Re: set skip on interface rule doesn't show up in pfctl -sr
* Giancarlo Razzolini [EMAIL PROTECTED] [2006-07-04 16:07]:
> My question is not only about ftp-proxy, I only used it to exemplify. My
> question is: if I tag a packet that is entering one interface and in the
> same rule (rdr pass, for example) I send this packet to an interface
> which is skipped by pf, I want to know if, when this packet gets out of
> this interface, it will still be tagged or not. The only thing that the
> man page says is that tags are internal markers. So I'm supposing that
> if I send them to an interface skipped by pf, the tag will not be on the
> packets getting out of it. Just want to be sure about this, cause all my
> tests point to this conclusion.

there is no notion of these tags in IP. they are only there as long as
the packets are inside the kernel. when they leave the machine (by
whatever interface) they're gone, and if they leave kernel space (think
userland proxies) they're gone too.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Re: set skip on interface rule doesn't show up in pfctl -sr
On Mon, Jul 03, 2006 at 09:15:15PM -0300, Giancarlo Razzolini wrote:
> Henning Brauer wrote:
> > skip steps and set skip have nothing to do with each other. set skip
> > basically disables pf on a per-interface basis. skip steps is an
> > optimization in rule processing you can safely ignore. it Just Works
> > in the background and saves you CPU cycles :)
>
> It does not have much to do with the topic but, if I do enable skip on
> an interface and I send packets to the skipped interface with tags on
> them, will these tags be lost? I'm asking because I did some tagging
> and sent to the ftp-proxy running on the lo0 interface, and the tags
> were gone when the ftp-proxy did the connection on behalf of the user.
> I need this to do qos.

If this is pre-3.9 ftp-proxy, well, it should be obvious that it works
that way, no?

Use multiple ftp-proxy processes, running under different
usernames/groups, and tag on username/group.

		Joachim
Re: set skip on interface rule doesn't show up in pfctl -sr
Joachim Schipper wrote:
> On Mon, Jul 03, 2006 at 09:15:15PM -0300, Giancarlo Razzolini wrote:
> > Henning Brauer wrote:
> > > skip steps and set skip have nothing to do with each other. set
> > > skip basically disables pf on a per-interface basis. skip steps is
> > > an optimization in rule processing you can safely ignore. it Just
> > > Works in the background and saves you CPU cycles :)
> >
> > It does not have much to do with the topic but, if I do enable skip
> > on an interface and I send packets to the skipped interface with
> > tags on them, will these tags be lost? I'm asking because I did some
> > tagging and sent to the ftp-proxy running on the lo0 interface, and
> > the tags were gone when the ftp-proxy did the connection on behalf
> > of the user. I need this to do qos.
>
> If this is pre-3.9 ftp-proxy, well, it should be obvious that it works
> that way, no?
>
> Use multiple ftp-proxy processes, running under different
> usernames/groups, and tag on username/group.
>
> 		Joachim

My question is not only about ftp-proxy, I only used it to exemplify. My
question is: if I tag a packet that is entering one interface and in the
same rule (rdr pass, for example) I send this packet to an interface
which is skipped by pf, I want to know if, when this packet gets out of
this interface, it will still be tagged or not. The only thing that the
man page says is that tags are internal markers. So I'm supposing that if
I send them to an interface skipped by pf, the tag will not be on the
packets getting out of it. Just want to be sure about this, cause all my
tests point to this conclusion.

Thanks,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: set skip on interface rule doesn't show up in pfctl -sr
* Daniel Ouellet [EMAIL PROTECTED] [2006-07-03 21:44]:
> Is there a special reason why we couldn't see the set skip on interface
> in the display of the rules in pf with the regular:
>
> pfctl -sr

it is not a rule.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Re: set skip on interface rule doesn't show up in pfctl -sr
From: [EMAIL PROTECTED]
> Is there a special reason why we couldn't see the set skip on interface
> in the display of the rules in pf with the regular:
>
> pfctl -sr

If this was to be implemented, it might be more appropriate to show in
the runtime state (pfctl -si) than the rule output.

DS
Re: set skip on interface rule doesn't show up in pfctl -sr
> it is not a rule.

OK, not a rule, but still shouldn't it be possible or useful to see that
in effect? If you make changes for testing or whatnot and you use this
temporarily, etc. on a box of 10+ interfaces, just my thinking, but I
was expecting to see this in the display of how pf was working.

Yes it might be stupid to forget to remove it or whatever, but if you do
check the active rules to see what's in action and skip doesn't show up
there, one might think all is good and not check the detailed
configuration to see if that would be there or not.

Just a thought. Someone might put this in effect and then another admin
checks the rules, doesn't see it and thinks all is good and looks
elsewhere, just to find out after many hours that this set skip is
bypassing the configuration.

May not be a rule, but it still has an effect in the working
configuration. Doesn't it make sense to see it?
Re: set skip on interface rule doesn't show up in pfctl -sr
On 7/3/06, Daniel Ouellet [EMAIL PROTECTED] wrote:
> > it is not a rule.
>
> OK, not a rule, but still shouldn't it be possible or useful to see
> that in effect? If you make changes for testing or whatnot and you use
> this temporarily, etc. on a box of 10+ interfaces, just my thinking,
> but I was expecting to see this in the display of how pf was working.
>
> Yes it might be stupid to forget to remove it or whatever, but if you
> do check the active rules to see what's in action and skip doesn't
> show up there, one might think all is good and not check the detailed
> configuration to see if that would be there or not.
>
> Just a thought. Someone might put this in effect and then another
> admin checks the rules, doesn't see it and thinks all is good and
> looks elsewhere, just to find out after many hours that this set skip
> is bypassing the configuration.
>
> May not be a rule, but it still has an effect in the working
> configuration. Doesn't it make sense to see it?

Indeed it does, but not by hacking up `-s rules`. pfctl(8) lists all the
various things you can display with -s. 'options' (as per pf.conf(5)) do
not seem to be among them, however, which I agree is unfortunate. It also
doesn't help that the manpage says, next to -s Rule:

    Note that the ``skip step'' optimization done automatically by the
    kernel will skip evaluation of rules where possible.

which seems to imply that `-s rules` has something to do with `set skip`.

I don't know a lot about the architecture of pf (I plan to learn soon
though) so maybe this is completely stupid, but I suggest adding modes
for `pfctl -s` to match everything listed in pf.conf(5).

-Nick
Re: set skip on interface rule doesn't show up in pfctl -sr
On 2006/07/03 16:26, Nick Guenther wrote:
> I don't know a lot about the architecture of pf (I plan to learn soon
> though) so maybe this is completely stupid, but I suggest adding modes
> for `pfctl -s` to match everything listed in pf.conf(5).

`-s config' to produce a usable pf.conf from in-memory configuration
would be quite appealing...
Re: set skip on interface rule doesn't show up in pfctl -sr
> If this was to be implemented, it might be more appropriate to show in
> the runtime state (pfctl -si) than the rule output.

I don't know. Maybe, maybe not. But I got cut by this. I had a sysadmin
do changes in a pretty big multi-interface box and he used the set skip
to test new rules on individual interfaces as I guess it started to be
too big, I can't explain. But in any case, I started to see some strange
things pass that shouldn't be there and, looking at the pfctl -sr at
work, I never saw anything that would explain it. After many hours of
work, I thought that maybe there might be a bug somehow. Looked in that
direction and a few more days passed. Sometimes the most obvious is not
what jumps at you and in the end, I started to look in more detail at
the rules instead of the pfctl -sr until I saw the set skip in there.

So, in the end, it is very stupid, that I agree with 100%! No one else
to blame than the sysadmin and myself for assuming that pfctl -sr would
show me what's active at the time. I fell into that trap and that's why
I was asking if it wouldn't make sense to see what's actually active
when you are looking at the live configuration running on the system. I
took for granted that looking at the live rules was telling me what is
actively filtering.

Believe me, I will not fall into that trap again, but I thought, after
the many hours that I could have saved, that maybe it might be very
useful for someone else.

I just thought that if you look at the live configuration, it should
show the live configuration. That was just my take on it after a real
life trap that I don't have anyone to blame for but myself, for not
looking at the detailed configuration line by line sooner.

In any case, thanks for the feedback.

That's a mistake I will not repeat again! (;

Daniel
Re: set skip on interface rule doesn't show up in pfctl -sr
> Indeed it does, but not by hacking up `-s rules`. pfctl(8) lists all
> the various things you can display with -s. 'options' (as per
> pf.conf(5)) do not seem to be among them, however, which I agree is
> unfortunate. It also doesn't help that the manpage says, next to -s
> Rule:
>
>     Note that the ``skip step'' optimization done automatically by the
>     kernel will skip evaluation of rules where possible.
>
> which seems to imply that `-s rules` has something to do with `set
> skip`.

I don't know about all the options. I kind of think these are more
operational limits or something. I am sure I don't use the right words
here, but the options would be for optimization of efficiency on a busy
system. In low usage, the options wouldn't be in the way in any case.

I see the set skip as all or nothing, as opposed to options that are
capacity related. I could be wrong, but I don't see that as the same
thing at all. The show rules, or whatever it may be called, should show
the go/no go stuff and if you want optimization, then you can always
look elsewhere for capacity related issues. I don't think the two should
be in the same place here, but again, that's just my thinking. Looks
logical to me, but I am not saying I hold all the truth here either.
Re: set skip on interface rule doesn't show up in pfctl -sr
Daniel Ouellet wrote:
> > If this was to be implemented, it might be more appropriate to show
> > in the runtime state (pfctl -si) than the rule output.
>
> I don't know. Maybe, maybe not. But I got cut by this. I had a
> sysadmin do changes in a pretty big multi-interface box and he used
> the set skip to test new rules on individual interfaces as I guess it
> started to be too big, I can't explain. But in any case, I started to
> see some strange things pass that shouldn't be there and, looking at
> the pfctl -sr at work, I never saw anything that would explain it.
> After many hours of work, I thought that maybe there might be a bug
> somehow. Looked in that direction and a few more days passed.
> Sometimes the most obvious is not what jumps at you and in the end, I
> started to look in more detail at the rules instead of the pfctl -sr
> until I saw the set skip in there.
>
> So, in the end, it is very stupid, that I agree with 100%! No one else
> to blame than the sysadmin and myself for assuming that pfctl -sr
> would show me what's active at the time. I fell into that trap and
> that's why I was asking if it wouldn't make sense to see what's
> actually active when you are looking at the live configuration running
> on the system. I took for granted that looking at the live rules was
> telling me what is actively filtering.
>
> Believe me, I will not fall into that trap again, but I thought, after
> the many hours that I could have saved, that maybe it might be very
> useful for someone else.
>
> I just thought that if you look at the live configuration, it should
> show the live configuration. That was just my take on it after a real
> life trap that I don't have anyone to blame for but myself, for not
> looking at the detailed configuration line by line sooner.
>
> In any case, thanks for the feedback.
>
> That's a mistake I will not repeat again! (;
>
> Daniel

pfctl -sI -vv shows you if an interface is skipped or not.

My 2 cents,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
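An added audit script, not part of this thread or of pfctl, that turns the tip above into a check a config review can run: it parses `pfctl -sI -v` output and fails when any interface is skipped, so a forgotten `set skip` cannot hide behind a clean `pfctl -sr`. It assumes pfctl prints a skipped interface's name line with a trailing " (skip)" and that `-vv` adds indented statistics lines; the sample output and interface names are constructed.

```shell
# Added example, not from the thread. Assumes `pfctl -sI -v` marks a skipped
# interface with a trailing " (skip)" on its name line, and that `-vv` adds
# indented per-interface statistics lines underneath (OpenBSD pfctl).

# Constructed sample of `pfctl -sI -vv` output; names and counters are
# made up.  On a live box, pipe the real command into check_no_skip.
SAMPLE_PFCTL_SI='all
em0
    Cleared:     Mon Jul  3 21:44:00 2006
    References:  [ States:  12                 Rules: 4                  ]
lo0 (skip)
    Cleared:     Mon Jul  3 21:44:00 2006
    References:  [ States:  0                  Rules: 0                  ]
fxp1 (skip)
    Cleared:     Mon Jul  3 21:44:00 2006
    References:  [ States:  0                  Rules: 0                  ]
'

# Print the names of interfaces pf is skipping, one per line.
# Reads pfctl -sI -v[v] output on stdin; indented statistics lines are
# ignored because only interface name lines start in column one.
skipped_ifaces() {
    awk '/^[A-Za-z0-9]/ && / \(skip\)$/ { print $1 }'
}

# Audit check: return 0 only when no interface is skipped; otherwise warn
# on stderr and return 1 so a config-review script can fail on it.
check_no_skip() {
    skipped=$(skipped_ifaces | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$skipped" ]; then
        printf 'WARNING: pf is disabled (set skip) on: %s\n' "$skipped" >&2
        return 1
    fi
    return 0
}

# Run the check against the constructed sample.
if printf '%s' "$SAMPLE_PFCTL_SI" | check_no_skip; then
    echo "ok: pf is active on every interface"
fi
```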
Re: set skip on interface rule doesn't show up in pfctl -sr
> > set skip on interface in the display of the rules in pf with the
> > regular:
> >
> > pfctl -sr
>
> it is not a rule.

I guess one could argue that:

set block-policy

option is not a rule either, but it does show up however:

Example 1:

In pf.conf

snip
set block-policy return
block all
snip

pfctl -sr

snip
block return all
snip

Example 2:

In pf.conf

snip
set block-policy drop
block all
snip

pfctl -sr

snip
block drop all
snip

This set option does show up here. OK, it can be argued that it might be
a rule as well, but it is entered as a set option in the same section as
set skip.

Daniel
Re: set skip on interface rule doesn't show up in pfctl -sr
Henning Brauer wrote:
> * Daniel Ouellet [EMAIL PROTECTED] [2006-07-03 21:44]:
> > Is there a special reason why we couldn't see the set skip on
> > interface in the display of the rules in pf with the regular:
> >
> > pfctl -sr
>
> it is not a rule.

It is an option. Would it be beneficial to add an Options modifier to
pfctl's -s arg in order to verify all options?

# pfctl -s Options
Options:        Values:
loginterface    em0
optimization    normal
block-policy    drop
state-policy    floating
skip on         lo0 fxp1
...

-pachl
Re: set skip on interface rule doesn't show up in pfctl -sr
On 7/3/06, Giancarlo Razzolini [EMAIL PROTECTED] wrote:
> pfctl -sI -vv shows you if an interface is skipped or not.
>
> My 2 cents,

-w is not documented in pfctl(8). What does it do?

On 7/3/06, Clint Pachl [EMAIL PROTECTED] wrote:
> Henning Brauer wrote:
> > * Daniel Ouellet [EMAIL PROTECTED] [2006-07-03 21:44]:
> > > Is there a special reason why we couldn't see the set skip on
> > > interface in the display of the rules in pf with the regular:
> > >
> > > pfctl -sr
> >
> > it is not a rule.
>
> It is an option. Would it be beneficial to add an Options modifier to
> pfctl's -s arg in order to verify all options?
>
> # pfctl -s Options
> Options:        Values:
> loginterface    em0
> optimization    normal
> block-policy    drop
> state-policy    floating
> skip on         lo0 fxp1
> ...
>
> -pachl

That's what I and Stuart Henderson said. Methinks it is a good idea.

-Nick
Re: set skip on interface rule doesn't show up in pfctl -sr
Nick Guenther wrote:
> -w is not documented in pfctl(8). What does it do?

It is not -w, it is -v, which stands for -v(erbose). If you use it twice
(-vv) it increases the verbosity level. It is in the pfctl man page.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: set skip on interface rule doesn't show up in pfctl -sr
On 7/3/06, Nick Guenther [EMAIL PROTECTED] wrote:
> On 7/3/06, Giancarlo Razzolini [EMAIL PROTECTED] wrote:
> > pfctl -sI -vv shows you if an interface is skipped or not.
>
> -w is not documented in pfctl(8). What does it do?

It most certainly is. Try -vv ('v' 'v', as in 'victor' 'victor'), avoid
typing your dmesg at all costs! =)
Re: set skip on interface rule doesn't show up in pfctl -sr
* Nick Guenther [EMAIL PROTECTED] [2006-07-03 22:35]:
> unfortunate. It also doesn't help that the manpage says, next to -s
> Rule:
>
>     Note that the ``skip step'' optimization done automatically by the
>     kernel will skip evaluation of rules where possible.
>
> which seems to imply that `-s rules` has something to do with `set
> skip`.

skip steps and set skip have nothing to do with each other. set skip
basically disables pf on a per-interface basis. skip steps is an
optimization in rule processing you can safely ignore. it Just Works in
the background and saves you CPU cycles :)

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Re: set skip on interface rule doesn't show up in pfctl -sr
Henning Brauer wrote:
> skip steps and set skip have nothing to do with each other. set skip
> basically disables pf on a per-interface basis. skip steps is an
> optimization in rule processing you can safely ignore. it Just Works
> in the background and saves you CPU cycles :)

It does not have much to do with the topic but, if I do enable skip on
an interface and I send packets to the skipped interface with tags on
them, will these tags be lost? I'm asking because I did some tagging and
sent to the ftp-proxy running on the lo0 interface, and the tags were
gone when the ftp-proxy did the connection on behalf of the user. I need
this to do qos.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85