Re: pf ALTQ bandwidth limited to a 32bit value (4294Mb)
Ermal,

Thanks for the diff. When we tried it on FreeBSD 8.2-p2, ALTQ would no longer start. We also looked into the source under /usr/src/sys/contrib/altq/altq. Sadly, most of the changes we made either broke altq completely or had no effect. If you have any other ideas we would be happy to try them out.

-- Calomel @ https://calomel.org Open Source Research and Reference

On Thu, Jul 07, 2011 at 09:28:13AM -0400, Ermal Luçi wrote:

On Wed, Jul 6, 2011 at 5:25 PM, Calomel Org infallibilismindefeasibil...@calomel.org wrote:

ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb. This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any higher, altq will flip back to zero. This bug was found when trying to test 10 gigabit and 40 gigabit bandwidth models. These tests were done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit. If anyone else can verify this independently and agree with the results I would be happy to register it as a bug.

How to replicate: a quick test is setting the bandwidth to 4294Mb and doing a pfctl -sq to check altq.

altq on $ExtIf bandwidth 4294Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

Now set the bandwidth to 4295Mb and notice altq has flipped to zero and added the 32.70Kb difference.

altq on $ExtIf bandwidth 4295Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 32.70Kb priority 0 {ack, web}

Again, we can set the bandwidth to a multiple of two (2), 8589Mb. The bandwidth value flips to zero once and the result is 4.29Gb.

altq on $ExtIf bandwidth 8589Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

If we add one more megabit to 8590Mb the value flips twice and we are left with 65.41Kb.

altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}

It is true that there is a limit because of the data type used.
Though it cannot be fixed easily on i386 but on amd64 this should work. Index: sys/contrib/pf/net/pfvar.h === --- sys/contrib/pf/net/pfvar.h (revision 223824) +++ sys/contrib/pf/net/pfvar.h (working copy) @@ -1491,13 +1491,13 @@ /* scheduler spec */ u_int8_t scheduler; /* scheduler type */ u_int16_ttbrsize; /* tokenbucket regulator size */ - u_int32_tifbandwidth; /* interface bandwidth */ + u_int64_tifbandwidth; /* interface bandwidth */ /* queue spec */ char qname[PF_QNAME_SIZE]; /* queue name */ char parent[PF_QNAME_SIZE]; /* parent name */ u_int32_tparent_qid;/* parent queue id */ - u_int32_tbandwidth; /* queue bandwidth */ + u_int64_tbandwidth; /* queue bandwidth */ u_int8_t priority; /* priority */ #ifdef __FreeBSD__ u_int8_t local_flags; /* dynamic interface */ Thanks. -- ? Calomel @ https://calomel.org ? Open Source Research and Reference ___ freebsd...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to freebsd-pf-unsubscr...@freebsd.org -- Ermal ___ freebsd...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to freebsd-pf-unsubscr...@freebsd.org
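Review bot: the two widened fields live in struct pf_altq, which pfctl hands to the kernel through the ALTQ ioctls, so this hunk is a kernel/userland ABI change and pfctl must be rebuilt from the same pfvar.h; an unrebuilt pfctl passes a struct of the old size to the patched kernel, and the "ALTQ would no longer start" result reported in the reply is what such a layout mismatch looks like. The hunk also stops at the pf side: pfvar.h is only where the rate enters the kernel, and the schedulers under sys/contrib/altq (which the reply says were also looked at) still have to carry a 64-bit rate through their own attach/add-class structures and the hfsc/cbq rate arithmetic, or the overflow simply moves one layer down. Two additions worth making with the change: a line in the commit message saying the ioctl ABI changes, and an explicit range check wherever the bandwidth is narrowed, so a rate the scheduler cannot represent is rejected rather than silently reduced to (value mod 2^32), which is what produced the 32.70Kb reading in the report.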
pf ALTQ bandwidth limited to a 32bit value (4294Mb)
ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb. This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any higher, altq will flip back to zero. This bug was found when trying to test 10 gigabit and 40 gigabit bandwidth models. These tests were done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit. If anyone else can verify this independently and agree with the results I would be happy to register it as a bug.

How to replicate: a quick test is setting the bandwidth to 4294Mb and doing a pfctl -sq to check altq.

altq on $ExtIf bandwidth 4294Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

Now set the bandwidth to 4295Mb and notice altq has flipped to zero and added the 32.70Kb difference.

altq on $ExtIf bandwidth 4295Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 32.70Kb priority 0 {ack, web}

Again, we can set the bandwidth to a multiple of two (2), 8589Mb. The bandwidth value flips to zero once and the result is 4.29Gb.

altq on $ExtIf bandwidth 8589Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

If we add one more megabit to 8590Mb the value flips twice and we are left with 65.41Kb.

altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}

Thanks.

-- Calomel @ https://calomel.org Open Source Research and Reference
Re: PF BINAT on entire /24 subnet
Paolo,

You may need to use the bitmask directive.

bitmask - grafts the network portion of the pool address over top of the address that is being modified (source address for nat-to rules, destination address for rdr-to rules). Example: if the address pool is 192.0.2.1/24 and the address being modified is 10.0.0.50, then the resulting address will be 192.0.2.50. If the address pool is 192.0.2.1/25 and the address being modified is 10.0.0.130, then the resulting address will be 192.0.2.2.

http://www.openbsd.org/faq/pf/pools.html

-- Calomel @ https://calomel.org Open Source Research and Reference

On Sat, Jun 05, 2010 at 11:41:43AM -0400, Paolo Reyes Balleza wrote:

Hello all, I was using pf's (OBSD 4.6) binat for openvpn purposes with 192.168.0.0/24 binatted to 192.0.2.0/24 since I can't renumber the local LAN to avoid the overlap. This doesn't work with current:

match on tun0 from 192.168.0.0/24 to any binat-to 192.0.2.0/24

for the entire subnet any more. Everything gets routed to 192.168.0.0 no matter what external host address I use. It used to be that 192.0.2.1 would map out to 192.168.0.1. One to one mapping does work though. Is this the new behaviour of pf? Just asking because it'd be a PITA to map each host. Cheers and thanks in advance.
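The bitmask grafting described in the FAQ text above, written out as an added C example (not code from the thread or from pf) so a mapping can be verified before it goes into a rule. The pool/prefix and addresses in main() are the FAQ's two examples plus Paolo's 192.0.2.0/24 case; mapping_is_one_to_one is the example's own check for the binat caveat that a pool prefix longer than the source prefix folds several source hosts onto one target address.

```c
/*
 * Added example, not from the mailing-list thread or from pf: the
 * "bitmask" pool behaviour quoted from the OpenBSD FAQ, as a function
 * so a mapping can be checked before it goes into pf.conf. The pool is
 * "addr/prefix"; network bits come from the pool, host bits from the
 * address being rewritten. IPv4 only.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Parse "192.0.2.1/24" into a host-order address and a prefix length. */
static int parse_pool(const char *pool, uint32_t *net, unsigned *plen)
{
    char buf[32];
    char *slash, *end;
    struct in_addr a;

    if (strlen(pool) >= sizeof buf)
        return -1;
    strcpy(buf, pool);
    slash = strchr(buf, '/');
    if (!slash)
        return -1;                       /* a pool needs a prefix length */
    *slash = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    unsigned long n = strtoul(slash + 1, &end, 10);
    if (*end || n > 32)
        return -1;
    *net = ntohl(a.s_addr);
    *plen = (unsigned)n;
    return 0;
}

/* Graft the pool's network part over the host part of addr. Writes the
 * dotted-quad result into out (INET_ADDRSTRLEN bytes). 0 on success. */
int bitmask_map(const char *pool, const char *addr, char *out)
{
    uint32_t net, host, mask, res;
    unsigned plen;
    struct in_addr a;

    if (parse_pool(pool, &net, &plen) < 0)
        return -1;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return -1;
    host = ntohl(a.s_addr);
    mask = plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
    res  = (net & mask) | (host & ~mask);    /* network from pool, host from addr */
    a.s_addr = htonl(res);
    return inet_ntop(AF_INET, &a, out, INET_ADDRSTRLEN) ? 0 : -1;
}

/* binat is meant to be one-to-one: that only holds when the pool prefix is
 * no longer than the source prefix, otherwise the discarded high host bits
 * make several source hosts map to the same target. 1 = ok, 0 = collisions. */
int mapping_is_one_to_one(const char *pool, unsigned src_plen)
{
    uint32_t net;
    unsigned plen;

    if (parse_pool(pool, &net, &plen) < 0)
        return -1;
    return plen <= src_plen;
}

int main(void)
{
    char out[INET_ADDRSTRLEN];
    /* constructed cases: the two FAQ examples and the thread's /24 binat */
    const char *cases[][2] = {
        { "192.0.2.1/24", "10.0.0.50" },
        { "192.0.2.1/25", "10.0.0.130" },
        { "192.0.2.0/24", "192.168.0.1" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof *cases; i++)
        if (bitmask_map(cases[i][0], cases[i][1], out) == 0)
            printf("pool %-14s %-12s -> %s\n", cases[i][0], cases[i][1], out);

    printf("/24 source onto /24 pool one-to-one: %d\n",
           mapping_is_one_to_one("192.0.2.0/24", 24));
    printf("/24 source onto /25 pool one-to-one: %d\n",
           mapping_is_one_to_one("192.0.2.1/25", 24));
    return 0;
}
```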
Re: pf and ftp-proxy active/passive problems
Teemu,

We have to be careful when testing ftp. Different ftp binaries for different OS's use different default options. For example, the ftp binary on OpenBSD v4.7 uses passive ftp by default, so the commands ftp and ftp -p are exactly the same. Some older Solaris machines use active only and ftp on Ubuntu 10.04 uses active by default.

Passive should work from your firewall, but active (PORT) probably will not. Active will only work if you accept a connection from any ip from port 20 to any upper port on the firewall. Not very common.

The machine behind the firewall should be able to do active and passive because the ftp-proxy, if setup correctly, will anchor the proper rules to allow both connection types. For more testing you can setup the ftp-proxy daemon to log its connections to /var/log/daemon using, /usr/sbin/ftp-proxy -D7 -v. You may also want to add the log variable to your Pf rules so you can watch the logs with tcpdump -n -e -ttt -v -i pflog0. Then make sure you are using the correct ftp arguments for your ftp binary to make a passive and active connection on your LAN machine. Check the man page on the machine behind the firewall. Once you have a reliable set of test responses you should have a better idea of where the problem is. Make sense?

BTW, we have examples of Pf and ftp-proxy on our site; see signature.

I checked out your pf.conf. If you have time you may want to try putting your ps3 and NHL10 rules in an anchor to clean things up. How about adding QOS so the gamers get higher network priority? :)

-- Calomel @ https://calomel.org Open Source Research and Reference

On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote:

On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:

Teemu, Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org.

That is a very good point. I thought so as I got both modes working from different nodes, but I am not sure any more.

I tried to ftp.openbsd.org and the results are different indeed. From a host behind my pf machine:

host$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
229 Entering Extended Passive Mode (|||60318|)
ftp: Can't connect to `129.128.5.191': Connection refused
200 EPRT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.

host$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
229 Entering Extended Passive Mode (|||63762|)
ftp: Can't connect to `129.128.5.191': Connection refused

From the pf machine:

fw$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.

fw$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.

If that doesn't ring a bell and you still have time and interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf

Thanks! Teemu
Re: PF Tables scoping.
James,

I can confirm. If a table is created by an anchor with the same name as an existing table the following error is printed:

pfctl: warning: namespace collision with BLOCKTEMP global table.

The anchor's table is different from the main pf table.

pfctl -vvs Tables
--a-rhC  BLOCKTEMP
    Addresses: 12
    Cleared:   Wed Dec 31 19:00:00 1969

pfctl -a games -vvs Tables
--a-r-C  BLOCKTEMP  games
    Addresses: 0
    Cleared:   Wed Jun 2 16:40:14 2010

-- Calomel @ https://calomel.org Open Source Research and Reference

On Wed, Jun 02, 2010 at 04:23:54PM -0400, James Records wrote:

On Wed, Jun 2, 2010 at 10:48 AM, James Records james.records gmail.com wrote:

Hi All, Having an issue with anchors and tables again. I had this same issue a couple of years ago in 4.5 but never got any response, hoping someone can shed some light onto what I'm missing here, or if this is even supported. I'm trying to use an overload rule inside of an anchor to populate a table defined outside of all anchors. I haven't seen anything that specifically says this isn't supported, but if that's the case I'd like to get it clarified. Here are snippets of pf.conf that don't work, and one that does, and an explanation of why I can't just use the one that does work without side effects.

Thanks in advance, J

Doesn't work:

### Tables ###
table <blocked_sites> persist

# Blocked Sites #
anchor Blocked_Sites {
    block in quick from <blocked_sites> to any
}

### TEST_IN ###
anchor TEST_IN {
    pass in log quick on em0 inet proto tcp \
        from any to <TEST_IN_dst> \
        port { 443 } keep state \
        (max 100, source-track rule, max-src-nodes 10, max-src-states 20, \
         max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
}

But remove the anchor from the overload rule and it works fine:

### Tables ###
table <blocked_sites> persist

# Blocked Sites #
anchor Blocked_Sites {
    block in quick from <blocked_sites> to any
}

### TEST_IN ###
#anchor TEST_IN {
pass in log quick on em0 inet proto tcp \
    from any to <TEST_IN_dst> \
    port { 443 } keep state \
    (max 100, source-track rule, max-src-nodes 10, max-src-states 20, \
     max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
#}

This would be simple enough but I want to be able to parse my logs using the anchor names; this isn't possible using the 2nd method. The docs say this should just work from everything I can tell. I can read from a global table from within an anchor but am failing to write to it from within an anchor using the overload rule.

Just an update, I've done some more digging. It seems like I'm running into an issue where it's creating a new table inside the anchor. I'm thinking this is just a bug where the table gets created because it doesn't look outside of the anchor to see if one already exists, but I just want to get another pair of eyes to confirm.

Thanks J

pfctl -vvs Tables
-pa--h-  blocked_sites
    Addresses:   0
    Cleared:     Wed Jun 2 06:10:20 2010
    References:  [ Anchors: 3  Rules: 0 ]
    Evaluations: [ NoMatch: 162  Match: 0 ]
    In/Block:    [ Packets: 0  Bytes: 0 ]
    In/Pass:     [ Packets: 0  Bytes: 0 ]
    In/XPass:    [ Packets: 0  Bytes: 0 ]
    Out/Block:   [ Packets: 0  Bytes: 0 ]
    Out/Pass:    [ Packets: 0  Bytes: 0 ]
    Out/XPass:   [ Packets: 0  Bytes: 0 ]

$ pfctl -a TEST_IN -vvs Tables
--a-r--  blocked_sites  TEST_IN
    Addresses:   1
    Cleared:     Wed Jun 2 01:55:11 2010
    References:  [ Anchors: 0  Rules: 5 ]
    Evaluations: [ NoMatch: 114  Match: 69 ]
    In/Block:    [ Packets: 69  Bytes: 6732 ]
    In/Pass:     [ Packets: 0  Bytes: 0 ]
    In/XPass:    [ Packets: 0  Bytes: 0 ]
    Out/Block:   [ Packets: 0  Bytes: 0 ]
    Out/Pass:    [ Packets: 0  Bytes: 0 ]
    Out/XPass:   [ Packets: 0  Bytes: 0 ]
Re: pf and ftp-proxy active/passive problems
Teemu,

Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org. This is a linux machine behind a pf firewall (openbsd v4.7) using ftp-proxy. Both active (PORT) and passive listings seem to work.

$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.

$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.

Was this the problem?

-- Calomel @ https://calomel.org Open Source Research and Reference

On Wed, Jun 02, 2010 at 07:23:24PM -0400, Teemu Rinta-aho wrote:

Hi all,

(First, sorry if you receive this e-mail multiple times, I changed my smtp server as the first one doesn't seem to get mails to this list.)

My firewall (OpenBSD 4.7) is running packet filter with NAT and tcp-proxy to provide FTP for hosts in the network behind the firewall/NAT. The problem is that a host behind the firewall, connecting to an FTP server in the internet through the firewall, active mode works but passive doesn't. On the firewall's external interface I can see packets going to the FTP server but no reply packets.

Trying FTP directly from the firewall, passive mode works but active doesn't (ftp client says 425 Could not open data connection to port 55476: Connection refused). In this case ftp-proxy is not used as the firewall should be just like any other ftp client.

I have updated my pf.conf as per the 4.7 upgrade instructions and I have run tcpdump on the network interfaces as well as pflog0, but so far I don't understand what might be wrong.

I tried to see pf rules or states inserted by ftp-proxy with commands like 'pfctl -a ftp-proxy/* -sr' but either it doesn't print anything, and trying 'pfctl -a '*' -sr' I get:

anchor * all {
pfctl: DIOCGETRULES: Invalid argument
}

... Any help appreciated. It is not a showstopper but pretty annoying, as e.g. Firefox defaults to passive mode.

Teemu
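What ftp-proxy has to pull out of the control channel before it can anchor a rule for the data connection, as an added C example that is neither the thread's nor OpenBSD's ftp-proxy code. The 227 and 229 replies are the ones quoted in Calomel's and Teemu's transcripts above; the PORT and EPRT client commands, the client address 192.168.1.20 and the use of 129.128.5.191 as the server's control-channel address are constructed for the example. It also shows the two checks a proxy should make before opening a pinhole: the announced address must belong to the peer that announced it (otherwise either side can use the proxy to reach a third host), and the data port must be unprivileged.

```c
/*
 * Added example, not code from the thread or from OpenBSD ftp-proxy:
 * the control-channel parsing an FTP proxy must do before it can open a
 * pinhole for the data channel. Sample lines are constructed; the 227 and
 * 229 replies are as quoted in the thread.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

enum mode { DATA_NONE, DATA_ACTIVE, DATA_PASSIVE };

struct data_ep {
    enum mode mode;
    char ip[INET_ADDRSTRLEN];   /* host that will receive the data SYN */
    unsigned port;
};

/* Decode "a,b,c,d,p1,p2" (the PORT command and the 227 reply) into ip/port. */
static int decode_hostport(const char *s, struct data_ep *ep)
{
    unsigned a, b, c, d, p1, p2;

    if (sscanf(s, "%u,%u,%u,%u,%u,%u", &a, &b, &c, &d, &p1, &p2) != 6)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || p1 > 255 || p2 > 255)
        return -1;
    snprintf(ep->ip, sizeof ep->ip, "%u.%u.%u.%u", a, b, c, d);
    ep->port = p1 * 256 + p2;
    return 0;
}

/* A data port in the privileged range is never legitimate for FTP data;
 * refusing it keeps the proxy from punching holes to real services. */
static int port_ok(unsigned port)
{
    return port >= 1024 && port <= 65535;
}

/*
 * Parse one control-channel line. client_ip and server_ip are the ends of
 * the control connection as the proxy sees them. Returns 0 and fills ep when
 * the line announces a data endpoint, 1 when the line is none of the four
 * data-channel messages, -1 when it is malformed or fails the checks.
 */
int parse_ftp_line(const char *line, const char *client_ip,
                   const char *server_ip, struct data_ep *ep)
{
    const char *p;

    memset(ep, 0, sizeof *ep);
    if (strncmp(line, "PORT ", 5) == 0) {               /* client, active */
        if (decode_hostport(line + 5, ep) < 0)
            return -1;
        ep->mode = DATA_ACTIVE;
    } else if (strncmp(line, "EPRT |1|", 8) == 0) {     /* client, active, IPv4 */
        char ip[INET_ADDRSTRLEN];
        unsigned port;
        if (sscanf(line + 8, "%15[0-9.]|%u|", ip, &port) != 2)
            return -1;
        snprintf(ep->ip, sizeof ep->ip, "%s", ip);
        ep->port = port;
        ep->mode = DATA_ACTIVE;
    } else if (strncmp(line, "227 ", 4) == 0) {         /* server, passive */
        p = strchr(line, '(');
        if (!p || decode_hostport(p + 1, ep) < 0)
            return -1;
        ep->mode = DATA_PASSIVE;
    } else if (strncmp(line, "229 ", 4) == 0) {         /* server, passive (EPSV) */
        p = strstr(line, "(|||");
        if (!p || sscanf(p + 4, "%u|", &ep->port) != 1)
            return -1;
        /* EPSV carries no address: the data peer is the control peer. */
        snprintf(ep->ip, sizeof ep->ip, "%s", server_ip);
        ep->mode = DATA_PASSIVE;
    } else {
        return 1;
    }

    /* Anti-bounce check (the example's own, applied to what the proxy sees
     * on its own side of the connection): the address a side announces must
     * be that side's own address, or the pinhole would lead to a third host. */
    const char *expect = ep->mode == DATA_ACTIVE ? client_ip : server_ip;
    struct in_addr tmp;
    if (inet_pton(AF_INET, ep->ip, &tmp) != 1 || strcmp(ep->ip, expect) != 0)
        return -1;
    if (!port_ok(ep->port))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed control-channel lines; the last one is a bounce attempt. */
    const char *lines[] = {
        "227 Entering Passive Mode (129,128,5,191,214,178)",
        "229 Entering Extended Passive Mode (|||60318|)",
        "PORT 192,168,1,20,195,80",
        "EPRT |1|192.168.1.20|50001|",
        "227 Entering Passive Mode (10,0,0,1,4,1)",
    };
    struct data_ep ep;

    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++) {
        int r = parse_ftp_line(lines[i], "192.168.1.20", "129.128.5.191", &ep);
        if (r == 0)
            printf("%-7s pinhole to %s:%u\n",
                   ep.mode == DATA_ACTIVE ? "active" : "passive", ep.ip, ep.port);
        else
            printf("refuse: %s\n", lines[i]);
    }
    return 0;
}
```

In passive mode the pinhole is outbound, client to server:port; in active mode it is inbound, server port 20 to client:port, which is the connection Calomel says a bare firewall will not normally accept and the reason active transfers fail from the firewall itself.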
Re: AMD power reduction
You can use apm. It will only save a few watts, but it may reduce the cooling costs by reducing the heat generated by the CPU. If you have _many_ machines you can easily reduce the temperature of the server room by a few degrees C.

Advanced Power Management control https://calomel.org/apm_control.html

-- Calomel @ https://calomel.org Open Source Research and Reference

On Fri, Feb 05, 2010 at 11:37:16AM -0500, Jean-Francois wrote:

On Friday 05 February 2010 11:17:51, you wrote:

On 04/02/2010 23:02, Jean-Francois wrote:

All, I am looking forward to reducing the TDP for a server planned to be built. As low as possible shall be best; is AMD Cool'n'Quiet operating with the latest OpenBSD? Regards

Depending on what you were looking at, you can reduce the voltages (if your BIOS has this much control) and this will lower power/heat. I've done this on PCs with bad HSF in hot temperatures. Though, like overclocking, it's an art that requires testing, trying and patience to find the lowest/highest while still being stable.

Hello, I think of doing this too. What I would like to understand is if I will be able to use the frequency change 1000 / 2000 MHz dynamic load based. Regards
Re: possible to configure PF to simulate latency and 1% packet loss?
Andres,

You can add packet loss by using the probability argument on a pf rule. You use either a block or pass rule.

probability number
    A probability attribute can be attached to a rule, with a value set between 0 and 1, bounds not included. In that case, the rule will be honored using the given probability value only. For example, the following rule will drop 20% of incoming ICMP packets:

    block in proto icmp probability 20%

I do not believe you can add latency timings using PF. I agree, this would be very helpful for testing.

-- Calomel @ https://calomel.org Open Source Research and Reference

On Fri, Jan 22, 2010 at 03:13:09PM -0500, Andres Salazar wrote:

Hello, Is it possible to do some rule in pf to simulate 300ms of latency? This is for testing purposes. A plus would be to simulate 1% packet loss. Many Thanks!!
Re: PF cluestick please - low priority queue spills over into normal queue
Aaron,

When you say "seem to spill over into the normal queue" do you mean the bittor queue is borrowing bandwidth from the total amount of bandwidth available? You may need to set a limit on the bittor queue if you want to limit its bandwidth. The OpenBSD FAQ says:

CBQ queues are arranged in an hierarchical manner. At the top of the hierarchy is the root queue which defines the total amount of bandwidth available. Child queues are created under the root queue, each of which can be assigned some portion of the root queue's bandwidth. For example, queues might be defined as follows:

Root Queue (2Mbps)
    Queue A (1Mbps)
    Queue B (500Kbps)
    Queue C (500Kbps)

Also, you can use HFSC queueing for this as well.

Hierarchical Fair Service Curve (HFSC) of OpenBSD https://calomel.org/pf_hfsc.html

-- Calomel @ https://calomel.org Open Source Research and Reference

On Tue, Jan 05, 2010 at 07:14:59PM -0500, Aaron Mason wrote:

Hi all,

I've got the following pf.conf file for limiting bittorrent connections and providing higher priority to a game server. While the latter works wonderfully, the bittorrent connections seem to spill over into the normal queue and it's driving me crazy.

My /etc/pf.conf file is as follows:

set skip on lo

# Setting some constants
prio_port = { 22 53 5900 }
shiori = 192.168.2.241/32
chechemaru = 192.168.2.251/32
wired_if = rl0
wlan_if = ath0
hi_bw = 33Mb
norm_bw = 20Mb
lo_bw = 178415b

altq on $wired_if cbq bandwidth 54Mb queue { wired_hi, wired_norm, wired_lo }
queue wired_hi bandwidth $hi_bw priority 2
queue wired_norm bandwidth $norm_bw cbq(default) priority 3
queue wired_lo bandwidth $lo_bw priority 4

altq on $wlan_if cbq bandwidth 54Mb queue { wlan_hi, wlan_norm, wlan_lo }
queue wlan_hi bandwidth $hi_bw priority 2
queue wlan_norm bandwidth $norm_bw cbq(default) priority 3
queue wlan_lo bandwidth $lo_bw priority 4

# SSH and DNS traffic as well
pass out quick on $wired_if proto { tcp udp } to any port $prio_port \
    queue wired_hi
pass out quick on $wired_if proto { tcp udp } from any port $prio_port \
    queue wired_hi
pass out quick on $wlan_if proto { tcp udp } to any port $prio_port \
    queue wlan_hi
pass out quick on $wlan_if proto { tcp udp } from any port $prio_port \
    queue wlan_hi

# High priority to Shiori
pass out quick on $wired_if to $shiori queue wired_hi
pass out quick on $wlan_if from $shiori queue wlan_hi

# Low priority and limiting to Chechemaru
# NOTE: BT connections are bidirectional, hence the seemingly
# redundant rules
pass out quick on $wired_if to $chechemaru queue wired_lo
pass out quick on $wired_if from $chechemaru queue wired_lo
pass out quick on $wlan_if to $chechemaru queue wlan_lo
pass out quick on $wlan_if from $chechemaru queue wlan_lo

# Everything else gets normal priority
# pass out quick on $wired_if queue wired_norm
#pass

block in on ! lo0 proto tcp to port 6000:6010

A typical output from pftop shows the contents of http://paste2.org/p/596043 - notice the upstream going crazy. Unfortunately pfTop hasn't been updated to take advantage of the changes to pf, so it refuses to display the rules.

I'd do it myself if I had a better understanding of how pf worked within, but I'm not quite at that stage yet. A very hard cluestick is greatly appreciated, to go along with the concussion I am suffering from banging my head on the desk.

Regards

-- Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
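A small C program, added here and not part of either thread, that does the arithmetic behind this thread and the "pf ALTQ bandwidth limited to a 32bit value" thread above. It parses pf.conf bandwidth specs into bits per second (decimal Kb/Mb/Gb as pfctl multiplies them; percentages are not handled), shows what a spec above 4294Mb becomes once it is narrowed to a 32-bit field and rejects such a value instead of letting it wrap, and checks that the children of a cbq root queue do not add up to more than the root. The queue names and bandwidths in main() are taken from Aaron's pf.conf; the parser and the check functions are the example's own, not pfctl's.

```c
/*
 * Added example (not from the mailing-list threads or from pf/pfctl):
 * parse pf.conf bandwidth specs and
 *  (a) show why anything above 4294Mb wraps when stored in a 32-bit field,
 *      and refuse it instead of narrowing silently;
 *  (b) check that child queues never oversubscribe their parent, using the
 *      cbq hierarchy from the pf.conf posted in the thread.
 * Multipliers are decimal (1 Mb = 1,000,000 bit/s); only the b/Kb/Mb/Gb
 * suffixes are handled, percentages are not.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Parse "4294Mb", "178415b", "54Mb" ... into bit/s. Returns 0 on success. */
int parse_bw(const char *spec, uint64_t *bps)
{
    char *end;
    uint64_t mult;

    if (*spec == '-' || *spec == '+')
        return -1;                        /* strtoull would accept a sign */
    errno = 0;
    unsigned long long n = strtoull(spec, &end, 10);
    if (errno || end == spec)
        return -1;
    if (strcmp(end, "b") == 0)       mult = 1ULL;
    else if (strcmp(end, "Kb") == 0) mult = 1000ULL;
    else if (strcmp(end, "Mb") == 0) mult = 1000ULL * 1000;
    else if (strcmp(end, "Gb") == 0) mult = 1000ULL * 1000 * 1000;
    else return -1;
    if (n > UINT64_MAX / mult)            /* would overflow even 64 bits */
        return -1;
    *bps = (uint64_t)n * mult;
    return 0;
}

/* What a u_int32_t field ends up holding: the value modulo 2^32. This is
 * the silent wrap the ALTQ thread observed (4295Mb -> 32.70Kb). */
uint32_t wrap_u32(uint64_t bps)
{
    return (uint32_t)bps;
}

/* The check that is missing when a wide value is narrowed: refuse it. */
int fits_u32(uint64_t bps)
{
    return bps <= UINT32_MAX;
}

struct queue { const char *name; const char *bw; };

/* 1 if the children's bandwidth sums to at most the parent's, 0 if they
 * oversubscribe it, -1 on a spec that does not parse or would wrap. */
int check_hierarchy(const char *parent_bw, const struct queue *kids, size_t n)
{
    uint64_t parent, sum = 0;

    if (parse_bw(parent_bw, &parent) || !fits_u32(parent))
        return -1;
    for (size_t i = 0; i < n; i++) {
        uint64_t bw;
        if (parse_bw(kids[i].bw, &bw) || !fits_u32(bw))
            return -1;
        sum += bw;
    }
    return sum <= parent;
}

int main(void)
{
    /* the four specs tried in the ALTQ thread */
    const char *probe[] = { "4294Mb", "4295Mb", "8589Mb", "8590Mb" };
    for (size_t i = 0; i < sizeof probe / sizeof *probe; i++) {
        uint64_t bps;
        if (parse_bw(probe[i], &bps) == 0)
            printf("%-7s = %13llu bit/s, in 32 bits = %10u%s\n", probe[i],
                   (unsigned long long)bps, (unsigned)wrap_u32(bps),
                   fits_u32(bps) ? "" : "  <- wrapped, reject");
    }

    /* constructed from the cbq section of the posted pf.conf */
    const struct queue wired[] = {
        { "wired_hi",   "33Mb" },
        { "wired_norm", "20Mb" },
        { "wired_lo",   "178415b" },
    };
    printf("wired children fit under 54Mb: %d\n",
           check_hierarchy("54Mb", wired, sizeof wired / sizeof *wired));
    return 0;
}
```

Aaron's three wired queues sum to 53,178,415 bit/s, under the 54Mb root, so the hierarchy itself is not oversubscribed; the same function run over a queue set that exceeds its parent returns 0, and one with a spec above 4294Mb returns -1 rather than a wrapped sum.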
Re: online documentation for new smtpd
For official docs I think the man pages are it. They should contain everything you need to get a working smtpd.conf. We put together a page with a few working examples. OpenSMTPD works fine for a low volume mail server and is very stable. It has been running for a few months with no issues.

OpenSMTPD how to (smtpd.conf) https://calomel.org/opensmtpd.html

-- Calomel @ https://calomel.org Open Source Research and Reference

On Tue, Jul 21, 2009 at 12:23:31PM -0400, Lars Nooden wrote:

I find the two manpages, smtpd(8) and smtpd.conf(5), in current. Is there an official online documentation or project page available for the new smtpd?

Regards
-Lars