Re: if_epair altq support problem

2017-03-24 Thread Ermal Luçi
On Fri, Mar 24, 2017 at 5:48 PM, Özkan KIRIK <ozkan.ki...@gmail.com> wrote: > Hi again, > This patch works perfectly also. > Thank you so much. > Is it possible to commit this patch to repo? > https://svnweb.freebsd.org/changeset/base/315877 > > On Thu, Mar 23, 2017

Re: if_epair altq support problem

2017-03-23 Thread Ermal Luçi
y :) > > On Thu, Mar 23, 2017 at 9:46 PM, Ermal Luçi <e...@freebsd.org> wrote: > >> >> On Thu, Mar 23, 2017 at 11:06 AM, Özkan KIRIK <ozkan.ki...@gmail.com> >> wrote: >> >>> Thank you, I'm waiting for 10.3 fix :) >>> have a nice

Re: if_epair altq support problem

2017-03-23 Thread Ermal Luçi
/* We need to play some tricks here for the second interface. */ strlcpy(name, epairname, len); error = if_clone_create(name, len, (caddr_t)scb); On Wed, Mar 22, 2017 at 11:44 PM, Ermal Luçi <e...@freebsd.org> wrote: > >> >> On Wed, Mar 22, 2017 at 10:50 AM, Özkan KIRIK &l

Re: if_epair altq support problem

2017-03-22 Thread Ermal Luçi
to >> 10.3 RELENG ? >> >> Thanks, for confirming that it fixes your issues. Yeah, on 10.3 it's almost the same fix; I will deal with it. > Regards >> >> On Wed, Mar 22, 2017 at 6:59 AM, Ermal Luçi <e...@freebsd.org> wrote: >> >>> >>> >&g

Re: if_epair altq support problem

2017-03-21 Thread Ermal Luçi
On Tue, Mar 21, 2017 at 5:26 AM, Özkan KIRIK wrote: > Hello, > > I sent this email also to freebsd-pf list. But I think that the main > problem belongs to sys/net/if_epair.c. > > I'm using FreeBSD 10.3-p17 amd64. epair pseudo device is listed as > supported device at

Re: [Bug 203735] Transparent interception of ipv6 with squid and pf causes panic

2017-03-20 Thread Ermal Luçi
On Sun, Mar 19, 2017 at 9:41 PM, wrote: > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735 > > Kristof Provost changed: > >What|Removed |Added >

Re: pf bug with tun interfaces ?

2017-03-16 Thread Ermal Luçi
On Thu, Mar 16, 2017 at 6:12 AM, Mike Tancsa <m...@sentex.net> wrote: > On 3/16/2017 2:15 AM, Ermal Luçi wrote: > > > > > > On Wed, Mar 15, 2017 at 7:33 PM, Kristof Provost <kris...@sigsegv.be > > <mailto:kris...@sigsegv.be>> wrote: > >

Re: pf bug with tun interfaces ?

2017-03-16 Thread Ermal Luçi
On Wed, Mar 15, 2017 at 7:33 PM, Kristof Provost wrote: > On 15 Mar 2017, at 22:10, Mike Tancsa wrote: > >> On 3/15/2017 4:28 AM, Kristof Provost wrote: >> >>> I don’t see any obvious reason why that would happen. >>> >>> Can you reduce this to a minimal test setup and

Re: ipsec with ipfw

2017-03-11 Thread Ermal Luçi
On Sat, Mar 11, 2017 at 2:16 PM, Slawa Olhovchenkov wrote: > On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote: > > > Hi, > > > > As you know the ipsec/setkey provide limited syntax to define security > > policies: only a single subnet/host, protocol number and

Re: How to enable ECMP flow based forwarding ?

2017-02-15 Thread Ermal Luçi
On Wed, Feb 15, 2017 at 9:39 AM, Ermal Luçi <e...@freebsd.org> wrote: > > > On Wed, Feb 15, 2017 at 9:32 AM, Olivier Cochard-Labbé < > oliv...@freebsd.org> wrote: > >> On Wed, Feb 15, 2017 at 6:17 PM, Ermal Luçi <e...@freebsd.org> wrote: >&

Re: How to enable ECMP flow based forwarding ?

2017-02-15 Thread Ermal Luçi
On Wed, Feb 15, 2017 at 9:32 AM, Olivier Cochard-Labbé <oliv...@freebsd.org> wrote: > On Wed, Feb 15, 2017 at 6:17 PM, Ermal Luçi <e...@freebsd.org> wrote: > >> >> >>> Yeah but for 11 branch still is. >> >> > > FIB4 KPI was MFC to 11-st

Re: How to enable ECMP flow based forwarding ?

2017-02-15 Thread Ermal Luçi
On Tue, Feb 14, 2017 at 10:15 PM, Andrey V. Elsukov <bu7c...@yandex.ru> wrote: > On 14.02.2017 22:52, Ermal Luçi wrote: > > I think you need to implement some code first. The fastfwd has not > > supported MPATH and tryforward also doesn't support it. For IPv4 you >

Re: How to enable ECMP flow based forwarding ?

2017-02-14 Thread Ermal Luçi
On Tue, Feb 14, 2017 at 6:13 AM, Andrey V. Elsukov wrote: > On 14.02.2017 03:23, Olivier Cochard-Labbé wrote: > > Hi, > > > > I'm testing FreeBSD ECMP behavior by adding "options RADIX_MPATH" to my > > kernel configuration (11-stable). > > Now I can configure two identical

Re: all network people please review this proposal: because someone is going to commit it soon. D5017

2017-01-31 Thread Ermal Luçi
On Fri, Jan 20, 2017 at 7:15 AM, Slawa Olhovchenkov wrote: > On Fri, Jan 20, 2017 at 11:00:18PM +0800, Julian Elischer wrote: > > > Unless eri gets to it first I will. > > > > see https://reviews.freebsd.org/D5017 > > > > If you have a server, you can put an arbitrary number of

Re: pf & NAT issue

2017-01-20 Thread Ermal Luçi
On Fri, Jan 20, 2017 at 1:17 PM, Bakul Shah wrote: > On Fri, 20 Jan 2017 13:12:07 PST Ermal Luçi < > e...@freebsd.org> wrote: > > On Fri, Jan 20, 2017 at 12:59 PM, Bakul Shah

Re: pf & NAT issue

2017-01-20 Thread Ermal Luçi
On Fri, Jan 20, 2017 at 12:59 PM, Bakul Shah wrote: > On Fri, 20 Jan 2017 21:43:33 +0100 "Kristof Provost" > wrote: > > On 20 Jan 2017, at 21:31, Bakul Shah wrote: > > >> 11:56:28.168693 IP 192.168.125.7.65042 > 149.20.1.200.21: Flags [P.], > > >> seq

Re: [RFC/RFT] projects/ipsec

2016-12-27 Thread Ermal Luçi
On Tue, Dec 27, 2016 at 6:10 AM, Andrey V. Elsukov wrote: > On 27.12.2016 16:15, Jim Thompson wrote: > >> In its initial state if_ipsec allows to use only one set of >>> encryption parameters (because only one sainfo anonymous is >>> possible), so at this time it doesn't

Re: carp on if_bridge deadlock

2015-10-03 Thread Ermal Luçi
This should apply https://reviews.freebsd.org/D3133 Somehow it is still pending on gnn@ for some reason! On Sat, Oct 3, 2015 at 12:10 AM, Nikos Vassiliadis wrote: > Hi, > > I am trying to use carp over an if_bridge and am getting > this LOR: > >> login: lock order reversal: >>

Re: Near-term pf plans

2015-08-26 Thread Ermal Luçi
On Wed, Aug 26, 2015 at 1:43 PM, Kristof Provost kris...@sigsegv.be wrote: On 2015-08-25 19:56:59 (+0200), Ermal Luçi ermal.l...@gmail.com wrote: On Sun, Aug 23, 2015 at 5:09 PM, Kristof Provost k...@freebsd.org wrote: I'm inclined to say that ifgroups and interfaces should share

Re: Near-term pf plans

2015-08-25 Thread Ermal Luçi
On Sun, Aug 23, 2015 at 5:09 PM, Kristof Provost k...@freebsd.org wrote: Hi, Some of you may have noticed that I fixed a couple of pf issues (or in some cases broke things. Sorry Allan.) recently. Here's a quick list of my current priorities: - PR 127042, 202178: This is a panic when

[Differential] [Updated] D1944: PF and VIMAGE fixes

2015-07-21 Thread Ermal LUÇI
eri added a reviewer: eri. REVISION DETAIL https://reviews.freebsd.org/D1944 EMAIL PREFERENCES https://reviews.freebsd.org/settings/panel/emailpreferences/ To: nvass-gmx.com, bz, trociny, kristof, gnn, zec, rodrigc, glebius, eri Cc: farrokhi, julian, robak, freebsd-virtualization-list,

Re: strongswan ikev2 slow on FreeBSD (DigitalOcean)

2015-07-02 Thread Ermal Luçi
AESNI is not hooked yet to the IPsec stack. On Thu, Jul 2, 2015 at 2:42 AM, Zhihao Yuan lich...@gmail.com wrote: It might be hypervisor's problem because they use KVM, but here are some information I have: DO smallest instance. uname -a FreeBSD megashadow2 10.2-PRERELEASE FreeBSD

Re: pf block policy for IPv6 and IPv4

2015-06-15 Thread Ermal Luçi
On Mon, Jun 15, 2015 at 5:13 PM, Christopher Hilton ch...@vindaloo.com wrote: On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton ch...@vindaloo.com wrote: Good afternoon and thank you in advance. I'm running FreeBSD 9.3-STABLE: FreeBSD anza.example.com 9.3-STABLE \

Re: RFC: Dropping support for scrub fragment crop/drop-ovl

2015-06-12 Thread Ermal Luçi
On Fri, Jun 12, 2015 at 11:43 AM, Kristof Provost k...@freebsd.org wrote: Hi all, I've recently been looking at bug 200330. I broke things while adding the reassembly support for ipv6 to pf. Those issues should be fixed now, but having looked at the fragment crop/drop-ovl code, I'm

Re: FreeBSD makes linux think other subet is in same lan.

2015-05-06 Thread Ermal Luçi
On Wed, May 6, 2015 at 2:51 PM, Martin Larsson martin.larss...@gmail.com wrote: This is a small summary of https://forums.freebsd.org/threads/routing-issue-with-ipsec-windows-works-linux-doesnt.51201/ . Setup: My side 192.168.1.0/24 Freebsd (default gateway and ipsec gateway,

Re: moving ALTQ out of contrib

2015-04-15 Thread Ermal Luçi
On Wed, Apr 15, 2015 at 2:26 PM, Gleb Smirnoff gleb...@freebsd.org wrote: On Wed, Apr 15, 2015 at 09:38:23AM +0200, Luigi Rizzo wrote: LWith the new ifnet KPI, that is now being developed in projects/ifnet, L the ALTQ will need some tweaking. It is discontinued by initial author L for

Re: VIMAGE + pf security fix?

2014-11-20 Thread Ermal Luçi
The fix for that was imported with the new import of pf(4) AFAIR. On Thu, Nov 20, 2014 at 7:07 PM, Craig Rodrigues rodr...@freebsd.org wrote: On Wed, Nov 19, 2014 at 6:05 AM, Bjoern A. Zeeb b...@freebsd.org wrote: For people to use pf with VIMAGE we first MUST have the security fix

Re: Checksumming outgoing packets in PF vs in ip[6]_output

2014-11-14 Thread Ermal Luçi
Yes confirmed it will solve that issue as well. On Thu, Nov 13, 2014 at 9:30 PM, J David j.david.li...@gmail.com wrote: On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin i...@bakulin.de wrote: Of course it was interesting what does the upstream PF do (@ OpenBSD). Seems they have made the

Re: Checksumming outgoing packets in PF vs in ip[6]_output

2014-11-14 Thread Ermal Luçi
for Ermal to send an updated version of his patch that may really solve the problem! On 2014-11-14 09:17, Ermal Luçi wrote: Yes confirmed it will solve that issue as well. On Thu, Nov 13, 2014 at 9:30 PM, J David j.david.li...@gmail.com wrote: On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin i

Re: Checksumming outgoing packets in PF vs in ip[6]_output

2014-11-14 Thread Ermal Luçi
completely :-( So I'm waiting for Ermal to send an updated version of his patch that may really solve the problem! On 2014-11-14 09:17, Ermal Luçi wrote: Yes confirmed it will solve that issue as well. On Thu, Nov 13, 2014 at 9:30 PM, J David j.david.li...@gmail.com wrote: On Wed, Nov

Re: Broken IPsec + enc +pf/ipfw

2014-10-22 Thread Ermal Luçi
On Wed, Oct 22, 2014 at 9:28 PM, Matthew Grooms mgro...@shrew.net wrote: On 10/21/2014 1:39 PM, Kyle Williams wrote: On Tue Oct 21 11:35:15 2014, Matthew Grooms wrote: Hey Kyle, Thanks for lending a hand. I tested a few myself last night but had no luck. This morning I received an email

Re: [Bug 193053] ixgbe(4) IXGBE_LEGACY_TX + ALTQ path broken

2014-10-02 Thread Ermal Luçi
In pfSense the driver has been modified to compile a hybrid mode. Meaning have activated both LEGACY and new transmit queue model. It works correctly and avoids the problems of recompiling with ALTQ. It also solves the problem on having performance impacts when ALTQ is not in use. There are

Re: pf stuck

2014-09-29 Thread Ermal Luçi
Probably is better you ask this on freebsd-pf@. Though this sounds like state limit reached. On Mon, Sep 29, 2014 at 7:32 PM, Andrea Venturoli m...@netfence.it wrote: Hello. Today a box of mine (8.4p16/amd64) stopped working as a router; I don't have a clear picture, but the internal nets

Re: IP fast forwarding and setkey

2014-09-21 Thread Ermal Luçi
If for you is an option pfSense has all the hard work done for you and you can use it for such installations. On Sun, Sep 21, 2014 at 12:08 PM, Paul S. cont...@winterei.se wrote: Hi folks, I plan to make an edge router out of a freebsd system with OpenBGPD + FreeBSD 10, or such. I've been

Re: IP fast forwarding and setkey

2014-09-21 Thread Ermal Luçi
be worth it to just try to build their fork, if that's the case. Thank you for responding! Yeah OpenBGPd port of pfSense has the support for installing SPDs without setkey. On 9/21/2014 午後 07:26, Ermal Luçi wrote: If for you is an option pfSense has all the hard work done for you and you can

Re: 9/STABLE Panic at netisr_dispatch_src w/ em(4) + PF

2014-05-03 Thread Ermal Luçi
From experience LEGACY_TX + ALTQ is not usable and it will panic similar to what you have shown above. I had to fix this for pfSense and the only way to get a stable driver was to have both if_transmit and if_start model activated in the driver. Finding the paths that needs this 'hybrid' is a bit

Re: Some gruesome moments with performance of FreeBSD at over 20K interfaces

2014-04-10 Thread Ermal Luçi
From experience with large number of interfaces and configuring them. It's not that the kernel cannot handle it the problem is that you call generic utilities to do this job. I.E. to setup an ip on the interface ifconfig has first to get the whole list of interfaces to determine if that interface

Re: Re[2]: Some gruesome moments with performance of FreeBSD at over 20K interfaces

2014-04-10 Thread Ermal Luçi
Another note related to Q-in-Q. You would probably be better off creating standard vlans for the first vlan layer and use ng_vlan for the second++ part of the Q-in-Q on top of the first ones. This also gives better usability and will speed up a bit your times. On Thu, Apr 10, 2014 at 1:22 PM,

Re: netisr 0 : %100 and other netisr threads are waiting

2014-04-05 Thread Ermal Luçi
Hello, what are you using to divert packets, ipfw(4) or pf(4)? Can you show your configuration on that as well! On Fri, Apr 4, 2014 at 6:54 AM, Özkan KIRIK ozkan.ki...@gmail.com wrote: Hi, I am trying to use suricata on FreeBSD 10 amd64. FreeBSD behaves as a VLAN router and NAT Box.

Re: Using pf.conf with public access points.

2014-03-10 Thread Ermal Luçi
Usually pf(4) does support having dynamic ips inside its ruleset. For example just putting the interface name as address or putting $iface:0 for first address etc... Take a look at the man page of pf.conf and search for the string 'Interface names and interface group names can' On Sun, Mar 9, 2014

Re: FreeBSD:: How to set VLAN priority?

2013-06-26 Thread Ermal Luçi
This is a patch originally written from rwatson@ iirc. https://github.com/pfsense/pfsense-tools/blob/master/patches/RELENG_10_0/pf_802.1p.diff Remove the pf(4) craft and it should work for you. On Wed, Jun 26, 2013 at 6:27 PM, John-Mark Gurney j...@funkthat.com wrote: Alex Liptsin wrote

Re: [PATH] ALTQ(9) codel algorithm implementation

2013-06-14 Thread Ermal Luçi
On Fri, Jun 14, 2013 at 12:34 PM, Andre Oppermann an...@freebsd.org wrote: On 14.06.2013 11:51, Gleb Smirnoff wrote: Ermal, On Mon, Jun 10, 2013 at 03:43:12PM +0200, Ermal Luçi wrote: E at location [1] can be found a patch for Codel[3] algorithm implementation. E E Triggered by a mail

Re: [PATCH] stf(4) 6rd implementation

2013-06-12 Thread Ermal Luçi
On Wed, Jun 12, 2013 at 10:02 AM, Hiroki Sato h...@freebsd.org wrote: Ermal Luçi e...@freebsd.org wrote in capbzqg3rn-weh-cka-qxf+-3lyjm9s6nzrskz5cxng5lzty...@mail.gmail.com: er Hello, er er at location [1] can be found a patch for making stf(4) understand 6rd. er It supports variable

Re: [PATCH] multiple instances of ipfw(4)

2013-06-11 Thread Ermal Luçi
Hello Luigi, On Mon, Jun 10, 2013 at 7:30 PM, Luigi Rizzo ri...@iet.unipi.it wrote: On Mon, Jun 10, 2013 at 06:52:01PM +0200, Ermal Luçi wrote: On Mon, Jun 10, 2013 at 5:01 PM, Luigi Rizzo ri...@iet.unipi.it wrote: ... if I understand well, this has no runtime overhead as the ifp has

Re: [PATCH] dummynet(4) patch for pf(4)

2013-06-11 Thread Ermal Luçi
Hello, I made the corrections to the patch to make it more readable. Can some other eyes give a look and say if that have anything against it. Patch is at same location. On Mon, Jun 10, 2013 at 4:01 PM, Luigi Rizzo ri...@iet.unipi.it wrote: On Mon, Jun 10, 2013 at 03:45:01PM +0200, Ermal Luçi

[PATCH] stf(4) 6rd implementation

2013-06-11 Thread Ermal Luçi
Hello, at location [1] can be found a patch for making stf(4) understand 6rd. It supports variable masks for the ipv4 network as well. The patch has been tested on pfSense. It adds to new option to ifconfig for defining the 6rd border router at ISP. ifconfig $stf stfv4net $ipv4network/$mask

Re: [PATCH] multiple instances of ipfw(4)

2013-06-10 Thread Ermal Luçi
Hello, reviving this old thread since I had time to bring the patch to FreeBSD 10 and unified the whole controlling under ipfw(8) binary. For reminder, the patch located at [1] provides multiple instances for ipfw(4). Basically you can control which interfaces belong to which context/ruleset to

[PATH] ALTQ(9) codel algorithm implementation

2013-06-10 Thread Ermal Luçi
Hello, at location [1] can be found a patch for Codel[3] algorithm implementation. Triggered by a mail to the mailing lists[2] of OpenBSD I completed the implementation for FreeBSD. It allows to use codel as the single configured discipline on an interface. Also it can be used as a sub

[PATCH] CARP using rw locks and unified timer

2013-06-10 Thread Ermal Luçi
Hello, at the location [1] is a patch for making carp(4): - use rw locks - unify the timers in carp to a single one for accuracy and predictability This patch has been tested in pfSense for a long time and recently it has been moved to FreeBSD 10. It also fixed some races and LORs present in the

[PATCH] dummynet(4) patch for pf(4)

2013-06-10 Thread Ermal Luçi
Hello, the patch at location [1] implements support for dummynet into pf(4). The patch has been tested and confirmed working without issues into pfSense. Any objections to integrating this into FreeBSD? [1]

Re: [PATCH] multiple instances of ipfw(4)

2013-06-10 Thread Ermal Luçi
On Mon, Jun 10, 2013 at 5:01 PM, Luigi Rizzo ri...@iet.unipi.it wrote: On Mon, Jun 10, 2013 at 3:30 PM, Ermal Luçi e...@freebsd.org wrote: Hello, reviving this old thread since I had time to bring the patch to FreeBSD 10 and unified the whole controlling under ipfw(8) binary

Re: forwarding/ipfw/pf evolution (in pps) on -current

2013-04-26 Thread Ermal Luçi
Hello, would you mind running a performance test with a snapshot of tomorrow from this link http://snapshots.pfsense.org/ There are some optimizations in pfSense and it would be nicer to compare to FreeBSD itself how it behaves. That is before the lock changes in HEAD since it's FreeBSD 8.

Re: Best way for an app to accept traffic on 30,000+ interfaces?

2013-03-21 Thread Ermal Luçi
On Thu, Mar 21, 2013 at 1:59 AM, Mark D markd-freebsd-...@bushwire.net wrote: (Hopefully this isn't too out-of-scope for this list..) I have an application in mind that I'd like to have accept/respond to UDP queries sent to perhaps 30K contiguous IP addresses (most likely IPV6 addresses

Re: Best way for an app to accept traffic on 30,000+ interfaces?

2013-03-21 Thread Ermal Luçi
On Thu, Mar 21, 2013 at 2:54 PM, Fleuriot Damien m...@my.gd wrote: On Mar 21, 2013, at 9:25 AM, Ermal Luçi e...@freebsd.org wrote: On Thu, Mar 21, 2013 at 1:59 AM, Mark D markd-freebsd-...@bushwire.net wrote: (Hopefully this isn't too out-of-scope for this list..) I have

Re: Quagga not support password for neighbor

2013-03-21 Thread Ermal Luçi
You need a kernel with TCP_SIGNATURE option and insert policy routes with setkey. On Thu, Mar 21, 2013 at 4:06 PM, Vladislav Prodan univers...@ukr.net wrote: FreeBSD 8.2-STABLE quagga-0.99.21 Free RIPv1, RIPv2, OSPFv2, BGP4, IS-IS route software BGP.as1(config-router)# neighbor

Re: carp regression in 9.1 ?

2013-03-17 Thread Ermal Luçi
On Sun, Mar 17, 2013 at 11:03 AM, Eugene M. Zheganin e...@norma.perm.ru wrote: Hi. On 14.03.2013 20:47, Fleuriot Damien wrote: I'm experiencing this odd behavior with 9.1 r24791 for amd64. You should definitely sit on 8.x until 10.x will become stable, or upgrade to 10.x from 9.x (at

Re: [patch] Source entries removing is awfully slow.

2013-03-11 Thread Ermal Luçi
On Mon, Mar 11, 2013 at 4:05 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: There are some things I find flawed in your patch: 1. +#if 0 if (killed 0) pf_purge_expired_src_nodes(1); +#endif This means that after using `pfctl -K` the src

Re: [patch] Source entries removing is awfully slow.

2013-03-09 Thread Ermal Luçi
On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Dnia piątek, 8 marca 2013 o 21:11:43 Ermal Luçi napisał(a): Is this FreeBSD 9.x or HEAD? I found the problem and developed the patch on 9.1. Can you please test this more 'beautiful' patch. It's similar

Re: [patch] Source entries removing is awfully slow.

2013-03-09 Thread Ermal Luçi
Also do not forget to rebuild pfctl so that statistics are shown correctly. On Sat, Mar 9, 2013 at 1:14 PM, Ermal Luçi e...@freebsd.org wrote: On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Dnia piątek, 8 marca 2013 o 21:11:43 Ermal Luçi napisał

Re: [patch] Source entries removing is awfully slow.

2013-03-09 Thread Ermal Luçi
On Sat, Mar 9, 2013 at 2:37 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Dnia sobota, 9 marca 2013 o 13:14:16 Ermal Luçi napisał(a): On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Dnia piątek, 8 marca 2013 o 21:11:43 Ermal Luçi napisał

Re: [patch] interface routes

2013-03-08 Thread Ermal Luçi
On Thu, Mar 7, 2013 at 2:51 PM, Andre Oppermann an...@freebsd.org wrote: On 07.03.2013 14:38, Ermal Luçi wrote: On Thu, Mar 7, 2013 at 12:55 PM, Andre Oppermann an...@freebsd.org wrote: On 07.03.2013 12:43, Alexander V. Chernikov wrote: On 07.03.2013

Re: [patch] Source entries removing is awfully slow.

2013-03-08 Thread Ermal Luçi
Is this FreeBSD 9.x or HEAD? On Fri, Mar 8, 2013 at 2:19 PM, Kajetan Staszkiewicz veg...@tuxpowered.net wrote: Hello there! In my environment, where I use FreeBSD machines as loadbalancers, after a server is detected as dead, loadbalancer removes the broken server from a table used in

Re: [patch] interface routes

2013-03-07 Thread Ermal Luçi
On Thu, Mar 7, 2013 at 12:55 PM, Andre Oppermann an...@freebsd.org wrote: On 07.03.2013 12:43, Alexander V. Chernikov wrote: On 07.03.2013 11:39, Andre Oppermann wrote: On 07.03.2013 07:34, Alexander V. Chernikov wrote: Hello list! There is a known long-lived issue with interface routes

Re: Default route changes unexpectedly

2013-03-06 Thread Ermal Luçi
On Wed, Mar 6, 2013 at 9:38 AM, Krzysztof Barcikowski krzys...@airnet.opole.pl wrote: W dniu 2013-03-06 09:25, Andre Oppermann pisze: Can you describe your traffic forwarding setup in more detail? Is it only pf, or do you run netgraph, or other things as well? Do you use flow routing?

Re: ng_ether naming

2013-01-27 Thread Ermal Luçi
Hello, it looks good, for just interface renaming scope. The problem of it is that you need to check if the ifnet pointer needs updated as well. For coming and going interfaces like vlans you would have to update some pointers as well at least the ifnet one. The complete patch would rather

Re: igb and ALTQ in 9.1-rc3

2012-12-11 Thread Ermal Luçi
On Tue, Dec 11, 2012 at 2:05 PM, Barney Cordoba barney_cord...@yahoo.com wrote: --- On Tue, 12/11/12, Gleb Smirnoff gleb...@freebsd.org wrote: From: Gleb Smirnoff gleb...@freebsd.org Subject: Re: igb and ALTQ in 9.1-rc3 To: Jack Vogel jfvo...@gmail.com Cc: Clement Hermann (nodens)

Re: igb and ALTQ in 9.1-rc3

2012-12-11 Thread Ermal Luçi
On Tue, Dec 11, 2012 at 3:56 PM, Karim Fodil-Lemelin fodillemlinka...@gmail.com wrote: On 11/12/2012 9:15 AM, Ermal Luçi wrote: On Tue, Dec 11, 2012 at 2:05 PM, Barney Cordoba barney_cord...@yahoo.com wrote: --- On Tue, 12/11/12, Gleb Smirnoff gleb...@freebsd.org wrote: From: Gleb

Re: igb and ALTQ in 9.1-rc3

2012-12-11 Thread Ermal Luçi
On Tue, Dec 11, 2012 at 9:06 PM, Karim Fodil-Lemelin fodillemlinka...@gmail.com wrote: On 11/12/2012 11:27 AM, Ermal Luçi wrote: On Tue, Dec 11, 2012 at 3:56 PM, Karim Fodil-Lemelin fodillemlinka...@gmail.com wrote: On 11/12/2012 9:15 AM, Ermal Luçi wrote: On Tue, Dec 11, 2012 at 2:05

ipfw(4) dynamic states/rules and its callout

2012-12-06 Thread Ermal Luçi
Hello, I was looking at ipfw dynamic code for dynamic states/rules and see that it unconditionally schedules a callout even if there is no work to do. Wouldn't it be best to reschedule it when there is something to do to avoid having a useless callout/event run every time on the system? Is

Re: IPv6 aliases don't work on carp interface

2012-10-31 Thread Ermal Luçi
On Wed, Oct 31, 2012 at 9:59 AM, tsaregorodtsev.de...@itmh.ru tsaregorodtsev.de...@itmh.ru wrote: Hi, I've run into a problem while adding IPv6 aliases on carp interface on FreeBSD 8.1. All IPv6 aliases on carp interface are unreachable from other devices but the first IPv6 on carp interface

Re: IPv6 aliases don't work on carp interface

2012-10-31 Thread Ermal Luçi
On Wed, Oct 31, 2012 at 10:56 AM, Gleb Smirnoff gleb...@freebsd.org wrote: Denis, On Wed, Oct 31, 2012 at 02:59:48PM +0600, tsaregorodtsev.de...@itmh.ru wrote: t I've run into a problem while adding IPv6 aliases on carp interface on FreeBSD 8.1. t All IPv6 aliases on carp interface are

Re: IPv6 aliases don't work on carp interface

2012-10-31 Thread Ermal Luçi
On Wed, Oct 31, 2012 at 1:21 PM, tsaregorodtsev.de...@itmh.ru tsaregorodtsev.de...@itmh.ru wrote: On 31.10.2012 16:42, Ermal Luçi wrote: On Wed, Oct 31, 2012 at 9:59 AM, tsaregorodtsev.de...@itmh.ru tsaregorodtsev.de...@itmh.ru wrote: Hi, I've run into a problem while adding IPv6 aliases

Re: [PATCH] resolve byte order mess in ip_input/ip_output/pfil(9)

2012-10-05 Thread Ermal Luçi
Hello Gleb, it would be better to switch to net byte order all over rather than trade one for the other. This makes it even more tricky to understand the code than it is. If you do the work it's better to do the full thing in one shot and switch to netbyte order. speaking of pf(4) side of things

Re: GIF tunnel doesnt like fragmented packets?

2012-07-11 Thread Ermal Luçi
On Wed, Jul 11, 2012 at 4:27 AM, Chris Benesch chris.bene...@gmail.com wrote: So I'm trying to set up a tunnel with Hurricane Electric. Works great on OpenBSD BTW, took only a minute or two. There is no support for fragmented ipv6 packets in pf(4) for FreeBSD. So here's rc.conf

Re: [CFT] SMP-friendly pf

2012-06-08 Thread Ermal Luçi
On Fri, Jun 8, 2012 at 8:17 AM, Gleb Smirnoff gleb...@freebsd.org wrote:  Hello, networkers!  [net@ in Cc, but further discussion should go on pf@]  As you already probably know, or some may be don't yet know, the pf(4) subsystem in FreeBSD is currently working under a single mutex. This

Re: [PATCH] multiple instances of ipfw(4)

2012-02-08 Thread Ermal Luçi
2012/2/8 Gleb Smirnoff gleb...@freebsd.org: On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote: L if i understand what the patch does, i think it makes sense to be L able to hook ipfw instances to specific interfaces/sets of interfaces, L as it permits the writing of more readable

Re: [PATCH] multiple instances of ipfw(4)

2012-02-02 Thread Ermal Luçi
On Tue, Jan 31, 2012 at 12:02 PM, Luigi Rizzo ri...@iet.unipi.it wrote: On Mon, Jan 30, 2012 at 01:01:13PM +0100, Ermal Luçi wrote: Hello, from needs on pfSense a patch for allowing multiple instances of ipfw(4) in kernel to co-exist was developed. It can be found here

Re: [PATCH] multiple instances of ipfw(4)

2012-01-31 Thread Ermal Luçi
On Mon, Jan 30, 2012 at 10:08 PM, Vadim Goncharov vadim_nucli...@mail.ru wrote: Hi Ermal Luçi! On Mon, 30 Jan 2012 13:01:13 +0100; Ermal Luçi wrote about '[PATCH] multiple instances of ipfw(4)': from needs on pfSense a patch for allowing multiple instances of ipfw(4) in kernel to co-exist

[PATCH] multiple instances of ipfw(4)

2012-01-30 Thread Ermal Luçi
Hello, from needs on pfSense a patch for allowing multiple instances of ipfw(4) in kernel to co-exist was developed. It can be found here https://raw.github.com/bsdperimeter/pfsense-tools/master/patches/RELENG_9_0/CP_multi_instance_ipfw.diff It is used in conjunction with this tool

Re: [PATCH] multiple instances of ipfw(4)

2012-01-30 Thread Ermal Luçi
On Mon, Jan 30, 2012 at 3:36 PM, Ivan Voras ivo...@freebsd.org wrote: On 30/01/2012 13:01, Ermal Luçi wrote: Surely i know that this is not the best way to implement generically ... probably, because it's similar to VNET... It depends on the comparison. The same argument would hold true

Re: pf not seeing inbound packets on netgraph interface

2012-01-04 Thread Ermal Luçi
On Wed, Jan 4, 2012 at 5:29 AM, Ed Carrel aza...@carrel.org wrote: Hi freebsd-net, I originally sent this to -questions@, but was redirected here by that list. My original question is below: I am running into a roadblock getting PF to filter traffic on a Netgraph interface representing an

Re: Transitioning if_addr_lock to an rwlock

2011-12-28 Thread Ermal Luçi
2011/12/27 Gleb Smirnoff gleb...@freebsd.org: On Tue, Dec 27, 2011 at 11:29:02AM +0100, Ermal Luçi wrote: E 2011/12/27 Gleb Smirnoff gleb...@freebsd.org: E On Thu, Dec 22, 2011 at 11:30:01AM -0500, John Baldwin wrote: E J You can find the patch for 8.x at E J

Re: Transitioning if_addr_lock to an rwlock

2011-12-27 Thread Ermal Luçi
2011/12/27 Gleb Smirnoff gleb...@freebsd.org: On Thu, Dec 22, 2011 at 11:30:01AM -0500, John Baldwin wrote: J You can find the patch for 8.x at J http://www.freebsd.org/~jhb/patches/if_addr_rwlock.patch Just my two pennies: for head/ patching if ip_carp.c should be straightforward: 1)

Re: Arg. TCP slow start killing me.

2011-11-14 Thread Ermal Luçi
On Mon, Nov 14, 2011 at 7:54 AM, Erich Weiler wei...@soe.ucsc.edu wrote: Have you considered empty ACK prioritization? I implemented this a year ago on a pair of production edge routers and noticed significant improvement on throughput. I have production code examples if you require them, but

Re: carp for IPv6?

2011-07-05 Thread Ermal Luçi
On Tue, Jul 5, 2011 at 7:32 AM, Michael Sinatra mich...@rancid.berkeley.edu wrote: On 07/04/11 21:29, Doug Barton wrote: On 07/04/2011 21:20, Doug Barton wrote: On 07/04/2011 20:26, Michael Sinatra wrote: On 07/04/11 19:59, Doug Barton wrote: If I try to set up a carp interface for IPv6

Re: [PATCH] New feature in Packet Filter

2011-04-07 Thread Ermal Luçi
On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor quentin.nar...@gmail.com wrote: Hello, My name is Quentin Narvor and I am currently working on intrusion detection. I use Freebsd 8.2 and I recently needed pf to be able to dynamically fill in tables according pass rule. For performances

Re: [PATCH] New feature in Packet Filter

2011-04-07 Thread Ermal Luçi
On Thu, Apr 7, 2011 at 5:14 PM, Quentin Narvor quentin.nar...@gmail.com wrote: 2011/4/7 Ermal Luçi e...@freebsd.org On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor quentin.nar...@gmail.com wrote: Hello, My name is Quentin Narvor and I am currently working on intrusion detection. I use

Re: mpd- no ng_l2tp coming up

2011-03-18 Thread Ermal Luçi
On Fri, Mar 18, 2011 at 3:25 PM, Da Rock freebsd-...@herveybayaustralia.com.au wrote: On 03/19/11 00:03, Mike Tancsa wrote: On 3/18/2011 6:44 AM, Da Rock wrote: First, the connection from Android (apparently uses mtpd- I just found out) fails at SCCRP- apparently it doesn't respond to the

Re: SIP module for libalias?

2010-12-28 Thread Ermal Luçi
2010/12/28 Lev Serebryakov l...@serebryakov.spb.ru: Hello, Freebsd-net.  Is  here  any plans to write SIP module for libalias? It seems, that some alternative packet filters/NATs have support for SIP, like we have for FTP.  Is here any good solution for SIP via ipfw-nat other than

[PATCH] pf(4) patch from OpenBSD 4.5

2010-10-18 Thread Ermal Luçi
Hello, the link http://people.freebsd.org/~eri/pf45_1.diff has the patch for pf(4) as of OpenBSD 4.5 version. The patch is against HEAD. After OpenBSD 4.5 the syntax has changed and this is the reason for such an 'old' version patch. After importing this one the work will go on the newest

Re: Unknown Behavior of PF+ALTQ on a Bridge

2010-06-24 Thread Ermal Luçi
On Thu, Jun 24, 2010 at 3:12 PM, Rafael Henrique Faria rafaelhfa...@cenadigital.com.br wrote: Hi. I'm working on a Bridge between a router Cisco 7200, and a 3Com 7900 switch. I have several subnetworks, and I need to balance the bandwidth between them. The Bridge is running: FreeBSD dell05

Re: Unknown Behavior of PF+ALTQ on a Bridge

2010-06-24 Thread Ermal Luçi
2010/6/24 Rafael Henrique Faria rafaelhfa...@cenadigital.com.br: Just to be more clean: My pf.conf: wan_if=bce0 set limit { states 10, frags 2 } set loginterface $wan_if set optimization normal set block-policy drop set fingerprints /etc/pf.os set skip on lo altq on

[PATCH] ipfw pipe bandwidth parameter parser.

2010-06-14 Thread Ermal Luçi
Hello, on FreeBSD-STABLE at least ipfw wrongly interprets dummynet configurations of the type: pipe 10 config bw 1.5Mb ^^^ as being 1bit/s configuration. Which is quite wrong in real production usage. This simple patch fixes it http://tinyurl.com/33j6odw. I am not

Re: Is this correct?

2010-04-02 Thread Ermal Luçi
On Fri, Apr 2, 2010 at 7:11 PM, Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net wrote: On Fri, 19 Mar 2010, Ermal Luçi wrote: Hi, Shouldn't this check be if (m-m_len sizeof (struct ip)) { instead of if (m-m_len sizeof (struct ip)) { Should it be or = ? I would say = since that is what

Is this correct?

2010-03-19 Thread Ermal Luçi
Shouldn't this check be if (m-m_len sizeof (struct ip)) { instead of if (m-m_len sizeof (struct ip)) { in http://fxr.watson.org/fxr/source/netipsec/ipsec.c?im=excerpts#L595 Regards, -- Ermal

CSUM_TSO question...

2010-02-23 Thread Ermal Luçi
Hello all, I was reading ip_output() code today and stumbled across this http://fxr.watson.org/fxr/source/netinet/ip_output.c#L587. Can anybody shed any light on the check being done ? (m-m_pkthdr.csum_flags ifp-if_hwassist CSUM_TSO) != 0 || Shouldn't it be just (m-m_pkthdr.csum_flags

Re: kern/141646: [em] em(4) + lagg(4) + vlan(4) generates ISL-tagged frames instead of 802.1q-tagged frames

2010-02-05 Thread Ermal Luçi
On Fri, Jan 29, 2010 at 11:47 PM, Jack Vogel jfvo...@gmail.com wrote: What's with the encrypted messages entered in this bug suddenly? An important update - I have root caused this. Turns out its kinda interesting. The reason there is a problem is due to the stacked pseudo devices, since

Ng_ether and its hook names.

2009-11-13 Thread Ermal Luçi
Hello, is there any reason that ng_ether does not have a event handler for interface changes? I am asking this since it would be reasonable to expect that when an interface name changes or an interface disappears ng_ether does the right action of renaming the hook or removing altogether. If it

How does one build ng_vlan(4) inside the kernel?!

2009-11-10 Thread Ermal Luçi
Hello list, I searched for this but could not find an answer. How does one build ng_vlan as part of the kernel? NETGRAPH_VLAN does not exist as an option to include in the kernel and when building ng_vlan as a module and you use a gzipped kernel the module does not load since it says kernel is a

Re: How does one build ng_vlan(4) inside the kernel?!

2009-11-10 Thread Ermal Luçi
On Tue, Nov 10, 2009 at 5:11 PM, pluknet pluk...@gmail.com wrote: 2009/11/10 Ermal Luçi ermal.l...@gmail.com: Hello list, I searched for this but could not find an answer. How does one build ng_vlan as part of the kernel? NETGRAPH_VLAN does not exist as an option to include in the kernel
