Re: pf: match vs. pass - nat and rdr

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: nixlists

Subject: Re: pf: match vs. pass - nat and rdr

Date: Tuesday, January 5, 2010 - 7:49 pm

On Tue, Jan 5, 2010 at 8:34 PM, Robert <robert@openbsd.pap.st> wrote:

....

quoted text> nat and rdr are now declared with match rules.

But  'pass' still works:

pass out on em0 inet from 192.168.1.0/24 to any flags S/SA keep state
nat-to (em0) round-robin

quoted text>> An issue today was the box totally froze after I removed one of the
>> redundant rules, did 'pfctl -f /etc/pf.conf', and ran 'systat queues'.
>> As soon as I ran systat it froze dead. Not even a panic.
>
> You say you killed a box by trying to load a ruleset?
> Checked the config with -n before loading?

No, I am saying I killed the box by removing a single existing rule
from the ruleset and running systat.  it froze as soon as I ran
'systat queues' . After a reboot the box has no trouble running the
ruleset.

quoted text> The queues on the internal interface in that example are used to limit
> download speeds from the "internet". Can't do that on the external
> interface. And yes, if not done right those rules would mess with
> traffic that is internal and should not have hit those queues in the
> first place.

Hmm... I simply copied the example, and my internal interface became
bandwidth-limited as in the example.

Thanks.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

pf: match vs. pass - nat and rdr, nixlists, (Tue Jan 5, 4:15 pm)

Re: pf: match vs. pass - nat and rdr, Robert, (Tue Jan 5, 6:34 pm)

Re: pf: match vs. pass - nat and rdr, nixlists, (Tue Jan 5, 7:49 pm)

Re: pf: match vs. pass - nat and rdr, Henning Brauer, (Fri Jan 8, 8:31 pm)


linux-kernel:
Ken Chen	[patch] sched: fix inconsistency when redistribute per-cpu tg->cfs_rq shares.
Ingo Molnar	Re: [PATCH v3] x86: merge the simple bitops and move them to bitops.h
Andi Kleen	Re: - romsignature-checksum-cleanup-2.patch removed from -mm tree
Axel Lin	[PATCH] tc6393xb: fix wrong goto labels for error handling
Matthew Wilcox	Re: 2.6.22-rc3-mm1
git:
Johannes Schindelin	Re: [PATCH 05/21] Make parse_tag_buffer_internal() handle item == NULL
Johannes Sixt	Re: [PATCH] Fix handle leak in builtin-pack-objects
Linus Torvalds	Re: [PATCH, take 1] Linear-time/space rename logic (exact renames only)
Alex Riesen	Re: [PATCH] fmt-merge-msg: avoid open "-\|" list form for Perl 5.6
Nicolas Pitre	Re: [PATCH 2/2] Implement a simple delta_base cache
git-commits-head:
Linux Kernel Mailing List	V4L/DVB (8018): Add em2860 chip ID
Linux Kernel Mailing List	PCI: fix kernel oops on bridge removal
Linux Kernel Mailing List	rtl8187: use DMA-aware buffers with usb_control_msg
Linux Kernel Mailing List	Blackfin: use KERN_ALERT in all kgdb_test output
Linux Kernel Mailing List	MIPS: Bonito64: Make Loongson independent from Bonito64 code.
linux-netdev:
Richard Cochran	Re: [PATCH v3 3/3] ptp: Added a clock that uses the eTSEC found on the MPC85xx.
David Miller	Re: [RFC] bridge: STP timer management range checking
Herbert Xu	Re: [RFC PATCH 00/17] virtual-bus
Lennert Buytenhek	Re: [PATCH 3/6] [NET] dsa: add support for original DSA tagging format
Herbert Xu	Re: [2/2] igb: Replace LRO with GRO
freebsd-current:
Boris Samorodov	Re: twa + dump = sbwait
Andrey	Re: RELENG_7 and HEAD: bge causes system hang
韓家標 Bill Hacker	Re: ZFS honesty
samira	sata atapi on ich9r
JoaoBR	Re: I like my rc.d boot messages :(