On Fri, Mar 18, 2016 at 5:38 PM, David S. wrote:
> Dear All,
>
> This is my first post, my name is David and I'm currently developing
> FreeBSD as a BGP router and traffic shaper for my network.
>
> I already setup PF + ALTQ and working great, the bandwidth speed is match
> with my queue rule but
On Thu, Mar 1, 2018 at 9:43 AM, Joe Jones
wrote:
> Hi Kristo,
>
> It's just the master that crashed, the backup can take over.
>
> We think the panic we got by compiling with witness and invariant may be a
> red herring.
>
> We are now looking rules like
>
> nat on $isp_if from to any -> sticky
(sorry for the top post)
If you really want to spend time on it, the best option is to pull out the
pool concept used by the rules/nat... and manage it outside of the
rules/states but in its own module referenced by the former ones.
This would allow extensibility and proper reasoning about it.
On Mon, Apr 1, 2019 at 9:47 AM Rodney W. Grimes <
freebsd-...@gndrsh.dnsmgr.net> wrote:
> > On 1 Apr 2019, at 15:48, Rodney W. Grimes wrote:
> > > [ Charset UTF-8 unsupported, converting... ]
> > >> On 01.04.2019 16:30, Rodney W. Grimes wrote:
> > >> It seems it is too late:
> > >>https://marc
On Mon, Apr 1, 2019 at 2:06 PM Rodney W. Grimes <
freebsd-...@gndrsh.dnsmgr.net> wrote:
> > On 1 Apr 2019, at 18:47, Rodney W. Grimes wrote:
> > > I know for a fact that there is desire, with financials available,
> > > to get our code updated. I do not think there is any specific
> > > criteria
You can use tagging for that with prob rules and then use route-to on tags.
Since PF will use route-to only if the rule when route-to is matched
you can do like
pass bla.. prob 30% ..bla tag ROUTE1
pass bla.. prob 70% ..bla tag ROUTE2
pass bla route-to ($whatever1) tagged ROUTE1
pass bla route-t
This is ng_pf node based on ng_ipfw code and idea.
It allows interaction of PF and netgraph.
Below are the node features and a dummy example of how to use it.
Patch is attached.
Features,
1- By default it sends any packet that matches the rule to netgraph.
Syntax: pass in from any to any netgraph
i am wrong)
On 5/30/07, Alexander Motin <[EMAIL PROTECTED]> wrote:
Hi.
Ermal Luçi wrote:
> 4- The node has these messages:
> #ifdef NG_PF_DEBUG
> NGM_PF_GET_STATS, (number of packets in/out)
> NGM_PF_CLR_STATS,
> NGM_PF_GETCLR_STATS,
> #endif
What
OK, here it is with stats activated :).
On 5/30/07, Alexander Motin <[EMAIL PROTECTED]> wrote:
Ermal Luçi wrote:
> the only reason i made them available only for debugging is cause of
> int32_t types of those counter and these could overflow easily on
> busy environments.
On 5/30/07, Alexander Motin <[EMAIL PROTECTED]> wrote:
Ermal Luçi wrote:
> OK, here it is with stats activated :).
One more: all binary netgraph messages are hidden from user-level in
ng_pf.h. They are all covered with #ifdef _KERNEL. Specially?
No special need just forgotten by me
On 06/16/07 21:29, Adam McDougall wrote:
> On Sat, Jun 16, 2007 at 05:20:39PM +0200, Volker wrote:
...
> If that doesn't help, I recommend rewriting your rules a bit and use
> 'set state-policy if-bound' (which I'm using most as I find it better
> to administer). Unfortunately I don't have
altq on {$wan, $wan2 } priq queue { idle_1, normal_1, high_1}
queue idle_1 priq(default)
queue normal_1 priority 2
queue high_1 priority 3
pass in quick on $lan route-to { ($wan $wan_gw), ($wan2 $wan2_gw) } \
round-robin inet from ($lan:network) to any flags S/SA keep state queue high_1
should d
Attached is the patch against -CURRENT for integrating PF with dummynet!
It gives full dummynet support in pf.conf syntax and removes dummynet
dependency to ipfw.
You can configure a pipe/queue using the same ipfw syntax the only
difference is that I call those 'dnpipe'/'dnqueue' respectively.
GRE
Try using
pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
and it should work as you expect!
On 10/28/07, Andrew Birukov <[EMAIL PROTECTED]> wrote:
>
> pf.conf:
> ---
> ext_if="xl0"
>
> altq on $ext_if priq
Hello Daniel,
can I ask why ALTQ_WFQ is not integrated into PF?!
It is just about ENOTIME or you found some other issues with those
schedulers. Cause I am interested on integrating this schedulers on PF
and want to ask first if there is other issue other than time one?!
On Nov 12, 2007 4:18 PM,
If you want to know something more for HFSC in this link there is some
explanation on how to use and configure it to suit your needs.
The link:
http://forum.pfsense.org/index.php?PHPSESSID=efbbb6e4e74cdefced188b28de395e46&topic=2484.0
The following reply was made to PR kern/120057; it has been noted by GNATS.
From: "Ermal Luçi" <[EMAIL PROTECTED]>
To: "Max Laier" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check
i wron
On Wed, Mar 5, 2008 at 7:39 PM, Kuat Eshengazin <[EMAIL PROTECTED]> wrote:
> Hi,
>
>
> I'm testing a device with application layer firewall and one of the features
> requires HTTP connection from multiple IP-addresses.
> Device logs clients ip addresses and then depending on statistic calculatio
2008/4/16 Oleksandr Samoylyk <[EMAIL PROTECTED]>:
> Dear freebsd-pf subscribers,
>
> What can such messages from system message buffer mean?
>
> ULLpf
> _tepsft_:t epsft_:g eptf__mgteatg_ mrteatgu rrneetdu rNnUeLdL N
> ULLpf_
> tepsft_:t epsft_:g eptf__mgteatg_ mrteatgu rrneetdu rNnUeLdL
> NU
This one is for RELENG_7[_0] but should apply ok to CURRENT too.
http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_0/ipsec_altq.diff?rev=1.2;content-type=text%2Fplain
For RELENG_6, check the freebsd-ipfw@ list; I sent one there in reply to a thread.
Ermal
On Thu, May 8, 2008 at 1:58 PM, Daniel Roethlisberger <[EMAIL PROTECTED]> wrote:
> CZUCZY Gergely <[EMAIL PROTECTED]> 2008-05-08:
>> On Thu, 08 May 2008 11:36:26 +0300 Oleksandr Samoylyk
>> <[EMAIL PROTECTED]> wrote:
>> > >> That iptables rule worked for any destination.
>> > > You cannot rewrite a
On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>> Hello,
>>
>> I am not sure if I should be here or over at a pf specific list but here
>> is my problem.
>
> I've changed the CC list, so this will now go to
On Wed, Oct 15, 2008 at 11:04 PM, Jon Radel <[EMAIL PROTECTED]> wrote:
> Ermal Luçi wrote:
>> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
>>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>> Hello,
>
On Mon, Nov 3, 2008 at 7:03 AM, Peter Jeremy
<[EMAIL PROTECTED]> wrote:
> On 2007-Oct-27 19:45:59 +0000, Ermal Luçi <[EMAIL PROTECTED]> wrote:
>>Attached is the patch against -CURRENT for integrating PF with dummynet!
>>
>>It gives full dummynet support in pf
On Wed, Dec 3, 2008 at 8:33 PM, Alessandro Silveira
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have a Storage with high input traffic in a network, in add
> 192.168.16.8, and a playout in add 192.168.16.50.
>
> I am using Packet Filter for to ensure low delay in streams of video
> with samba, using rea
On Fri, Feb 13, 2009 at 3:56 AM, Sam Fourman Jr. wrote:
>>> So I would like to hear some ideas on how we could use FreeBSD or any other
>>> BSD
>>> to limit bandwidth per customer( say one customer (with root access)
>>> per server )
>>>
>> There was not much to report at that point. However, p
Try the modified configuration; it should give you what you are after.
altq on $int_if cbq bandwidth 10Mb queue { me, comp, mach, dd}
queue on $int_if comp bandwidth 2Mb cbq
queue on $int_if me bandwidth 5Mb cbq(borrow)
queue on $int_if mach bandwidth 2Mb cbq
queue on $int_if dd bandwidth 1Mb cbq(
On Tue, May 26, 2009 at 1:00 PM, Karsten Schmidt wrote:
> The following reply was made to PR kern/132176; it has been noted by GNATS.
>
> From: Karsten Schmidt
> To: bug-follo...@freebsd.org, l...@ngc.net.ua
> Cc:
> Subject: Re: kern/132176: [pf] pf stalls connection when using route-to
> [regre
On Sat, Jun 6, 2009 at 6:49 PM, wrote:
> Vlad Galu ha escrito:
>
>> On Sat, Jun 6, 2009 at 5:57 AM, wrote:
>>>
>>> Hi folks!
>>>
>>> I'm trying to figure out if there is a way to make connection marking in
>>> a
>>> similar way as the iptables's CONNMARK target does?
>>>
>>> Does pf supports thi
On Mon, Jun 8, 2009 at 10:53 PM, David DeSimone wrote:
> v...@tesla.cujae.edu.cu wrote:
>>
>> by the way, anyone knows if there are plans to include connection mark
>> capabilities to pf.
>>
>> i say this because until now is the only way i've found to solve my
>> issue.
>
> I think the real quest
2009/12/11 John Dakos [ Enovation Technologies ]
>
> Hello all.
>
> I'm running Squid Version 3.0.STABLE20 on FreeBSD 8 Release with PF and
> ..
>
> --enable-pf-transparent'
>
> Squid is worked but in my cashe.log I have clientNatLookup: PF open
> failed: (13) Permission denied every ti
On Tue, Dec 15, 2009 at 7:21 AM, Linda Messerschmidt <
linda.messerschm...@gmail.com> wrote:
> Hi all,
>
> I have a PF machine that is giving fits. I see a lot of weird behavior.
>
> 1) TCP connections (mainly port 80) sometimes take 3 seconds to get
> started instead of being virtually instant.
e VMs into one FreeBSD
>>>> box using jails and vimages.
>>>>
>>>> Does any FreeBSD branch / vimage release combination support separate pf
>>>> AND ipfw configurations per jail? I need ipfw+pf/altq for HFSC queuing
>>>> to simulate the queuein
On Thu, Jun 24, 2010 at 3:12 PM, Rafael Henrique Faria
wrote:
> Hi.
>
> I'm working on a Bridge between a router Cisco 7200, and a 3Com 7900 switch.
> I have several subnetworks, and I need to balance the bandwidth between them.
>
> The Bridge is running: "FreeBSD dell05 8.1-PRERELEASE FreeBSD
> 8.
2010/6/24 Rafael Henrique Faria :
> Just to be more clean:
>
> My pf.conf:
>
> wan_if="bce0"
>
> set limit { states 10, frags 2 }
> set loginterface $wan_if
> set optimization normal
> set block-policy drop
> set fingerprints "/etc/pf.os"
> set skip on lo
>
> altq on $wan_if cbq bandwi
Hello,
the link http://people.freebsd.org/~eri/pf45_1.diff has the patch for
pf(4) as of OpenBSD 4.5 version.
The patch is against HEAD.
After OpenBSD 4.5 the syntax has changed and this is the reason for
such an 'old' version patch.
After importing this one the work will go on the newest version
On Fri, Nov 5, 2010 at 1:33 AM, Ricky Charlet wrote:
> Has anyone out there run altq with cbq with bandwidth limits set around 40 ~
> 50 Mb and seen it work well (actual through put allowed to come near that
> speed)?
>
> Thanks
> ---
> Ricky Charlet
> Adara Networks
> USA 408-433-4942
>
I can
On Sun, Feb 20, 2011 at 7:46 PM, Eir Nym wrote:
> On 20 February 2011 21:38, Chris Buechler wrote:
>> On Sun, Feb 20, 2011 at 1:27 PM, Eir Nym wrote:
>>>
>>> I've found them, but there no status about.
>>>
>>
>> You aren't looking very hard, it's been discussed at length on this
>> list, check t
On Sun, Feb 20, 2011 at 11:16 PM, Maxim Khitrov wrote:
> On Sun, Feb 20, 2011 at 4:16 PM, jhell wrote:
>>
>> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>>
>>> On 20 February 2011 06:50, jhell wrote:
On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>
> I heard while ago about packet fi
On Wed, Jun 29, 2011 at 6:42 AM, Peter Jeremy
wrote:
> Following up on some very old mail...
>
> On 2008-Nov-04 16:53:52 +0100, Ermal Luçi wrote:
>>actually this is the latest against RELENG_7 which is confirmed to
>>work with full features of pf(4) like route-to/r
On Sat, Jul 2, 2011 at 5:33 PM, Pierre Lamy wrote:
>
>
> On 6/29/2011 1:22 PM, Fabian Keil wrote:
>>
>> "Bjoern A. Zeeb" wrote:
>>
>>> Begin forwarded message:
>>>
From: "Bjoern A. Zeeb"
Date: June 28, 2011 11:57:25 AM GMT+00:00
To: src-committ...@freebsd.org, svn-src-...@freebsd.o
On Tue, Jul 5, 2011 at 3:47 PM, Fabian Keil
wrote:
> Ermal Luçi wrote:
>
>> On Sat, Jul 2, 2011 at 5:33 PM, Pierre Lamy wrote:
>> >
>> >
>> > On 6/29/2011 1:22 PM, Fabian Keil wrote:
>> >>
>> >> "Bjoern A. Zeeb" wrote:
On Wed, Jul 6, 2011 at 5:25 PM, Calomel Org
wrote:
> ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb.
> This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any
> higher, altq will flip back to zero. This "bug" was found when trying
> to test 10 gigabit and 40 giga
On Thu, Jul 7, 2011 at 9:35 PM, David O'Brien wrote:
> On Wed, Jun 29, 2011 at 07:22:24PM +0200, Fabian Keil wrote:
>> "Bjoern A. Zeeb" wrote:
>> > In short; please test!
>>
>> I didn't experience any real problems yet, but running
>
> Hi Bjoern,
> Unfortunately I've had MAJOR network problems si
2011/7/11 Murat SÜRÜCÜ :
> Hello,
>
> I used PF and dummynet together about two years and worked fine.
> Recently i have upgraded the system 7.2 to 8.2 and dummynet doesn't work
> anymore.
> If any packet belong the client IP puts any pipe, it drops and pflog says it
> blocked by last pf rule. But
On Wed, Jul 13, 2011 at 3:00 AM, Peter Jeremy
wrote:
> On 2011-Jun-29 16:26:34 +0800, Ermal Luçi wrote:
>>On Wed, Jun 29, 2011 at 6:42 AM, Peter Jeremy
>> wrote:
>>> Has anyone adapted the PF+dummynet patches for 8.x or 9.x?
>>
>>Well the patch is this
>
way as i told you is to be careful when loading the modules
or when joining to pfil.
>
>
> Murat
>
>
> -Original Message-
> From: owner-freebsd...@freebsd.org [mailto:owner-freebsd...@freebsd.org] On
> Behalf Of Murat SÜRÜCÜ
> Sent: Tuesday, July 12, 2011 8:55 AM
>
On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets wrote:
> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>>
>> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>>
>>> On 08.07.2011 19:02, David O'Brien wrote:
On Fri, Jul 08, 2011 at 02:26:37PM +0200, Ermal Luçi wrote:
>
> On Thu, Ju
On Wed, Aug 17, 2011 at 3:05 PM, Florian Smeets wrote:
> On 17.08.2011 14:58, Ermal Luçi wrote:
>>
>> On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets wrote:
>>>
>>> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>>>>
>>>> On Aug 17, 2011, at
On Mon, Aug 22, 2011 at 4:23 AM, Peter Jeremy
wrote:
> [This is fairly old but has recently bubbled to the top of my TODO list]
>
> On 2011-Jul-13 23:35:44 +0800, Ermal Luçi wrote:
>>I reverted back from having the pipes configured in pfctl because it
>>will be a catching ga
On Sat, Oct 15, 2011 at 4:20 PM, wrote:
> Synopsis: [carp] carp+pf delay with high state limit
>
> State-Changed-From-To: open->closed
> State-Changed-By: glebius
> State-Changed-When: Sat Oct 15 14:20:00 UTC 2011
> State-Changed-Why:
> Not a bug. This is a feature. pfsync(4) suppresses carp(4)
>
2011/10/17 Gleb Smirnoff :
> On Mon, Oct 17, 2011 at 02:18:38PM +0200, Ermal Luçi wrote:
> E> On Sat, Oct 15, 2011 at 4:20 PM, wrote:
> E> > Synopsis: [carp] carp+pf delay with high state limit
> E> >
> E> > State-Changed-From-To: open->closed
> E> > State-Changed-By: glebius
> E> > State-Changed
The following reply was made to PR kern/114095; it has been noted by GNATS.
From: Ermal Luçi
To: Gleb Smirnoff
Cc: nerijus.ambra...@ktu.lt, freebsd-pf@freebsd.org, bug-follo...@freebsd.org
Subject: Re: kern/114095: [carp] carp+pf delay with high state limit
Date: Mon, 17 Oct 2
2011/10/26 Виталий Владимирович :
>
> Recently I worked around traffic prioritization of my router
> (FreeBSD9-BETA3). I would like to prioritization traffic coming from external
> interface and coming from internal LAN.
>
> ## ALTQ
>
> altq on $ext_if hfsc bandwidth 800Kb qlimit 500 queue {std
2011/11/14 Виталий Владимирович :
>
> Hi.
> Some years ago I have read in freebsd-pf@ that exist patch PF+dummynet from
> eri@. Now I am searching on Internet but nothing except this: pfsense-tools /
> patches / RELENG_9_0 on GitHUB. Is anybody use it with FreeBSD 9? I have
> applied dummynet.
2011/11/14 Виталий Владимирович :
>
>
> --- Original message ---
> From: "Ermal Luçi"
> To: "Виталий Владимирович"
> Date: 14 November 2011, 19:15:31
> Subject: Re: PF + dummynet
>
>
>
>> 2011/11/14 Виталий Владимирович :
>> >
>> > Hi.
>> > Some years ago I have read in freebsd-pf@ that ex
On Fri, Jan 20, 2012 at 11:04 PM, Walt Elam wrote:
> I would like to help with the development of the PF port for FreeBSD but am
> not quite sure how to get involved. More specifically, I would like to help
> get something ported over that accepts the new rule syntax since it becomes
> increasing
On Sun, Jan 22, 2012 at 3:50 AM, Bjoern A. Zeeb <
bzeeb-li...@lists.zabbadoz.net> wrote:
>
> On 21. Jan 2012, at 23:26 , Greg Hennessy wrote:
>
> >>>
> >> There is one catch.
> >> FreeBSD does not want to break compatibility of old syntax and that is
> why
> >> i did not port the latest version of
On Sun, Jan 22, 2012 at 12:26 AM, Greg Hennessy wrote:
> > >
> > There is one catch.
> > FreeBSD does not want to break compatibility of old syntax and that is
> why
> > i did not port the latest version of pf(4).
>
> Shades of the versioning/maintenance issues surrounding putting Perl in
> the ba
On Sun, Jan 22, 2012 at 11:41 AM, Tilman Keskinöz wrote:
> * Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +]:
> >
> > On 21. Jan 2012, at 20:52 , Tilman Keskinöz wrote:
> >
> >>
> >> On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
> >>
> >>> Tilman Keskinöz wrote:
> >>>
> Same here.
>
The following reply was made to PR kern/163208; it has been noted by GNATS.
From: Ermal Luçi
To: Tilman Keskinöz
Cc: bug-follo...@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Mon, 23 Jan 2012 12:16:38
The following reply was made to PR kern/163208; it has been noted by GNATS.
From: Ermal Luçi
To: Tilman Keskinöz
Cc: bug-follo...@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Mon, 23 Jan 2012 17:21:21 +0100
On Mon, Jan 23,
On Thu, Jan 26, 2012 at 3:38 PM, David Siebörger wrote:
> Hi,
>
> I have a pair of FreeBSD 9.0-RELEASE firewalls which are crashing
> repeatedly. I've been able to connect to one of them with remote kgdb
> after it crashed (see kgdb session attached), but I haven't been able to
> get to the botto
On Fri, Jan 27, 2012 at 3:36 AM, Greg Hennessy wrote:
> Hi Peter,
>
> That doesn't sound unreasonable, bearing in mind how much we all $ENJOY using
> the operating system precisely because the interfaces are defined and stable
> between major releases.
> I would not have expected PF 4.7 and abov
On Fri, Jan 27, 2012 at 7:47 AM, David Siebörger wrote:
> On Thursday, 26 January 2012 5:35 PM Ermal Luçi wrote:
>> Are you doing frequent updating of tables or loading large lists of
>> addresses in them?
>
> The machine crashed again, and this time I ran ps in ddb. It sho
On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech wrote:
> Hi List,
>
> I've a box that panics multiple times randomly since a year whatever
> the release is (8 or 9)
> The crash dump shows that the problem is related to pf.
> Is this some sort of identified bug?
> Below some info and my pf.conf file.
The following reply was made to PR kern/166411; it has been noted by GNATS.
From: Ermal Luçi
To: bug-follo...@freebsd.org, baluste...@gmail.com
Cc:
Subject: Re: kern/166411: [pf] simply enabling pf makes udpxy not to work
Date: Wed, 28 Mar 2012 11:41:05 +0200
Normally this
Hello,
On Thu, Apr 12, 2012 at 1:16 PM, Theodor-Iulian Ciobanu
wrote:
> Hello,
>
> I came across this same issue yesterday on a system I have just set up.
> I'm currently using the default kernel:
>
> FreeBSD changeme 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30
> UTC 2012 r...@farrell
On Fri, Apr 13, 2012 at 12:29 AM, Theodor-Iulian Ciobanu
wrote:
> On Thu, 12 Apr 2012 15:01:46 +0200
> Ermal Luçi wrote:
>
>> Hello,
>>
>> On Thu, Apr 12, 2012 at 1:16 PM, Theodor-Iulian Ciobanu
>> wrote:
>> > Hello,
>> >
>> > I came
2012/4/16 Gleb Smirnoff :
> On Sun, Apr 15, 2012 at 12:00:21PM +, Gleb Smirnoff wrote:
> T> On Sun, Apr 15, 2012 at 11:10:03AM +, Gleb Smirnoff wrote:
> T> T> I have a vague suspicion on what is happening. Your description of
> T> T> the problem looks like if a packet processing in t
2012/4/17 Gleb Smirnoff :
> On Tue, Apr 17, 2012 at 10:06:15AM +0200, Ermal Luçi wrote:
> E> 2012/4/16 Gleb Smirnoff :
> E> > On Sun, Apr 15, 2012 at 12:00:21PM +, Gleb Smirnoff wrote:
> E> > T> On Sun, Apr 15, 2012 at 11:10:03AM +, Gleb Smirnoff wrote:
> E> > T> T> I have a vague susp
On Tue, Apr 17, 2012 at 10:38 AM, Ermal Luçi wrote:
> 2012/4/17 Gleb Smirnoff :
>> On Tue, Apr 17, 2012 at 10:06:15AM +0200, Ermal Luçi wrote:
>> E> 2012/4/16 Gleb Smirnoff :
>> E> > On Sun, Apr 15, 2012 at 12:00:21PM +, Gleb Smirnoff wrote:
>> E>
2012/4/17 Gleb Smirnoff :
> On Tue, Apr 17, 2012 at 10:38:31AM +0200, Ermal Luçi wrote:
> E> 2012/4/17 Gleb Smirnoff :
> E> >
> E> > In this case crash or freeze is fixed, but still packet is dropped.
> Example
> E> > of such rule:
> E> >
> E> > pass in on igb0 fastroute proto tcp from any to $
On Tue, Apr 17, 2012 at 6:32 PM, Bjoern A. Zeeb
wrote:
>
> On 17. Apr 2012, at 09:48 , Gleb Smirnoff wrote:
>
>> Replying on only on paragraph, everything else agreed.
>>
>> On Tue, Apr 17, 2012 at 11:33:27AM +0200, Ermal Luçi wrote:
>> E> The only problem i might see is when running more than on
2012/4/17 Gleb Smirnoff :
> On Tue, Apr 17, 2012 at 12:46:08PM +0400, Gleb Smirnoff wrote:
> T> We can make the assignment like:
> T>
> T> if (ifp->if_flags & IFF_LOOPBACK)
> T> m->m_flags |= M_SKIP_FIREWALL;
>
> I've tested this plus MTAG_PERSISTENT on pf tags, and it looks like this
> works.
On Wed, May 16, 2012 at 2:15 PM, Adam Strohl
wrote:
> Hello,
>
> I've noticed that when I use "synproxy state" on a rule and a connection
> comes in to an IP on a CARP interface the connection opens but never gets
> passed on to the process as it should.
>
> For example:
>
> pass in on $ext_if pro
iirc this is from fastforwarding being enabled.
Just from memory though, cause i remember seeing this panic as well.
Again, from memory this is fastforwarding related, try disabling it.
If it was pf(4) surely in pfSense would have been seen more frequently
and in pfSense fastforwarding is not used
On Wed, May 23, 2012 at 9:05 AM, Joerg Pulz wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> On Tue, 22 May 2012, Ermal Luçi wrote:
>
>> iirc this is from fastforwarding being enabled.
>> Just from memory though, cause i remember seeing this panic as
On Fri, Jun 1, 2012 at 10:25 AM, Joerg Pulz wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> On Tue, 29 May 2012, Daniel Hartmeier wrote:
>
>> On Sun, May 27, 2012 at 06:30:09PM +, Joerg Pulz wrote:
>>
>>> i've seen 12 more "pf_route: m0->m_len < sizeof(struct ip)" messages
>>>
The following reply was made to PR kern/168190; it has been noted by GNATS.
From: Ermal Luçi
To: Joerg Pulz
Cc: Daniel Hartmeier , bug-follo...@freebsd.org,
freebsd-pf@freebsd.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad
fragment handling?)
On Fri, Jun 8, 2012 at 8:17 AM, Gleb Smirnoff wrote:
> Hello, networkers!
>
> [net@ in Cc, but further discussion should go on pf@]
>
> As you already probably know, or some may be don't yet know, the pf(4)
> subsystem in FreeBSD is currently working under a single mutex. This mutex
> is acquir
On Tue, Jul 10, 2012 at 3:31 AM, Hao Bryan Cheng wrote:
> Hello all,
>
> I am working on converting a captive portal system from ipfw to pf (in
> order to support port-block allocation in many-to-one NAT) on systems
> currently running FreeBSD 8.2.
>
> Most of the firewall rewrite went without inc
Hi Gleb,
On Wed, Sep 5, 2012 at 8:36 PM, Gleb Smirnoff wrote:
> Thomas,
>
> On Wed, Sep 05, 2012 at 04:28:23PM +0200, Thomas Steen Rasmussen wrote:
> T> Your work seems very exciting from a performance standpoint, and it
> T> is certainty something I am looking forward to. Please don't take the
Hi Gleb,
On Wed, Sep 5, 2012 at 1:51 PM, Gleb Smirnoff wrote:
> Hi!
>
> [announce goes both to net@ and pf@, but any discussion should
>go on on p...@freebsd.org only, please]
>
> As you already may know, last half a year I've been working on
> making pf SMP-scalable and faster in genera
On Thu, Sep 6, 2012 at 8:46 AM, Gleb Smirnoff wrote:
> Ermal,
>
> On Wed, Sep 05, 2012 at 10:02:17PM +0200, Ermal Luçi wrote:
> E> as already shared with you the opinion the new 're-arrangement' of
> E> data structure together with new syntax
> E> is more helpful to SMP in general, so complement
Hello Ian,
On Fri, Sep 7, 2012 at 11:26 AM, Ian FREISLICH wrote:
>> > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The
>> > OpenBSD-pf port have proved to be poorly maintained. After last
>> > import that was made by you, at least the following regressions were
>> > introduced:
On Fri, Sep 7, 2012 at 2:05 PM, Ian FREISLICH wrote:
> Ermal Luçi wrote:
>> > - the "pf: state key linking mismatch" which affects pf as far back
>> > as we've been prepared to test (FreeBSD-8.0). Although it only
>> > became visible in the logs in -CURRENT before 9-RELEASE wit
On Sun, Sep 9, 2012 at 7:53 PM, wishmaster wrote:
>
>
>> Everyone agrees that altq needs to vanish, we know other code
>> exists/has been pondered; we'll see who might come forward.
>
> May be integrating pf with well-known dummynet?
> ___
This alread
Just as a note,
this is an issue especially when using bridge+carp+pf.
On Tue, Sep 11, 2012 at 1:00 PM, Gleb Smirnoff wrote:
> The following reply was made to PR kern/124364; it has been noted by GNATS.
>
> From: Gleb Smirnoff
> To: Vladimir Shapkin
> Cc: bug-follo...@freebsd.org
> Subject: ke
The issue is that this hides the problem per se.
The ioctl and pfctl loading of ruleset is not ready for handling failures here!
/me Does not understand why people do not ask for review first?
On Tue, Sep 18, 2012 at 2:53 PM, Sergey Kandaurov wrote:
> On 18 September 2012 16:34, Gleb Smirnoff w
On Tue, Sep 18, 2012 at 6:15 PM, Gleb Smirnoff wrote:
> Ermal,
>
> On Tue, Sep 18, 2012 at 06:02:06PM +0200, Ermal Luçi wrote:
> E> The issue is that this hides the problem per se.
>
> What had hidden problem per se, was the following code:
>
> PF_UNLOCK();
>
On Tue, Nov 20, 2012 at 7:46 AM, Odhiambo Washington wrote:
> On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster <
> paul.g.webs...@googlemail.com
> > wrote:
>
> > Good day all,
> >
> > I am aware this is a much discussed subject since the upgrade of PF, I
> > believe the final decision was that to man
d.
He actually broke if-bound state but that's another story.
> Sami
>
>
> On Tue, Nov 20, 2012 at 9:55 AM, Ermal Luçi wrote:
>
>> On Tue, Nov 20, 2012 at 7:46 AM, Odhiambo Washington > >wrote:
>>
>> > On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster <
On Wed, Nov 21, 2012 at 8:56 AM, Gleb Smirnoff wrote:
> Mark,
>
> On Tue, Nov 20, 2012 at 03:43:17PM +0100, Mark Martinec wrote:
> M> For one thing, I'm desperately awaiting NAT64 support (the 'af-to'
> M> translation rule in newer pf (5.1?), committed on 2011-10).
>
> Backport this exact featu
On Wed, Nov 21, 2012 at 3:52 PM, Gleb Smirnoff wrote:
> On Wed, Nov 21, 2012 at 03:44:13PM +0100, Ermal Luçi wrote:
> E> Cherry-picking would be when there is reasonable similarities.
> E> Also another argument to do this would be simplicity on locking as well
> as
> E> i told you when you starte
On Thu, Nov 22, 2012 at 3:13 PM, Ian FREISLICH wrote:
> Ermal Luçi wrote:
> > On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi wrote:
> > > This was actually discussed much before, as I read it would make some
> > > issues with the new pf-smp work done by gleb.
> > >
> > Not reall
On Fri, Nov 23, 2012 at 8:50 AM, Ian FREISLICH wrote:
> > > Today its a null op. So it voids the keyword which should be
> deprecated in
> > > FreeBSD or should be reintroduced!
> > > Also it may break people assumptions on it.
> >
> > So I take it that "set state-policy if-bound" will no longer