From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 10 14:20:39 2012
Return-Path:
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 73527106564A; Sun, 10 Jun 2012 14:20:39 +0000 (UTC) (envelope-from melifaro@FreeBSD.org)
Received: from mail.ipfw.ru (unknown [IPv6:2a01:4f8:120:6141::2]) by mx1.freebsd.org (Postfix) with ESMTP id A514A8FC15; Sun, 10 Jun 2012 14:20:38 +0000 (UTC)
Received: from v6.mpls.in ([2a02:978:2::5] helo=ws.su29.net) by mail.ipfw.ru with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76 (FreeBSD)) (envelope-from ) id 1Sdj0Y-0002Wb-CC; Sun, 10 Jun 2012 18:20:46 +0400
Message-ID: <4FD4AD29.3040204@FreeBSD.org>
Date: Sun, 10 Jun 2012 18:20:25 +0400
From: "Alexander V. Chernikov"
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:9.0) Gecko/20120121 Thunderbird/9.0
MIME-Version: 1.0
To: Hiroki Sato
References: <4F96D11B.2060007@FreeBSD.org> <20120425.020518.406495893112283552.hrs@allbsd.org> <4F96E71B.9020405@FreeBSD.org> <20120427.084414.1142593201575277510.hrs@allbsd.org>
In-Reply-To: <20120427.084414.1142593201575277510.hrs@allbsd.org>
Content-Type: multipart/mixed; boundary="------------070804010107020305000604"
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: CFR: ipfw0 pseudo-interface clonable
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 10 Jun 2012 14:20:39 -0000

This is a multi-part message in MIME format.
--------------070804010107020305000604
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

On 27.04.2012 03:44, Hiroki Sato wrote:
> "Alexander V. Chernikov" wrote
>   in <4F96E71B.9020405@FreeBSD.org>:
>
> me> On 24.04.2012 21:05, Hiroki Sato wrote:
> me> > "Alexander V. Chernikov" wrote
> me> >   in <4F96D11B.2060007@FreeBSD.org>:
> me> >
> me> > me> On 24.04.2012 19:26, Hiroki Sato wrote:
> me> > me> > Any objection to commit this patch? The primary motivation for this
> me> > me> > change is that the presence of the interface by default increases the
> me> > me> > size of the interface list, which is returned by the NET_RT_IFLIST
> me> > me> > sysctl even when the sysadmin does not need it. Also this
> me> > me> > pseudo-interface can confuse the sysadmin and/or network-related
> me> > me> > userland utilities like an SNMP agent. With this patch, one can use
> me> > me> > ifconfig(8) to create/destroy the pseudo-interface as necessary.
> me> > me>
> me> > me> ipfw_log() log_if usage is not protected, so it is possible to
> me> > me> trigger a use-after-free.
> me> >
> me> > Ah, right. I will revise lock handling and resubmit the patch.
> me> >
> me> > me> Maybe it is better to have some interface flag which makes
> me> > me> NET_RT_IFLIST skip a given interface?
> me> >
> me> > I do not think so. NET_RT_IFLIST should be able to list all of the
> me> > interfaces because that is its purpose.
> me> Okay, another try (AFAIR already discussed somewhere):
> me> Do we really need all BPF providers to have ifnets?
> me> It seems that removing all bp_bif dependencies from the BPF code is not
> me> such a hard task.
>
> Hmm, I cannot imagine how to decouple ifnet from the bpf code because
> bpf heavily depends on it in its API (you probably know better than
> me). Do you have any specific idea?

Proof-of-concept patch attached.

Unfortunately, there are problems with this approach, too. pcap_findalldevs() uses a method external to BPF (possibly NET_RT_IFLIST), so programs relying on that function to show some kind of combo box (like Wireshark) with all possible variants won't allow the user to specify such an interface. Additionally, tcpdump assumes that the passed interface name is real and warns us that SIOCGIFADDR returns an error.

>
> -- Hiroki

--------------070804010107020305000604
Content-Type: text/plain; name="bpf_fake.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="bpf_fake.diff"

diff --git a/sys/net/bpf.c b/sys/net/bpf.c index 6bff58e..d8ecc02 100644 --- a/sys/net/bpf.c +++ b/sys/net/bpf.c @@ -654,7 +654,7 @@ bpf_attachd(struct bpf_d *d, struct bpf_if *bp) CTR3(KTR_NET, "%s: bpf_attach called by pid %d, adding to %s list", __func__, d->bd_pid, d->bd_writer ? "writer" : "active"); - if (op_w == 0) + if ((op_w == 0) && (bp->bif_ifp != NULL)) EVENTHANDLER_INVOKE(bpf_track, bp->bif_ifp, bp->bif_dlt, 1); }
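Review bot: the new `bp->bif_ifp != NULL` guard in bpf_attachd silently drops the bpf_track event for fake interfaces, so any subscriber of that handler never learns that a listener attached to ipfw0. That is probably the right call (there is no ifnet to report), but it should be stated in a one-line comment at the guard, since the same asymmetry is repeated in bpf_upgraded and bpf_detachd_locked below and a reader has to infer the intent three times.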
@@ -696,7 +696,8 @@ bpf_upgraded(struct bpf_d *d) CTR2(KTR_NET, "%s: upgrade required by pid %d", __func__, d->bd_pid); - EVENTHANDLER_INVOKE(bpf_track, bp->bif_ifp, bp->bif_dlt, 1); + if (bp->bif_ifp != NULL) + EVENTHANDLER_INVOKE(bpf_track, bp->bif_ifp, bp->bif_dlt, 1); } /* @@ -744,14 +745,14 @@ bpf_detachd_locked(struct bpf_d *d) bpf_bpfd_cnt--; /* Call event handler iff d is attached */ - if (error == 0) + if ((error == 0) && (ifp != NULL)) EVENTHANDLER_INVOKE(bpf_track, ifp, bp->bif_dlt, 0); /* * Check if this descriptor had requested promiscuous mode. * If so, turn it off. */ - if (d->bd_promisc) { + if (d->bd_promisc && ifp != NULL) { d->bd_promisc = 0; CURVNET_SET(ifp->if_vnet); error = ifpromisc(ifp, 0); @@ -1034,7 +1035,10 @@ bpfwrite(struct cdev *dev, struct uio *uio, int ioflag) return (ENXIO); } - ifp = d->bd_bif->bif_ifp; + if ((ifp = d->bd_bif->bif_ifp) == NULL) { + d->bd_wdcount++; + return (ENXIO); + } if ((ifp->if_flags & IFF_UP) == 0) { d->bd_wdcount++; @@ -1266,8 +1270,10 @@ bpfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, if (d->bd_bif == NULL) error = EINVAL; else { - ifp = d->bd_bif->bif_ifp; - error = (*ifp->if_ioctl)(ifp, cmd, addr); + if ((ifp = d->bd_bif->bif_ifp) == NULL) + error = EINVAL; + else + error = (*ifp->if_ioctl)(ifp, cmd, addr); } break; } @@ -1322,6 +1328,13 @@ bpfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, error = EINVAL; break; } + + if (d->bd_bif->bif_ifp == NULL) { + /* Silently ignore fake interfaces */ + error = 0; + break; + } + if (d->bd_promisc == 0) { error = ifpromisc(d->bd_bif->bif_ifp, 1); if (error == 0) 
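Review bot: in the BIOCPROMISC case, returning `error = 0` for a fake interface reports success for something that did not happen, and because `d->bd_promisc` is left at 0 the `d->bd_promisc && ifp != NULL` guard added to bpf_detachd_locked in the same file can never fire for these descriptors. If the intent is to keep capture tools that request promiscuous mode by default working on ipfw0, the comment should say that instead of "Silently ignore fake interfaces"; if not, return EOPNOTSUPP so the caller can tell the difference. The bpfwrite hunk just above makes the opposite choice (ENXIO plus a bumped `bd_wdcount`) for a descriptor that bpf_attachd was happy to place on bif_wlist, so the two policies for "operation that makes no sense without an ifnet" should at least be consistent and documented.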
@@ -1398,8 +1411,13 @@ bpfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct ifnet *const ifp = d->bd_bif->bif_ifp; struct ifreq *const ifr = (struct ifreq *)addr; - strlcpy(ifr->ifr_name, ifp->if_xname, - sizeof(ifr->ifr_name)); + if (ifp == NULL) { + /* Fake interface */ + strlcpy(ifr->ifr_name, d->bd_bif->ifname, + sizeof(ifr->ifr_name)); + } else + strlcpy(ifr->ifr_name, ifp->if_xname, + sizeof(ifr->ifr_name)); } BPF_UNLOCK(); break; @@ -1844,10 +1862,19 @@ bpf_setif(struct bpf_d *d, struct ifreq *ifr) BPF_LOCK_ASSERT(); theywant = ifunit(ifr->ifr_name); - if (theywant == NULL || theywant->if_bpf == NULL) - return (ENXIO); + if (theywant == NULL || theywant->if_bpf == NULL) { + /* Check for fake interface existance */ + LIST_FOREACH(bp, &bpf_iflist, bif_next) { + if (bp->bif_ifp != NULL) + continue; + if (!strcmp(bp->ifname, ifr->ifr_name)) + break; + } - bp = theywant->if_bpf; + if (bp == NULL) + return (ENXIO); + } else + bp = theywant->if_bpf; /* Check if interface is not being detached from BPF */ BPFIF_RLOCK(bp); @@ -2072,7 +2099,8 @@ bpf_tap(struct bpf_if *bp, u_char *pkt, u_int pktlen) if (gottime < bpf_ts_quality(d->bd_tstamp)) gottime = bpf_gettime(&bt, d->bd_tstamp, NULL); #ifdef MAC - if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0) + if (bp->bif_ifp == NULL || + (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)) #endif catchpacket(d, pkt, pktlen, slen, bpf_append_bytes, &bt); @@ -2082,6 +2110,7 @@ bpf_tap(struct bpf_if *bp, u_char *pkt, u_int pktlen) BPFIF_RUNLOCK(bp); } +/* Note i CAN be NULL */ #define BPF_CHECK_DIRECTION(d, r, i) \ (((d)->bd_direction == BPF_D_IN && (r) != (i)) || \ ((d)->bd_direction == BPF_D_OUT && (r) == (i))) 
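Review bot: the fallback lookup in bpf_setif() compares with `strcmp(bp->ifname, ifr->ifr_name)`, but `ifr_name` is a fixed IFNAMSIZ buffer copied in from userland and nothing in this path guarantees it is NUL-terminated, so the comparison can read past the end of the field; bound it with `strncmp(bp->ifname, ifr->ifr_name, IFNAMSIZ)` or NUL-terminate the name in the BIOCSETIF handler before calling bpf_setif. A second point in the same hunk: the fake list is only consulted when `ifunit()` fails or the ifnet has no `if_bpf`, so a real interface that later appears with the same name (for example the clonable ipfw0 this thread started with) silently shadows the fake one; a comment stating that precedence, or a check in bpfattach3 that refuses a name ifunit() already knows, would make the behaviour explicit.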
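Review bot: the `/* Note i CAN be NULL */` comment documents the new case but the macro logic is wrong for it: with `i == NULL`, `BPF_D_IN` accepts only packets whose `r` is also NULL and `BPF_D_OUT` accepts only packets with a non-NULL `r`, so a direction filter on a fake interface degenerates into "does this mbuf have a receive interface at all", which is roughly the inverse of what a tool asking for inbound traffic expects. Direction has no meaning when there is no ifnet to compare against; make BPF_CHECK_DIRECTION (or its callers) accept every packet when `i == NULL` rather than annotating the case.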
@@ -2131,7 +2160,8 @@ bpf_mtap(struct bpf_if *bp, struct mbuf *m) if (gottime < bpf_ts_quality(d->bd_tstamp)) gottime = bpf_gettime(&bt, d->bd_tstamp, m); #ifdef MAC - if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0) + if ((bp->bif_ifp == NULL) || + (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)) #endif catchpacket(d, (u_char *)m, pktlen, slen, bpf_append_mbuf, &bt); @@ -2187,7 +2217,8 @@ bpf_mtap2(struct bpf_if *bp, void *data, u_int dlen, struct mbuf *m) if (gottime < bpf_ts_quality(d->bd_tstamp)) gottime = bpf_gettime(&bt, d->bd_tstamp, m); #ifdef MAC - if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0) + if ((bp->bif_ifp == NULL) || + (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)) #endif catchpacket(d, (u_char *)&mb, pktlen, slen, bpf_append_mbuf, &bt); 
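Review bot: `bp->bif_ifp == NULL ||` short-circuits mac_bpfdesc_check_receive() in bpf_mtap and bpf_mtap2 here, and in bpf_tap in the hunk above, so with MAC compiled in a descriptor bound to a fake interface receives every packet with no policy check at all, while the same descriptor bound to a real interface would be subject to the policy's decision. Since ipfw0 carries copies of packets from every real interface, this is a per-interface BPF policy bypass for MAC configurations that rely on that hook. Either give fake bpf_if entries something the policies can evaluate, or add a MAC entry point that takes only the descriptor; at minimum the three sites need a comment explaining why the check is skipped rather than a bare `NULL ||`.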
@@ -2481,6 +2512,44 @@ bpfattach2(struct ifnet *ifp, u_int dlt, u_int hdrlen, struct bpf_if **driverp) } /* + * Attach fake interface to bpf. ifname is interface name to be attached, + * dlt is the link layer type, and hdrlen is the fixed size of the link header + * (variable length headers are not yet supporrted). + */ +void +bpfattach3(char *ifname, u_int dlt, u_int hdrlen, struct bpf_if **driverp) +{ + struct bpf_if *bp; + int len; + + len = strlen(ifname) + 1; + + /* Assume bpf_if to be properly aligned */ + bp = malloc(sizeof(*bp) + len, M_BPF, M_NOWAIT | M_ZERO); + if (bp == NULL) + panic("bpfattach"); + + LIST_INIT(&bp->bif_dlist); + LIST_INIT(&bp->bif_wlist); + bp->ifname = (char *)(bp + 1); + strlcpy(bp->ifname, ifname, len); + bp->bif_dlt = dlt; + rw_init(&bp->bif_lock, "bpf interface lock"); + KASSERT(*driverp == NULL, ("bpfattach3: driverp already initialized")); + *driverp = bp; + + BPF_LOCK(); + LIST_INSERT_HEAD(&bpf_iflist, bp, bif_next); + BPF_UNLOCK(); + + bp->bif_hdrlen = hdrlen; + + if (bootverbose) + printf("%s: bpf attached\n", bp->ifname); +} + + +/* * Detach bpf from an interface. This involves detaching each descriptor * associated with the interface. Notify each descriptor as it's detached * so that any sleepers wake up and get ENXIO. 
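Review bot: bpfattach3() accepts a `char *ifname` of unbounded length, but the name is later copied into `ifr_name` (IFNAMSIZ bytes) by BIOCGETIF and compared against `ifr_name` by bpf_setif(), so a name of IFNAMSIZ or more characters can be attached but never selected or reported correctly; add a check or KASSERT that `len <= IFNAMSIZ`, and make the parameter `const char *` since the function only reads it. Smaller points in the same hunk: `panic("bpfattach")` should name bpfattach3 so a crash is not confused with bpfattach2; `M_NOWAIT` followed by panic on failure is copied from bpfattach2 but is unnecessary if the caller can sleep, where `M_WAITOK` would remove the panic entirely; and "supporrted" in the block comment.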
@@ -2543,6 +2612,67 @@ bpfdetach(struct ifnet *ifp) } /* + * Detach bpf from the fake interface. This involves detaching each descriptor + * associated with the interface. Notify each descriptor as it's detached + * so that any sleepers wake up and get ENXIO. + */ +void +bpfdetach3(char *ifname) +{ + struct bpf_if *bp; + struct bpf_d *d; +#ifdef INVARIANTS + int ndetached; + + ndetached = 0; +#endif + + BPF_LOCK(); + /* Find all bpf_if struct's which reference ifp and detach them. */ + do { + LIST_FOREACH(bp, &bpf_iflist, bif_next) { + if (bp->bif_ifp != NULL) + continue; + if (!strcmp(bp->ifname, ifname)) + break; + } + if (bp != NULL) + LIST_REMOVE(bp, bif_next); + + if (bp != NULL) { +#ifdef INVARIANTS + ndetached++; +#endif + while ((d = LIST_FIRST(&bp->bif_dlist)) != NULL) { + bpf_detachd_locked(d); + BPFD_LOCK(d); + bpf_wakeup(d); + BPFD_UNLOCK(d); + } + /* Free writer-only descriptors */ + while ((d = LIST_FIRST(&bp->bif_wlist)) != NULL) { + bpf_detachd_locked(d); + BPFD_LOCK(d); + bpf_wakeup(d); + BPFD_UNLOCK(d); + } + + /* + * Since this interface is fake we can free our + * structure immediately. + */ + rw_destroy(&bp->bif_lock); + free(bp, M_BPF); + } + } while (bp != NULL); + BPF_UNLOCK(); + +#ifdef INVARIANTS + if (ndetached == 0) + printf("bpfdetach: %s was not attached\n", ifname); +#endif +} +/* * Interface departure handler. * Note departure event does not guarantee interface is going down. */ @@ -2591,6 +2721,9 @@ bpf_getdltlist(struct bpf_d *d, struct bpf_dltlist *bfl) LIST_FOREACH(bp, &bpf_iflist, bif_next) { if (bp->bif_ifp != ifp) continue; + /* Compare fake interfaces by name */ + if (ifp == NULL && strcmp(d->bd_bif->ifname, bp->ifname)) + continue; if (bfl->bfl_list != NULL) { if (n >= bfl->bfl_len) return (ENOMEM); 
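Review bot: bpfdetach3() releases the bpf_if immediately (`rw_destroy(&bp->bif_lock); free(bp, M_BPF);`) under BPF_LOCK, but the tap path (bpf_mtap2 via the IPFW_MTAP macro in ip_fw_log.c) only takes BPFIF_RLOCK(bp) and never BPF_LOCK, so a CPU that has already loaded the `log_bpfif` pointer and is inside bpf_mtap2 when the detach runs will lock and read freed memory. The justification "Since this interface is fake we can free our structure immediately" has it backwards: a real interface gets an interface-departure handler (the comment right after this hunk) to defer the free past any in-flight readers, and a fake one has no such second step. Either mark the bpf_if dying and defer the free until readers are known to be gone, as bpfdetach does for real interfaces, or require callers to clear and drain their pointer before calling bpfdetach3. Minor: the comment "Find all bpf_if struct's which reference ifp" was copied from bpfdetach and there is no ifp here, and the `strcmp` on the name should be bounded the same way as in bpf_setif.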
@@ -2620,7 +2753,13 @@ bpf_setdlt(struct bpf_d *d, u_int dlt) ifp = d->bd_bif->bif_ifp; LIST_FOREACH(bp, &bpf_iflist, bif_next) { - if (bp->bif_ifp == ifp && bp->bif_dlt == dlt) + if (bp->bif_ifp != ifp) + continue; + + if (ifp == NULL && strcmp(d->bd_bif->ifname, bp->ifname)) + continue; + + if (bp->bif_dlt == dlt) break; } @@ -2715,8 +2854,10 @@ bpfstats_fill_xbpf(struct xbpf_d *d, struct bpf_d *bd) d->bd_hlen = bd->bd_hlen; d->bd_bufsize = bd->bd_bufsize; d->bd_pid = bd->bd_pid; - strlcpy(d->bd_ifname, - bd->bd_bif->bif_ifp->if_xname, IFNAMSIZ); + if (bd->bd_bif->bif_ifp != NULL) + strlcpy(d->bd_ifname, bd->bd_bif->bif_ifp->if_xname, IFNAMSIZ); + else + strlcpy(d->bd_ifname, bd->bd_bif->ifname, IFNAMSIZ); d->bd_locked = bd->bd_locked; d->bd_wcount = bd->bd_wcount; d->bd_wdcount = bd->bd_wdcount; diff --git a/sys/net/bpf.h b/sys/net/bpf.h index ba2b8ce..808e8a7 100644 --- a/sys/net/bpf.h +++ b/sys/net/bpf.h @@ -1226,6 +1226,7 @@ struct bpf_if { struct rwlock bif_lock; /* interface lock */ LIST_HEAD(, bpf_d) bif_wlist; /* writer-only list */ int flags; /* Interface flags */ + char *ifname; /* Fake interface name */ #endif }; @@ -1236,7 +1237,9 @@ void bpf_mtap(struct bpf_if *, struct mbuf *); void bpf_mtap2(struct bpf_if *, void *, u_int, struct mbuf *); void bpfattach(struct ifnet *, u_int, u_int); void bpfattach2(struct ifnet *, u_int, u_int, struct bpf_if **); +void bpfattach3(char *, u_int, u_int, struct bpf_if **); void bpfdetach(struct ifnet *); +void bpfdetach3(char *); void bpfilterattach(int); u_int bpf_filter(const struct bpf_insn *, u_char *, u_int, u_int); diff --git a/sys/netinet/ipfw/ip_fw_log.c b/sys/netinet/ipfw/ip_fw_log.c index 983fe3b..e1eb817 100644 --- a/sys/netinet/ipfw/ip_fw_log.c +++ b/sys/netinet/ipfw/ip_fw_log.c 
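Review bot: the new prototypes `bpfattach3(char *, ...)` and `bpfdetach3(char *)` should take `const char *`, since the only caller passes the string literal BPF_IFNAME and neither function modifies the name; and the names say nothing about what distinguishes them from bpfattach2 (no ifnet at all), so something like bpfattach_byname/bpfdetach_byname, or at least a comment next to the prototypes, would help readers of bpf.h. The `char *ifname` member added to struct bpf_if also deserves a note that it is NULL for real interfaces, because bpf_getdltlist and bpf_setdlt now dereference it only after checking `ifp == NULL` and a future caller may not.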
@@ -89,64 +89,28 @@ ipfw_log_bpf(int onoff) { } #else /* !WITHOUT_BPF */ -static struct ifnet *log_if; /* hook to attach to bpf */ - -/* we use this dummy function for all ifnet callbacks */ -static int -log_dummy(struct ifnet *ifp, u_long cmd, caddr_t addr) -{ - return EINVAL; -} - -static int -ipfw_log_output(struct ifnet *ifp, struct mbuf *m, - struct sockaddr *dst, struct route *ro) -{ - if (m != NULL) - m_freem(m); - return EINVAL; -} - -static void -ipfw_log_start(struct ifnet* ifp) -{ - panic("ipfw_log_start() must not be called"); -} +static struct bpf_if *log_bpfif = NULL; /* hook to attach to bpf */ +#define BPF_IFNAME "ipfw0" +#define IPFW_MTAP(_if_bpf,_data,_dlen,_m) do { \ + if (bpf_peers_present(_if_bpf)) { \ + M_ASSERTVALID(_m); \ + bpf_mtap2((_if_bpf),(_data),(_dlen),(_m)); \ + } \ +} while (0) static const u_char ipfwbroadcastaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - void ipfw_log_bpf(int onoff) { - struct ifnet *ifp; - if (onoff) { - if (log_if) - return; - ifp = if_alloc(IFT_ETHER); - if (ifp == NULL) + if (log_bpfif) return; - if_initname(ifp, "ipfw", 0); - ifp->if_mtu = 65536; - ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; - ifp->if_init = (void *)log_dummy; - ifp->if_ioctl = log_dummy; - ifp->if_start = ipfw_log_start; - ifp->if_output = ipfw_log_output; - ifp->if_addrlen = 6; - ifp->if_hdrlen = 14; - if_attach(ifp); - ifp->if_broadcastaddr = ipfwbroadcastaddr; - ifp->if_baudrate = IF_Mbps(10); - bpfattach(ifp, DLT_EN10MB, 14); - log_if = ifp; + bpfattach3(BPF_IFNAME, DLT_EN10MB, 14, &log_bpfif); } else { - if (log_if) { - ether_ifdetach(log_if); - if_free(log_if); - } - log_if = NULL; + if (log_bpfif != NULL) + bpfdetach3(BPF_IFNAME); + log_bpfif = NULL; } } #endif /* !WITHOUT_BPF */ 
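Review bot: in the `else` branch, `bpfdetach3(BPF_IFNAME)` runs before `log_bpfif = NULL`, and ipfw_log() tests `log_bpfif` with no lock at all, so a concurrent ipfw_log() can read a pointer whose target bpfdetach3() has just freed; this is the same unprotected log_if use-after-free raised against the original patch earlier in the thread, now moved to log_bpfif. Clear the pointer first, then make sure no in-flight ipfw_log() can still be using the old value before the bpf_if is released (or keep the bpf_if alive until that is guaranteed). Separately, a comment on IPFW_MTAP saying it exists because it takes a bpf_if rather than an ifnet, unlike BPF_MTAP2, would stop the next reader from "simplifying" it back.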
@@ -167,16 +131,16 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, if (V_fw_verbose == 0) { #ifndef WITHOUT_BPF - if (log_if == NULL || log_if->if_bpf == NULL) + if (log_bpfif == NULL) return; if (args->eh) /* layer2, use orig hdr */ - BPF_MTAP2(log_if, args->eh, ETHER_HDR_LEN, m); + IPFW_MTAP(log_bpfif, args->eh, ETHER_HDR_LEN, m); else /* Add fake header. Later we will store * more info in the header. */ - BPF_MTAP2(log_if, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m); + IPFW_MTAP(log_bpfif, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m); #endif /* !WITHOUT_BPF */ return; }

--------------070804010107020305000604--

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 11 11:07:26 2012
Return-Path:
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 21C601065688 for ; Mon, 11 Jun 2012 11:07:26 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0BA698FC14 for ; Mon, 11 Jun 2012 11:07:26 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q5BB7P9l053335 for ; Mon, 11 Jun 2012 11:07:25 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q5BB7PTh053333 for freebsd-ipfw@FreeBSD.org; Mon, 11 Jun 2012 11:07:25 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 11 Jun 2012 11:07:25 GMT
Message-Id: <201206111107.q5BB7PTh053333@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Cc:
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 11 Jun 2012 11:07:26 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/167822  ipfw       [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
f kern/163873  ipfw       [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o bin/65961    ipfw       [ipfw] ipfw2 memory corruption inside add()
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

45 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 14 14:10:04 2012
Return-Path:
Delivered-To: freebsd-ipfw@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7E64B106566C for ; Thu, 14 Jun 2012 14:10:04 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 6442E8FC0A for ; Thu, 14 Jun 2012 14:10:04 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q5EEA4pC010415 for ; Thu, 14 Jun 2012 14:10:04 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q5EEA4KK010413; Thu, 14 Jun 2012 14:10:04 GMT (envelope-from gnats)
Date: Thu, 14 Jun 2012 14:10:04 GMT
Message-Id: <201206141410.q5EEA4KK010413@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Alter
Cc:
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Alter
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 14 Jun 2012 14:10:04 -0000

The following reply was made to PR kern/156770; it has been noted by GNATS.
From: Alter
To: bug-followup@FreeBSD.org, Alter
Cc:
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
Date: Thu, 14 Jun 2012 17:11:18 +0200

Hello bug-followup,

I've made a unified diff for this patch:
http://alter.org.ua/soft/fbsd/ipfw/ipfw.72.20120614u.patch.gz

About porting: it seems I'll port it to 8.x soon.

Also, there were some discussions about various features of this patch and dividing it into separate patches (one for each feature). What I can do almost immediately is make a single patch with some subset of the new features, even with some additional sysctls or #define's (to enable/disable a feature). I just need to know the final decision and feature list.

--
Best regards,
Alter                          mailto:alter@alter.org.ua

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 15 12:40:03 2012
Return-Path:
Delivered-To: freebsd-ipfw@hub.freebsd.org
Received: from mx1.freebsd.org (unknown [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7D6E106566C for ; Fri, 15 Jun 2012 12:40:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id AB76B8FC0A for ; Fri, 15 Jun 2012 12:40:03 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q5FCe3Uf024403 for ; Fri, 15 Jun 2012 12:40:03 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q5FCe3tc024402; Fri, 15 Jun 2012 12:40:03 GMT (envelope-from gnats)
Date: Fri, 15 Jun 2012 12:40:03 GMT
Message-Id: <201206151240.q5FCe3tc024402@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: "Alexander V. Chernikov"
Cc:
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "Alexander V. Chernikov"
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 15 Jun 2012 12:40:03 -0000

The following reply was made to PR kern/156770; it has been noted by GNATS.

From: "Alexander V. Chernikov"
To: bug-followup@FreeBSD.org, alter@alter.org.ua
Cc:
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
Date: Fri, 15 Jun 2012 16:35:56 +0400

Hello Alexandr!

I'm afraid a single huge patch for a legacy release is not a promising start. Since the development model assumes new code is committed to -current first, you should probably port these features to -current (it does not differ from 8-STABLE much).

It is also much easier to discuss/import features in small chunks instead of a single huge change, so splitting every feature into a separate diff is possibly a good thing to do.

Please note that some of the functionality (skipto tablearg, interface tables) is already implemented in a different way.

Personally, the index table for fast skipto/pipes, mapped tables and the io_fast patch look very promising to me, so we can discuss them directly if you're interested.