Re: pf broken in 7.0-BETA1 ?

2007-10-28 Thread Abdullah Ibn Hamad Al-Marri
- Original Message 
 From: Per olof Ljungmark [EMAIL PROTECTED]
 To: Andrew Birukov [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Sunday, October 28, 2007 8:47:11 PM
 Subject: Re: pf broken in 7.0-BETA1 ?
 
 Andrew Birukov wrote:
 
  This problem affects 7.0 only.
  pf rules with tos in FreeBSD-6.2 work properly.
 
 Just a guess, could this be the problem?
 Warning: When browsing the pf user's guide, please keep in mind that 
 different versions of FreeBSD contain different versions of pf.
 
 I believe pf in 7 is based on OpenBSD 4.1.
 
 --per

I think this should be sent to [EMAIL PROTECTED] and stable, since RELENG_7 is 
branched.

Also the man isn't updated to reflect the changes in 7.0 yet :(

 

Regards, 
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/


___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]


pf broken in 7.0-BETA1 ?

2007-10-28 Thread Andrew Birukov


pf.conf:
---
ext_if=xl0

altq on $ext_if priq bandwidth 520Kb queue { ssh, traf }
queue ssh priority 1
queue traf  priority 15 priq(default)

pass in all
pass out all

pass out on $ext_if proto tcp from any to any tos 0x10 queue ssh
-

I connected to a remote host by ssh.
In tcpdump I see many packets with tos 0x10.

12:54:46.732928 IP (tos 0x10, ttl 64, id 12486, offset 0, flags [DF],
proto TCP (6), length 52) 10.15.25.2.56587 > 194.0.91.110.22: ., cksum
0x35d5 (correct), 1919:1919(0) ack 2832 win 8181 <nop,nop,timestamp
8630585 535444648>
12:54:46.746958 IP (tos 0x10, ttl 64, id 12487, offset 0, flags [DF],
proto TCP (6), length 100) 10.15.25.2.56587 > 194.0.91.110.22: P
1919:1967(48) ack 2832 win 8195 <nop,nop,timestamp 8630598 535444648>
12:54:46.900186 IP (tos 0x10, ttl 64, id 12488, offset 0, flags [DF],
proto TCP (6), length 52) 10.15.25.2.56587 > 194.0.91.110.22: ., cksum
0x33ec (correct), 1967:1967(0) ack 2944 win 8181 <nop,nop,timestamp
8630746 535444816>
12:54:46.915079 IP (tos 0x10, ttl 64, id 12489, offset 0, flags [DF],
proto TCP (6), length 100) 10.15.25.2.56587 > 194.0.91.110.22: P
1967:2015(48) ack 2944 win 8195 <nop,nop,timestamp 8630760 535444816>

tcpdump confirms that the outgoing ssh data packets have tos 0x10, but
the majority of the packets are still going to the default traf queue.

queue ssh on xl0
   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes: 0 ]
   [ qlength:   0/ 50 ]
   [ measured: 0.0 packets/s, 0 b/s ]
queue traf on xl0 priority 15 priq( default )
   [ pkts:   5059  bytes:1130390  dropped pkts: 69 bytes: 80689 ]
   [ qlength:   0/ 50 ]
   [ measured: 3.9 packets/s, 2.15Kb/s ]


This problem affects 7.0 only.
pf rules with tos in FreeBSD-6.2 (previous pf version) work properly.

My configuration:
# uname -a
FreeBSD amb.kiev.ua 7.0-BETA1 FreeBSD 7.0-BETA1 #1: Sun Oct 28 10:08:13
ADT 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/AMB.7.0  i386

dmesg output and kernel config file are attached to this letter.

I last cvsupped RELENG_7 and reinstalled world this morning.

--
Andrew Biriukov
[EMAIL PROTECTED]

#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.474.2.1 2007/10/11 06:20:26 kensmith Exp $

#cpu            I486_CPU
#cpu            I586_CPU
cpu             I686_CPU
ident           AMB

# To statically compile in device wiring instead of /boot/device.hints
#hints          GENERIC.hints           # Default places to look for devices.

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_4BSD              # 4BSD scheduler
#options        SCHED_ULE
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
#options        INET6                   # IPv6 communications protocols
#options        SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
#options        NFSCLIENT               # Network Filesystem Client
#options        NFSSERVER               # Network Filesystem Server
#options        NFS_ROOT                # NFS usable as /, requires NFSCLIENT
#options        MSDOSFS                 # MSDOS Filesystem
#options        CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_43TTY            # BSD 4.3 TTY compat [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # 
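
The check made by hand in the report above (tcpdump shows tos 0x10, yet the queue counters, as printed by `pfctl -vsq`, show the `ssh` queue empty) can be scripted. This is an added example, not part of the original thread; the sample text is constructed from the counters quoted in the report, and the function names are illustrative.

```python
import re

# Constructed sample in the shape of `pfctl -vsq` output, using the counters
# quoted in the report above; one stats line is wrapped the way mail clients do.
SAMPLE = """\
queue ssh on xl0
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue traf on xl0 priority 15 priq( default )
  [ pkts:       5059  bytes:1130390  dropped pkts:     69 bytes:
80689 ]
  [ qlength:   0/ 50 ]
"""

HEAD_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)(.*)$")
STATS_RE = re.compile(
    r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")

def parse_queues(text):
    """Map queue name -> counters, tolerating stats lines split across lines."""
    blocks = []
    for line in text.splitlines():
        if line.startswith("queue "):
            blocks.append([line])          # a new queue section begins
        elif blocks:
            blocks[-1].append(line)        # continuation of the current section
    queues = {}
    for block in blocks:
        head = HEAD_RE.match(block[0])
        # Collapse all whitespace so a wrapped counter rejoins its label.
        stats = STATS_RE.search(" ".join(" ".join(block[1:]).split()))
        if head and stats:
            pkts, nbytes, dpkts, dbytes = map(int, stats.groups())
            queues[head.group(1)] = {
                "iface": head.group(2), "default": "default" in head.group(3),
                "pkts": pkts, "bytes": nbytes,
                "dropped_pkts": dpkts, "dropped_bytes": dbytes}
    return queues

def starved_queues(queues):
    """Non-default queues with zero packets while the default queue carried traffic."""
    default_busy = any(q["default"] and q["pkts"] > 0 for q in queues.values())
    return sorted(name for name, q in queues.items()
                  if default_busy and not q["default"] and q["pkts"] == 0)

if __name__ == "__main__":
    for name in starved_queues(parse_queues(SAMPLE)):
        print(f"queue {name}: no packets assigned; check the rule that should feed it")
```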

Re: pf broken in 7.0-BETA1 ?

2007-10-28 Thread Andrew Birukov

Ermal Luçi wrote:

> Try using
>
> pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
>
> and it should work as you expect!


pf.conf
---
ext_if=xl0

altq on $ext_if priq bandwidth 520Kb queue { ssh, traf }
queue ssh priority 1
queue traf  priority 15 priq(default)

pass in all
pass out all

pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh

---

# /etc/rc.d/pf restart
Disabling pf.
pf disabled
Enabling pf.
/etc/pf.conf:10: syntax error
pfctl: Syntax error in config file: pf rules not loaded
pf enabled

Unfortunately syntax error...


--
Andrew Biriukov
[EMAIL PROTECTED]


Re: pf broken in 7.0-BETA1 ?

2007-10-28 Thread Ermal Luçi
Try using

pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh

and it should work as you expect!

On 10/28/07, Andrew Birukov [EMAIL PROTECTED] wrote:

 pf.conf:
 ---
 ext_if=xl0

 altq on $ext_if priq bandwidth 520Kb queue { ssh, traf }
 queue ssh priority 1
 queue traf  priority 15 priq(default)

 pass in all
 pass out all

 pass out on $ext_if proto tcp from any to any tos 0x10 queue ssh
 -

 I connected to a remote host by ssh.
 In tcpdump I see many packets with tos 0x10.

 12:54:46.732928 IP (tos 0x10, ttl 64, id 12486, offset 0, flags [DF],
 proto TCP (6), length 52) 10.15.25.2.56587 > 194.0.91.110.22: ., cksum
 0x35d5 (correct), 1919:1919(0) ack 2832 win 8181 <nop,nop,timestamp
 8630585 535444648>
 12:54:46.746958 IP (tos 0x10, ttl 64, id 12487, offset 0, flags [DF],
 proto TCP (6), length 100) 10.15.25.2.56587 > 194.0.91.110.22: P
 1919:1967(48) ack 2832 win 8195 <nop,nop,timestamp 8630598 535444648>
 12:54:46.900186 IP (tos 0x10, ttl 64, id 12488, offset 0, flags [DF],
 proto TCP (6), length 52) 10.15.25.2.56587 > 194.0.91.110.22: ., cksum
 0x33ec (correct), 1967:1967(0) ack 2944 win 8181 <nop,nop,timestamp
 8630746 535444816>
 12:54:46.915079 IP (tos 0x10, ttl 64, id 12489, offset 0, flags [DF],
 proto TCP (6), length 100) 10.15.25.2.56587 > 194.0.91.110.22: P
 1967:2015(48) ack 2944 win 8195 <nop,nop,timestamp 8630760 535444816>

 tcpdump confirms that the outgoing ssh data packets have tos 0x10, but
 the majority of the packets are still going to the default traf queue.

 queue ssh on xl0
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes: 0 ]
 [ qlength:   0/ 50 ]
 [ measured: 0.0 packets/s, 0 b/s ]
 queue traf on xl0 priority 15 priq( default )
 [ pkts:   5059  bytes:1130390  dropped pkts: 69 bytes: 80689 ]
 [ qlength:   0/ 50 ]
 [ measured: 3.9 packets/s, 2.15Kb/s ]


 This problem affects 7.0 only.
 pf rules with tos in FreeBSD-6.2 (previous pf version) work properly.

 My configuration:
 # uname -a
 FreeBSD amb.kiev.ua 7.0-BETA1 FreeBSD 7.0-BETA1 #1: Sun Oct 28 10:08:13
 ADT 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/AMB.7.0  i386

 dmesg output and kernel config file are attached to this letter.

 I last cvsupped RELENG_7 and reinstalled world this morning.

 --
 Andrew Biriukov
 [EMAIL PROTECTED]


 #
 # GENERIC -- Generic kernel configuration file for FreeBSD/i386
 #
 # For more information on this file, please read the handbook section on
 # Kernel Configuration Files:
 #
 #    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
 #
 # The handbook is also available locally in /usr/share/doc/handbook
 # if you've installed the doc distribution, otherwise always see the
 # FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
 # latest information.
 #
 # An exhaustive list of options and more detailed explanations of the
 # device lines is also present in the ../../conf/NOTES and NOTES files.
 # If you are in doubt as to the purpose or necessity of a line, check first
 # in NOTES.
 #
 # $FreeBSD: src/sys/i386/conf/GENERIC,v 1.474.2.1 2007/10/11 06:20:26 kensmith Exp $

 #cpu            I486_CPU
 #cpu            I586_CPU
 cpu             I686_CPU
 ident           AMB

 # To statically compile in device wiring instead of /boot/device.hints
 #hints          GENERIC.hints           # Default places to look for devices.

 makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

 options         SCHED_4BSD              # 4BSD scheduler
 #options        SCHED_ULE
 options         PREEMPTION              # Enable kernel thread preemption
 options         INET                    # InterNETworking
 #options        INET6                   # IPv6 communications protocols
 #options        SCTP                    # Stream Control Transmission Protocol
 options         FFS                     # Berkeley Fast Filesystem
 options         SOFTUPDATES             # Enable FFS soft updates support
 options         UFS_ACL                 # Support for access control lists
 options         UFS_DIRHASH             # Improve performance on big directories
 options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
 options         MD_ROOT                 # MD is a potential root device
 #options        NFSCLIENT               # Network Filesystem Client
 #options        NFSSERVER               # Network Filesystem Server
 #options        NFS_ROOT                # NFS usable as /, requires NFSCLIENT
 #options        MSDOSFS                 # MSDOS Filesystem
 #options        CD9660                  # ISO 9660 Filesystem
 options         PROCFS                  # Process filesystem (requires PSEUDOFS)
 options         PSEUDOFS                # Pseudo-filesystem framework
 options 

Re: pf broken in 7.0-BETA1 ?

2007-10-28 Thread Abdullah Ibn Hamad Al-Marri
- Original Message 
 From: Andrew Birukov [EMAIL PROTECTED]
 To: Ermal Luçi [EMAIL PROTECTED]
 Cc: freebsd-stable@freebsd.org; [EMAIL PROTECTED]
 Sent: Sunday, October 28, 2007 10:34:56 PM
 Subject: Re: pf broken in 7.0-BETA1 ?
 
 Ermal Luçi wrote:
  Try using
  
  pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
  
  and it should work as you expect!
 
 pf.conf
 ---
 ext_if=xl0
 
 altq on $ext_if priq bandwidth 520Kb queue { ssh, traf }
 queue ssh priority 1
 queue traf  priority 15 priq(default)
 
 pass in all
 pass out all
 
 pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
 ---
 
 # /etc/rc.d/pf restart
 Disabling pf.
 pf disabled
 Enabling pf.
 /etc/pf.conf:10: syntax error
 pfctl: Syntax error in config file: pf rules not loaded
 pf enabled
 
 Unfortunately syntax error...
 
 
 -- 
 Andrew Biriukov
 [EMAIL PROTECTED]


Is this related to your problem?

http://www.nabble.com/Suggestion-with-patch%2C-change-PF-TOS-matching-to-bitmask-tf4697797.html


-- 
Regards, 
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

 





Re: pf broken in 7.0-BETA1 ?

2007-10-28 Thread Paul Schenkeveld
On Sun, Oct 28, 2007 at 04:34:56PM -0300, Andrew Birukov wrote:
 Ermal Luçi wrote:
 Try using
 
 pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
 
 and it should work as you expect!
 
 pf.conf
 ---
 ext_if=xl0
 
 altq on $ext_if priq bandwidth 520Kb queue { ssh, traf }
 queue ssh priority 1
 queue traf  priority 15 priq(default)
 
 pass in all
 pass out all
 
 pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
 ---
 
 # /etc/rc.d/pf restart
 Disabling pf.
 pf disabled
 Enabling pf.
 /etc/pf.conf:10: syntax error
 pfctl: Syntax error in config file: pf rules not loaded
 pf enabled
 
 Unfortunately syntax error...

Should be no state according to pf.conf(5)

 -- 
 Andrew Biriukov
 [EMAIL PROTECTED]

Paul Schenkeveld


Re: pf broken in 7.0-BETA1 ?

2007-10-28 Thread Andrew Birukov

Paul Schenkeveld wrote:

> On Sun, Oct 28, 2007 at 04:34:56PM -0300, Andrew Birukov wrote:
>> Ermal Luçi wrote:
>>> Try using
>>>
>>> pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
>>>
>>> and it should work as you expect!
>>
>> pf.conf
>> ---
>> ext_if=xl0
>>
>> altq on $ext_if priq bandwidth 520Kb queue { ssh, traf }
>> queue ssh priority 1
>> queue traf  priority 15 priq(default)
>>
>> pass in all
>> pass out all
>>
>> pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
>>
>> ---
>>
>> # /etc/rc.d/pf restart
>> Disabling pf.
>> pf disabled
>> Enabling pf.
>> /etc/pf.conf:10: syntax error
>> pfctl: Syntax error in config file: pf rules not loaded
>> pf enabled
>>
>> Unfortunately syntax error...
>
> Should be no state according to pf.conf(5)

Thanks a lot!
That was it!

--
Andrew Biriukov
[EMAIL PROTECTED]


Re: pf broken in 7.0-BETA1 ?

2007-10-28 Thread Andrew Birukov

Abdullah Ibn Hamad Al-Marri wrote:

> - Original Message 
>> From: Andrew Birukov [EMAIL PROTECTED]
>> To: Ermal Luçi [EMAIL PROTECTED]
>> Cc: freebsd-stable@freebsd.org; [EMAIL PROTECTED]
>> Sent: Sunday, October 28, 2007 10:34:56 PM
>> Subject: Re: pf broken in 7.0-BETA1 ?
>>
>> Ermal Luçi wrote:
>>> Try using
>>>
>>> pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
>>>
>>> and it should work as you expect!
>>
>> pf.conf
>> ---
>> ext_if=xl0
>>
>> altq on $ext_if priq bandwidth 520Kb queue { ssh, traf }
>> queue ssh priority 1
>> queue traf  priority 15 priq(default)
>>
>> pass in all
>> pass out all
>>
>> pass out on $ext_if proto tcp from any to any tos 0x10 no keep state queue ssh
>>
>> ---
>>
>> # /etc/rc.d/pf restart
>> Disabling pf.
>> pf disabled
>> Enabling pf.
>> /etc/pf.conf:10: syntax error
>> pfctl: Syntax error in config file: pf rules not loaded
>> pf enabled
>>
>> Unfortunately syntax error...
>>
>> --
>> Andrew Biriukov
>> [EMAIL PROTECTED]
>
> Is this related to your problem?
>
> http://www.nabble.com/Suggestion-with-patch%2C-change-PF-TOS-matching-to-bitmask-tf4697797.html

It is not related, but interesting for me.
I am going to try this patch.
Thank you!

--
Andrew Biriukov
[EMAIL PROTECTED]