of each expired/killed/closed states
into
a txt file.
What is the right way to do this in userspace ?
There’s no real right way to do this using pf. There are a couple of
things that’ll get close, but no 100% solut
On 22 Jun 2020, at 2:06, David Mehler wrote:
Thanks for all your replies.
Donald, the IPv6 dns is working fine in this situation.
Kristof, here's what I originally had in my pf.conf file for ICMP:
pass out quick on $ext_if proto { icmp, icmp6 } modulate state
pass in quick on $ext_if proto { i
On 21 Jun 2020, at 23:11, David Mehler wrote:
Anyone a pf expert wanting to make some extra money?
I'm in need of consulting, I'm having an issue with my PF
configuration, I've got a much longer message with output and netstat
and all that, if anyone is interested email me privately with rates
a
On 29 Feb 2020, at 0:35, Sean Yeh wrote:
Hi FreeBSD-pf members,
I hope you guys are enjoying your weekend!
I was wondering if any of you happened to know if the code for the
ALTQ
feature of pf could be separated and used for NetBSD's pf function.
I'm
currently investigating methods to improve
On 27 Feb 2020, at 10:08, J.R. Oldroyd wrote:
I read back and found the thread last August "Update to PF from
OpenBSD
6.5".
I was going to ask the same thing but, given the complexities
discussed
in the responses there, perhaps the question should be asked a
different
way round.
How much wo
> On 28 Dec 2019, at 12:52, Andreas Longwitz wrote:
>
> In the meantime I have understand I was wrong about the code snippet
>
>> mc2 = m_dup(m, M_NOWAIT);
>> if (mc2 != NULL) {
>> /* Keep the layer3 header aligned */
>> int i = min(mc2->m_pkthdr.len, max_protohdr);
>> mc2
On 27 Dec 2019, at 21:49, Franco Fichtner wrote:
Hi,
On 27. Dec 2019, at 6:45 PM, Kristof Provost
wrote:
What are you trying to accomplish?
Some people believe that "last match" is a great metric to audit rules
for
intrusion detection and all sorts of ruleset optimisation and
On 26 Dec 2019, at 1:20, Özkan KIRIK wrote:
> Hi,
>
> I need last match timestamps for each rule. ipfw has an option for this.
> But pfctl -v -sr command doesn't show last match timestamp.
> Is there way to gather this information in pf?
>
Pf does not track this.
What are you trying to accomplish?
On 26 Dec 2019, at 1:13, Özkan KIRIK wrote:
Hi,
I want to block SYN with data packets.
I read the pf.conf manual, but couldn't find a clear way to do this.
Is it possible to match packets greater than N bytes using pf on
FreeBSD
12.1 stable?
There isn’t a way to express this in pf right now
On 23 Dec 2019, at 12:00, Andreas Longwitz wrote:
On one of my servers I saw some messages
dssinet kernel:
[zone: pf frag entries] PF frag entries limit reached
The output of the command
vmstat -z | grep "pf frag entries"
was
pf frag entries:40, 5000,0, 5000, 18760, 0,
On 6 Sep 2019, at 2:51, ravi new wrote:
In the packet filter rule, there is a text called "tracker"; what is the use of
this?
I’ve not seen ‘tracker’ before in pf rules. Do you have an
example?
Can I find the syntax of packet filter rules of FreeBSD?
man 5 pf.conf
Regards,
Kristof
On 20 Aug 2019, at 12:32, Goran Mekić wrote:
> On Tue, Aug 20, 2019 at 11:49:18AM +0200, Kristof Provost wrote:
>> One thing I’ve thought of trying, and that might be an interesting stepping
>> stone, is to create a port (/usr/ports/net/opf or whatever) of OpenBSD’s pf.
>> In
On 20 Aug 2019, at 11:36, Tom Marcoen wrote:
Hey all,
I'm quite new to FreeBSD so apologies if this is a stupid question.
Is there a good reason for not upgrading PF to the version from
OpenBSD
6.5?
There are several reasons why updating pf is a non-trivial problem.
From an e-mail I sent o
On 29 Jul 2019, at 22:15, Rodney W. Grimes wrote:
>> On 29 Jul 2019, at 20:22, mike tancsa wrote:
>>> On 7/29/2019 1:51 PM, Kristof Provost wrote:
>> In general I’d expect quality of service and bandwidth limits to only
>> be effective in the upstream direction (when
On 29 Jul 2019, at 20:22, mike tancsa wrote:
On 7/29/2019 1:51 PM, Kristof Provost wrote:
Also beware of gotchas with things like IPv6 fragment handling or
route-to.
I do not consider mixing firewalls to be a supported configuration.
If
it breaks you get to keep the pieces.
Thanks, I was
> On 2019-07-29 18:44:00 (+0100), Paul Webster via freebsd-pf
> wrote:
> >
> > Sent from Mail for Windows 10
> >
> > From: mike tancsa
> > Sent: 29 July 2019 17:06
> > To: freebsd-pf@freebsd.org
> > Subject: pf and dummynet
> >
> > I have a box I need to shape inbound and outbound traffic. It
> On 22 May 2019, at 04:53, The Doctor via freebsd-questions
> wrote:
>
> How do I set up in /etc/rc.conf an eth1 that will
> attach ifself to the back of the router in my packet filtering (pf) box,
> namely the $ext_if ?
>
You want to set a macro in your pf.conf, as documented in its man pag
On 1 Apr 2019, at 23:06, Rodney W. Grimes wrote:
On 1 Apr 2019, at 18:47, Rodney W. Grimes wrote:
Those are:
- scalability
The project funding source is OS agnostic, would it help if the
OpenBSD pf implementation was redone in a way that it had fine
grained locking. Would it be possible to a
On 1 Apr 2019, at 18:47, Rodney W. Grimes wrote:
I know for a fact that there is desire, with financials available,
to get our code updated. I do not think there is any specific
criteria desired, other than moved closer to the OpenBSD version.
It’s a good goal, but there are three major issues
On 19 Feb 2019, at 22:53, Andreas Longwitz wrote:
Kristof Provost wrote:
Because fetching a counter is a rather expensive function we
should use
counter_u64_fetch() in pf_state_expires() only when necessary. A
"rdr
pass" rule should not cause more effort than separate
On 18 Feb 2019, at 18:30, Andreas Longwitz wrote:
Ok, thanks, I will commit the patch shortly. I do not see a point in
waiting
for two more weeks, sure report me if anything goes wrong.
your patch for counter(9) on i386 definitely solves my problem
discussed
in this thread.
Because fetchin
On 25 Jan 2019, at 9:37, James B. Byrne via freebsd-pf wrote:
I have limited knowledge of PF being in the process of transitioning
from 20+ years of RHEL/CentOS to FreeBSD. Neither do I possess a
great fund of knowledge respecting IP routing. That said this is my
problem:
On a small test LA
On 2018-12-13 13:06:00 (+0100), Kristof Provost wrote:
> On 2018-12-13 12:35:05 (+0100), Goran Mekić wrote:
> > On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote:
> > > On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote:
> > > > I can't start P
On 2018-12-13 12:35:05 (+0100), Goran Mekić wrote:
> On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote:
> > On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote:
> > > I can't start PF as service from vnet jail. I have devfs rule to unhide
> > > bpf (fo
On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote:
> I can't start PF as service from vnet jail. I have devfs rule to unhide
> bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> /etc/pf.conf" but "service pf start" fails with:
>
> kldload: can't load pf: Operation not perm
On 13 Nov 2018, at 22:01, Andreas Longwitz wrote:
Are there any hints why the counter pf_default_rule->states_cur
could get a negative value ?
I’m afraid I have no idea right now.
OK, in the meantime I did some more research and I am now quite sure
the
problem with the bogus pf_def
kristof closed this revision.
kristof added a comment.
Herald added subscribers: farrokhi, ae.
Assorted pf VIMAGE fixes have been done, and pf is now usable inside VIMAGE
jails.
CHANGES SINCE LAST ACTION
https://reviews.freebsd.org/D1309/new/
REVISION DETAIL
https://reviews.freebsd.org/D
On 27 Oct 2018, at 5:22, Andreas Longwitz wrote:
Thanks very much for answer especially for the hint to openbsd.
I wonder if there’s an integer overflow in the pf_state_expires()
calculation.
The OpenBSD people have a cast to u_int64_t in their version:
|timeout = (u_int64_t)timeout * (end - s
On 15 Oct 2018, at 15:26, Andreas Longwitz wrote:
On two of my FreeBSD 10 (r338093) firewall servers some incoming ssh
connections stopped working because pf started to create states with
expire time zero (instead of 86400 sec) for translation statements
like
rdr pass on em0 proto tcp from any
On 14 Aug 2018, at 0:32, Kajetan Staszkiewicz wrote:
On Monday, 13 August 2018 17:59:15 CEST Kristof Provost wrote:
How about this?
https://github.com/innogames/freebsd/commit/
d44a0d9487285fac8ed1d7372cc99cca83f616e6
That looks good to me.
There’s a few minor issues, things like inconsistent
On 13 Aug 2018, at 17:06, Kajetan Staszkiewicz wrote:
> On Monday, 13 August 2018 15:22:33 CEST Kristof Provost wrote:
>> rules (and associated tables) won’t just go away while there’s still
>> state,
>
> This is mostly what I wanted to ask about in this message. How is it ens
On 13 Aug 2018, at 0:09, Kajetan Staszkiewicz wrote:
Hello group,
Can anybody help me with pf_table.c and all operations on tables,
especially
pfr_update_stats? I'm working on implementing stats for redirection
targets,
that is for nat or route-to.
I'm going through the code and I've found o
On 2 Jul 2018, at 16:17, Kristof Provost wrote:
Hi Jakub,
On 30 Jun 2018, at 17:07, Jakub Chromy wrote:
I've just installed a 11.2-RELEASE guest under bhyve (hypervisor is
11.1-RELEASE)... and I can't use Virtio network interface with PF:
odine:/boot/kernel# /sbin/pfctl -n -f ~/loca
On 2 Jul 2018, at 16:44, Felix J. Ogris wrote:
this is a fresh install of 11.2-RELEASE amd64 with a minimal pf rule
set. After the first reload/resync, any traffic on an interface that
is skipped via an interface group statement in pf.conf is rejected:
Thanks for the report.
I think that’s th
Hi Jakub,
On 30 Jun 2018, at 17:07, Jakub Chromy wrote:
I've just installed a 11.2-RELEASE guest under bhyve (hypervisor is
11.1-RELEASE)... and I can't use Virtio network interface with PF:
odine:/boot/kernel# /sbin/pfctl -n -f ~/local/tmp/pf.work
*pfctl: pfi_get_ifaces: Bad file descriptor*
On 25 Jun 2018, at 22:12, Joseph Ward wrote:
My current pf.conf contains the following lines (with a lot of other
stuff redacted for irrelevance):
ext_if="em0"
...
block log all
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep
state
and it works great; ssh is able to get
On 24 Jun 2018, at 21:07, Marek Zarychta wrote:
On Sun, Jun 24, 2018 at 01:56:07PM +0200, Kristof Provost wrote:
On 23 Jun 2018, at 18:46, Marek Zarychta wrote:
On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote:
On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote:
The
On 23 Jun 2018, at 18:46, Marek Zarychta wrote:
On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote:
On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote:
The issue occurred first two years ago, after upgrade from 8 to 9
branch. Now this i386 machine is running 11.0-STABLE
On 18 Jun 2018, at 0:19, Chris H wrote:
Sorry. Looks like I might be coming to the party a little late. But
I'm
currently running a 9.3 box that runs as an IP (service) filter for
much
of a network. While I've patched the box well enough to keep it safe
to
continue running. I am reluctant to up(
On 14 Jun 2018, at 19:40, Dave Horsfall wrote:
I can't get access to kernel sauce right now, but I'm hitting over
1,000 entries from woodpeckers[*] etc; is there some upper limit, or
is it just purely dynamic?
aneurin% freebsd-version
10.4-RELEASE-p9
Ian already gave some good information
Hi Fatemeh,
On 11 Jun 2018, at 7:51, Fatemeh Mehdizadeh wrote:
Hi all,
I'm using pf to create nat. I'm on FreeBSD 9.2.
Note that FreeBSD 9.2 is not a supported version. It went out of support
at the end of 2014.
(See https://www.freebsd.org/security/unsupported.html)
I would strongly recommend
On 14 Mar 2018, at 18:30, Steven Crangle wrote:
I was looking for some advice on the type of locking required to stop
a box panicking that utilises both napt and ip address prefixes.
My colleague made a post a while ago, and we ended up getting
distracted fixing other panics that showed up. Bu
On 1 Mar 2018, at 15:37, Joe Jones wrote:
yes we use pfsync. Yesterday we tried with pfsync switched off, the
box still locked up but this time without a panic.
We make the DIOCRADDADDRS ioctl on the master and the backup (we use
CARPed pairs).
Interesting. It might be related to pfsync. Is
On 28 Feb 2018, at 9:52, Kristof Provost wrote:
On 27 Feb 2018, at 20:40, Joe Jones wrote:
we have a kernel panic after compiling with witness and invariant
Feb 27 13:49:33 sovapn1 kernel: lock order reversal:
Feb 27 13:49:33 sovapn1 kernel: 1st 0xfe000fed78b8 pf_idhash
(pf_idhash) @ /usr
On 27 Feb 2018, at 20:40, Joe Jones wrote:
we have a kernel panic after compiling with witness and invariant
Feb 27 13:49:33 sovapn1 kernel: lock order reversal:
Feb 27 13:49:33 sovapn1 kernel: 1st 0xfe000fed78b8 pf_idhash
(pf_idhash) @ /usr/src/sys/netpfil/pf/pf.c:1078
Feb 27 13:49:33 sova
On 26 Feb 2018, at 17:06, Joe Jones wrote:
Hi Kristof,
we are not updating rules during the test although in production we
will reload the rule set from time to time. We are constantly adding
and removing from tables though, using the DIOCRADDADDRS and
DIOCRDELADDRS ioctl, also DIOCKILLSTATE
On 14 Feb 2018, at 23:47, Joe Jones wrote:
Hi,
we are running test traffic through our system, after between 1 and 12
hours we get a kernel panic, always in the pfr_pool_get function in
/usr/src/sys/netpfil/pf/pf_table.c line 2140. After a bit of
investigation I confirmed that ke2 is set to n
On 14 Dec 2017, at 8:16, Kristof Provost wrote:
On 7 Dec 2017, at 18:02, John Jasen wrote:
On Wed, Dec 6, 2017 at 5:01 PM, Kristof Provost
wrote:
On 6 Dec 2017, at 21:25, John Jasen wrote:
On 12/04/2017 02:47 PM, Kristof Provost wrote:
Okay, so this is interesting:
25013: ioctl
On 7 Dec 2017, at 18:02, John Jasen wrote:
On Wed, Dec 6, 2017 at 5:01 PM, Kristof Provost
wrote:
On 6 Dec 2017, at 21:25, John Jasen wrote:
On 12/04/2017 02:47 PM, Kristof Provost wrote:
Okay, so this is interesting:
25013: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },0x7f
On 6 Dec 2017, at 21:25, John Jasen wrote:
On 12/04/2017 02:47 PM, Kristof Provost wrote:
On 4 Dec 2017, at 19:57, John Jasen wrote:
Depending on circumstances, we see a lot or a very few of the
following
messages:
"pf connection lookup failed (no rdr?)"
That means
On 4 Dec 2017, at 19:57, John Jasen wrote:
Depending on circumstances, we see a lot or a very few of the
following
messages:
"pf connection lookup failed (no rdr?)"
That means the state lookup (using ioctl(DIOCNATLOOK)) failed.
There seem to be a couple of possible reasons why that might happe
On 2 Dec 2017, at 4:56, John Jasen wrote:
> Attempts to run tftp-proxy across a freebsd system running pf result in
> very slow performance and an endless amount of:
>
> "pf connection lookup failed (no rdr?)"
> Is there something that has regressed in 11.1, or am I missing something?
>
I’m not aw
On 7 Nov 2017, at 23:43, irukandji via freebsd-pf wrote:
> Hi Everyone,
>
> Problem: isolating jail away from internal network and host "hosting"
> it.
> Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE
> enabled kernel, VNET (vnet0:JID) over bridge interface (bridge0),
> single net
On 15 Sep 2017, at 11:31, Dave Cottlehuber wrote:
Can you explain what $if:0 resolves to, for example how does it relate
to the primary ipv4/6 addresses bound to that interface?
I couldn't find a reference in the usual ifconfig manpages about this
(ifname:#) format, the BNF grammar for pf.co
On 14 Sep 2017, at 16:21, Dave Cottlehuber wrote:
Outgoing traffic (from a jail) via PF NAT over a LAGG/LACP sometimes
has
the *backup* CARP IP address assigned to it.
###
running configs ##
pfctl indeed shows its a round-robin
On 1 Aug 2017, at 11:30, Kajetan Staszkiewicz wrote:
> Hey, group.
>
> A thought came to me: is it really the best thing to panic when errors are
> encountered within pf? I understand there are situations where it is safer for
> the kernel to not continue running like some low-level operations in m
On 30 Jul 2017, at 22:19, Heikki Paatela wrote:
I was having kernel panics with 10.2-RELEASE earlier, caused by
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202351. It would
seem
that some change that has happened between 11.0 and 11.1 has
introduced a
similar problem.
The patch fixed th
On 14 Apr 2017, at 8:24, Max wrote:
"pfctl -F info" command doesn't clear limit counters (shown in "pfctl
-vsi" output).
I think, should be
--- sys/netpfil/pf/pf_ioctl.c.orig 2017-04-14 09:10:25.17138
+0300
+++ sys/netpfil/pf/pf_ioctl.c 2017-04-14 09:13:21.55365 +0300
@@ -1835,
On 29 Mar 2017, at 22:06, Chris H wrote:
OK. My association with FreeBSD has made me a prime
target for every male hormone distributor on the net.
Fact is; I can guarantee ~89 SPAM attempts in under 5
minutes, after creating a pr on bugzilla. At first I
was angry, and frustrated. But decided to m
On 28 Mar 2017, at 9:33, Eugene M. Zheganin wrote:
I need to implement QoS on a 10G interface (ix(4)) with bandwidth of
4-5 Gbit/sec. In general I'm using pf on FreeBSD, since I like it more
than ipfw. But I'm aware that it's kind of ancient and wasn't updated
for a long time from the upstream
On 21 Mar 2017, at 12:44, Miroslav Lachman wrote:
Kristof Provost wrote on 2017/03/21 10:18:
On 21 Mar 2017, at 9:43, Marin Bernard wrote:
If there is no SA, it is impossible for a peer to ping another. As
soon
as IKE creates a SA, however, ping starts working. As you can see,
the last rule
On 21 Mar 2017, at 9:43, Marin Bernard wrote:
Thanks for answering. Yes, I know that pf accepts rules mentioning
inexistent
interfaces. What puzzles me here is that my ruleset is actually
working.
With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the following ruleset works
as
expected:
-
peers =
On 20 Mar 2017, at 23:08, Marin Bernard wrote:
Yet, it appears that pf is able to handle references to enc(4) in its
ruleset
even if the kernel does not support it. Is it expected behaviour? Is
it
safe to use such a configuration on a production machine ?
pf accepts rules for interfaces that d
So it turns out I shouldn't commit things when jet lagged.
You want r314810 in head. The other one was mistakenly done in stable/11. It
needed to go there sooner or later so I'm just going to leave it.
Regards,
Kristof
> On 5 Mar 2017, at 22:19, Kristof Provost wrote:
>
On 5 Mar 2017, at 21:42, Kristof Provost wrote:
There’s only a couple of calls to uma_zfree() in
pf_get_translations().
These are:
* uma_zfree(V_pf_state_key_z, skp);
* uma_zfree(V_pf_state_key_z, *nkp);
* uma_zfree(V_pf_state_key_z, *skp);
Going by the inconsistent pointer use the first
On 27 Feb 2017, at 21:08, Ross wrote:
Hello
One of my machines panics almost every day. It is always like this:
first
there is a number of messages about "sonewconn: pcb
0xf80085478740:
pru_attach() failed" at the same time and then panic. Here's an
example:
... many lines of sonewco
On 9 Jan 2017, at 18:25, Marek Zarychta wrote:
On Sun, Jan 08, 2017 at 07:08:10PM +0100, Kristof Provost wrote:
On 8 Jan 2017, at 15:55, Marek Zarychta wrote:
The problem description doesn’t ring any bells with me, but I’m
also
not sure
I’ve fully understood it. Can you document a minimal
On 9 Jan 2017, at 18:25, Marek Zarychta wrote:
On Sun, Jan 08, 2017 at 07:08:10PM +0100, Kristof Provost wrote:
On 8 Jan 2017, at 15:55, Marek Zarychta wrote:
The problem description doesn’t ring any bells with me, but I’m
also
not sure
I’ve fully understood it. Can you document a minimal
On 8 Jan 2017, at 15:55, Marek Zarychta wrote:
Is it a bug to be officially submitted, or will it not be possible to
use
reply-to for UDP traffic anymore?
The problem description doesn’t ring any bells with me, but I’m also
not sure
I’ve fully understood it. Can you document a minimal reproduc
On 11 Oct 2016, at 10:34, Kamil Choudhury wrote:
I've seen some mention of checksum issues on NAT limiting performance,
but that
seems to have been fixed as of 10.2 in an errata. Have I stumbled upon
an actual
problem, or have I misconfigured something?
It’s worth trying the workaround (i.e. d
On 6 Oct 2016, at 15:01, Mark Martinec wrote:
Just adding recognition to a parser for a couple of DSCP constants
to be mapped to TOS is not the solution. Keep in mind that DSCP
is a 6-bit field, and TOS is an 8-bit field. The remaining two bits
are used for ECN (Explicit Congestion Notification).
On 6 Oct 2016, at 10:30, Franco Fichtner wrote:
On 06 Oct 2016, at 10:10 AM, Kristof Provost wrote:
On 6 Oct 2016, at 6:57, Eugene M. Zheganin wrote:
pf still lacks the DSCP handling, will it be difficult/expensive to
add
this ? AFAIK ipfw got this recently.
pf has set-tos and tos keywords
On 6 Oct 2016, at 6:57, Eugene M. Zheganin wrote:
> pf still lacks the DSCP handling, will it be difficult/expensive to add
> this ? AFAIK ipfw got this recently.
>
pf has set-tos and tos keywords. What is it not letting you do?
Regards,
Kristof
On 28 Sep 2016, at 13:53, Franco Fichtner wrote:
The main culprit of pfil not working correctly is pf's
route-to and reply-to (and the tag formerly known as fastroute)
as they would call if_output directly on the ifnet and consume
their packets this way. That transmit code is also copied from
if_
kristof abandoned this revision.
REVISION DETAIL
https://reviews.freebsd.org/D1944
kristof commandeered this revision.
kristof edited reviewers, added: nvass-gmx.com; removed: kristof.
kristof added a comment.
I'm commandeering this so it can be closed, because the patch fro bz@
(https://reviews.freebsd.org/D6924) has been included.
REVISION DETAIL
https://reviews.freebsd
On 10 Aug 2016, at 16:23, Radek Krejča wrote:
> this patch seems to be working.
>
Thanks for testing!
> I will post bugreport.
>
The patch has already been committed to head (r303663).
A bug would still be useful so I don’t forget to merge it back to 11 and 10.
Regards,
Kristof
On 10 Aug 2016, at 14:38, Radek Krejča wrote:
I have changed bandwidth to 100%, 90% or 95%. Syntax OK, but value
stops at 1.27Gbit (it looks, that 1Gbit is default)
When I give ifconfig, I see:
media: Ethernet autoselect (10Gbase-SR )
It looks like the "autodetection" of pf is broken too.
I was
On 10 Aug 2016, at 11:19, Radek Krejča wrote:
That looks like you might be hitting the maximum of an unsigned
integer.
Try using relative specifications (i.e. as a percentage) instead.
Yes, I think so. But I don't know that I can give a relative
specification for interface bandwidth. Could you show
On 10 Aug 2016, at 9:28, Radek Krejča wrote:
I need to shape 10G traffic, but I can't make bandwidth higher than
4.26 Gbit:
pfctl shows:
altq on int0 cbq bandwidth 4.26Gb tbrsize 36000 queue {
default_nat..
but in pf.conf is:
altq on $int_if cbq bandwidth 8550Mb queue { default_
On 31 Jul 2016, at 19:46, Radek Krejča wrote:
I need to set TOS to 0 and remark it with rules.
I am trying to use scrub to set tos to 0, but I have problem:
scrub all fragment reassemble no-df set-tos 0
give Illegal value
but scrub all fragment reassemble no-df set-tos 1
is working.
I am try
On 20 May 2016, at 18:57, Max wrote:
20.05.2016 11:53, Kristof Provost wrote:
On 19 May 2016, at 19:49, Max wrote:
The number of used frags (almost) never decreases. I don't have
enough experience in programming. But I guess that the problem may
be in "frag->fr_timeout = tim