rebind 2 2022/6/28 12:40:06;
expire 2 2022/6/28 18:40:06;
}
A+
Dave
--
Marek Zarychta
OpenPGP_signature
Description: OpenPGP digital signature
in on egress inet proto tcp from ! to
$internal_server port ...
depending on the desired behavior and the complete set of rules.
It's also worth mentioning here that PF-specific FreeBSD mailing list
exists: freebsd...@freebsd.org
Regards,
--
Marek Zarychta
On 25.08.2022 at 11:32, Carlos López Martínez wrote:
On 25/08/2022 11:26, Marek Zarychta wrote:
On 25.08.2022 at 10:48, Carlos López Martínez wrote:
But under FreeBSD when I try to combine "pass" with "rdr" rules, it
doesn't work. For example:
rdr on egress
r audience and support. Is the survey
on Twitter required?
Cheers
--
Marek Zarychta
urged with time.
[1] https://cgit.freebsd.org/src/tree/sys/net/toeplitz.c
[2]
https://github.com/DragonFlyBSD/DragonFlyBSD/blob/master/sys/net/toeplitz.c
[3] https://cgit.freebsd.org/src/tree/sys/net/toeplitz.h
Yours sincerely
--
Marek Zarychta
required in one of the jails.
Cheers
--
Marek Zarychta
On 19.03.2023 at 14:42, tue...@freebsd.org wrote:
On 19. Mar 2023, at 14:12, Marek Zarychta wrote:
Dear subscribers of the list,
TCP algo modules can be loaded/unloaded/changed on the fly. In FreeBSD
14-CURRENT one can even change it on an active socket with tcpsso(8) utility,
but there
On Sun, Mar 19, 2023 at 06:35:29PM +0100, tue...@freebsd.org wrote:
> > On 19. Mar 2023, at 16:59, Marek Zarychta
> > wrote:
> >
> > On 19.03.2023 at 14:42, tue...@freebsd.org wrote:
> >>> On 19. Mar 2023, at 14:12, Marek Zarychta
> >>
https://cgit.freebsd.org/src/tree/sys/net/if_bridge.c#n1206
Cheers
--
Marek Zarychta
On 15.01.2024 at 15:35, Michael Grimm wrote:
route_tunnel0="fd00:a:a:a::/64 fd00:a:a:a::254"
Please try:
route_tunnel0="-6 -net fd00:a:a:a::/64 fd00:a:a:a::254"
--
Marek Zarychta
Linux emulation though. Anyway, without options NETLINK or
netlink.ko module loaded it won't be possible as rtsock interface
doesn't support that.
Cheers
--
Marek Zarychta
ke it hasn't been
fully implemented, so I believed Linux iproute2 tools might be required.
--
Marek Zarychta
onfig vlan8 create vlandev bge0 vlan 8 up
# ifconfig vlan8 inet6 -ifdisabled auto_linklocal
# route add -net 10.11.13.0/24 -inet6 fe80::360a:11ff:fe1b:404e%vlan8
add net 10.11.13.0: gateway fe80::360a:11ff:fe1b:404e%vlan8 fib 0
--
Marek Zarychta
On 13.03.2024 at 18:59, Marek Zarychta wrote:
On 13.03.2024 at 16:31, Benoit Chesneau wrote:
Hrm I thought it was implemented via
https://reviews.freebsd.org/rG62e1a437f3285e785d9b35a476d36a469a90028d
Wasn't it merged ? (also pretty sure I did test it in freebsd 13).
FWIW: it
routes be stored).
It's also possible to set and use non-default FIB for DNS lookups and
maintenance tasks like pkg upgrade (setfib -1 pkg ). This approach
is probably more straightforward to conduct.
--
Marek Zarychta
nge
proposed for the legacy IP protocol?
--
Marek Zarychta
Today Michael Sierchio wrote:
There is an argument to be made that all such components of the "base"
system should be packages, and managed that way. That would
facilitate removal or addition of things like MTAs, Route daemons for
various protocols, etc. and permit them to be updated independ
245103
4. https://github.com/freebsd/freebsd-src/blob/main/sys/netinet6/icmp6.c#L2735
Best regards
--
Marek Zarychta
On 7.06.2024 at 15:55, Zhenlei Huang wrote:
As discussed with Marek in Telegram, those look pretty safe to MFC. I can do
the MFC if no explicit objections.
Great to hear !
--
Marek Zarychta
e are neglecting the IPv6 field
again and this is our common sin.
--
Marek Zarychta
recommend specific
> deployment scenarios? I've seen references to netgraph which could be
> used with jails. Does it have better performance and scalability and
> could replace epair and bridge combination?
>
> Thanks.
Have you tried to use kernel built with "options RSS" ?
From my experience it could help in some specific scenarios.
--
Marek Zarychta
Building another module that would add the necessary IPSEC_SUPPORT
> knobs so TCPMD5 loads without needing to modify the shipped kernel?
>
+1
It would be even better to exchange IPSEC with IPSEC_SUPPORT in GENERIC.
Both modules: IPSEC as well as TCPMD5 could be loaded at boot time or later.
Best regards,
--
Marek Zarychta
signature.asc
Description: PGP signature
asy and elegant way to solve this? Like binding IP address
> to fib? I wouldn't like to have to fire up pf on host and meddle with
> reply-to rules in order to achieve this, I'd rather revert to old setup
> of separate physical servers for each network.
>
Hi,
try to set "ifconfig bce1 fib 2" after disabling PF.
This should do the work.
--
Marek Zarychta
On Tue, Oct 17, 2017 at 08:28:16PM +0200, Marko Cupać wrote:
> On Mon, 16 Oct 2017 20:07:28 +0200
> Marek Zarychta wrote:
>
> > Hi,
> >
> > try to set "ifconfig bce1 fib 2" after disabling PF.
> > This should do the work.
>
> Hi Mare
aces do not support TX/RX checksums in hardware TCP MD5
signatures seem to be incorrect on 11.1-STABLE.
It wasn't documented anywhere, I have changed NICs.
See the original thread:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219453
Best regards,
--
Marek Zarychta
ten as a CGI script in Perl or PHP.
I also recommend incorporating net-mgmt/pftabled to manage the PF table
directly from this portal without any risk of privilege escalation.
Bear also in mind that all initial client requests should be redirected
by HTTP server with "Status: 302 Moved" r
iple interfaces (i.e.
> so that the additional igb0-3 effectively work as a 4-port switch)?
>
Please consider bonding all NICs as one bridge(4) interface. Then
multiple IPs could be assigned to such interface.
--
Marek Zarychta
here
>
> And when the interface associates it gives the output attached below for
> ifconfig and netstat; but nothing is working, esp. not
There is net/dual-dhclient in ports. Please give it a try.
#pkg install dual-dhclient
Then add these lines to /etc/rc.conf:
rtsold_enable="YES"
dhclient_program="/usr/local/sbin/dual-dhclient"
wlans_ath0="wlan0"
ifconfig_wlan0="country DE WPA SYNCDHCP"
ifconfig_wlan0_ipv6="inet6 accept_rtadv"
# and optionally
#ipv6_privacy="YES"
This should do the work.
--
Marek Zarychta
, dst 2001:xyz:zxy::f00b,
nxt 58, rcvif vlan4, outif vlan2
Dear subscribers, could you please prompt how to get rid of this noise?
So far I have not found appropriate sysctl for disabling these messages.
--
Marek Zarychta
not forward src
> >> fe80:10::yxz:a50f:fc89:e1a0, dst 2001:xyz:zxy::f00b, nxt 58, rcvif vlan4,
> >> outif
> >> vlan2
> >>
> >> Dear subscribers, could you please prompt how to get rid of this noise?
> >> So far I have not found appropriate sysctl
for reporting!
>
Thank you for the expedited fix in both STABLE branches. I can confirm
that issue has been resolved.
--
Marek Zarychta
these days and works
fine in 99% of network scenarios. On the other hand the ability to
completely disable legacy IP should be considered as well. Some people
consider IPv6 only network to be providing a sufficient degree of
freedom but in 2019 we still lack DHCPv6 client in base.
--
Marek Z
ould
> behave as if the loopback interface originates and forwards the
> packet.
>
> Or could I assign an explicit non-global scope to the tunnel address?
> Or ... (whatever works). Any help much appreciated.
>
Setting source address for MTA will be sufficient in this case. For
example Sendmail requires ClientPortOptions to be set in .mc config file:
CLIENT_OPTIONS(`Family=inet6, Addr=::1')
--
Marek Zarychta
t does the job.
pfctl -sr | wc -l
498
Any advice how to debug this or find triggering PF rule?
Why setting "WITHOUT_ASSERT_DEBUG=yes" is ignored by PF code?
--
Marek Zarychta
ep state
If your machine is not forwarding packets, then take a look at setfib(1)
because PF "route-to" is IMHO reserved for routing purposes only.
Best regards,
--
Marek Zarychta
On Thu, Apr 06, 2017 at 09:08:49AM +0200, Nils Beyer wrote:
> Marek Zarychta wrote:
> > pass in quick on $ext_if_1 \
> > [...]
> > pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
> > [...]
> > pass in quick on $ext_if_1 \
> > [...]
> > >
e. Always the same address which I'm trying to reach. How can I
> ensure that CARP address is never used as source for connections
> outgoing from Loadbalancer? I've read manpage of ifconfig but I've seen
> only flags regarding IPv6 address choice.
>
I believe this behavi
issue as non-exploitable on their systems?
[1]
https://lists.freebsd.org/pipermail/svn-src-all/2020-November/204977.html
--
Marek Zarychta
On 10/28/2020 4:27 PM, Alexander V. Chernikov wrote:
28.10.2020, 20:25, "Alexander V. Chernikov" :
28.10.2020, 18:34, "M
this implementation?
Best regards,
--
Marek Zarychta
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
On 21.01.2021 at 20:03, Marek Zarychta wrote:
Dear subscribers,
please let me know if it is possible to use IPv6 addressed endpoint
for the tunnel? I have tried to specify the address enclosed in []
followed by the port number, for example: [2001:db8:0:1::1]:54333,
have tried without it
uld be parsed if supplied in the correct form
ie.: [IPv6_address]:port.
Perhaps the endpoint length is not correctly calculated for IPv6 sockets
or there is an overflow which happens there?
Wed, 3 Feb 2021, 23:13 Marek Zarychta
mailto:zarych...@plan-b.pwste.edu.pl>>:
W dniu 21.
less#571)
rebuild_fd: switching algo to dpdk_lpm4
Should I be bothered about it?
With kind regards,
--
Marek Zarychta
On 24.02.2021 at 22:40, Alexander V. Chernikov wrote:
> 24.02.2021, 10:50, "Olivier Cochard-Labbé" :
>> On Wed, Feb 24, 2021 at 1:22 AM Marek Zarychta <
>> zarych...@plan-b.pwste.edu.pl> wrote:
>>
>>> >
>>>
>
>>>> the installer. Linode uses Linux/KVM hosts for their virtual machines so
>>>> it's running on that virtual adapter.
>>>>
>>>> I asked on the forums, another user recommended going to the mailing lists
>>>> instead. Does anyone know
On 16.03.2021 at 15:35, tue...@freebsd.org wrote:
>> On 16. Mar 2021, at 15:18, Marek Zarychta
>> wrote:
>>
>> On 16.03.2021 at 12:50, tue...@freebsd.org wrote:
>>>> On 16. Mar 2021, at 11:55, Blake Hartshorn
>>>> wrote:
>>>>
>
ot. I have other entries in sysctl.conf that work, did
> these sysctls change in 13?
>
Please try loading if_bridge from /boot/loader.conf to make it working.
According to rcorder(8) it looks like /etc/rc.d/sysctl is executed prior
to /etc/rc.d/kld.
--
Marek Zarychta
yet, since it seems to be not recognizable by arp(8).
Best regards,
--
Marek Zarychta
0 interface.
Is it known problem? Is anyone else experiencing this? Should a PR be
submitted in this case?
Regards,
--
Marek Zarychta
On 09.09.2021 at 16:28, Marek Zarychta wrote:
> Dear subscribers,
>
> after recent updates of wpa_supplicant in stable/13 my laptop can't
> connect to EPA/PEAP secured WiFi network. WPA2 secured connection works
> fine. I am using iwn(4) as the wlan(4) interface. It complet
not reported this since so far - no one
was able to confirm, so I suspected broken hardware or incompatible
switch firmware.
--
Marek Zarychta
sec
[ 5] 2.00-3.00 sec 118 MBytes 990 Mbits/sec
[ 5] 3.00-3.69 sec 81.8 MBytes 989 Mbits/sec
I am setting MTU to 8996 since early 13-BETA? or maybe PRERELEASE.
12-STABLE at the beginning of 2021 was fine with the default settings
and MTU 9000 set for igb(4) on the same hardware.
"mtu 9000 -vlanmtu -vlanhwtag -vlanhwfilter -vlanhwtso -vlanhwcsum
up"
It doesn't change anything. I am using workaround since the early
transition to 13 branch, but recently conducted small investigation and
finally submitted the PR[1]
[1] https://bugs.freebsd.org/bugzilla/sh
52 matches