From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 11 16:15:36 2010
Date: Sun, 11 Apr 2010 08:57:28 -0700 (PDT)
From: Tim Gustafson
To: freebsd-ipfw@freebsd.org
Subject: Problems with ipfw in FreeBSD 8.0 / amd64

Hi,

After a build/update to RELENG_8, I'm getting this as the last rule from
"ipfw list"

00000 ip from any to any

And then I get these through syslog:

ipfw: ouch!, skip past end of rules, denying packet

The box then becomes unavailable over TCP.

I know that there is some development work going on to clean up ipfw;
that's fine. My question is does anyone know if this is a problem in
RELENG_8_0_0_RELEASE as well? Should I change my csup tag to
RELENG_8_0_0_RELEASE and then do another build/install cycle to fix the
problem, or will the problem still be there?

Also, I know this is a volunteer effort so I have no right to be pushy, but is
there any ETR on this so that I can start tracking RELENG_8 again?

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 12 11:07:03 2010
Date: Mon, 12 Apr 2010 11:07:02 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw       [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

69 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 12 15:50:04 2010
Date: Mon, 12 Apr 2010 15:50:03 GMT
From: Ian Smith
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/132553: [ipfw] ipfw doesn't understand ftp-data port

The following reply was made to PR kern/132553; it has been noted by GNATS.

From: Ian Smith
To: bug-followup@FreeBSD.org
Cc: cwf-ml@arcor.de
Subject: Re: kern/132553: [ipfw] ipfw doesn't understand ftp-data port
Date: Tue, 13 Apr 2010 01:42:36 +1000 (EST)

 Cristoph, the need to escape '-' characters in service names should
 indeed be obvious and has been very well documented for many years.

      ports: {port | port-port}[,ports]
              For protocols which support port numbers (such as TCP and
              UDP), optional ports may be specified as one or more ports or
              port ranges, separated by commas but no spaces, and an
              optional not operator. The `-' notation specifies a range of
              ports (including boundaries).

              Service names (from /etc/services) may be used instead of
              numeric port values. The length of the port list is limited
              to 30 ports or ranges, though one can specify larger ranges by
              using an or-block in the options section of the rule.

              A backslash (`\') can be used to escape the dash (`-')
              character in a service name (from a shell, the backslash must
              be typed twice to avoid the shell itself interpreting it as an
              escape character).

                    ipfw add count tcp from any ftp\\-data-ftp to any

 That's pasted from ipfw(8) on 5.5-STABLE, because it was a) convenient,
 b) old enough and c) appears identically in the 9-CURRENT manual.

 In case still not obvious, without escaping '-' it will attempt parsing
 a range between two ports. 'ftp' is a valid port. 'data' is not, and
 -1 is a fair result; the error message seems not at all unreasonable.

 Actually, make it ~12 years: 2.2.6-RELEASE ipfw(8) had the same example
 line, as did some 4.x manuals I checked.

 Please help close solved PRs!

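[Added example, not part of the original thread and not ipfw's own code.] The escaping rule quoted above from ipfw(8) has two layers: the shell consumes one backslash, then the port-list parser uses the remaining one to tell a dash inside a service name from a range separator. This Python model follows the quoted grammar; the SERVICES table, the function names and the error strings are assumptions, and Python's shlex stands in for a POSIX shell.

```python
import shlex

# Constructed stand-in for /etc/services; only the names used below.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80}
MAX_ITEMS = 30  # list length limit stated in the quoted ipfw(8) text


def split_range(item):
    """Split one list item on unescaped '-'; a backslash makes the next char literal."""
    parts, cur, i = [], "", 0
    while i < len(item):
        if item[i] == "\\" and i + 1 < len(item):
            cur += item[i + 1]          # escaped char stays part of the name
            i += 2
        elif item[i] == "-":
            parts.append(cur)           # unescaped dash: range separator
            cur = ""
            i += 1
        else:
            cur += item[i]
            i += 1
    return parts + [cur]


def to_port(token):
    """Resolve a numeric port or a service name; reject anything else."""
    if token.isascii() and token.isdigit() and int(token) <= 65535:
        return int(token)
    if token in SERVICES:
        return SERVICES[token]
    raise ValueError(f"invalid port {token!r}")


def parse_ports(arg):
    """Parse a port list as the program receives it, after shell processing."""
    items = arg.split(",")
    if len(items) > MAX_ITEMS:
        raise ValueError("more than 30 ports or ranges")
    ranges = []
    for item in items:
        ends = split_range(item)
        if len(ends) > 2:
            raise ValueError(f"malformed range {item!r}")
        ranges.append((to_port(ends[0]), to_port(ends[-1])))
    return ranges


def shell_word(typed):
    """What an unquoted word typed at a POSIX shell becomes in argv."""
    return shlex.split(typed)[0]
```

Typed with a single backslash, the shell strips the escape and the parser sees `ftp-data-ftp`, which the model rejects; typed unescaped as `ftp-data`, it is read as a range from `ftp` to the unknown name `data`.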
From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 12 17:47:12 2010
Date: Mon, 12 Apr 2010 10:47:11 -0700
From: Freddie Cash
To: freebsd-ipfw@freebsd.org
Subject: Re: Problems with ipfw in FreeBSD 8.0 / amd64

On Sun, Apr 11, 2010 at 8:57 AM, Tim Gustafson wrote:

> After a build/update to RELENG_8, I'm getting this as the last rule from
> "ipfw list"
>
> 00000 ip from any to any
>
> And then I get these through syslog:
>
> ipfw: ouch!, skip past end of rules, denying packet
>
> The box then becomes unavailable over TCP.
>
> I know that there is some development work going on to clean up ipfw;
> that's fine. My question is does anyone know if this is a problem in
> RELENG_8_0_0_RELEASE as well? Should I change my csup tag to
> RELENG_8_0_0_RELEASE and then do another build/install cycle to fix the
> problem, or will the problem still be there?
>
> Also, I know this is a volunteer effort so I have no right to be pushy, but is
> there any ETR on this so that I can start tracking RELENG_8 again?
>

Use RELENG_8_0. That's the security branch for 8.0-RELEASE.

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 17 06:18:40 2010
Date: Sat, 17 Apr 2010 06:18:40 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/145733: [ipfw] [patch] ipfw flaws with ipv6 fragments

Old Synopsis: [patch] ipfw flaws with ipv6 fragments
New Synopsis: [ipfw] [patch] ipfw flaws with ipv6 fragments

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Apr 17 06:18:13 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=145733