From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 28 14:41:32 2004
Date: Sun, 28 Nov 2004 14:41:29 +0000
From: Jonathon McKitrick
To: freebsd-ipfw@freebsd.org
Message-ID: <20041128144129.GA20832@dogma.freebsd-uk.eu.org>
Subject: Fwd: Is this a hole in my firewall?
Here are my rules:

root@neptune:~# ipfw show
00100 0   0 check-state
00200 2 144 allow ip from me to any keep-state out xmit tun0
00300 0   0 allow ip from any to any keep-state out xmit tun0
00400 0   0 deny tcp from any to any in recv tun0 established
00500 0   0 allow ip from any to any via vr0
00600 0   0 allow ip from any to any via lo0
00700 0   0 deny ip from any to 127.0.0.0/8
00800 0   0 deny ip from 127.0.0.0/8 to any
00900 0   0 allow tcp from any to me 22 keep-state in recv vr0 setup
01000 0   0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100 0   0 deny log logamount 100 ip from any to any
65535 0   0 deny ip from any to any

I added rule 300 so that my laptop on my wireless network can connect, ping, and get DNS and DHCP. Is there a better way to specify this?
jm

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 29 11:02:32 2004
Date: Mon, 29 Nov 2004 11:02:31 GMT
Message-Id: <200411291102.iATB2Vki008507@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported

7 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 29 19:24:28 2004
Date: Mon, 29 Nov 2004 11:25:14 -0800
From: Brooks Davis
To: ipfw@freebsd.org
Message-ID: <20041129192514.GA7331@odin.ac.hmc.edu>
Subject: strncmp usage in ipfw

The ipfw program uses the following idiom quite a bit:

    char *var;
    if (!strncmp(var, "str", strlen(var)))
        ...
I'm pretty sure that in most cases the desired comparison is actually:

    if (!strcmp(var, "str"))

The problem with the first is that all the following strings match:

    ""
    "s"
    "st"
    "str"

It's remotely possible this was deliberate since we should not see the "" case and this would allow partial commands, but I'm not sure and this creates problems with maintainability. For example, if "str" were "ip" and you added a line above it containing "ip6" you'd always match "ip6" leaving difficult to spot dead code in the "ip" case.

Was use of this idiom deliberate or accidental?

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 29 20:26:16 2004
In-Reply-To: <20041129192514.GA7331@odin.ac.hmc.edu>
References: <20041129192514.GA7331@odin.ac.hmc.edu>
From: Charles Swiger
Date: Mon, 29 Nov 2004 15:26:12 -0500
To: Brooks Davis
cc: ipfw@freebsd.org
Subject: Re: strncmp usage in ipfw

On Nov 29, 2004, at 2:25 PM, Brooks Davis wrote:
> char *var;
> if (!strncmp(var, "str", strlen(var)))
>     ...
> [ ... ]
> Was use of this idiom deliberate or accidental?

I can't speak for the author, but using the "n"-for-length variant of the string and printf() family of functions is considered an important safety practice, especially for network/firewall/IDS software which may be exposed to externally generated data which contains deliberately malicious string lengths.

Since the topic came up, it's also potentially dangerous to write code like:

    char errstr[1024];
    /* ...intervening code... */
    snprintf(errstr, 1024, "...");

...because people making changes to the code may change the size of errstr without changing the 1024 in the snprintf(). Using a macro for the size is better practice:

    #define ERRLEN (1024)
    char errstr[ERRLEN];
    /* ...intervening code... */
    snprintf(errstr, ERRLEN, "...");

...but the strong recommendation I've seen is to always use sizeof():

    snprintf(errstr, sizeof(errstr), ...)

This brings me back to your point with regard to partial matches; it might be the case that the IPFW code could use char arrays and sizeof(var) rather than char *'s and strlen(var) for some cases? The former approach would not only address your concerns, Brooks, but also be faster. Otherwise, I suspect that:

    char *var;
    if (!strncmp(var, "str", strlen(var)))
        ...

...should become:

    #define STR "str"
    char *var;
    if (!strncmp(var, STR, sizeof(STR)))
        ...
--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 29 22:16:20 2004
Date: Mon, 29 Nov 2004 14:17:07 -0800
From: Brooks Davis
To: Charles Swiger
cc: ipfw@freebsd.org
Message-ID: <20041129221707.GA2571@odin.ac.hmc.edu>
References: <20041129192514.GA7331@odin.ac.hmc.edu>
Subject: Re: strncmp usage in ipfw

On Mon, Nov 29, 2004 at 03:26:12PM -0500, Charles Swiger wrote:
> On Nov 29, 2004, at 2:25 PM, Brooks Davis wrote:
> > char *var;
> > if (!strncmp(var, "str", strlen(var)))
> >     ...
> > [ ... ]
> > Was use of this idiom deliberate or accidental?
>
> I can't speak for the author, but using the "n"-for-length variant of
> the string and printf() family of functions is considered an important
> safety practice, especially for network/firewall/IDS software which may
> be exposed to externally generated data which contains deliberately
> malicious string lengths.

That's true for string creation functions, but not for strncmp. The only valid use of strncmp is to do comparisons between strings where one string is known to not be NUL-terminated or to look for a sub-string. It is not a safety function.

> This brings me back to your point with regard to partial matches; it
> might be the case that the IPFW code could use char arrays and
> sizeof(var) rather than char *'s and strlen(var) for some cases? The
> former approach would not only address your concerns, Brooks, but also
> be faster. Otherwise, I suspect that:
>
> char *var;
> if (!strncmp(var, "str", strlen(var)))
>     ...
>
> ...should become:
>
> #define STR "str"
> char *var;
> if (!strncmp(var, STR, sizeof(STR)))
>     ...

This is exactly equivalent in functionality to:

    char *var;
    if (!strcmp(var, "str"))
        ...

We know that "str" is NUL-terminated because the C standard says it is, so we will stop at or before the sizeof("str")th character. In either case we are not protected from the possibility that var contains a bogus string if the bogosity occurs before we get to the end of "str". In fact, there's no way to be sure of that except creating the string correctly in the first place!

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
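The following is an added example, not code from the ipfw sources or from anyone in this thread. It runs the three keyword-matching idioms discussed above over constructed input: the original strncmp(var, "str", strlen(var)), Chuck's strncmp(var, STR, sizeof(STR)), and Brooks's strcmp(var, "str"). It also generalizes the "ip"/"ip6" remark into a small keyword-table lookup so the shadowing Brooks describes can be observed directly; the table, the function names and the inputs are all constructed for this demonstration, and the snprintf() in main() uses sizeof() on the buffer as Chuck recommends.

```c
/*
 * Added example, not from the ipfw sources: the three keyword-matching
 * idioms discussed in this thread, run over constructed input.
 */
#include <stdio.h>
#include <string.h>

/* Original ipfw idiom: !strncmp(var, kw, strlen(var)).
 * Compares only as many characters as var has, so every prefix of kw,
 * including the empty string, is accepted. */
static int idiom_strlen(const char *var, const char *kw)
{
    return strncmp(var, kw, strlen(var)) == 0;
}

/* Chuck's suggestion: !strncmp(var, STR, sizeof(STR)). For a string
 * literal sizeof(STR) == strlen(STR) + 1, i.e. the comparison covers the
 * terminating NUL of the keyword; strlen(kw) + 1 is used here so this
 * function takes a pointer like the other two. */
static int idiom_sizeof(const char *var, const char *kw)
{
    return strncmp(var, kw, strlen(kw) + 1) == 0;
}

/* Brooks's suggestion: plain strcmp, exact match only. */
static int idiom_strcmp(const char *var, const char *kw)
{
    return strcmp(var, kw) == 0;
}

/* Constructed keyword table in the order Brooks warns about: "ip6" has
 * been added above "ip". A parser walking this table with the first
 * idiom never reaches the "ip" entry for the input "ip". */
static const char *const keywords[] = { "ip6", "ip", "tcp", "udp" };
#define NKEYWORDS (sizeof(keywords) / sizeof(keywords[0]))

/* Index of the first table entry the given idiom accepts, or -1. */
static int lookup(const char *var, int (*match)(const char *, const char *))
{
    size_t i;

    for (i = 0; i < NKEYWORDS; i++)
        if (match(var, keywords[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed inputs: the four strings Brooks lists plus two that
     * must never match "str". */
    static const char *const inputs[] = { "", "s", "st", "str", "strx", "sx" };
    char quoted[16];
    size_t i;

    printf("%-7s %-12s %-12s %-7s\n", "input", "strlen(var)", "sizeof(STR)", "strcmp");
    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        /* sizeof(quoted), not a literal, as the buffer size. */
        snprintf(quoted, sizeof(quoted), "\"%s\"", inputs[i]);
        printf("%-7s %-12d %-12d %-7d\n", quoted,
               idiom_strlen(inputs[i], "str"),
               idiom_sizeof(inputs[i], "str"),
               idiom_strcmp(inputs[i], "str"));
    }

    printf("lookup(\"ip\") with strlen(var) idiom -> index %d (\"%s\")\n",
           lookup("ip", idiom_strlen), keywords[lookup("ip", idiom_strlen)]);
    printf("lookup(\"ip\") with strcmp            -> index %d (\"%s\")\n",
           lookup("ip", idiom_strcmp), keywords[lookup("ip", idiom_strcmp)]);
    return 0;
}
```

The table in the output shows the strlen(var) column accepting "", "s", "st" and "str" while the sizeof(STR) and strcmp columns agree with each other on every input, which is Brooks's equivalence claim; the two lookup lines show "ip" resolving to the "ip6" entry under the original idiom and to the "ip" entry under strcmp.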
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 29 22:58:26 2004
Message-ID: <41AB954D.5060105@guest.arnes.si>
Date: Mon, 29 Nov 2004 22:31:57 +0100
From: Matej
To: freebsd-ipfw@freebsd.org
Subject: dummynet and NAT

Hello

Can you help me? I would like to split upload and download bw dynamically and separately, between 5 users (equally) and a server. I need to reserve some bw e.g.: 128 Kbits download, 56 Kbits upload for the server (10.0.0.1) that is also the router and 5 users 10.0.0.2 - 10.0.0.6 and I also need to set priority traffic: smtp, imap, pop3, skype, http, ftp, ... in this order. I have 768 download, 128 upload.

I can't get it to work. I don't know where to put pipes and queues definitions. I tried a lot of things but everything breaks NAT.

net.inet.ip.fw.one_pass: 1

These are my firewall rules at the moment:

################
#/etc/firewall.rules
################
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
ipfw -q -f flush

$cmd 002 allow all from any to any via rl1   # exclude Lan traffic
$cmd 003 allow all from any to any via lo0   # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 135 $skip all from any to any out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif    #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif     #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif        #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif       #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif         #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif    #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif      #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif   #Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif       #Class D & E multicast

# Authorized inbound packets
# WWW
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
# SSH
$cmd 421 allow tcp from any to me 22 in via $pif setup limit src-addr 1
# SMTP mail
$cmd 422 allow tcp from any to me 25 in via $pif setup limit src-addr 1
# SSL IMAP
$cmd 423 allow tcp from any to me 993 in via $pif setup limit src-addr 1
# SSL POP3
$cmd 424 allow tcp from any to me 995 in via $pif setup limit src-addr 1

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################

If you find any bad ideas in my firewall rules please comment.

I already got tips for dynamic equally splitting bw from Martes Wigglesworth:

> Martes Wigglesworth wrote:
> The answer from all documentation that I have read, would be simply
> implement a single pipe 1 of bw xKbit/s and configure dynamic pipes that
> use the same pipe, hence splitting up the bandwidth dynamically. Since
> the queue is a copy of the first one, then all dynamic pipe have the
> same queue weight, and will then have an equal segment of the bandwidth
> of the pipe that they are attached to, in this case pipe 1.
> Example:
>
> ipfw add queue 1 log ip from any to ${internaldudes} in recv ${extif}
> ipfw queue 1 config pipe 1 mask dst-ip 0xffffffff
> ipfw pipe 1 config bw 256Kbit/s
>
> In the above example, any ip traffic coming into a natd box with
> interface ${extif} attached to the internet, and ${internaldudes} being
> those ips that are behind the gateway. Whenever a host connects to the
> box, and has traffic come to it from the internet, a dynamic queue will
> drain bandwidth for pipe 1. Due to this functionality, the pipe 1 bw
> will get divided between the pipes that are created. When there is no
> client, then the queue is deleted.
>
> If you have multiple subnets, like me, and you want to specify the
> internal interfaces, then use the following, thanks to Nicolas, earlier
> today:
> ${fwcmd_add} deny udp from 0.0.0.0 68 to 255.255.255.255 67 in \{ recv ${if_m} or recv ${if_g} \}

Thank you all

Matej

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 30 11:18:56 2004
Message-ID: <41AC571E.2020503@jrv.org>
Date: Tue, 30 Nov 2004 05:18:54 -0600
From: "James R. Van Artsalen"
To: freebsd-ipfw@freebsd.org
Subject: FreeBSD 5.3 routing IPFW FWD'd packets?

FreeBSD 5.3 may send IPFW FWD forwarded packets to a destination other than the one specified in the FWD action. FreeBSD 5.2.1 works as expected.

I have two WAN links but only one local Ethernet. The system has an IP alias. Each application can decide which WAN link to use by using one or the other IP address.
In 5.2.1 and earlier I used IPFW to send packets sourced on the IP alias address to the second WAN router.

The system IP address is 192.168.3.155/8 and the IP alias is 192.168.254.155/8. One WAN gateway is the default route and is at 192.168.3.145 and the other WAN gateway is at 192.168.254.145.

To use the main WAN one just opens a socket as usual, which gets a source address of 192.168.3.155. To use the second WAN the socket is opened with the source address set to 192.168.254.155.

The following IPFW rules state that a direct access to 192.168.254/8 proceeds unmolested, but any packet sourced on the IP alias address of 192.168.254.155 and not to 192.168.254/8 is forwarded to the second WAN gateway at 192.168.254.145 (which will send it to the Internet).

    ${fwcmd} 64000 add allow ip from any to 192.168.254.0/24
    ${fwcmd} 64005 add fwd 192.168.254.145 log ip from 192.168.254.155 to any

With FreeBSD 5.2.1 when rule 64005 matches the packet goes to 192.168.254.145 as the FWD specifies. But with FreeBSD 5.3 the logs on the gateways show that the packet goes to 192.168.3.145, the system default gateway, instead of 192.168.254.145 as specified. The syslog shows the packets are in fact matching rule 64005.

Packets sent to the directly reachable net 192.168.254/8 (rule 64000) seem to work. Is it possible that packets are somehow being routed after being FWD'd by IPFW?
From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 30 11:25:05 2004
In-Reply-To: <41AC571E.2020503@jrv.org>
Message-Id: <7261A3E8-42C2-11D9-AC2A-000A95A0BB90@bnc.net>
From: Achim Patzner
Date: Tue, 30 Nov 2004 12:24:49 +0100
To: "James R. Van Artsalen"
cc: freebsd-ipfw@freebsd.org
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?

> FreeBSD 5.3 may send IPFW FWD forwarded packets to a destination other
> than the one specified in the FWD action. FreeBSD 5.2.1 works as
> expected.

I sent a PR on that one already...
It cost me a few hundred local pearls for data routed in the wrong direction (--> no donations to the FreeBSD Foundation for the next few years).

> Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> seem to work. Is it possible that packets are somehow being routed
> after being FWD'd by IPFW?

The counters show that the rule is applied, too. Just the "fwd" part is not happening.

Achim

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 30 12:19:37 2004
Date: Tue, 30 Nov 2004 04:19:32 -0800
From: Luigi Rizzo
To: Brooks Davis
cc: ipfw@freebsd.org
Message-ID: <20041130041932.B91746@xorpc.icir.org>
In-Reply-To: <20041129192514.GA7331@odin.ac.hmc.edu>
Subject: Re: strncmp usage in ipfw

i believe the original, old ipfw code used strncmp()
to allow for abbreviations. When i rewrote ipfw2 i did not feel like removing the feature for fear of introducing backward compatibility problems with existing files.

However I agree that this introduces a maintainability nightmare and i believe we should move to strcmp(), especially given that with ipfw2 new option names are coming out quite frequently.

cheers
luigi

On Mon, Nov 29, 2004 at 11:25:14AM -0800, Brooks Davis wrote:
> The ipfw program uses the following idiom quite a bit:
>
> char *var;
> if (!strncmp(var, "str", strlen(var)))
>     ...
>
> I'm pretty sure that in most cases the desired comparison is actually:
>
> if (!strcmp(var, "str"))
>
> The problem with the first is that all the following strings match:
>
> ""
> "s"
> "st"
> "str"
>
> It's remotely possible this was deliberate since we should not see the
> "" case and this would allow partial commands, but I'm not sure and this
> creates problems with maintainability. For example, if "str" were "ip"
> and you added a line above it containing "ip6" you'd always match "ip6"
> leaving difficult to spot dead code in the "ip" case.
>
> Was use of this idiom deliberate or accidental?
>
> -- Brooks
>
> --
> Any statement of the form "X is the one, true Y" is FALSE.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 30 18:42:00 2004
Message-ID: <41ACBEDF.3020001@jrv.org>
Date: Tue, 30 Nov 2004 12:41:35 -0600
From: "James R. Van Artsalen"
To: Achim Patzner
cc: freebsd-ipfw@freebsd.org
In-Reply-To: <7261A3E8-42C2-11D9-AC2A-000A95A0BB90@bnc.net>
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?

Achim Patzner wrote:
> > Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> > seem to work. Is it possible that packets are somehow being routed
> > after being FWD'd by IPFW?
>
> The counters show that the rule is applied, too. Just the "fwd" part
> is not happening.

I'm suspicious of this code in netinet/ip_output.c:

#ifdef IPFIREWALL_FORWARD
    ...
    fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
    if (fwd_tag) {
        if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
            dst = (struct sockaddr_in *)&ro->ro_dst;
            bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
            m->m_flags |= M_SKIP_FIREWALL;
            m_tag_delete(m, fwd_tag);
            goto again;
        } else {
            m_tag_delete(m, fwd_tag);
            /* Continue. */
        }
    }
#endif
passout:

this seems to be where FWD is handled in this case. The problem is that 33 lines above I see this code:

    /* Jump over all PFIL processing if hooks are not active. */
    if (inet_pfil_hook.ph_busy_count == -1)
        goto passout;

It looks to me like IPFW forwarding isn't going to happen here unless there is some PFIL around.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 30 19:26:20 2004
In-Reply-To: <41ACBEDF.3020001@jrv.org>
From: Achim Patzner
Date: Tue, 30 Nov 2004 20:26:01 +0100
To: "James R. Van Artsalen"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?

(the sound you're hearing in the background is my head hitting the wall)

On 30.11.2004 at 19:41, James R. Van Artsalen wrote:
> this seems to be where FWD is handled in this case. The problem is
> that 33 lines above I see this code:

As it didn't seem interesting to me I didn't even look at that...

>     /* Jump over all PFIL processing if hooks are not active. */
>     if (inet_pfil_hook.ph_busy_count == -1)
>         goto passout;
>
> It looks to me like IPFW forwarding isn't going to happen here
> unless there is some PFIL around.

Yes. Erasing it solved the mysterious non-fwding-bug for me. Would you please have one with

    * $FreeBSD: src/sys/netinet/ip_output.c,v 1.225.2.5 2004/10/03 17:04:40 mlaier Exp $

as he probably broke it (as far as I remember he is merrily ipf-ing around).
Achim

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 30 19:57:29 2004
From: Max Laier
To: freebsd-ipfw@freebsd.org
Cc: "James R. Van Artsalen"
Date: Tue, 30 Nov 2004 20:57:59 +0100
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?

On Tuesday 30 November 2004 19:41, James R. Van Artsalen wrote:
> Achim Patzner wrote:
> > Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> > seem to work. Is it possible that packets are somehow being routed
> > after being FWD'd by IPFW?
> >
> > The counters show that the rule is applied, too. Just the "fwd" part
> > is not happening.
>
> I'm suspicious of this code in netinet/ip_output.c:
>
>     #ifdef IPFIREWALL_FORWARD
>     ...
>     fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
>     if (fwd_tag) {
>         if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
>             dst = (struct sockaddr_in *)&ro->ro_dst;
>             bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
>             m->m_flags |= M_SKIP_FIREWALL;
>             m_tag_delete(m, fwd_tag);
>             goto again;
>         } else {
>             m_tag_delete(m, fwd_tag);
>             /* Continue. */
>         }
>     }
>     #endif
>
>     passout:
>
> this seems to be where FWD is handled in this case. The problem is that
> 33 lines above I see this code:
>
>     /* Jump over all PFIL processing if hooks are not active. */
>     if (inet_pfil_hook.ph_busy_count == -1)
>         goto passout;
>
> It looks to me like IPFW forwarding isn't going to happen here unless
> there is some PFIL around.

That should be taken care of as IPFW is a PFIL consumer now. The only problem I can think of - right now - is that your kernel is missing "options IPFIREWALL_FORWARD". You might still want to try to move the "passout:"-label up just above the "#ifdef IPFIREWALL_FORWARD" line.
-- 
Max Laier | mlaier@freebsd.org | http://pf4freebsd.love2party.net/

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 30 20:30:06 2004
From: Max Laier
To: freebsd-ipfw@freebsd.org
Cc: "James R. Van Artsalen"
Date: Tue, 30 Nov 2004 21:30:31 +0100
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?
On Tuesday 30 November 2004 20:26, Achim Patzner wrote:
<...>
> Would you please have one with
>
>     * $FreeBSD: src/sys/netinet/ip_output.c,v 1.225.2.5 2004/10/03
>     17:04:40 mlaier Exp $
>
> as he probably broke it (as far as I remember he is merrily ipf-ing
> around).

Okay, this is cheap!

1) The problem above was introduced in rev. 1.225.2.4 (not my fault!).
2) I have done much good to IPFW lately. For instance, IPFW wouldn't be MPsafe if I didn't merge the MT_TAG removal.
3) It's PF (packet filter) and it's working great - go figure!

Fix should be on the list already.

-- 
Max Laier | mlaier@freebsd.org | http://pf4freebsd.love2party.net/

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 1 09:51:17 2004
From: John Hay
To: Max Laier
Cc: freebsd-ipfw@freebsd.org, "James R. Van Artsalen"
Date: Wed, 1 Dec 2004 11:50:52 +0200
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?

On Tue, Nov 30, 2004 at 08:57:59PM +0100, Max Laier wrote:
> On Tuesday 30 November 2004 19:41, James R. Van Artsalen wrote:
> > Achim Patzner wrote:
> > > Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> > > seem to work. Is it possible that packets are somehow being routed
> > > after being FWD'd by IPFW?
> > >
> > > The counters show that the rule is applied, too. Just the "fwd" part
> > > is not happening.

Just apply the patch in kern/71910 and you should be happy again. It works for me and a few others.
John
-- 
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 1 13:40:29 2004
From: Gleb Smirnoff
To: ipfw@FreeBSD.org
Date: Wed, 1 Dec 2004 13:40:28 GMT
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT

The following reply was made to PR kern/73910; it has been noted by GNATS.

From: Gleb Smirnoff
To: Achim Patzner
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
Date: Wed, 1 Dec 2004 16:32:00 +0300

Achim,

can you check whether patch from kern/71910 helps in your case?

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 1 14:35:07 2004
From: "James R. Van Artsalen"
To: John Hay
Cc: Max Laier, freebsd-ipfw@freebsd.org
Date: Wed, 01 Dec 2004 08:34:48 -0600
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?

John Hay wrote:
> On Tue, Nov 30, 2004 at 08:57:59PM +0100, Max Laier wrote:
> > On Tuesday 30 November 2004 19:41, James R. Van Artsalen wrote:
> > > > Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> > > > seem to work. Is it possible that packets are somehow being routed
> > > > after being FWD'd by IPFW?
>
> Just apply the patch in kern/71910 and you should be happy again. It works
> for me and a few others.

Thanks. But, if that is a problem then why is this code in ip_fastfwd.c not also a problem? Shouldn't this get the same change as kern/71910?

    #ifdef IPFIREWALL_FORWARD
        if (fwd_tag) {
            if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst))
                dest.s_addr = ((struct sockaddr_in *)(fwd_tag+1))->sin_addr.s_addr;
            m_tag_delete(m, fwd_tag);
        }
    #endif /* IPFIREWALL_FORWARD */

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 1 15:17:30 2004
From: John Hay
To: "James R. Van Artsalen"
Cc: Max Laier, freebsd-ipfw@freebsd.org
Date: Wed, 1 Dec 2004 17:17:16 +0200
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?
> > > > Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> > > > seem to work. Is it possible that packets are somehow being routed
> > > > after being FWD'd by IPFW?
> >
> > Just apply the patch in kern/71910 and you should be happy again. It works
> > for me and a few others.
>
> Thanks. But, if that is a problem then why is this code in ip_fastfwd.c
> not also a problem?
> Shouldn't this get the same change as kern/71910?
>
>     #ifdef IPFIREWALL_FORWARD
>         if (fwd_tag) {
>             if (!in_localip(ip->ip_src) &&
>                 !in_localaddr(ip->ip_dst))
>                 dest.s_addr = ((struct sockaddr_in
>                     *)(fwd_tag+1))->sin_addr.s_addr;
>             m_tag_delete(m, fwd_tag);
>         }
>     #endif /* IPFIREWALL_FORWARD */

It looks like it. It is probably not part of the patch because the original person did not use (and me neither) fast forwarding.

John
-- 
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 1 17:35:53 2004
From: "James R. Van Artsalen"
To: Max Laier
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 01 Dec 2004 11:35:32 -0600
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?

Max Laier wrote:
> Fix should be on the list already.

There is a similar bogus label "passin" and goto in ip_input.c that needs to be fixed. ip_fastfwd.c has both a passin and passout label & goto problem.
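The following is an added illustration, not FreeBSD source and not the patch from kern/71910: a self-contained C model of the label-placement problem discussed in this thread (the ip_output.c passout: case, and the same shape James points out for passin/passout in ip_input.c and ip_fastfwd.c). The packet struct, the forward tag and the in_localip()/in_localaddr() stand-ins are constructed for the example; the two routines differ only in where the passout: label sits, which is enough to show why the ipfw "fwd" next hop is lost whenever no pfil hook is registered, and why moving the label above the block restores it.

```c
/*
 * Added example (not FreeBSD kernel code): model of an early "goto passout"
 * that jumps past the #ifdef IPFIREWALL_FORWARD block when no pfil hooks are
 * active, versus the fix of moving the label up above that block.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the mbuf and its PACKET_TAG_IPFORWARD tag.
 * Addresses are plain host-order uint32_t values for readability. */
struct pkt {
    uint32_t ip_dst;            /* destination from the IP header              */
    bool     src_is_local;      /* what in_localip(ip->ip_src) would report    */
    bool     dst_on_local_net;  /* what in_localaddr(ip->ip_dst) would report  */
    bool     has_fwd_tag;       /* forward tag attached by an ipfw fwd rule?   */
    uint32_t fwd_next_hop;      /* next hop carried in that tag                */
};

/* Shared by both orderings: honour the tag only for transit traffic, mirroring
 * the !in_localip() && !in_localaddr() test quoted from ip_output.c. */
static uint32_t apply_fwd_tag(const struct pkt *m, uint32_t dst)
{
    if (m->has_fwd_tag && !m->src_is_local && !m->dst_on_local_net)
        return m->fwd_next_hop;
    return dst;
}

/* Ordering as described in the thread: the label sits below the fwd block,
 * so with pfil idle the tag is never consulted and ip_dst wins. */
static uint32_t route_dst_buggy(const struct pkt *m, bool pfil_hooks_active)
{
    uint32_t dst = m->ip_dst;

    /* "Jump over all PFIL processing if hooks are not active." */
    if (!pfil_hooks_active)
        goto passout;

    /* ... pfil hook processing would run here ... */

    /* #ifdef IPFIREWALL_FORWARD block */
    dst = apply_fwd_tag(m, dst);

passout:
    return dst;
}

/* Fixed ordering: "passout:" moved up just above the fwd block, so the tag
 * is processed whether or not any pfil hook is registered. */
static uint32_t route_dst_fixed(const struct pkt *m, bool pfil_hooks_active)
{
    uint32_t dst = m->ip_dst;

    if (!pfil_hooks_active)
        goto passout;

    /* ... pfil hook processing would run here ... */

passout:
    dst = apply_fwd_tag(m, dst);
    return dst;
}

/* True when a tagged transit packet is actually sent to the fwd next hop. */
static bool fwd_honoured(uint32_t (*route)(const struct pkt *, bool),
                         bool pfil_hooks_active)
{
    /* Constructed sample: transit packet for 10.0.0.1 carrying a fwd tag
     * that points at 192.168.254.1 (example constants, not real hosts). */
    const struct pkt m = {
        .ip_dst = 0x0A000001u, .src_is_local = false, .dst_on_local_net = false,
        .has_fwd_tag = true, .fwd_next_hop = 0xC0A8FE01u,
    };
    return route(&m, pfil_hooks_active) == m.fwd_next_hop;
}

int main(void)
{
    printf("pfil idle, old label position: fwd %s\n",
           fwd_honoured(route_dst_buggy, false) ? "honoured" : "IGNORED");
    printf("pfil idle, label moved up    : fwd %s\n",
           fwd_honoured(route_dst_fixed, false) ? "honoured" : "IGNORED");
    printf("pfil busy, old label position: fwd %s\n",
           fwd_honoured(route_dst_buggy, true) ? "honoured" : "IGNORED");
    return 0;
}
```

The failure mode worth remembering from a defender's side is that it is silent: the rule's counters still increment (as Achim observed) while the packet leaves by its ordinary route, so a fwd rule's effect needs to be confirmed end to end on the far side, not inferred from "ipfw show" counters alone.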
From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 2 16:03:55 2004
From: "Reinhard Haller"
Date: Thu, 02 Dec 2004 17:03:33 +0100
Subject: preprocessor questions

Hi,

I'm using cpp as preprocessor for my firewall rules.

I had problems specifying macros.

    #define RULE __LINE__
    #define ldap 389
    #define ldaps 636
    #define all_ldap 389,636

sample1:
    add RULE pass tcp from 192.168.0.0/24 to any ldap,ldaps setup keep-state

sample2:
    add RULE pass tcp from 192.168.0.0/24 to any all_ldap setup keep-state

Sample 1 produces an error, while sample 2 is working. Why?

Trying to specify hosts by name doesn't work either.

    #define PGP_SERVER 63.251.255.12
    #define NAME_PGP keyserver.pgp.com

sample3:
    add RULE pass tcp from 192.168.0.0/24 to PGP_SERVER all_ldap setup keep-state

sample4:
    add RULE pass tcp from 192.168.0.0/24 to NAME_PGP all_ldap setup keep-state

Sample 4 ends up in an error message.

Any ideas?
Thanks
Reinhard

From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 2 19:05:46 2004
From: Daniela
To: "Reinhard Haller"
Date: Thu, 2 Dec 2004 21:13:32 +0000
Subject: Re: preprocessor questions

On Thursday 02 December 2004 16:03, Reinhard Haller wrote:
> Hi,
>
> I'm using cpp as preprocessor for my firewall rules.
>
> I had problems specifying macros.
>
>     #define RULE __LINE__
>     #define ldap 389
>     #define ldaps 636
>     #define all_ldap 389,636
>
> sample1:
>     add RULE pass tcp from 192.168.0.0/24 to any ldap,ldaps setup
>     keep-state
>
> sample2:
>     add RULE pass tcp from 192.168.0.0/24 to any all_ldap setup
>     keep-state
>
> Sample 1 produces an error, while sample 2 is working. Why?

Are you using IPFW 2? If not, the problem is that the preprocessor adds leading and trailing spaces to the macro expansions. In C, this doesn't matter, but IPFW doesn't like it. If you absolutely need to keep it this way, use IPFW 2.
Or modify the preprocessor.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 3 08:11:00 2004
From: "Reinhard Haller"
Date: Fri, 03 Dec 2004 09:10:21 +0100
Subject: Antw: Re: preprocessor questions

Hi Daniela,

>>> Daniela 02.12.2004 22:13 >>>
> On Thursday 02 December 2004 16:03, Reinhard Haller wrote:
> > Hi,
> >
> > I'm using cpp as preprocessor for my firewall rules.
> >
> > I had problems specifying macros.
> >
> >     #define RULE __LINE__
> >     #define ldap 389
> >     #define ldaps 636
> >     #define all_ldap 389,636
> >
> > sample1:
> >     add RULE pass tcp from 192.168.0.0/24 to any ldap,ldaps setup
> >     keep-state
> >
> > sample2:
> >     add RULE pass tcp from 192.168.0.0/24 to any all_ldap setup
> >     keep-state
> >
> > Sample 1 produces an error, while sample 2 is working. Why?
>
> Are you using IPFW 2? If not, the problem is that the preprocessor adds leading
> and trailing spaces to the macro expansions. In C, this doesn't matter, but
> IPFW doesn't like it. If you absolutely need to keep it this way, use IPFW 2.
> Or modify the preprocessor.

In fact the rule

    add RULE pass tcp from 192.168.0.0/24 to any 389, 636 setup

and the rule

    add RULE pass tcp from 192.168.0.0/24 to any 389 , 636 setup

for ipfw aren't identical as they should be (the second produces an error message, caused by the blank between the number and the comma).

This is a feature shared by IPFW1 and IPFW2 (I'm using the latter one).
Reinhard

From owner-freebsd-ipfw@FreeBSD.ORG Sat Dec 4 11:55:31 2004
From: Daniela
To: "Reinhard Haller"
Date: Sat, 4 Dec 2004 14:03:38 +0000
Subject: Re: Antw: Re: preprocessor questions

On Friday 03 December 2004 08:10, Reinhard Haller wrote:
> Hi Daniela,
>
> >>> Daniela 02.12.2004 22:13 >>>
> > On Thursday 02 December 2004 16:03, Reinhard Haller wrote:
> > > Hi,
> > >
> > > I'm using cpp as preprocessor for my firewall rules.
> > >
> > > I had problems specifying macros.
> > >
> > >     #define RULE __LINE__
> > >     #define ldap 389
> > >     #define ldaps 636
> > >     #define all_ldap 389,636
> > >
> > > sample1:
> > >     add RULE pass tcp from 192.168.0.0/24 to any ldap,ldaps setup
> > >     keep-state
> > >
> > > sample2:
> > >     add RULE pass tcp from 192.168.0.0/24 to any all_ldap setup
> > >     keep-state
> > >
> > > Sample 1 produces an error, while sample 2 is working. Why?
> >
> > Are you using IPFW 2? If not, the problem is that the preprocessor adds
> > leading and trailing spaces to the macro expansions. In C, this doesn't
> > matter, but IPFW doesn't like it. If you absolutely need to keep it this
> > way, use IPFW 2. Or modify the preprocessor.
>
> In fact the rule
>
>     add RULE pass tcp from 192.168.0.0/24 to any 389, 636 setup
>
> and the rule
>
>     add RULE pass tcp from 192.168.0.0/24 to any 389 , 636 setup
>
> for ipfw aren't identical as they should be (the second produces an
> error message, caused by the blank between the number and the
> comma).
>
> This is a feature shared by IPFW1 and IPFW2 (I'm using the latter
> one).

Ah yes. But you could try the command line switch "-traditional". IIRC this will inhibit the generation of spaces.