From durian@shadetreesoftware.com  Tue Jul  1 17:57:34 2008
Message-Id: <200807011725.m61HP9fd040129@shadetreesoftware.com>
Date: Tue, 1 Jul 2008 11:25:09 -0600 (MDT)
From: Mike Durian <durian@shadetreesoftware.com>
Reply-To: Mike Durian <durian@shadetreesoftware.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: cups breaks with PF interaction in 7.0
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         125153
>Category:       ports
>Synopsis:       print/cups breaks with PF interaction in 7.0
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dinoex
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 01 18:00:15 UTC 2008
>Closed-Date:    Thu Jul 10 15:12:53 CEST 2008
>Last-Modified:  Thu Jul 10 14:20:05 UTC 2008
>Originator:     Mike Durian
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD cedar.shadetreesoftware.com 7.0-STABLE FreeBSD 7.0-STABLE #2: Sun Jun 29 12:37:20 MDT 2008 root@cedar.shadetreesoftware.com:/usr/obj/usr/src/sys/SHADETREE i386


	
>Description:
	Cups, specifically the socket backend, fails with what I believe
	to be a pf firewall interaction in 7.0-STABLE.  This did fail
	in 6.3.

	The socket back end sends some data to the printer, but eventually
	gets a write(2) failure.  The errno is EPERM, which I think
	is only generated by the firewall.  At least the write(2) man page
	doesn't document it.

	In my case, I am trying to print a document through a VPN.
	I have a gif tunnel set up with ipsec as described in the
	FreeBSD handbook and some web site.

	Here is my test case.  /tmp/foo.pcl is a pre-rendered version
	of the cups test page.

	> DEVICE_URI=socket://superfly.boogie.com:9100 ktrace -f /tmp/cups_socket.out /usr/local/libexec/cups/backend/socket 1 durian foo 1 "" /tmp/foo.pcl
	INFO: Attempting to connect to host superfly.boogie.com on port 9100
	STATE: +connecting-to-device
	STATE: -connecting-to-device
	INFO: Connected to superfly.boogie.com...
	DEBUG: Connected to 192.168.1.5:9100 (IPv4)...
	PAGE: 1 1
	DEBUG: backendRunLoop(print_fd=3, device_fd=4, use_bc=1, side_cb=0x8048f20)
	DEBUG: Read 8192 bytes of print data...
	STATE: -media-empty-error
	STATE: -offline-error
	INFO: Printer is now on-line.
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	DEBUG: Wrote 8192 bytes of print data...
	DEBUG: Read 8192 bytes of print data...
	ERROR: Unable to write print data: Operation not permitted
	INFO: Print file sent, waiting for printer to finish...



	The ktrace is rather large.  Rather than include it all here,
	I'll just excerpt the failing write(2):

	 39702 socket   RET   read 8192/0x2000
	 39702 socket   CALL  write(0x2,0xbfbfb3d0,0x28)
	 39702 socket   GIO   fd 2 wrote 40 bytes
	       "DEBUG: Read 8192 bytes of print data...
	       "
	 39702 socket   RET   write 40/0x28
	 39702 socket   CALL  select(0x5,0xbfbfbae0,0xbfbfba60,0,0)
	 39702 socket   RET   select 1
	 39702 socket   CALL  write(0x4,0xbfbfbb78,0x2000)
	 39702 socket   RET   write -1 errno 1 Operation not permitted
	 39702 socket   CALL  write(0x2,0xbfbfb3d0,0x3b)
	 39702 socket   GIO   fd 2 wrote 59 bytes
	       "ERROR: Unable to write print data: Operation not permitted
	       "

	I suspect someone will want more data on my pf.conf file and
	vpn setup.  Please contact me and let me know what you'd like to
	see.

	I can work around the problem by adding IPSEC_FILTERTUNNEL to
	the kernel build, but that has its own adverse effect on
	asterisk.  Since I did not need IPSEC_FILTERTUNNEL in 6.3,
	I believe there is a new bug somewhere and have opted for
	VoIP over printing.

	The far end of the VPN is also running 7.0.

>How-To-Repeat:
	Set up a VPN using gif and ipsec.  Try using cups to print
	to port 9100 on a printer on the far end of the VPN.
>Fix:

	Adding "options IPSEC_FILTERTUNNEL" to the kernel config file
	can work around this problem, but is not a viable solution for
	me due to some bad interactions with asterisk.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->dinoex 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jul 2 02:54:21 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=125153 
State-Changed-From-To: open->feedback 
State-Changed-By: dinoex 
State-Changed-When: Mon Jul 7 12:30:11 CEST 2008 
State-Changed-Why:  

< Cups, specifically the socket backend, fails with what I believe 
< to be a pf firewall interaction in 7.0-STABLE.  This did fail 
< in 6.3. 

So your setup fails both in 6.3 and 7.0-7.0-STABLE?

What is the behaviour you expect? 



From: Mike Durian <durian@shadetreesoftware.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: ports/125153: print/cups breaks with PF interaction in 7.0
Date: Mon, 7 Jul 2008 07:52:20 -0600

 That was a typo.  The setup did not fail in 6.3.
 
 I need to do a bit more testing, but I believe I have fixed
 the problem.  Adding an explicit "no state" qualifier to
 my VPN pass lines in pf.conf seems to help.  Since "no state"
 is the default in 6.3, but not in 7.0, that would explain the
 behavior change.
 
 mike
 
State-Changed-From-To: feedback->closed 
State-Changed-By: dinoex 
State-Changed-When: Thu Jul 10 15:12:26 CEST 2008 
State-Changed-Why:  
Not a problem in cups. 
Thanks for the feedback. 


From: Mike Durian <durian@shadetreesoftware.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: ports/125153: print/cups breaks with PF interaction in 7.0
Date: Thu, 10 Jul 2008 08:12:25 -0600

 I have now verified that adding "no state" to the pf rules applicable
 to our VPN allows us to print remotely again.  It is now safe to close
 this PR.
 
 As a side note, for people who might be searching the database, I
 also discovered that our bacula backups would fail like cups failed.
 Some data would get through, then an EPERM error.  Adding "no state"
 also fixed that problem.
 
 mike
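
Added example, not part of the original PR and not the submitter's pf.conf: a sketch of the "no state" change described in the follow-ups above, with the pre-change rules kept as comments for comparison. The interface name, macro names and both network ranges are assumptions for illustration.

```conf
# pf.conf fragment (constructed example; all macro values are placeholders)
vpn_if     = "gif0"             # assumed name of the gif tunnel interface
local_net  = "10.0.1.0/24"      # assumed LAN behind this end of the VPN
remote_net = "192.168.1.0/24"   # assumed far-end LAN (printer seen at 192.168.1.5)

# Before: rules carried over unchanged from 6.3. On 7.0 a pass rule with
# no state option creates a state entry, so these became stateful after
# the upgrade. This is the configuration the PR reports as failing
# part-way through a transfer with EPERM on write(2).
#
# pass in  on $vpn_if from $remote_net to $local_net
# pass out on $vpn_if from $local_net  to $remote_net

# After: request stateless filtering explicitly, restoring the 6.3
# behaviour for the tunnel. A stateless rule has no state entry to admit
# replies, so both directions must be passed explicitly; keep the
# from/to ranges as narrow as the VPN actually needs.
pass in  on $vpn_if from $remote_net to $local_net no state
pass out on $vpn_if from $local_net  to $remote_net no state
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`; after reloading, `pfctl -s state` should show no entries created by the tunnel rules.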
 
>Unformatted:
