Problem reports for p...@freebsd.org that need special attention

2019-08-11 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


Problem reports for p...@freebsd.org that need special attention

2019-08-04 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-07-28 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-07-21 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-07-14 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-07-07 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-06-30 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-06-23 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-06-16 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-06-09 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 237973] pf: implement egress keyword to simplify rules across different hardware

2019-06-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

Kristof Provost  changed:

What     | Removed          | Added
---------+------------------+-----------------
Assignee | k...@freebsd.org | p...@freebsd.org

--- Comment #2 from Kristof Provost  ---
(Reassigned to pf@, because this is not on my short-term todo list.)

-- 
You are receiving this mail because:
You are the assignee for the bug.


Problem reports for p...@freebsd.org that need special attention

2019-06-02 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-05-26 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-05-19 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-05-12 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-05-05 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-04-28 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-04-21 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 196087] pf loses states during rdr

2019-04-18 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196087

Kristof Provost  changed:

What       | Removed | Added
-----------+---------+-------------------
Resolution | ---     | Overcome By Events
Status     | New     | Closed



Problem reports for p...@freebsd.org that need special attention

2019-04-14 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-04-07 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-03-31 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 230619] pf: tables use non SMP-friendly counters

2019-03-29 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230619

--- Comment #10 from commit-h...@freebsd.org ---
A commit references this bug:

Author: kp
Date: Fri Mar 29 14:34:52 UTC 2019
New revision: 345692
URL: https://svnweb.freebsd.org/changeset/base/345692

Log:
  MFC r345177:

  pf: Use counter(9) in pf tables.

  The counters of pf tables are updated outside the rule lock. That means state
  updates might overwrite each other. Furthermore allocation and
  freeing of counters happens outside the lock as well.

  Use counter(9) for the counters, and always allocate the counter table
  element, so that the race condition cannot happen any more.

  PR:   230619
  Submitted by: Kajetan Staszkiewicz 

Changes:
_U  stable/12/
  stable/12/sys/net/pfvar.h
  stable/12/sys/netpfil/pf/pf_table.c



[Bug 230619] pf: tables use non SMP-friendly counters

2019-03-29 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230619

--- Comment #9 from commit-h...@freebsd.org ---
A commit references this bug:

Author: kp
Date: Fri Mar 29 14:34:51 UTC 2019
New revision: 345691
URL: https://svnweb.freebsd.org/changeset/base/345691

Log:
  MFC r345177:

  pf: Use counter(9) in pf tables.

  The counters of pf tables are updated outside the rule lock. That means state
  updates might overwrite each other. Furthermore allocation and
  freeing of counters happens outside the lock as well.

  Use counter(9) for the counters, and always allocate the counter table
  element, so that the race condition cannot happen any more.

  PR:   230619
  Submitted by: Kajetan Staszkiewicz 

Changes:
_U  stable/11/
  stable/11/sys/net/pfvar.h
  stable/11/sys/netpfil/pf/pf_table.c



[Bug 236829] pf does not respect timeout values at all

2019-03-27 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236829

Mark Linimon  changed:

What     | Removed          | Added
---------+------------------+-----------------
Assignee | b...@freebsd.org | p...@freebsd.org



Problem reports for p...@freebsd.org that need special attention

2019-03-24 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 196087] pf loses states during rdr

2019-03-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196087

Kristof Provost  changed:

What | Removed | Added
-----+---------+-----------------
CC   |         | k...@freebsd.org

--- Comment #3 from Kristof Provost  ---
Does this problem still happen on 12.0?

The problem description doesn't immediately ring any bells with me, so unless
we can reproduce it or get access to a failing setup I don't think there's much
we can do.



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

Benedict Reuschling  changed:

What       | Removed     | Added
-----------+-------------+-------
Status     | In Progress | Closed
Resolution | ---         | FIXED

--- Comment #12 from Benedict Reuschling  ---
Just committed the MFC, so no reason to keep this PR open any longer. Thanks
for reporting it!

-- 
You are receiving this mail because:
You are on the CC list for the bug.


[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

--- Comment #11 from commit-h...@freebsd.org ---
A commit references this bug:

Author: bcr
Date: Fri Mar 22 06:02:07 UTC 2019
New revision: 345404
URL: https://svnweb.freebsd.org/changeset/base/345404

Log:
  MFC r345080:

  Extend descriptions and comments about the need to create /etc/pf.conf.

  FreeBSD removed the default /etc/pf.conf file in previous releases, but
  the documentation kept mentioning it like any other file present in the
  system.  Change pf.conf(5) to mention in the description of the
  default ruleset location that this file needs to be created manually. Also,
  the default rc.conf file had its comment extended a bit to let people
  know that this file does not exist by default.

  PR:   231977
  Submitted by: koobs@
  Reviewed by:  kp@, 0mp@
  Approved by:  kp@
  Differential Revision: https://reviews.freebsd.org/D19530

Changes:
_U  stable/12/
  stable/12/libexec/rc/rc.conf
  stable/12/share/man/man5/pf.conf.5



Problem reports for p...@freebsd.org that need special attention

2019-03-17 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 226411] PF does not properly keep state with GRE in IPSec

2019-03-15 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411

--- Comment #10 from Kristof Provost  ---
Sadly not. This bug is actually still on my todo list, so I haven't forgotten
about it yet, but it's some way down the list right now.

If your friend is very motivated, a test case we can plug into the existing pf
tests would likely be very helpful.



[Bug 226411] PF does not properly keep state with GRE in IPSec

2019-03-15 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411

Shawn Webb  changed:

   What|Removed |Added

 CC||shawn.w...@hardenedbsd.org

--- Comment #9 from Shawn Webb  ---
Hey all,

A friend of mine was curious about getting this bug resolved. He still sees it
today on some of his systems. Are there any updates?

Thanks for the hard work!



[Bug 230619] pf: tables use non SMP-friendly counters

2019-03-15 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230619

--- Comment #8 from commit-h...@freebsd.org ---
A commit references this bug:

Author: kp
Date: Fri Mar 15 11:08:45 UTC 2019
New revision: 345177
URL: https://svnweb.freebsd.org/changeset/base/345177

Log:
  pf: Use counter(9) in pf tables.

  The counters of pf tables are updated outside the rule lock. That means state
  updates might overwrite each other. Furthermore allocation and
  freeing of counters happens outside the lock as well.

  Use counter(9) for the counters, and always allocate the counter table
  element, so that the race condition cannot happen any more.

  PR:   230619
  Submitted by: Kajetan Staszkiewicz 
  Reviewed by:  glebius
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D19558

Changes:
  head/sys/net/pfvar.h
  head/sys/netpfil/pf/pf_table.c



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-12 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

--- Comment #10 from Benedict Reuschling  ---
Patch committed to head, waiting until the MFC has happened before closing this
PR.



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-12 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

--- Comment #9 from commit-h...@freebsd.org ---
A commit references this bug:

Author: bcr
Date: Tue Mar 12 20:08:38 UTC 2019
New revision: 345080
URL: https://svnweb.freebsd.org/changeset/base/345080

Log:
  Extend descriptions and comments about the need to create /etc/pf.conf.

  FreeBSD removed the default /etc/pf.conf file in previous releases, but
  the documentation kept mentioning it like any other file present in the
  system.  Change pf.conf(5) to mention in the description of the default
  ruleset location that this file needs to be created manually. Also, the
  default rc.conf file had its comment extended a bit to let people know
  that this file does not exist by default.

  PR:   231977
  Submitted by: koobs@
  Reviewed by:  kp@, 0mp@
  Approved by:  kp@
  MFC after: 10 days
  Differential Revision: https://reviews.freebsd.org/D19530

Changes:
  head/libexec/rc/rc.conf
  head/share/man/man5/pf.conf.5



[Bug 230619] pf: tables use non SMP-friendly counters

2019-03-12 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230619

Kristof Provost  changed:

What   | Removed | Added
-------+---------+------------
Status | New     | In Progress

--- Comment #7 from Kristof Provost  ---
Patch posted for review: https://reviews.freebsd.org/D19558



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

Kubilay Kocak  changed:

What     | Removed                      | Added
---------+------------------------------+------
Keywords | needs-qa                     |
Flags    | mfc-stable10?, mfc-stable11? |

--- Comment #8 from Kubilay Kocak  ---
Since this resulted in a docs (not base) change, mfc-* requests are no longer
applicable.



Problem reports for p...@freebsd.org that need special attention

2019-03-10 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+---------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

--- Comment #4 from Kristof Provost  ---
(In reply to Benedict Reuschling from comment #2)
Good question, but I don't really have a strong opinion.

ipfw has a default configuration in /etc/rc.firewall, but ipf doesn't.

We could certainly use /usr/share/examples/pf/pf.conf as the 'default' pf.conf,
as it's all commented out and it already refers to the man pages and the
examples in /usr/share/examples/pf.

It's probably better to update the documentation though, and do the same for pf
as for ipf: no default config, but point at the examples from the
documentation.



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

--- Comment #7 from Benedict Reuschling  ---
I've opened a review on Phabricator to discuss the outstanding file changes
here: https://reviews.freebsd.org/D19530



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

--- Comment #5 from Benedict Reuschling  ---
OK, I also think that changing the handbook text is easier. I've changed the
sentence to mention that there is no default /etc/pf.conf ruleset and point
people to the /usr/share/examples/pf directory.



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

--- Comment #6 from commit-h...@freebsd.org ---
A commit references this bug:

Author: bcr
Date: Sun Mar 10 15:22:55 UTC 2019
New revision: 52854
URL: https://svnweb.freebsd.org/changeset/doc/52854

Log:
  Mention that FreeBSD does not ship with /etc/pf.conf by default.

  Previous versions of FreeBSD provided a standard /etc/pf.conf, but
  that was removed without changing the documentation.  Update the
  handbook to mention it and point people to the directory
  /usr/share/examples/pf/ where example firewall rules are available.

  PR:   231977
  Submitted by: koobs@
  Discussed with:   kp@

Changes:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

bc...@lafn.org changed:

   What|Removed |Added

 CC||bc...@lafn.org

--- Comment #3 from bc...@lafn.org ---
There are a number of pf examples in /usr/share/pf.  How about having a simple
pf.conf that permits everything and includes a reference to /usr/share/pf for
examples.  I wish I had known about them before.  I just found them today.



[Bug 231977] Multiple references to non-existent default PF configuration file (/etc/pf.conf)

2019-03-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231977

Benedict Reuschling  changed:

   What|Removed |Added

 Status|Open|In Progress

--- Comment #2 from Benedict Reuschling  ---
Adding Kristof for input on this. Kristof, what do you think is better:
a) provide a default /etc/pf.conf that only contains a simple, commented
ruleset as examples or
b) Change the documentation to tell users they need to create an /etc/pf.conf
as it is no longer provided with the base system install/upgrade?



[Bug 201695] [PATCH] pf.conf syntax (interface:0) incorrectly results in IPv6 link-local address

2019-03-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201695

--- Comment #4 from commit-h...@freebsd.org ---
A commit references this bug:

Author: kp
Date: Sat Mar  9 10:33:47 UTC 2019
New revision: 344965
URL: https://svnweb.freebsd.org/changeset/base/344965

Log:
  MFC r339836, r340286, r341358:

  pf tests: Test ':0' ignoring link-local addresses

  Fix test: sys.netpfil.pf.pass_block.noalias

  Replace hard-coded epair0b with the variable that holds the real epair interface
  used for testing.

  pf tests: Make pass_block:noalias more robust

  Send several ICMPv6 echo requests. We've seen occasional failures with a
  single request.

  PR:   201695

Changes:
_U  stable/12/
  stable/12/tests/sys/netpfil/pf/pass_block.sh



[Bug 183198] [pf] pf tables not loaded if only used inside anchor

2019-03-05 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=183198

Kristof Provost  changed:

   What|Removed |Added

 CC||a.kraso...@yahoo.com

--- Comment #15 from Kristof Provost  ---
*** Bug 236221 has been marked as a duplicate of this bug. ***



Problem reports for p...@freebsd.org that need special attention

2019-03-03 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status  |Bug Id | Description
+---+---
Open|203735 | Transparent interception of ipv6 with squid and p 

1 problems total for which you should take action.


[Bug 196314] pf nested inline anchors does not work

2019-03-02 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196314

--- Comment #8 from commit-h...@freebsd.org ---
A commit references this bug:

Author: kp
Date: Sat Mar  2 12:30:59 UTC 2019
New revision: 344720
URL: https://svnweb.freebsd.org/changeset/base/344720

Log:
  pf tests: Test for nested inline anchor issue

  PR:   196314
  MFC after:1 week

Changes:
  head/tests/sys/netpfil/pf/pass_block.sh



Problem reports for p...@freebsd.org that need special attention

2019-02-24 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status  |Bug Id | Description
+---+---
Open|203735 | Transparent interception of ipv6 with squid and p 

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-02-17 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status  |Bug Id | Description
+---+---
Open|203735 | Transparent interception of ipv6 with squid and p 

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2019-02-10 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status  |Bug Id | Description
+---+---
Open|203735 | Transparent interception of ipv6 with squid and p 

1 problems total for which you should take action.


[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-02-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #21 from Kristof Provost  ---
(In reply to Kajetan Staszkiewicz from comment #20)
You are of course correct here.

I'd like to try to write a test case for this. Do you have any suggestions on
how to best reproduce (as simple a version as possible of) the problematic
behaviour?

vnet lets us create arbitrary numbers of pf/pfsync instances, so it should be
possible to reproduce this. See /usr/src/tests/sys/netpfil/pf/pfsync.sh if
you're interested in examples.



[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-02-06 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #20 from Kajetan Staszkiewicz  ---
'rt' contains values from enum  { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO,
PF_DUPTO, PF_REPLYTO }. I don't see how those could be squashed into a single
flag, as they dictate different actions to be taken against packet.



Problem reports for p...@freebsd.org that need special attention

2019-02-03 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status  |Bug Id | Description
+---+---
Open|203735 | Transparent interception of ipv6 with squid and p 

1 problems total for which you should take action.


[Bug 203715] [pf] 'dup-to' option doesn't duplicate packets

2019-02-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203715

Kristof Provost  changed:

   What|Removed |Added

 Resolution|--- |Overcome By Events
 Status|New |Closed

--- Comment #1 from Kristof Provost  ---
FreeBSD 11.0 is no longer supported. If this problem can be reproduced on 12.0
or 11.2 please re-open this bug, ideally with a reproduction script.



[Bug 208140] panic: page fault in pf

2019-02-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208140

Kristof Provost  changed:

   What|Removed |Added

 Resolution|--- |Overcome By Events
 Status|New |Closed

--- Comment #14 from Kristof Provost  ---
FreeBSD 10.2 is no longer supported. If this problem is still present in 12.0
or 11.2 please re-open this bug.



[Bug 209259] kernel panic when using PF and NAT

2019-02-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209259

Kristof Provost  changed:

   What|Removed |Added

 Resolution|--- |Overcome By Events
 Status|New |Closed
 CC||k...@freebsd.org

--- Comment #1 from Kristof Provost  ---
FreeBSD 10.3 is no longer supported. If the problem can be reproduced on 12.0
or 11.2 please re-open this bug.



[Bug 212873] pf kernel abort at boot in pf_purge_expired_fragments

2019-02-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212873

Kristof Provost  changed:

   What|Removed |Added

 Status|New |Closed
 Resolution|--- |Overcome By Events

--- Comment #2 from Kristof Provost  ---
Please re-open this bug if the problem can be reproduced.



[Bug 223093] /dev/pf locks disrupt other pf-dependent services (ftp-proxy, tftp-proxy, relayd, pfctl, etc)

2019-02-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223093

Kristof Provost  changed:

   What|Removed |Added

 Status|New |Closed
 Resolution|--- |Overcome By Events

--- Comment #4 from Kristof Provost  ---
10.4 is no longer supported, and this is a missing feature in the listed tools,
not in pf.



[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-28 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #19 from Kristof Provost  ---
There's a typo in the KASSERT (r_dir = PF_IN).

I wonder if 'rt' can't be a flag. That'd give us more room for other extensions
later.



Problem reports for p...@freebsd.org that need special attention

2019-01-27 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status  |Bug Id | Description
+---+---
Open|203735 | Transparent interception of ipv6 with squid and p 

1 problems total for which you should take action.


[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-24 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #18 from Kajetan Staszkiewicz  ---
My 2nd patch stores missing state->rt information in currently unused part of
struct pfsync_state. That should make it compatible. A router running
non-patched kernel will simply not transmit any data there when sending states
and ignore all data when receiving them from a patched router. So that part
should be safe.

What looks potentially unsafe is guessing of target interface. Although it is
already badly broken, as packets are leaving router via route matching
destination on unpatched kernel.

Is guessing of target interface done correctly? Can I use fib lookup functions
just like this? No locking needed?



[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #17 from Kristof Provost  ---
Right, for 3. we come back to the compatibility issue. pfsync has to remain
able to run with different versions, so while we could potentially extend the
protocol to include this information we *have* to make sure doing so won't
break a host that doesn't understand the new fields. And vice versa: a host
which doesn't include the information must be able to send state to a host
which expects the extra information.

That's probably possible, but it'll need some special care.



[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #16 from Kajetan Staszkiewicz  ---
(In reply to Kristof Provost from comment #15)

> (In reply to Kajetan Staszkiewicz from comment #13)
>
>> - Any rule using interface IP addresses in unnamed table {} will end up 
>> being different on 2 routers unless named  {} is used.
>
> Ah, because pf generates a random id for the table?

I think so.

> I'd argue that that's
> something the rules sync script (if there is one)

I don't "sync" rules. I "generate" on central database and upload to
loadbalancers. Generated files look identical, line by line. (+/- Python
issue, I will comment on it later).

> should account for, but I'd

Taking that into account is exactly what was needed in my case. Consider
such two rules:

1. allow in on $IFACE from { $HOST1 $HOST2 }

Table used here is unnamed, anonymous, dynamic or however it is called
in the world of pf. There is no guarantee of its name and thus even if
configuration is generated centrally, it will result in ruleset having
different checksum on each loadbalancer.

But is there even any real table used at all? I remember something about
dynamically generated table names but what I see is expansion of ruleset
during loading into separate rules. e.g. rule:

rdr on $if_public inet6 proto ipv6-icmp from any to $if_public ->


got expanded to 2 rules:

rdr on public inet6 proto ipv6-icmp from any tofe80::6a05:caff:fe0b:dd02 ->
 round-robin
rdr on public inet6 proto ipv6-icmp from any to 2a00:XX -> 
round-robin

(BTW, expansion to link-local addresses seems a bug to me, I will report
it separately).

2. table  { $HOST1 $HOST2 }
pass in on $IFACE from 

Here table is named. Ruleset is now consistent between loadbalancers no
matter the contents of table.

> be happy to take patches to make that 'random id' predictable (and consistent
> across hosts).

Maybe one day but for now I already forced usage of named tables everywhere.

>> - Same thing for SNAT rules, although I'm unsure if those are included in 
>> pfchecksum.
>
> I'm not sure what you mean by SNAT rules.

Sorry, of course I meant NAT rules in pf. I very much prefer nftables
terminology of SNAT and DNAT, they just make way more sense.

> The pf_setup_pfsync_matching()
> function checksums all rules, other than the scrub rules.

That just adds one more type of rules that can screw up checksum, as I
expected.

>> - If ruleset is dynamically generated by a script, data structure might not 
>> have explicit ordering and produce different result on each run: for me it
>> was Python and its dictionaries and sets.
>
> I don't understand this one. 

Data structures like sets and hashes have no explicit ordering, at least
in Python. I think I was getting consistent results with Python 2.7 but
totally random when moved to 3.5. Things put to them will be retrieved in
some random order. One database of rules will produce functionally
identical (at least as long as they are "quick" rules) firewall but with
rules in different order. Of course pf can't do anything about it and
this is expected, see next paragraph.

> It shouldn't matter how rules are generated, the
> kernel will calculate a checksum. Or do you mean to say pf should compensate
> for bugs 

That is not a bug.

> in synchronisation scripts?

No, it definitely should not. All I'm saying that it is another trap
I've encountered while fighting with this topic and that it is very hard
to make the ruleset identical from point of view of pf and we should not
expect identical rulesets.

> I don't really see a way around the requirement for the ruleset to be 
> identical
> on all pfsync synced hosts.

But is there really such requirement with current status of pf?

I think the whole discussion wandered away from the main topic. Let's
get back on track.

Current situation:

1. Identical pf.conf will result in different checksum in many cases due
to interface addresses, dynamic table names and/or rule expansion from
unnamed tables.
2. pfsync of normal firewall states which only pass or nat traffic don't
need identical ruleset at all.
3. pfsync of states from route/dup/reply-to rules is *fully broken*.

Let me repeat once again: none of *working* functionalities of pf seems
to require identical ruleset. Maybe label counters?

I want to focus on fixing issue 3. There are multiple approaches:
1. Old patch which depends on ruleset being identical and reconstructing
missing information from rules.
2. New patch which sends part of missing information (state->rt) over
pfsync and discovers interface to use from normal route lookup.
3. Modify pfsync structure to include both state->rt and state->rt_kif.

I would *love* to have 3. implemented but for now I work with 2.
because 1. was way too unreliable.

How should we progress?

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-pf@freebsd.org mailing list
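
The ordering trap and the named-table workaround described in this comment can be reproduced in the generator itself. This is an added example, not code from the bug report or from FreeBSD: the inventory, the `<trusted>` table name, the `$if_public`/`$if_mgmt` macros and the SHA-256 of the generated text (a stand-in for the checksum the kernel computes over the loaded rules) are all assumptions.

```python
import hashlib
import ipaddress
import os
import subprocess
import sys

# Constructed inventory standing in for a central rules database. Addresses are
# documentation ranges; the macros are assumed to be defined elsewhere in pf.conf.
TRUSTED = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
           "198.51.100.7", "198.51.100.8", "203.0.113.5", "203.0.113.6"}
TCP_PORTS = {"$if_public": {443, 80}, "$if_mgmt": {22}}


def render_naive(trusted, tcp_ports):
    """Emit rules in container iteration order with an inline { } address list.

    str hashes are randomized per process (default since Python 3.3), so the
    order of `trusted` changes between runs. pfctl expands the list into one
    rule per address, so list order becomes rule order in the loaded ruleset.
    """
    lines = []
    for iface, ports in tcp_ports.items():
        for port in ports:
            lines.append("pass in quick on %s proto tcp from { %s } to any port %d"
                         % (iface, " ".join(trusted), port))
    return "\n".join(lines) + "\n"


def _addr_key(addr):
    """Sort key: IPv4 before IPv6, then numeric order within each family."""
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def render_canonical(trusted, tcp_ports):
    """Emit the same policy with one named table and every collection sorted."""
    lines = ["table <trusted> { %s }" % " ".join(sorted(trusted, key=_addr_key))]
    for iface in sorted(tcp_ports):
        for port in sorted(tcp_ports[iface]):
            lines.append("pass in quick on %s proto tcp from <trusted> to any port %d"
                         % (iface, port))
    return "\n".join(lines) + "\n"


def digest(text):
    """SHA-256 of the generated file; only a proxy for pf's own ruleset checksum."""
    return hashlib.sha256(text.encode()).hexdigest()


def digests_across_seeds(mode, seeds=(0, 1, 2, 3, 4)):
    """Render in fresh interpreters with different PYTHONHASHSEED values, as
    separate generator runs would, and return the set of distinct digests."""
    seen = set()
    for seed in seeds:
        env = dict(os.environ, PYTHONHASHSEED=str(seed))
        out = subprocess.run([sys.executable, os.path.abspath(__file__), mode],
                             env=env, check=True, capture_output=True,
                             text=True).stdout
        seen.add(digest(out))
    return seen


RENDERERS = {"naive": render_naive, "canonical": render_canonical}

if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] in RENDERERS:
        # Child mode: print one rendering so the parent can hash it.
        sys.stdout.write(RENDERERS[sys.argv[1]](TRUSTED, TCP_PORTS))
    else:
        for mode in RENDERERS:
            print(mode, "distinct rulesets over 5 runs:",
                  len(digests_across_seeds(mode)))
```

A byte-identical generated file is a precondition for matching rulesets, not a guarantee: rules that resolve interface addresses still load differently on each host, as the comment above notes.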

[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #15 from Kristof Provost  ---
(In reply to Kajetan Staszkiewicz from comment #13)

> - Any rule using interface IP addresses in unnamed table {} will end up being 
> different on 2 routers unless named  {} is used.

Ah, because pf generates a random id for the table? I'd argue that that's
something the rules sync script (if there is one) should account for, but I'd
be happy to take patches to make that 'random id' predictable (and consistent
across hosts).

> - Same thing for SNAT rules, although I'm unsure if those are included in 
> pfchecksum.

I'm not sure what you mean by SNAT rules. The pf_setup_pfsync_matching()
function checksums all rules, other than the scrub rules.

> - If ruleset is dynamically generated by a script, data structure might not 
> have explicit ordering and produce different result on each run: for me it 
> was Python and its dictionaries and sets.

I don't understand this one. It shouldn't matter how rules are generated, the
kernel will calculate a checksum. Or do you mean to say pf should compensate
for bugs in synchronisation scripts? 

I don't really see a way around the requirement for the ruleset to be identical
on all pfsync synced hosts.



[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #14 from Kajetan Staszkiewicz  ---
To sum it up: I don't think it is feasible to have any functionality depending
on  ruleset being identical. It is really hard to achieve it and it might not
be worth the effort.



[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #13 from Kajetan Staszkiewicz  ---
(In reply to Kristof Provost from comment #12)
pfcksum only checks if loaded rules are the same, it does not ensure rules are
the same on 2 routers. There are a few ways to have different rulesets, let me
give you a little list I came across while trying to make pfsync work:
- Any rule using interface IP addresses in unnamed table {} will end up being
different on 2 routers unless named  {} is used.
- Same thing for SNAT rules, although I'm unsure if those are included in
pfchecksum.
- If ruleset is dynamically generated by a script, data structure might not
have explicit ordering and produce different result on each run: for me it was
Python and its dictionaries and sets.
- In a dynamical environment it might happen that the ruleset is different for
short periods of time when new configuration is applied as it will never be
applied at exactly the same time on both routers. For me on some loadbalancers
new configuration is applied tens of times a day.



[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #12 from Kristof Provost  ---
(In reply to Kajetan Staszkiewicz from comment #11)
Wouldn't the pfcksum protect us from having different rules in the first place?



[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2019-01-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

Kajetan Staszkiewicz  changed:

   What|Removed |Added

 Attachment #194342|0   |1
is obsolete||
 CC||veg...@tuxpowered.net

--- Comment #11 from Kajetan Staszkiewicz  ---
Created attachment 201346
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=201346=edit
Reconstruct interface route by standard fib lookup

I found another issue. Even if we can somehow reconstruct route interface,
there is still a requirement for having identical ruleset on both routers
because it is rule->rt which makes Route-to, Duplicate-to and Reply-to targets
work. This information is never kept in state.

Attached patch solves this issue by copying rule->rt to state->rt (new field).
Pfsync struct got this field too. Route interface is reconstructed by normal
lookup in routing table in fib 0.

Warning: for "no state" rules still rule->rt must be used and I have coded it
but not tested. For stateful ruleset all seems fine for route-to target.



[Bug 234874] pf: pfr_update_stats: assertion failed.

2019-01-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

--- Comment #7 from commit-h...@freebsd.org ---
A commit references this bug:

Author: kp
Date: Tue Jan 22 01:07:20 UTC 2019
New revision: 343290
URL: https://svnweb.freebsd.org/changeset/base/343290

Log:
  MFC r343041

  pf: silence a runtime warning

  Sometimes, for negated tables, pf can log 'pfr_update_stats: assertion
  failed'.
  This warning does not clarify anything for users, so silence it, just as
  OpenBSD has.

  PR:   234874

Changes:
_U  stable/11/
  stable/11/sys/netpfil/pf/pf_table.c



[Bug 234874] pf: pfr_update_stats: assertion failed.

2019-01-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

--- Comment #6 from commit-h...@freebsd.org ---
A commit references this bug:

Author: kp
Date: Tue Jan 22 01:07:19 UTC 2019
New revision: 343289
URL: https://svnweb.freebsd.org/changeset/base/343289

Log:
  MFC r343041

  pf: silence a runtime warning

  Sometimes, for negated tables, pf can log 'pfr_update_stats: assertion
  failed'.
  This warning does not clarify anything for users, so silence it, just as
  OpenBSD has.

  PR:   234874

Changes:
_U  stable/12/
  stable/12/sys/netpfil/pf/pf_table.c



[Bug 234874] pf: pfr_update_stats: assertion failed.

2019-01-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

Kristof Provost  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|New |Closed



[Bug 211796] missing htonl calls in pf range check

2019-01-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211796

--- Comment #7 from Oleksandr Tymoshenko  ---
There is a commit referencing this PR, but it's still not closed and has been
inactive for some time. Closing the PR as fixed but feel free to re-open it if
the issue hasn't been completely resolved.

Thanks



[Bug 211796] missing htonl calls in pf range check

2019-01-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211796

Oleksandr Tymoshenko  changed:

   What|Removed |Added

 Status|New |Closed
 CC||go...@freebsd.org
 Resolution|--- |FIXED

--- Comment #6 from Oleksandr Tymoshenko  ---
There is a commit referencing this PR, but it's still not closed and has been
inactive for some time. Closing the PR as fixed but feel free to re-open it if
the issue hasn't been completely resolved.

Thanks



[Bug 209475] pf didn't check if enough free RAM for net.pf.states_hashsize

2019-01-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209475

Oleksandr Tymoshenko  changed:

What       |Removed |Added
-----------+--------+------------------
Status     |New     |Closed
CC         |        |go...@freebsd.org
Resolution |---     |FIXED

--- Comment #35 from Oleksandr Tymoshenko  ---
There is a commit referencing this PR, but it's still not closed and has been
inactive for some time. Closing the PR as fixed but feel free to re-open it if
the issue hasn't been completely resolved.

Thanks



Problem reports for p...@freebsd.org that need special attention

2019-01-20 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status |Bug Id | Description
-------+-------+---------------------------------------------------
Open   |203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 122773] [pf] pf doesn't log uid or pid when configured to

2019-01-19 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=122773

--- Comment #9 from Kristof Provost  ---
Note that while we do log the uid we don’t log the pid. Offhand I think that
that was a nontrivial bit of extra work. 

I have no immediate plans to implement that, so I’m okay with keeping this
closed.



[Bug 230619] pf: tables use non SMP-friendly counters

2019-01-16 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230619

--- Comment #6 from Kajetan Staszkiewicz  ---
I totally forgot about this patch too :) I'll fix the memory allocation flag
and run it in a testing environment and come back to you in a few days.



[Bug 230619] pf: tables use non SMP-friendly counters

2019-01-15 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230619

--- Comment #5 from Kristof Provost  ---
Apologies for taking this long to get back to this. I've had other priorities
in the past few months.

I'm not sure about the M_WAITOK in pfr_create_kentry(), because the initial
allocation there (for the pfr_kentry) is M_NOWAIT. It'll have to be another
M_NOWAIT allocation, with appropriate error handling.
The same applies to pfr_create_ktable().

In 'case PFRW_GET_ASTATS' it might make sense to move that code into its own
function, if only to avoid the line length issues. It's so broken up now that
it's not very readable any more.

Other than those minor points, I think this is ready to go in.



[Bug 234874] pf: pfr_update_stats: assertion failed.

2019-01-15 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

--- Comment #5 from commit-h...@freebsd.org ---
A commit references this bug:

Author: kp
Date: Tue Jan 15 08:59:52 UTC 2019
New revision: 343041
URL: https://svnweb.freebsd.org/changeset/base/343041

Log:
  pf: silence a runtime warning

  Sometimes, for negated tables, pf can log 'pfr_update_stats: assertion
  failed'.
  This warning does not clarify anything for users, so silence it, just as
  OpenBSD has.

  PR:           234874
  MFC after:    1 week

Changes:
  head/sys/netpfil/pf/pf_table.c



[Bug 234874] pf: pfr_update_stats: assertion failed.

2019-01-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

--- Comment #3 from rozhuk...@gmail.com ---
(In reply to Kristof Provost from comment #1)

All info in private email, if you need more - I will send.



[Bug 234874] pf: pfr_update_stats: assertion failed.

2019-01-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

--- Comment #2 from rozhuk...@gmail.com ---
	if ((ke == NULL || ke->pfrke_not) != notrule) {
		if (op_pass != PFR_OP_PASS)
			printf("pfr_update_stats: assertion failed.\n");
		op_pass = PFR_OP_XPASS;
	}

	if (op_pass != PFR_OP_PASS && V_pf_status.debug >= PF_DEBUG_MISC)

Probably good fix.



Problem reports for p...@freebsd.org that need special attention

2019-01-13 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status |Bug Id | Description
-------+-------+---------------------------------------------------
Open   |203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 234874] pf: pfr_update_stats: assertion failed.

2019-01-11 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

Kristof Provost  changed:

What       |Removed |Added
-----------+--------+-----------------
CC         |        |k...@freebsd.org

--- Comment #1 from Kristof Provost  ---
Can you provide some more information on your setup? (i.e. network
configuration, pf rules, ...)

This had previously been reported, but then it appeared to be the result of a
configuration problem:
https://lists.freebsd.org/pipermail/freebsd-pf/2018-June/008841.html

I don't yet fully understand the conditions that trigger this log, so I need
more information.



[Bug 234874] pf: pfr_update_stats: assertion failed.

2019-01-11 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

Mark Linimon  changed:

What       |Removed          |Added
-----------+-----------------+-----------------
Assignee   |b...@freebsd.org |p...@freebsd.org



Problem reports for p...@freebsd.org that need special attention

2019-01-06 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status |Bug Id | Description
-------+-------+---------------------------------------------------
Open   |203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2018-12-30 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status |Bug Id | Description
-------+-------+---------------------------------------------------
Open   |203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2018-12-23 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status |Bug Id | Description
-------+-------+---------------------------------------------------
Open   |203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2018-12-16 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status |Bug Id | Description
-------+-------+---------------------------------------------------
Open   |203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


Problem reports for p...@freebsd.org that need special attention

2018-12-09 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status |Bug Id | Description
-------+-------+---------------------------------------------------
Open   |203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 233581] Bugg in PF or in PF man-page?

2018-12-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #12 from peos42  ---
Hi Kristof

This is small :)

However... To try to give you something smaller I started by removing the
pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state

from the main host pf.conf and reloaded PF. The weird thing is that "rndc
reload" still works in the jail. I restarted the jail and it still works. As it
should!!! The ONLY thing I have done since my initial post where it didn't work
is to upgrade host and jail from 11.2-p4 to 11.2p5. ?



[Bug 233581] Bugg in PF or in PF man-page?

2018-12-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #11 from Kristof Provost  ---
(In reply to peos42 from comment #10)
Yes, there have been changes around set skip handling (mostly for groups). See
comment #1.

Do you have a smaller test case?



[Bug 233581] Bugg in PF or in PF man-page?

2018-12-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #10 from peos42  ---
Have not tested on head. Is something fixed regarding this?


Config posted below as requested. Note that IPv4 and IPv6 addresses are
substituted with fake ones.


###
### FROM MAIN HOST 
###
22:09:30 huey:~ # ifconfig -a
vtnet0: flags=8843 metric 0 mtu 1500
   
options=6c07bb
ether 00:16:3c:7f:67:0e
hwaddr 00:16:3c:7f:67:0e
inet 1.2.3.4 netmask 0xff00 broadcast 1.2.3.255 
inet6 fe80::216:3cff:fe7f:670e%vtnet0 prefixlen 64 scopeid 0x1 
inet6 ::6:6df:: prefixlen 48 
nd6 options=21
media: Ethernet 10Gbase-T 
status: active
lo0: flags=8049 metric 0 mtu 16384
options=63
inet6 ::1 prefixlen 128 
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
inet 127.0.0.1 netmask 0xff00 
nd6 options=21
groups: lo 
pflog0: flags=141 metric 0 mtu 33160
groups: pflog 
22:09:32 huey:~ # 


Note that the PF below will be rebuilt from scratch with variables and tagging
etc. But for this case it doesn't matter.

22:10:21 huey:~ # more /etc/pf.conf |grep -v ^#|sed '/^$/d'
set skip on lo0
block all
pass out quick on { lo0 vtnet0 } inet proto {tcp gre esp udp icmp ipv6} all keep state
pass out quick on { lo0 vtnet0 } inet6  proto {tcp gre esp udp icmp6} all keep state
pass out quick on { lo0 vtnet0 } inet6 all keep state
antispoof quick for vtnet0
pass in log quick on vtnet0 inet proto icmp from any to vtnet0 icmp-type { 8 code 0 , 3 code 3 , 11 code 0  } keep state
pass in quick on vtnet0 inet6 proto { ipv6-icmp } from any to any keep state
block in log quick on vtnet0 proto tcp from  to vtnet0 port { 22 }
pass in log quick on vtnet0 inet proto tcp  from any to vtnet0 port { 22 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload  flush global)
pass in log quick on vtnet0 inet6 proto tcp  from any to vtnet0 port { 22 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload  flush global)
block in log quick on vtnet0 proto tcp from  to  vtnet0 port { 10022 }
pass in log quick on vtnet0 inet proto tcp  from any to vtnet0 port { 10022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload  flush global)
pass in log quick on vtnet0 inet6 proto tcp  from any to  vtnet0 port { 10022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload  flush global)
pass in quick on vtnet0 inet proto tcp  from any to vtnet0 port { 53 } flags S/SAFR keep state
pass in quick on vtnet0 inet6 proto tcp  from any to  vtnet0 port { 53 } flags S/SAFR keep state
pass in quick on vtnet0 inet proto udp  from any to vtnet0 port { 53 }  keep state
pass in quick on vtnet0 inet6 proto udp  from any to  vtnet0  port { 53 }  keep state
pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state
block in log quick on vtnet0 proto tcp from  to vtnet0 port { 20022 }
pass in log quick on vtnet0 inet proto tcp  from any to vtnet0 port { 20022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload  flush global)
pass in log quick on vtnet0 inet6 proto tcp  from any to  vtnet0 port { 20022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload  flush global)
pass in log quick on vtnet0 inet proto tcp  from any to vtnet0 port { 25 465 587 } flags S/SAFR keep state
pass in log quick on vtnet0 inet6 proto tcp  from any to  vtnet0 port { 25 465 587 } flags S/SAFR keep state
block in log quick on vtnet0 proto tcp from  to  vtnet0 port { 30022 }
pass in log quick on vtnet0 inet proto tcp  from any to vtnet0 port { 30022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload  flush global)
pass in log quick on vtnet0 inet6 proto tcp  from any to  vtnet0 port { 30022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload  flush global)
pass in log quick on vtnet0 inet proto tcp  from any to vtnet0 port { 80 443 } flags S/SAFR keep state
pass in log quick on vtnet0 inet6 proto tcp  from any to  vtnet0 port { 80 443 } flags S/SAFR keep state
22:10:24 huey:~ # 



###
### FROM DNS JAIL HOST 



"rndc reload" does NOT work in this jail if the following pf.conf row is
removed from the main host...

pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state

On OpenBSD this is not needed as "set skip on lo0" works... But all this I have
already written in earlier 

[Bug 233581] Bugg in PF or in PF man-page?

2018-12-02 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #9 from Kristof Provost  ---
(In reply to peos42 from comment #8)
Please include full pf.conf, ifconfig output and command line.
Have you tested this on head as well?



[Bug 233581] Bugg in PF or in PF man-page?

2018-12-02 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #8 from peos42  ---
I have now tested on my primary firewall that is OpenBSD 6.4. 

There I have "set skip on lo0". And on the firewall I can ping with the source
IP of one of my interfaces and the target IP set to the same. And I do not
have to add a pass rule from that IP, to that IP, on lo0.

On FreeBSD as stated I have to add a pass rule for incoming traffic on lo0 for
this to work even though "set skip on lo0" is in the ruleset.



So it works on OpenBSD... I guess that supports what I am saying.

/Peo



Problem reports for p...@freebsd.org that need special attention

2018-12-02 Thread bugzilla-noreply
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status |Bug Id | Description
-------+-------+---------------------------------------------------
Open   |203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.


[Bug 233581] Bugg in PF or in PF man-page?

2018-12-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #7 from peos42  ---
I added this --ONLY-- to get it working...

pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state

That is...
Pass *IN* on lo0 and *NOT* vtnet0



So please explain your last comment so I understand.

Regards
Peo



[Bug 233581] Bugg in PF or in PF man-page?

2018-12-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #6 from Kristof Provost  ---
Your packet goes out lo0 and in vtnet0. So without the pass rule it’s blocked.



[Bug 233581] Bugg in PF or in PF man-page?

2018-12-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #5 from peos42  ---
Seems I cannot edit previous post. So here is an addition..

You say..

--snip--
but your block all rule is stopping it from being accepted on *vtnet0*, where
your IP address is assigned. You do need the rule to actually accept traffic.
--snip--

If you read my post I had to add a **pass in quick on lo0** and NOT vtnet0

Peo



[Bug 233581] Bugg in PF or in PF man-page?

2018-12-01 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #4 from peos42  ---
Hmmm

From man page regarding "set skip"
--snip--
List interfaces for which packets should not be filtered.  Packets
   passing in or out on such interfaces are passed as if pf was
   disabled, i.e. pf does not process them in any way.
--snip--

I think the text is clear in the man page... Packets are passed as if PF was
disabled. It also states that PF should not process them in any way. 

Two comments on this..

# 1
If a PF default block rule blocks traffic on lo0 for me when "set skip on lo0"
is active, then PF *IS* processing packages which the man page clearly says it
should not!

# 2
Let's assume you are right... Then the default block rule should also block
127.0.0.1 over lo0 so that as well has to be explicitly allowed. But it does
not!


So your comment... Well... I do not agree. But please tell me if I misinterpret
something.

/Peo
