I felt sorry the -T tag option was present in Linux and not on FBSD because I got to a situation where it would really be useful for me. So I decided to stuff my hands on the grease can.

What this does is to give the option to put a tag instead of a queue, to the dynamic rules that ftp-proxy creates on the fly. The option to put a queue is nice but it confines the rule to THAT queue only, and you cannot create queues with the same name on different interfaces. You could specify 2 interfaces on the same altq rule, but then again, both interfaces will be confined to the same queue tunings.

The -T "tag" option however, besides tagging the packets for the rule, takes the "quick" keyword out of it, so rule processing can continue, to later find a rule that has the keyword "tagged tag", and be sent to any queue you want. A really welcome flexibility.

The lines below were taken during an ftp session to ftp.openbsd.com from a LAN client station.

================================
# Server [20:14:03] [~]>pfctl -vv -sA ftp-proxy
ftp-proxy/15780.1
# Server [20:15:01] [~]> pfctl -vv -a ftp-proxy/15780.1 -sr
@0 pass in log inet proto tcp from 172.16.3.145 to 129.128.5.191 port = 61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
  [ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 62 pid 15780 ]
@1 pass out log inet proto tcp from 189.12.120.67 to 129.128.5.191 port = 61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
  [ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 62 pid 15780 ]
# Server [20:15:11] [~]>pfctl -vv -sA ftp-proxy
ftp-proxy/15780.1
# Server [20:15:16] [~]> pfctl -vv -a ftp-proxy/15780.1 -sn
@0 nat inet proto tcp from 172.16.3.145 to 129.128.5.191 port = 61076 rtable 0 -> 189.12.120.67
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 62 pid 15780 ]
@0 rdr inet proto tcp from 172.16.3.145 to 129.128.5.191 port = 51973 rtable 0 -> 129.128.5.191 port 61076
  [ Evaluations: 6 Packets: 8 Bytes: 1485 States: 0 ]
  [ Inserted: uid 62 pid 15780 ]
# Server [20:15:23] [~]> pfctl -vv -a ftp-proxy/15780.1 -sn
pfctl: DIOCGETRULES: Invalid argument
# Server [20:16:12] [~]>pfctl -vv -sA ftp-proxy
================================

The nat, rdr and pass rules are correctly created and tagged. Observe the times to see that ftp-proxy removes the rule really fast.

To apply the patch, copy it to /usr/src/contrib/pf/ftp-proxy/ then,

cd /usr/src/usr.sbin/ftp-proxy/ftp-proxy
make [clean]
make install

Fix:
Patch attached with submission follows:

How-To-Repeat:
NA
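As an added illustration of the ruleset layout the report describes (this is not part of the PR or its patch): ftp-proxy, started with `-T ftp_proxy`, tags its dynamic rules instead of queueing them, and later per-interface `tagged` rules pick the queue. Interface names, LAN prefix, queue names, bandwidths and the proxy's listen port are assumptions.

```pf
# Assumed interface and address names; adjust to the local setup.
ext_if = "em0"
int_if = "em1"
lan    = "172.16.3.0/24"

# One ALTQ definition per interface. A "queue" option on the ftp-proxy
# rule could only name a single queue, shared by both directions;
# queue names cannot be reused across interfaces.
altq on $ext_if cbq bandwidth 10Mb queue { std_ext, ftp_ext }
queue std_ext bandwidth 80% cbq(default)
queue ftp_ext bandwidth 20%

altq on $int_if cbq bandwidth 100Mb queue { std_int, ftp_int }
queue std_int bandwidth 90% cbq(default)
queue ftp_int bandwidth 10%

# Anchors that ftp-proxy fills with the nat/rdr/pass rules shown in the
# report. With -T they carry "tag ftp_proxy" and no "quick", so rule
# evaluation continues past them.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Standard redirect of LAN FTP control connections to the proxy
# (assumed default listen port 8021).
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# pf tags are sticky, so the proxied data connections still match here.
# Keep these after any general pass rules: the last matching rule wins
# and is the one that assigns the per-interface queue.
pass out on $ext_if tagged ftp_proxy queue ftp_ext
pass out on $int_if tagged ftp_proxy queue ftp_int
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch queue counters with `pfctl -vsq` while a LAN client transfers a file.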
For bugs matching the following criteria:

Status: In Progress
Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped

Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>