From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 27 09:08:37 2010
Date: Mon, 27 Sep 2010 12:38:35 +0400
From: c0re
To: freebsd-ipfw@freebsd.org
Subject: ipfw.ko and IPFIREWALL_FORWARD in GENERIC

Hello freebsd-ipfw!

Is there any possibility to see IPFIREWALL_FORWARD option for ipfw.ko
in GENERIC?
Were there any patches about that?
I like freebsd-update, but lacking IPFIREWALL_FORWARD in GENERIC stops
me from using freebsd-update.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 27 09:48:58 2010
Date: Mon, 27 Sep 2010 19:48:56 +1000 (EST)
From: Ian Smith
To: c0re
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20100927193740.Q90633@sola.nimnet.asn.au>
Subject: Re: ipfw.ko and IPFIREWALL_FORWARD in GENERIC

On Mon, 27 Sep 2010, c0re wrote:
> Is there any possibility to see IPFIREWALL_FORWARD option for ipfw.ko
> in GENERIC?
> Were there any patches about that?
> I like freebsd-update, but lacking IPFIREWALL_FORWARD in GENERIC stops
> me from using freebsd-update.

In a nutshell, no. This thread covers why not .. or at least, not yet:
http://lists.freebsd.org/pipermail/freebsd-ipfw/2010-March/004148.html

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 27 10:22:26 2010
Date: Mon, 27 Sep 2010 14:22:24 +0400
From: c0re
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw.ko and IPFIREWALL_FORWARD in GENERIC

Thanks Ian. Looks like switching to pf is the only option now.

2010/9/27 Ian Smith :
> On Mon, 27 Sep 2010, c0re wrote:
>
>  > Is there any possibility to see IPFIREWALL_FORWARD option for ipfw.ko
>  > in GENERIC?
>  > Were there any patches about that?
>  > I like freebsd-update, but lacking IPFIREWALL_FORWARD in GENERIC stops
>  > me from using freebsd-update.
>
> In a nutshell, no. This thread covers why not .. or at least, not yet:
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2010-March/004148.html
>
> cheers, Ian
>

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 27 11:06:57 2010
Date: Mon, 27 Sep 2010 11:06:56 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/150798  ipfw       [ipfw] ipfw2 fwd rule matches packets but does not do
o kern/150141  ipfw       [ipfw]: Not working kernel nat freeBSD 8.1
o kern/149572  ipfw       [ipfw] ipfw kernel nat not working properly
o kern/148928  ipfw       [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw       [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw       [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw       [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw       [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw       [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
f kern/142951  ipfw       [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
o kern/122109  ipfw       [ipfw] ipfw nat traceroute problem
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

81 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 28 23:30:06 2010
Date: Tue, 28 Sep 2010 23:30:04 GMT
From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/145167: commit references a PR

The following reply was made to PR kern/145167; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/145167: commit references a PR
Date: Tue, 28 Sep 2010 23:23:28 +0000 (UTC)

Author: luigi
Date: Tue Sep 28 23:23:23 2010
New Revision: 213254
URL: http://svn.freebsd.org/changeset/base/213254

Log:
  fix breakage in in-kernel NAT: the code did not honor
  net.inet.ip.fw.one_pass and always moved to the next rule
  in case of a successful nat.
  This should fix several related PR (waiting for feedback
  before closing them)

  PR: 145167 149572 150141
  MFC after: 3 days

Modified:
  head/sys/netinet/ipfw/ip_fw_pfil.c

Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_pfil.c Tue Sep 28 22:46:13 2010 (r213253) +++ head/sys/netinet/ipfw/ip_fw_pfil.c Tue Sep 28 23:23:23 2010 (r213254)
@@ -231,6 +231,11 @@ again: break; case IP_FW_NAT: + /* honor one-pass in case of successful nat */ + if (V_fw_one_pass) + break; /* ret is already 0 */ + goto again; + case IP_FW_REASS: goto again; /* continue with packet */

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 28 23:30:07 2010
Date: Tue, 28 Sep 2010 23:30:06 GMT
From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/149572: commit references a PR

The following reply was made to PR kern/149572; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/149572: commit references a PR
Date: Tue, 28 Sep 2010 23:23:28 +0000 (UTC)

Author: luigi
Date: Tue Sep 28 23:23:23 2010
New Revision: 213254
URL: http://svn.freebsd.org/changeset/base/213254

Log:
  fix breakage in in-kernel NAT: the code did not honor
  net.inet.ip.fw.one_pass and always moved to the next rule
  in case of a successful nat.
  This should fix several related PR (waiting for feedback
  before closing them)

  PR: 145167 149572 150141
  MFC after: 3 days

Modified:
  head/sys/netinet/ipfw/ip_fw_pfil.c

Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_pfil.c Tue Sep 28 22:46:13 2010 (r213253) +++ head/sys/netinet/ipfw/ip_fw_pfil.c Tue Sep 28 23:23:23 2010 (r213254)
@@ -231,6 +231,11 @@ again: break; case IP_FW_NAT: + /* honor one-pass in case of successful nat */ + if (V_fw_one_pass) + break; /* ret is already 0 */ + goto again; + case IP_FW_REASS: goto again; /* continue with packet */

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 28 23:30:10 2010
Date: Tue, 28 Sep 2010 23:30:10 GMT
From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/150141: commit references a PR

The following reply was made to PR kern/150141; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/150141: commit references a PR
Date: Tue, 28 Sep 2010 23:23:29 +0000 (UTC)

Author: luigi
Date: Tue Sep 28 23:23:23 2010
New Revision: 213254
URL: http://svn.freebsd.org/changeset/base/213254

Log:
  fix breakage in in-kernel NAT: the code did not honor
  net.inet.ip.fw.one_pass and always moved to the next rule
  in case of a successful nat.
  This should fix several related PR (waiting for feedback
  before closing them)

  PR: 145167 149572 150141
  MFC after: 3 days

Modified:
  head/sys/netinet/ipfw/ip_fw_pfil.c

Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_pfil.c Tue Sep 28 22:46:13 2010 (r213253) +++ head/sys/netinet/ipfw/ip_fw_pfil.c Tue Sep 28 23:23:23 2010 (r213254)
@@ -231,6 +231,11 @@ again: break; case IP_FW_NAT: + /* honor one-pass in case of successful nat */ + if (V_fw_one_pass) + break; /* ret is already 0 */ + goto again; + case IP_FW_REASS: goto again; /* continue with packet */

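Review bot: the new `break` under `case IP_FW_NAT:` ends rule processing and accepts the packet as soon as NAT succeeds whenever V_fw_one_pass is set, so any filtering rules placed after a nat rule no longer see the translated packet. Rulesets written against the old behaviour described in the log ("always moved to the next rule") may depend on that later filtering, so this is a policy-visible change that should be called out in the log and in the ipfw(8) text for one_pass before the 3-day MFC. Separately, `/* ret is already 0 */` relies on an assignment that is not in the visible lines; setting `ret = 0;` explicitly before the `break`, or asserting it, would make the accept path self-evident and robust if the code above `again:` changes.
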
From: Николай Дмуха
To: freebsd-ipfw@freebsd.org
Subject: Strange behavior of packet scheduling in ipfw3
X-List-Received-Date: Fri, 01 Oct 2010 09:47:08 -0000

Hello!

The system is:
FreeBSD mysystem 8.0-STABLE-201005 FreeBSD 8.0-STABLE-201005 #0: Wed Jul 28 12:04:29 MSD 2010 root@mysystem:/usr/src/sys/amd64/compile/MYKERNEL amd64

There is the "ipfw3" firewall from Luigi Rizzo with packet scheduling.
Part of the firewall config (the tariff with 1Mbit/s speed, for example) is
below (the rules for other speeds are the same):

$IPFW pipe 11 config bw 1040Kbit/s mask dst-ip 0xffffffff
$IPFW pipe 12 config bw 1040Kbit/s mask src-ip 0xffffffff

########pipe 11
$IPFW sched 11 config type QFQ mask dst-ip 0xffffff00
$IPFW queue 111 config sched 11 weight 10
$IPFW queue 112 config sched 11 weight 8
$IPFW queue 113 config sched 11 weight 4
$IPFW queue 114 config sched 11 weight 1
$IPFW add queue 111 ip from any to table\(10\) via igb0 out proto udp src-port 5060
$IPFW add queue 112 ip from any to table\(10\) via igb0 out proto tcp src-port 80,443,8080
$IPFW add queue 113 ip from any to table\(10\) via igb0 out proto tcp src-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
$IPFW add queue 113 ip from any to table\(10\) via igb0 out proto icmp
$IPFW add queue 114 ip from any to table\(10\) via igb0 out
$IPFW add queue 111 ip from any to table\(10\) via igb2 out proto udp src-port 5060
$IPFW add queue 112 ip from any to table\(10\) via igb2 out proto tcp src-port 80,443,8080
$IPFW add queue 113 ip from any to table\(10\) via igb2 out proto tcp src-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
$IPFW add queue 113 ip from any to table\(10\) via igb2 out proto icmp
$IPFW add queue 114 ip from any to table\(10\) via igb2 out

########pipe 12
$IPFW sched 12 config type QFQ mask src-ip 0xffffff00
$IPFW queue 121 config sched 12 weight 10
$IPFW queue 122 config sched 12 weight 8
$IPFW queue 123 config sched 12 weight 4
$IPFW queue 124 config sched 12 weight 1
$IPFW add queue 1210 ip from table\(11\) to any via igb1 out proto udp dst-port 5060
$IPFW add queue 122 ip from table\(11\) to any via igb1 out proto tcp dst-port 80,443,8080
$IPFW add queue 123 ip from table\(11\) to any via igb1 out proto tcp dst-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
$IPFW add queue 123 ip from table\(11\) to any via igb1 out proto icmp
$IPFW add queue 124 ip from table\(11\) to any via igb1 out
$IPFW add queue 121 ip from table\(11\) to any via igb3 out proto udp dst-port 5060
$IPFW add queue 122 ip from table\(11\) to any via igb3 out proto tcp dst-port 80,443,8080
$IPFW add queue 123 ip from table\(11\) to any via igb3 out proto tcp dst-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
$IPFW add queue 123 ip from table\(11\) to any via igb3 out proto icmp
$IPFW add queue 124 ip from table\(11\) to any via igb3 out

First, we tested the firewall ourselves. We had no bad results or problems,
or maybe we did not see them in our synthetic tests. After that we put this
firewall into production. A few months later we received a message from a
subscriber with a speed of 1Mbit/s. He had problems with an online game (a big
answer delay from the server). We spent a lot of time solving this problem.
Finally we solved it. The reason was the packet scheduling:
1. we tried giving the subscriber another channel (4Mbit/s) with packet
scheduling - there were no such problems;
2. we tried to "turn off" the packet scheduling on the 1Mbit channel - there
were no such problems.

The utilization of the subscriber's channel was always 0.4Mbit/s. But the
traffic from this subscriber was still going under the packet scheduling rules.
That's very strange because:
1. net.inet.ip.dummynet.io_fast=1;
2. the subscriber's channel utilization is 0.4Mbit/s.

As far as I know, with this option, with this firewall config and with this
channel utilization (0.4Mbit/s), traffic should bypass the pipe without packet
scheduling. Why doesn't the subscriber's traffic, with all these conditions,
bypass the pipe without any delays? Why was his traffic under the packet
scheduling rules?

Thanks.
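
A consistency check for dummynet rule files laid out like the one in the message above, as an added example that is not part of the original post or of ipfw itself: it flags `add queue` / `add pipe` rules that name an object no `config` line creates, queues whose parent scheduler or pipe is never configured, and queues that no rule uses. The `lint` function and its finding names are illustrative; the sample input is a constructed, shortened excerpt that keeps the post's object numbers and interfaces.

```python
import re

# Constructed sample: shortened excerpt of the posted layout (same object
# numbers and interfaces, most per-port rules left out).
SAMPLE = r"""
$IPFW pipe 11 config bw 1040Kbit/s mask dst-ip 0xffffffff
$IPFW pipe 12 config bw 1040Kbit/s mask src-ip 0xffffffff
$IPFW sched 11 config type QFQ mask dst-ip 0xffffff00
$IPFW queue 111 config sched 11 weight 10
$IPFW queue 114 config sched 11 weight 1
$IPFW add queue 111 ip from any to table\(10\) via igb0 out proto udp src-port 5060
$IPFW add queue 114 ip from any to table\(10\) via igb0 out
$IPFW sched 12 config type QFQ mask src-ip 0xffffff00
$IPFW queue 121 config sched 12 weight 10
$IPFW queue 124 config sched 12 weight 1
$IPFW add queue 1210 ip from table\(11\) to any via igb1 out proto udp dst-port 5060
$IPFW add queue 124 ip from table\(11\) to any via igb1 out
$IPFW add queue 121 ip from table\(11\) to any via igb3 out proto udp dst-port 5060
$IPFW add queue 124 ip from table\(11\) to any via igb3 out
"""

# "<cmd> pipe|sched|queue N config ..." creates or configures object N.
DEF_RE = re.compile(r"^\S+\s+(pipe|sched|queue)\s+(\d+)\s+config\b(.*)$")
# "<cmd> add [number] ... pipe|queue N ..." is a rule that sends packets to N.
RULE_RE = re.compile(r"^\S+\s+add\b.*?\b(pipe|queue)\s+(\d+)\b")
# Parent named on a queue's config line.
PARENT_RE = re.compile(r"\b(sched|pipe)\s+(\d+)\b")


def lint(text):
    """Return sorted findings as (kind, object_type, number, line_number)."""
    defined = {"pipe": {}, "sched": {}, "queue": {}}
    parents = {}  # queue number -> (parent number, line of the queue config)
    refs = []     # (object type, number, line) for every rule target
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEF_RE.match(line)
        if m:
            kind, num = m.group(1), int(m.group(2))
            defined[kind][num] = lineno
            parent = PARENT_RE.search(m.group(3)) if kind == "queue" else None
            if parent:
                parents[num] = (int(parent.group(2)), lineno)
            continue
        m = RULE_RE.match(line)
        if m:
            refs.append((m.group(1), int(m.group(2)), lineno))

    findings = []
    for kind, num, lineno in refs:
        if num not in defined[kind]:
            findings.append(("undefined", kind, num, lineno))
    for queue, (pnum, lineno) in parents.items():
        # Assumption: a configured pipe N is accepted as a parent as well as
        # a configured sched N.
        if pnum not in defined["sched"] and pnum not in defined["pipe"]:
            findings.append(("dangling-parent", "queue", queue, lineno))
    used = {num for kind, num, _ in refs if kind == "queue"}
    for queue, lineno in defined["queue"].items():
        if queue not in used:
            findings.append(("unused", "queue", queue, lineno))
    return sorted(findings, key=lambda f: f[3])


if __name__ == "__main__":
    for kind, obj, num, lineno in lint(SAMPLE):
        print(f"line {lineno}: {kind} {obj} {num}")
```

Run against a full rule file, a check like this is cheap to put in front of a production reload, since a mistyped object number otherwise only shows up as misclassified traffic.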