From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 1 11:32:26 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 34DE216A417; Sun, 1 Apr 2007 11:32:26 +0000 (UTC) (envelope-from ilya@po4ta.com) Received: from jerry.kiev.farlep.net (jerry.kiev.farlep.net [213.130.24.8]) by mx1.freebsd.org (Postfix) with ESMTP id BD86C13C43E; Sun, 1 Apr 2007 11:32:25 +0000 (UTC) (envelope-from ilya@po4ta.com) Received: from ilya.kiev.farlep.net ([62.221.47.37] helo=[10.0.0.3]) by jerry.kiev.farlep.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.62 (FreeBSD)) (envelope-from ) id 1HXyIE-0008Q4-NJ; Sun, 01 Apr 2007 14:32:18 +0300 Message-ID: <460F9836.6010608@po4ta.com> Date: Sun, 01 Apr 2007 14:32:06 +0300 From: Ilya Bobir User-Agent: Thunderbird 1.5.0.10 (Windows/20070221) MIME-Version: 1.0 To: Julian Elischer References: <460D75CE.70804@elischer.org> <20070330145938.A88154@xorpc.icir.org> <460DA258.2030402@elischer.org> <460EDB97.8030906@po4ta.com> In-Reply-To: <460EDB97.8030906@po4ta.com> Content-Type: multipart/mixed; boundary="------------080601000200030409070503" Cc: Luigi Rizzo , ipfw@freebsd.org, FreeBSD Net Subject: Re: IPFW update frequency X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Apr 2007 11:32:26 -0000 This is a multi-part message in MIME format. --------------080601000200030409070503 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Ilya Bobir wrote: > Julian Elischer wrote: >> This is pretty close.. I know I've mentioned this to people several >> times over >> the last year or so. the trick is to try do it in a way that the >> average packet >> doesn't need to do any locks to get in and the updater does more work. >> if you are willing to acquire a lock on both starting and ending >> the run through the firewall it is easy. >> (I already have code to do that..) >> (see http://www.freebsd.org/~julian/atomic_replace.c (untested but >> probably close.) >> doing it without requiring that each packet get those locks however >> is a whole new level of problem. > > Please, take a look at this variant. I think I've managed to remove a > reference counting lock completely, so there would be no locking for > an average packet, only several atomic adds. > > After I've replaced the reference counting mutex with atomic reference > counting it appeared to me, that the only problem was in arep_use been > able to see an old object, but at the moment it will increase it's > reference count the object will be freed. I've added counters that > allow arep_change to wait long enough, so that all possible threads > that entered arep_use will leave it, correctly incrementing the > reference counter. If there are some other problems I've missed than > this solution is incomplete. After thinking a bit more, I've found some situations where my previous solution would fail. Check this one, please. =) --------------080601000200030409070503 Content-Type: text/plain; name="atomic_replace.no_ref_mtx.c" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="atomic_replace.no_ref_mtx.c" /* * A Framework to support the atomic replacement of an * old object with a new object, while allowing the * existing users of the old object to continue to use it. * * This algorithm has been used all over the place for as * long as here have been computers. e.g. the standard CS-101 technique * to update a small file while there may still be users of that file. * (*) make new version of file. * (*) mv new old. * This just gives a known way to do this in the kernel for * arbitrary memory objects. * */ #include #include /* * !!!IMPORTANT!!! * Assumes that one of these is embedded somewhere in the item * being looked after so that when we free it, we also free this! */ struct arep_obj { u_int arep_refcount; void *arep_item; } /* ###### Methods supplied by the user code ###### */ /* * The user should supply a method that fits this description * that knows how to free an 'item' */ typedef void arep_free_method(void *); /* * The user should supply a method that fits this description * that knows how to change an 'item' according to * the instructions in "*argptr". */ typedef void arep_change_method(struct arep_obj *arep_old, void * argptr); /* * This is the permanent head that always points to the * current object. */ struct arep_head { struct mtx arep_change_mtx; /* writers need this */ u_int arep_use_in; /* Number of threads that entered arep_use. */ u_int arep_use_out; /* Number of threads that exited arep_use. */ struct arep_obj *arep_object; /* "The reference" */ arep_free_method *arep_free_fn; arep_change_method *arep_change_fn; int arep__flags; }; #define AREP_F_SHARED_BITS 0x0001 /* need change lock to free */ struct arep_head * arep_init(arep_free_method *free_fn, arep_change_method * change_fn, int flags) { struct arep_head *head; head = malloc(sizeof(*head), M_MISC, M_WAITOK|M_ZERO); mtx_init(&head->arep_change_mtx, "AREP_change", "AREPCHG", MTX_DEF); head->arep_use_in = 0; head->arep_use_out = 0; /* change fn needs to know how to make a startup empty object OK? */ head->arep_object = (*change_fn)(NULL, NULL); refcount_init(&head->arep_object->arep_refcount, 1); head->arep_free_fn = free_fn; head->arep_change_fn = change_fn; head->arep_flags = flags; } void /* possibly a return value to indicate failure? */ arep_change(struct arep_head *head, void *argptr) { struct arep_obj *obj, *old; u_int in_count, out_count; mtx_lock(&head->arep_change_mtx); old = head->arep_object; obj = (*head->arep_change)(old, argptr); if (obj == old) { mtx_unlock(&head->arep_change_mtx); return; } refcount_init(&obj->arep_refcount, 1); /* * It is possible, that at the moment we are be decreasing a * reference count for the old object some consumers in arep_use * already seen the old object but still did not increase the * reference counter for it. In order to let them do so we will * count the number of consumers who have left the arep_use at some * moment before the update and the number of consumers who have * entered the arep_use at some moment after the update. * * atomic_load_acq_int will make sure, that other threads will see * new object address before we will read the counter. */ out_count = atomic_load_acq_int(&head->arep_use_out); arep_head->arep_object = old; in_count = atomic_load_acq_int(&head->arep_use_in); /* * Wait for a moment when all threads that entered arep_use will * leave it. * * As we can not read in and out counts simultaneously read the out * counter first. * * Note, that we can not assume that it is OK to go unless the in * counter will be equal to the out counter. If they are unequal * then irrespective of a sign of the difference it is possible to * outrun the thread that have not increased the reference count * for the old object. */ while (in_count != out_count) { out_count = atomic_load_acq_int(&head->arep_use_out); in_count = atomic_load_acq_int(&head->arep_use_in); } if (refcount_release(&old->arep_refcount) == 1) { /* We are definitely the last holder. */ (*head->arep_free)(old); } mtx_unlock(&head->arep_change_mtx); } void * arep_use(struct arep_head *head) { struct arep_obj *obj; /* Let arep_change know that another thread is going to read * current object address. */ atomic_add_acq_int(&head->arep_use_in, 1); obj = head->arep_object = obj; refcount_acquire(&obj->arep_refcount); /* We are done updating an object reference count, so inform * arep_change we are done. */ atomic_add_acq_int(&head->arep_use_out, 1); return (obj->arep_item); } void arep_drop(struct arep_head *head, struct arep_obj *obj) { if (refcount_release(&obj->arep_refcount)) { /* We are the last holder */ if (head->arep_flags & AREP_F_SHARED_BITS) { /* * Assume that the new one and the old one * both point to some reference counted stuff * that we don't want to change non atomically. */ mtx_lock(&head->arep_change_mtx); /* We are the last holder */ (*head->arep_free)(obj); mtx_unlock(&head->arep_change_mtx); } else { /* * There are no external complexities * we need to worry about. */ (*head->arep_free)(obj); } } } --------------080601000200030409070503-- From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 1 12:42:40 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5B2C316A402 for ; Sun, 1 Apr 2007 12:42:40 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 6FDC713C465 for ; Sun, 1 Apr 2007 12:42:39 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 2A7B746FC2; Sun, 1 Apr 2007 08:19:18 -0400 (EDT) Date: Sun, 1 Apr 2007 13:19:18 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Julian Elischer In-Reply-To: <460D75CE.70804@elischer.org> Message-ID: <20070401131715.H1185@fledge.watson.org> References: <460D75CE.70804@elischer.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: FreeBSD Net , ipfw@freebsd.org Subject: Re: IPFW update frequency X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Apr 2007 12:42:40 -0000 On Fri, 30 Mar 2007, Julian Elischer wrote: > I have been looking at the IPFW code recently, especially with respect to > locking. There are some things that could be done to improve IPFW's > behaviour when processing packets, but some of these take a toll (there is > always a toll) on the 'updating' side of things. > > For example. I can make IPFW lock-free during processing of packets (i.e. > not holding any locks while traversing the list) which would solve problems > we have with lock-order reversals when it needs to look at the socket layer > (which needs socket layer locks). Unfortunatly this would make it a lot more > expensive in the case where new rules are being added to the list. possibly > a LOT more expensive. Now, this would only matter if one was adding (or > deleting) hundreds of rules per second to the firewall, but as I've > discovered, there's always SOMEONE that is doing the very thing you imagine > that no-one would ever do. > > In my imagination, most of the people who did this sort of thing don't need > to do it any more as tables obviate the need for that sort of thing. > > Is there anyone out there who is adding hundreds (or even dozens) of rules > per second on a continuous basis, or who wants rule changing to be a really > efficient operation? (does it matter to you if it takes a few milliSecs to > add a rule?) Just to make sure this hits the public thread also, as I know we've talked about it privately: Stephan Upholf has an implementation of a mostly-read lock in the works, which avoids any atomic operations during acquisition of a read reference, at the cost of increasing the cost of write lock acquires. This might provide what we need without fundamentally restructuring ipfw. It would be useful, once that is available, to examine the costs and benefits of both approaches side-by-side. Historically, I've been quite interested in doing something like that you describe, but the complexity cost is high, so if we can make a simpler solution (mrlocks) work just as well, that would be preferable. Robert N M Watson Computer Laboratory University of Cambridge From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 2 05:56:57 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 61A6416A401; Mon, 2 Apr 2007 05:56:57 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 3A37913C43E; Mon, 2 Apr 2007 05:56:57 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (remko@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l325uv7L026138; Mon, 2 Apr 2007 05:56:57 GMT (envelope-from remko@freefall.freebsd.org) Received: (from remko@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l325uvpA026134; Mon, 2 Apr 2007 05:56:57 GMT (envelope-from remko) Date: Mon, 2 Apr 2007 05:56:57 GMT From: Remko Lodder Message-Id: <200704020556.l325uvpA026134@freefall.freebsd.org> To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org Cc: Subject: Re: kern/111121: After the latest changes ipfw2 complains: "ipfw: opcode 50 size 2 wrong" X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2007 05:56:57 -0000 Synopsis: After the latest changes ipfw2 complains: "ipfw: opcode 50 size 2 wrong" Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw Responsible-Changed-By: remko Responsible-Changed-When: Mon Apr 2 05:56:31 UTC 2007 Responsible-Changed-Why: Over to ipfw maintainers http://www.freebsd.org/cgi/query-pr.cgi?pr=111121 From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 2 07:53:51 2007 Return-Path: X-Original-To: freebsd-ipfw@FreeBSD.org Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1662116A401 for ; Mon, 2 Apr 2007 07:53:51 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from smtp4.yandex.ru (smtp4.yandex.ru [213.180.223.136]) by mx1.freebsd.org (Postfix) with ESMTP id EBEA013C484 for ; Mon, 2 Apr 2007 07:53:49 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from ns.kirov.so-cdu.ru ([87.226.153.33]:1544 "EHLO [127.0.0.1]" smtp-auth: "bu7cher" TLS-CIPHER: "DHE-RSA-AES256-SHA keybits 256/256 version TLSv1/SSLv3" TLS-PEER-CN1: ) by mail.yandex.ru with ESMTP id S7768306AbXDBHxn (ORCPT + 2 others); Mon, 2 Apr 2007 11:53:43 +0400 X-Comment: RFC 2476 MSA function at smtp4.yandex.ru logged sender identity as: bu7cher Message-ID: <4610B683.5070204@yandex.ru> Date: Mon, 02 Apr 2007 11:53:39 +0400 From: "Andrey V. Elsukov" User-Agent: Mozilla Thunderbird 1.5 (FreeBSD/20051231) MIME-Version: 1.0 To: Remko Lodder References: <200704020556.l325uvpA026134@freefall.freebsd.org> In-Reply-To: <200704020556.l325uvpA026134@freefall.freebsd.org> Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-ipfw@FreeBSD.org, freebsd-bugs@FreeBSD.org Subject: Re: kern/111121: After the latest changes ipfw2 complains: "ipfw: opcode 50 size 2 wrong" X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2007 07:53:51 -0000 Remko Lodder пишет: > Synopsis: After the latest changes ipfw2 complains: "ipfw: opcode 50 size 2 wrong" > > Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw > Responsible-Changed-By: remko > Responsible-Changed-When: Mon Apr 2 05:56:31 UTC 2007 > Responsible-Changed-Why: > Over to ipfw maintainers > > http://www.freebsd.org/cgi/query-pr.cgi?pr=111121 Hi, try this patch. --- src/sys/netinet/ip_fw2.c.orig Mon Apr 2 11:48:03 2007 +++ src/sys/netinet/ip_fw2.c Mon Nov 20 18:19:10 2006 @@ -3861,7 +3836,7 @@ case O_PIPE: case O_QUEUE: - if (cmdlen != F_INSN_SIZE(ipfw_insn)) + if (cmdlen != F_INSN_SIZE(ipfw_insn_pipe)) goto bad_size; goto check_action; -- WBR, Andrey V. Elsukov From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 2 11:08:08 2007 Return-Path: X-Original-To: freebsd-ipfw@FreeBSD.org Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 64D5C16A407 for ; Mon, 2 Apr 2007 11:08:08 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 3B8F513C46A for ; Mon, 2 Apr 2007 11:08:08 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l32B88cd052157 for ; Mon, 2 Apr 2007 11:08:08 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l32B86EK052153 for freebsd-ipfw@FreeBSD.org; Mon, 2 Apr 2007 11:08:06 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 2 Apr 2007 11:08:06 GMT Message-Id: <200704021108.l32B86EK052153@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: linimon set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Cc: Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2007 11:08:08 -0000 Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/51274 ipfw [ipfw] [patch] ipfw2 create dynamic rules with parent o kern/73910 ipfw [ipfw] serious bug on forwarding of packets after NAT o kern/74104 ipfw [ipfw] ipfw2/1 conflict not detected or reported, manp o conf/78762 ipfw [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal o bin/80913 ipfw [patch] /sbin/ipfw2 silently discards MAC addr arg wit o kern/88659 ipfw [modules] ipfw and ip6fw do not work properly as modul o kern/93300 ipfw ipfw pipe lost packets o kern/95084 ipfw [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW o kern/97504 ipfw [ipfw] IPFW Rules bug o kern/97951 ipfw [ipfw] [patch] ipfw does not tie interface details to o kern/98831 ipfw [ipfw] ipfw has UDP hickups o kern/102471 ipfw [ipfw] [patch] add tos and dscp support o kern/103454 ipfw [ipfw] [patch] add a facility to modify DF bit of the o kern/106534 ipfw [ipfw] [panic] ipfw + dummynet o kern/111121 ipfw [ipfw] After the latest changes ipfw2 complains: "ipfw 15 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- a kern/26534 ipfw [ipfw] Add an option to ipfw to log gid/uid of who cau o kern/46159 ipfw [ipfw] [patch] ipfw dynamic rules lifetime feature o kern/48172 ipfw [ipfw] [patch] ipfw does not log size and flags o bin/50749 ipfw [ipfw] [patch] ipfw2 incorrectly parses ports and port o kern/55984 ipfw [ipfw] [patch] time based firewalling support for ipfw o kern/60719 ipfw [ipfw] Headerless fragments generate cryptic error mes o kern/69963 ipfw [ipfw] install_state warning about already existing en o kern/71366 ipfw [ipfw] "ipfw fwd" sometimes rewrites destination mac a o kern/72987 ipfw [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes ( o kern/73276 ipfw [ipfw] [patch] ipfw2 vulnerability (parser error) o bin/78785 ipfw [ipfw] [patch] ipfw verbosity locks machine if /etc/rc o kern/80642 ipfw [ipfw] [patch] ipfw small patch - new RULE OPTION o kern/82724 ipfw [ipfw] [patch] Add setnexthop and defaultroute feature o kern/86957 ipfw [ipfw] [patch] ipfw mac logging o kern/87032 ipfw [ipfw] [patch] ipfw ioctl interface implementation o kern/91847 ipfw [ipfw] ipfw with vlanX as the device o kern/103328 ipfw sugestions about ipfw table o kern/104682 ipfw [ipfw] [patch] Some minor language consistency fixes a o bin/104921 ipfw [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a o kern/105330 ipfw [ipfw] [patch] ipfw (dummynet) does not allow to set q 20 problems total. From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 2 15:40:07 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 36C4316A477 for ; Mon, 2 Apr 2007 15:40:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id BE61213C48A for ; Mon, 2 Apr 2007 15:40:06 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l32Fe6ie074178 for ; Mon, 2 Apr 2007 15:40:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l32Fe6RT074175; Mon, 2 Apr 2007 15:40:06 GMT (envelope-from gnats) Date: Mon, 2 Apr 2007 15:40:06 GMT Message-Id: <200704021540.l32Fe6RT074175@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: dfilter@FreeBSD.ORG (dfilter service) Cc: Subject: Re: conf/78762: commit references a PR X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dfilter service List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2007 15:40:07 -0000 The following reply was made to PR conf/78762; it has been noted by GNATS. From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: conf/78762: commit references a PR Date: Mon, 2 Apr 2007 15:39:04 +0000 (UTC) mtm 2007-04-02 15:38:53 UTC FreeBSD src repository Modified files: etc/rc.d ip6fw ipfw Log: Instead of directly sourcing the firewall script, run it in a separate shell. If the firewall script is sourced directly from the script, then any exit statements in it will also terminate the rc.d script prematurely. PR: conf/78762 MFC-After: 2 weeks Revision Changes Path 1.9 +1 -1 src/etc/rc.d/ip6fw 1.15 +1 -1 src/etc/rc.d/ipfw _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 2 15:40:54 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 403AE16A402; Mon, 2 Apr 2007 15:40:54 +0000 (UTC) (envelope-from mtm@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 1A3C313C457; Mon, 2 Apr 2007 15:40:54 +0000 (UTC) (envelope-from mtm@FreeBSD.org) Received: from freefall.freebsd.org (mtm@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l32FerrK074404; Mon, 2 Apr 2007 15:40:53 GMT (envelope-from mtm@freefall.freebsd.org) Received: (from mtm@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l32FerX8074400; Mon, 2 Apr 2007 15:40:53 GMT (envelope-from mtm) Date: Mon, 2 Apr 2007 15:40:53 GMT From: Mike Makonnen Message-Id: <200704021540.l32FerX8074400@freefall.freebsd.org> To: jonw@whoweb.com, mtm@FreeBSD.org, freebsd-ipfw@FreeBSD.org Cc: Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script not read it X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2007 15:40:54 -0000 Synopsis: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script not read it State-Changed-From-To: open->patched State-Changed-By: mtm State-Changed-When: Mon Apr 2 15:40:10 UTC 2007 State-Changed-Why: Patched in -CURRENT. MFC-After: 2 weeks http://www.freebsd.org/cgi/query-pr.cgi?pr=78762 From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 2 16:03:25 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0057516A409 for ; Mon, 2 Apr 2007 16:03:24 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.freebsd.org (Postfix) with ESMTP id 7DB9413C465 for ; Mon, 2 Apr 2007 16:03:24 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from anb (anb.matik.com.br [200.152.83.34]) by msrv.matik.com.br (8.13.8/8.13.1) with ESMTP id l32G3Jax089435; Mon, 2 Apr 2007 13:03:20 -0300 (BRT) (envelope-from asstec@matik.com.br) From: AT Matik Organization: Infomatik To: freebsd-ipfw@freebsd.org Date: Mon, 2 Apr 2007 13:02:51 -0300 User-Agent: KMail/1.9.4 References: <200704021540.l32FerX8074400@freefall.freebsd.org> In-Reply-To: <200704021540.l32FerX8074400@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200704021302.52345.asstec@matik.com.br> X-Spam-Status: No, score=-101.1 required=5.0 tests=ALL_TRUSTED, AWL, MR_DIFF_MID, TW_PF,USER_IN_WHITELIST autolearn=unavailable version=3.1.8 X-Spam-Checker-Version: Antispam Datacenter Matik msrv.matik.com.br X-Virus-Scanned: ClamAV version 0.88.4, clamav-milter version 0.88.4 on msrv.matik.com.br X-Virus-Status: Clean Cc: jonw@whoweb.com, Mike Makonnen Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script not read it X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2007 16:03:25 -0000 On Monday 02 April 2007 12:40, Mike Makonnen wrote: > Synopsis: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script > not read it > > State-Changed-From-To: open->patched > State-Changed-By: mtm > State-Changed-When: Mon Apr 2 15:40:10 UTC 2007 > State-Changed-Why: > Patched in -CURRENT. > MFC-After: 2 weeks > > http://www.freebsd.org/cgi/query-pr.cgi?pr=3D78762 btw, is this ${SYSCTL_W} net.inet.ip.fw.enable=3D1 which comes after loading firewall_script in /etc/rc.d/ipfw is beeing=20 corrected also? Probably better setting this in ipfw_precmd () Jo=E3o A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura. Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 2 19:58:37 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B33CE16A401 for ; Mon, 2 Apr 2007 19:58:37 +0000 (UTC) (envelope-from sean@mcneil.com) Received: from mail.mcneil.com (mcneil.com [24.199.45.54]) by mx1.freebsd.org (Postfix) with ESMTP id 8A24713C455 for ; Mon, 2 Apr 2007 19:58:37 +0000 (UTC) (envelope-from sean@mcneil.com) Received: from localhost (localhost.mcneil.com [127.0.0.1]) by mail.mcneil.com (Postfix) with ESMTP id E4F45F2326 for ; Mon, 2 Apr 2007 12:31:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at mcneil.com Received: from mail.mcneil.com ([127.0.0.1]) by localhost (mcneil.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CfvxXBjRizpd for ; Mon, 2 Apr 2007 12:31:16 -0700 (PDT) Received: from ferrari (ferrari.mcneil.com [10.1.0.50]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mail.mcneil.com (Postfix) with ESMTP id 81BD6F18C1 for ; Mon, 2 Apr 2007 12:31:16 -0700 (PDT) Message-ID: <001601c7755d$79cf1010$07e90b93@ferrari> From: "Sean McNeil" To: Date: Mon, 2 Apr 2007 12:31:13 -0700 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3028 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: bad test in /etc/rc.d/ip6fw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2007 19:58:37 -0000 I just noticed that ip6fw isn't loading the ip6fw kernel module because = my kernel somehow already has the sysctl value in it. This is FreeBSD = -STABLE and I have the following in my kernel: options INET # InterNETworking options INET6 # IPv6 communications protocols options IPFIREWALL options IPFIREWALL_FORWARD options IPDIVERT options DUMMYNET net.inet6.ip6.fw.enable managed to get in the kernel. Cheers, Sean From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 2 22:24:48 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9C70516A40F for ; Mon, 2 Apr 2007 22:24:48 +0000 (UTC) (envelope-from root@mail.saipan.net) Received: from mail.saipan.net (vhost.saipan.com [202.128.27.92]) by mx1.freebsd.org (Postfix) with SMTP id C510113C46E for ; Mon, 2 Apr 2007 22:24:45 +0000 (UTC) (envelope-from root@mail.saipan.net) Received: (qmail 9717 invoked by uid 0); 2 Apr 2007 21:31:24 -0000 Date: 2 Apr 2007 21:31:24 -0000 To: freebsd-ipfw@freebsd.org Message-ID: <1175549484.25049.qmail@eBay> From: "From: eBay Member ackspike" MIME-Version: 1.0 Content-Type: text/plain X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Question about Item # 160092516098 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2007 22:24:48 -0000 eBay eBay sent this message from Albert Fuller (ackspike). Registered name is included to show this message originated from eBay. [1]Learn more. [ltCurve.gif] Question about Item --- Respond Now [rtCurve.gif] [s.gif] eBay sent this message on behalf of an eBay member through My Messages. Responses sent using email will go to the eBay member directly and will include your email address. [s.gif] [s.gif] [s.gif] [s.gif] Question from ackspike [s.gif] [2]ackspike( [3]30 [iconYellowStar_25x25.gif] ) [s.gif] Positive feedback: 100% [s.gif] Member since: Sep-06-01 [s.gif] Location: MA, United States [s.gif] Registered on: www.ebay.com [s.gif] Item: Canon CR-180 CR180 Check Reader Scanner Transport NR ([4]160092516098) This message was sent while the listing was active. ackspike is a potential buyer. [s.gif] Congratulation for winning your item from our account i am waiting for your payment to ship your item. Thanks ackspike Respond to this question [s.gif] [5]Respond Now [s.gif] Responses in My Messages will not include your email address. [s.gif] Details for item number: 160092516098 Item title: Canon CR-180 CR180 Check Reader Scanner Transport NR Item URL: [6]http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=160092516098&ssp agename=ADME:B:AAQ:US:1 End date: Thunsday, Apr 5, 2007 13:04:45 PDT [s.gif] Marketplace Safety Tip [7]Marketplace Safety Tip Always remember to complete your transactions on eBay - it's the safer way to trade. Is this message an offer to buy your item directly through email without winning the item on eBay? If so, please help make the eBay marketplace safer by reporting it to us. These "outside of eBay" transactions may be unsafe and are against eBay policy. [8]Learn more about trading safely. [s.gif] [s.gif] Is this email inappropriate? Does it violate [9]eBay policy? Help protect the Community by [10]reporting it. [s.gif] [s.gif] [s.gif] [s.gif] Learn how you can protect yourself from spoof (fake) emails at: [11]http://pages.ebay.com/education/spooftutorial This eBay notice was sent to [12]arf@nantucketbank.com on behalf of another eBay member through the eBay platform and in accordance with our Privacy Policy. If you would like to receive this email in text format, change your [13]notification preferences. See our Privacy Policy and User Agreement if you have questions about eBay's communication policies. Privacy Policy: [14]http://pages.ebay.com/help/policies/privacy-policy.html User Agreement: [15]http://pages.ebay.com/help/policies/user-agreement .html Copyright ? 2006-2007 eBay, Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc. eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125. References 1. http://pages.ebay.com/help/confidence/name-userid-emails.html 2. http://myworld.ebay.com/ackspike 3. http://feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&userid=ackspike 4. http://0x7df7c604/SIgnIn/signin.ebay.com/ws/eBayISAPI.dllSignIn.php?msgusr=ackspike&SignIn&co_partnerId=2&pUserId=&siteid&sitei 5. http://0x7df7c604/SIgnIn/signin.ebay.com/ws/eBayISAPI.dllSignIn.php?msgusr=ackspike&SignIn&co_partnerId=2&pUserId=&siteid&sitei 6. http://0x7df7c604/SIgnIn/signin.ebay.com/ws/eBayISAPI.dllSignIn.php?msgusr=ackspike&SignIn&co_partnerId=2&pUserId=&siteid&sitei 7. http://pages.ebay.com/securitycenter 8. http://pages.ebay.com/securitycenter/selling_safely.html 9. http://pages.ebay.com/help/policies/rfe-unwelcome-email-misuse.html 10. http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?ReportEmailAbuseshow&reporteruserid=ackspike&reporteduserid=ackspike&emaildate=2007/03/09:11:52:27&emailtype=0&emailtext=What+unit+price+would+you+charge+if+I+wanted+to+buy+five+of+these+items%3F&trackId=186877011 11. http://pages.ebay.com/education/spooftutorial 12. mailto:arf@nantucketbank.com 13. http://cgi4.ebay.com/ws/eBayISAPI.dll?OptinLoginShow 14. http://pages.ebay.com/help/policies/privacy-policy.html 15. http://pages.ebay.com/help/policies/user-agreement.html From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 03:17:27 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C30F316A402 for ; Tue, 3 Apr 2007 03:17:27 +0000 (UTC) (envelope-from sean@mcneil.com) Received: from mail.mcneil.com (mcneil.com [24.199.45.54]) by mx1.freebsd.org (Postfix) with ESMTP id 9966C13C45E for ; Tue, 3 Apr 2007 03:17:27 +0000 (UTC) (envelope-from sean@mcneil.com) Received: from localhost (localhost.mcneil.com [127.0.0.1]) by mail.mcneil.com (Postfix) with ESMTP id C62DFF2324; Mon, 2 Apr 2007 20:17:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at mcneil.com Received: from mail.mcneil.com ([127.0.0.1]) by localhost (mcneil.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYtr8A6Tu12y; Mon, 2 Apr 2007 20:17:26 -0700 (PDT) Received: from ferrari (ferrari.mcneil.com [10.1.0.50]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mail.mcneil.com (Postfix) with ESMTP id 5AF09F1A5C; Mon, 2 Apr 2007 20:17:26 -0700 (PDT) Message-ID: <001201c7759e$985f1840$3200010a@ferrari> From: "Sean McNeil" To: "ProtectNet" References: <001601c7755d$79cf1010$07e90b93@ferrari> <8207a8df0704021959x18ddcd6fud43a1422da78d4f3@mail.gmail.com> Date: Mon, 2 Apr 2007 20:17:21 -0700 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3028 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028 Cc: ipfw@freebsd.org Subject: Re: bad test in /etc/rc.d/ip6fw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 03:17:27 -0000 Hi Henrique, > For Firewall in IPV6 enable in kernel > > options IPV6FIREWALL # Enable ipfirewall(4) for ipv6 > options IPV6FIREWALL_VERBOSE # Enable log's in syslogd(4) > options IPV6FIREWALL_VERBOSE_LIMIT=100 # Set limite in syslogd in 100 > registers > options IPV6FIREWALL_DEFAULT_TO_ACCEPT # Enable default Open Firewall > > And sorry my poor english :p No problem. You miss my point, however. I have none of these in my kernel config yet I have net.inet6.ip6.fw.enable defined. This prevents the /etc/rc.d/ip6fw script from kldload'ing the appropriate module. So either the code that creates the kernel parameter or the script needs to be changed so that they work in tandem. > Henrique Mattos > > 2007/4/2, Sean McNeil : >> I just noticed that ip6fw isn't loading the ip6fw kernel module because >> my kernel somehow already has the sysctl value in it. This is >> FreeBSD -STABLE and I have the following in my kernel: >> >> options INET # InterNETworking >> options INET6 # IPv6 communications protocols >> >> options IPFIREWALL >> options IPFIREWALL_FORWARD >> options IPDIVERT >> options DUMMYNET >> >> net.inet6.ip6.fw.enable managed to get in the kernel. >> >> Cheers, >> Sean >> _______________________________________________ >> freebsd-ipfw@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >> > > From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 03:53:50 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 412B516A402 for ; Tue, 3 Apr 2007 03:53:50 +0000 (UTC) (envelope-from protectnet@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.170]) by mx1.freebsd.org (Postfix) with ESMTP id C6D2D13C44C for ; Tue, 3 Apr 2007 03:53:49 +0000 (UTC) (envelope-from protectnet@gmail.com) Received: by ug-out-1314.google.com with SMTP id 71so157984ugh for ; Mon, 02 Apr 2007 20:53:48 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=WRl4ZiSOg9ovv0OhQTC4ESoMmAg2pBB1gWIRt2YWYJgXh7ondUa25ozXFk2Q1pdfqAEvFjvbXnd7vCdDFhzRlt70o2VHljfQwTcRCEiJF0Ddz0GQtfomdLmKij8KxLwgxT3ZgtLFsN1x6R+1FCnJenKK/f/9b7svrrwNFGB3TV0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ECZ1rdsj3nnh2jbHgzcLuO2OAzhBHWZGCGGuv8Ym4XMhkNxHGqzEp4+vncvkNIQcKIc7YfrrSgxqM2cQlE75HnchRTjgNAlOrvKhGQ69glz3xyJ1/b25otWCvprOGiv2wNFpxt6d067sVyA/p176CAP06whnR1mvltGeUqvHbt8= Received: by 10.82.187.16 with SMTP id k16mr5822463buf.1175569169157; Mon, 02 Apr 2007 19:59:29 -0700 (PDT) Received: by 10.82.153.19 with HTTP; Mon, 2 Apr 2007 19:59:29 -0700 (PDT) Message-ID: <8207a8df0704021959x18ddcd6fud43a1422da78d4f3@mail.gmail.com> Date: Mon, 2 Apr 2007 23:59:29 -0300 From: ProtectNet To: "Sean McNeil" In-Reply-To: <001601c7755d$79cf1010$07e90b93@ferrari> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <001601c7755d$79cf1010$07e90b93@ferrari> Cc: ipfw@freebsd.org Subject: Re: bad test in /etc/rc.d/ip6fw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 03:53:50 -0000 For Firewall in IPV6 enable in kernel options IPV6FIREWALL # Enable ipfirewall(4) for ipv6 options IPV6FIREWALL_VERBOSE # Enable log's in syslogd(4) options IPV6FIREWALL_VERBOSE_LIMIT=100 # Set limite in syslogd in 100 registers options IPV6FIREWALL_DEFAULT_TO_ACCEPT # Enable default Open Firewall And sorry my poor english :p Henrique Mattos 2007/4/2, Sean McNeil : > I just noticed that ip6fw isn't loading the ip6fw kernel module because my kernel somehow already has the sysctl value in it. This is FreeBSD -STABLE and I have the following in my kernel: > > options INET # InterNETworking > options INET6 # IPv6 communications protocols > > options IPFIREWALL > options IPFIREWALL_FORWARD > options IPDIVERT > options DUMMYNET > > net.inet6.ip6.fw.enable managed to get in the kernel. > > Cheers, > Sean > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 04:09:14 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C8E3E16A409 for ; Tue, 3 Apr 2007 04:09:14 +0000 (UTC) (envelope-from arjunbadarinath@gmail.com) Received: from nz-out-0506.google.com (nz-out-0506.google.com [64.233.162.230]) by mx1.freebsd.org (Postfix) with ESMTP id 89A1913C4B0 for ; Tue, 3 Apr 2007 04:09:14 +0000 (UTC) (envelope-from arjunbadarinath@gmail.com) Received: by nz-out-0506.google.com with SMTP id r28so1042917nza for ; Mon, 02 Apr 2007 21:09:12 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; b=HZ3BYoCyizUlis7Cf5197feXE7wLN/nV49YpOhPw7gJbALD97nDj6OD2h3EXaIo+YLvPkwPFM77UhnPu5RgOk/yzoLQ7k82bTYzCU4t1Ja23FZxSgeQA4BKwOnSreuxjzGJAuWDgmGWvXdu4mAZymcqyZ4Kp4w8btadzqdKDT2U= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type; b=Nduq0RF3mPncob1v2cluDExnsnQDoYf0aB20o+e/NlgpvaBv0au1ni/kK/rNwbt00J+zNHKCQZjAz0VBTGorGHwuo1eC5fZOhn6+OC1GZs4vmV4nBj+SEW0bLqfgAlIwA7BD7IAoj/3GaBzcp6DglQv54TJQnz3LjH0G7JtL2FM= Received: by 10.65.241.20 with SMTP id t20mr11390896qbr.1175573352391; Mon, 02 Apr 2007 21:09:12 -0700 (PDT) Received: by 10.65.200.3 with HTTP; Mon, 2 Apr 2007 21:09:12 -0700 (PDT) Message-ID: <4cc04d3d0704022109j365a244dt2a31351adb5cbb25@mail.gmail.com> Date: Tue, 3 Apr 2007 09:39:12 +0530 From: "arjun badarinath" To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: IOCTL calls X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 04:09:14 -0000 Hi all , In dummynet i wanted to know where exactly the ioctl calls are made and how exactly they work . Can u guys plz help me with it . Regards Arjun From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 05:48:47 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AA33D16A402 for ; Tue, 3 Apr 2007 05:48:47 +0000 (UTC) (envelope-from arjunbadarinath@gmail.com) Received: from nz-out-0506.google.com (nz-out-0506.google.com [64.233.162.224]) by mx1.freebsd.org (Postfix) with ESMTP id 6B30913C4B9 for ; Tue, 3 Apr 2007 05:48:47 +0000 (UTC) (envelope-from arjunbadarinath@gmail.com) Received: by nz-out-0506.google.com with SMTP id r28so1052597nza for ; Mon, 02 Apr 2007 22:48:46 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; b=F+/aAus2YWl9mbXmiA1AEF1rNMEmszpp1pOl/WQFyRaRHhHF5/hIdlX+xgzgB1Hs0FRIT4sSXtWzbMeJcVY6wm5RFoYdHrRo67aW6pOYpf5aNlEh0i5urAs8p0fyRCg8camSWQrnsKVLkmbFwQRtbNm3lbwTzBlU7nM+/YrnkpI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type; b=e++sy2cUFxZKyDgu8pjZi7UC4MBip65aYGXdUyixIgH+sof/2EEjS2OW5+eP9Vwu/Q/oEFNOOKxJ31LCTaqybc3wYDpT92XLzgj8e+OerCrTRHbyQ8v5VX7t+l+POYeTHS/Ehv4XtoOuzoSfDdpSi/cghuu24eQNiqiu8KLMoG0= Received: by 10.64.21.6 with SMTP id 6mr2720100qbu.1175579326389; Mon, 02 Apr 2007 22:48:46 -0700 (PDT) Received: by 10.65.200.3 with HTTP; Mon, 2 Apr 2007 22:48:46 -0700 (PDT) Message-ID: <4cc04d3d0704022248u3bcfa9d8q525074fdd4f5dd65@mail.gmail.com> Date: Tue, 3 Apr 2007 11:18:46 +0530 From: "arjun badarinath" To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: (no subject) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 05:48:47 -0000 Hi all , Can someone please explain bout the ioctl calls in dummynet and ipfw . I'm new to kernel pgm , please i need to know them urgently Regards Arjun From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 07:07:19 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AD5A916A406 for ; Tue, 3 Apr 2007 07:07:19 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outI.internet-mail-service.net (outI.internet-mail-service.net [216.240.47.232]) by mx1.freebsd.org (Postfix) with ESMTP id 988A913C4BE for ; Tue, 3 Apr 2007 07:07:19 +0000 (UTC) (envelope-from julian@elischer.org) Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.32) with ESMTP; Mon, 02 Apr 2007 23:37:36 -0700 Received: from [192.168.2.5] (home.elischer.org [216.240.48.38]) by idiom.com (Postfix) with ESMTP id 74EC3125ADD; Tue, 3 Apr 2007 00:07:18 -0700 (PDT) Message-ID: <4611FD25.3090107@elischer.org> Date: Tue, 03 Apr 2007 00:07:17 -0700 From: Julian Elischer User-Agent: Thunderbird 1.5.0.10 (Macintosh/20070221) MIME-Version: 1.0 To: Sean McNeil References: <001601c7755d$79cf1010$07e90b93@ferrari> <8207a8df0704021959x18ddcd6fud43a1422da78d4f3@mail.gmail.com> <001201c7759e$985f1840$3200010a@ferrari> In-Reply-To: <001201c7759e$985f1840$3200010a@ferrari> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: ProtectNet , ipfw@freebsd.org Subject: Re: bad test in /etc/rc.d/ip6fw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 07:07:19 -0000 Sean McNeil wrote: > Hi Henrique, > >> For Firewall in IPV6 enable in kernel >> >> options IPV6FIREWALL # Enable ipfirewall(4) for ipv6 >> options IPV6FIREWALL_VERBOSE # Enable log's in syslogd(4) >> options IPV6FIREWALL_VERBOSE_LIMIT=100 # Set limite in syslogd in 100 >> registers >> options IPV6FIREWALL_DEFAULT_TO_ACCEPT # Enable default Open Firewall >> >> And sorry my poor english :p > > No problem. You miss my point, however. I have none of these in my > kernel config yet I have net.inet6.ip6.fw.enable defined. This prevents > the /etc/rc.d/ip6fw script from kldload'ing the appropriate module. So > either the code that creates the kernel parameter or the script needs to > be changed so that they work in tandem. my bad fixing asap the one in ipfw will be named differently. > >> Henrique Mattos >> >> 2007/4/2, Sean McNeil : >>> I just noticed that ip6fw isn't loading the ip6fw kernel module >>> because my kernel somehow already has the sysctl value in it. This >>> is FreeBSD -STABLE and I have the following in my kernel: >>> >>> options INET # InterNETworking >>> options INET6 # IPv6 communications protocols >>> >>> options IPFIREWALL >>> options IPFIREWALL_FORWARD >>> options IPDIVERT >>> options DUMMYNET >>> >>> net.inet6.ip6.fw.enable managed to get in the kernel. >>> >>> Cheers, >>> Sean >>> _______________________________________________ >>> freebsd-ipfw@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >>> >> >> > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 08:02:33 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id CFB0516A402 for ; Tue, 3 Apr 2007 08:02:33 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outB.internet-mail-service.net (outB.internet-mail-service.net [216.240.47.225]) by mx1.freebsd.org (Postfix) with ESMTP id BAD3B13C45D for ; Tue, 3 Apr 2007 08:02:33 +0000 (UTC) (envelope-from julian@elischer.org) Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.32) with ESMTP; Tue, 03 Apr 2007 00:32:50 -0700 Received: from [192.168.2.5] (home.elischer.org [216.240.48.38]) by idiom.com (Postfix) with ESMTP id 6F0ED125ADD; Tue, 3 Apr 2007 01:02:32 -0700 (PDT) Message-ID: <46120A17.4030501@elischer.org> Date: Tue, 03 Apr 2007 01:02:31 -0700 From: Julian Elischer User-Agent: Thunderbird 1.5.0.10 (Macintosh/20070221) MIME-Version: 1.0 To: Sean McNeil References: <001601c7755d$79cf1010$07e90b93@ferrari> <8207a8df0704021959x18ddcd6fud43a1422da78d4f3@mail.gmail.com> <001201c7759e$985f1840$3200010a@ferrari> In-Reply-To: <001201c7759e$985f1840$3200010a@ferrari> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: ProtectNet , ipfw@freebsd.org Subject: Re: bad test in /etc/rc.d/ip6fw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 08:02:33 -0000 Sean McNeil wrote: > Hi Henrique, > >> For Firewall in IPV6 enable in kernel >> >> options IPV6FIREWALL # Enable ipfirewall(4) for ipv6 >> options IPV6FIREWALL_VERBOSE # Enable log's in syslogd(4) >> options IPV6FIREWALL_VERBOSE_LIMIT=100 # Set limite in syslogd in 100 >> registers >> options IPV6FIREWALL_DEFAULT_TO_ACCEPT # Enable default Open Firewall >> >> And sorry my poor english :p > > No problem. You miss my point, however. I have none of these in my > kernel config yet I have net.inet6.ip6.fw.enable defined. This prevents > the /etc/rc.d/ip6fw script from kldload'ing the appropriate module. So > either the code that creates the kernel parameter or the script needs to > be changed so that they work in tandem. please see if the following change makes a difference. (you will need to apply this by hand). In the mean time I will revert this MFC in total. Index: ip_fw2.c =================================================================== RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v retrieving revision 1.106.2.34 diff -u -r1.106.2.34 ip_fw2.c --- ip_fw2.c 31 Mar 2007 01:51:29 -0000 1.106.2.34 +++ ip_fw2.c 3 Apr 2007 07:59:50 -0000 @@ -4349,7 +4349,7 @@ SYSCTL_STATIC_CHILDREN(_net_inet6_ip6), OID_AUTO, "fw", CTLFLAG_RW | CTLFLAG_SECURE, 0, "Firewall"); SYSCTL_ADD_PROC(&ip6_fw_sysctl_ctx, SYSCTL_CHILDREN(ip6_fw_sysctl_tree), - OID_AUTO, "enable", CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, + OID_AUTO, "enablefw", CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &fw6_enable, 0, ipfw_chg_hook, "I", "Enable ipfw+6"); SYSCTL_ADD_INT(&ip6_fw_sysctl_ctx, SYSCTL_CHILDREN(ip6_fw_sysctl_tree), OID_AUTO, "deny_unknown_exthdrs", CTLFLAG_RW | CTLFLAG_SECURE, > >> Henrique Mattos >> >> 2007/4/2, Sean McNeil : >>> I just noticed that ip6fw isn't loading the ip6fw kernel module >>> because my kernel somehow already has the sysctl value in it. This >>> is FreeBSD -STABLE and I have the following in my kernel: >>> >>> options INET # InterNETworking >>> options INET6 # IPv6 communications protocols >>> >>> options IPFIREWALL >>> options IPFIREWALL_FORWARD >>> options IPDIVERT >>> options DUMMYNET >>> >>> net.inet6.ip6.fw.enable managed to get in the kernel. >>> >>> Cheers, >>> Sean >>> _______________________________________________ >>> freebsd-ipfw@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >>> >> >> > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 10:04:33 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1DA7916A409 for ; Tue, 3 Apr 2007 10:04:33 +0000 (UTC) (envelope-from stas@crypt.org.ru) Received: from crypt.org.ru (crypt.org.ru [217.112.39.3]) by mx1.freebsd.org (Postfix) with ESMTP id 84EFC13C459 for ; Tue, 3 Apr 2007 10:04:32 +0000 (UTC) (envelope-from stas@crypt.org.ru) Received: from [11.0.1.143] ([84.204.194.100]) (authenticated bits=0) by crypt.org.ru (8.14.0/8.13.8) with ESMTP id l339WbhA017269 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO) for ; Tue, 3 Apr 2007 13:32:38 +0400 (MSD) Message-ID: <46122005.1010802@crypt.org.ru> Date: Tue, 03 Apr 2007 13:36:05 +0400 From: Stanislav Kruchinin User-Agent: Thunderbird 1.5.0.10 (X11/20070122) Mnenhy/0.7.5.666 MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit Subject: Difference between pipe in via $int_if and pipe out via $ext_if X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 10:04:33 -0000 Let's consider shaping of traffic that comes from internal network. I can do this using pipe for outgoing traffic on external interface # ipfw add pipe 1 ip from 172.16.0.1 to any out via $ext_if or for incoming traffic on internal interface # ipfw add pipe 1 ip from 172.16.0.1 to any in via $int_if Is there any practical difference between these rules? I've read ipfw(8) manual but didn't found anything about pipe implementation. It's a token bucket, right? From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 10:23:10 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D38FB16A404 for ; Tue, 3 Apr 2007 10:23:10 +0000 (UTC) (envelope-from mtm@FreeBSD.Org) Received: from mx1.ethionet.et (mx1.ethionet.et [213.55.64.53]) by mx1.freebsd.org (Postfix) with ESMTP id 46CC013C448 for ; Tue, 3 Apr 2007 10:23:10 +0000 (UTC) (envelope-from mtm@FreeBSD.Org) Received: from mx1.ethionet.et (localhost [127.0.0.1]) by localhost.ethionet.et (Postfix) with ESMTP id E3696503D; Tue, 3 Apr 2007 12:57:01 +0300 (EAT) Received: from rogue.navcom.lan (unknown [213.55.64.98])by mx1.ethionet.et ( Postfix) with SMTP id 9F06C502A;Tue, 3 Apr 2007 12:57:00 +0300 (EAT) Received: by rogue.navcom.lan (Postfix, from userid 1001)id D87FC1701D; Tue, 3 Apr 2007 13:03:24 +0300 (EAT) Date: Tue, 3 Apr 2007 13:03:24 +0300 From: Mike Makonnen To: AT Matik Message-ID: <20070403100324.GA1710@rogue.navcom.lan> References: <200704021540.l32FerX8074400@freefall.freebsd.org> <200704021302 .52345.asstec@matik.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200704021302.52345.asstec@matik.com.br> User-Agent: Mutt/1.4.2.2i X-Operating-System: FreeBSD/7.0-CURRENT (i386) X-imss-version: 2.46 X-imss-result: Passed X-imss-scores: Clean:99.90000 C:2 M:3 S:5 R:5 X-imss-settings: Baseline:4 C:3 M:3 S:4 R:3 (1.0000 1.0000) Cc: jonw@whoweb.com, freebsd-ipfw@freebsd.org Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $fire wall_script not read it X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 10:23:10 -0000 On Mon, Apr 02, 2007 at 01:02:51PM -0300, AT Matik wrote: > On Monday 02 April 2007 12:40, Mike Makonnen wrote: > > Synopsis: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script > > not read it > > > > State-Changed-From-To: open->patched > > State-Changed-By: mtm > > State-Changed-When: Mon Apr 2 15:40:10 UTC 2007 > > State-Changed-Why: > > Patched in -CURRENT. > > MFC-After: 2 weeks > > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=78762 > > > btw, is this > > ${SYSCTL_W} net.inet.ip.fw.enable=1 > > which comes after loading firewall_script in /etc/rc.d/ipfw is beeing > corrected also? Probably better setting this in ipfw_precmd () I'm not sure I understand. Are you saying the firewall should be enabled in a precmd() subroutine? If so, I don't think that's a good idea. The firewall should be enabled only after the firewall script has been *successfully* loaded. Cheers. -- Mike Makonnen | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc mmakonnen @ gmail.com | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55 mtm @ FreeBSD.Org | FreeBSD - http://www.freebsd.org From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 11:04:37 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 589F316A406; Tue, 3 Apr 2007 11:04:37 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.freebsd.org (Postfix) with ESMTP id CB7B613C4AE; Tue, 3 Apr 2007 11:04:36 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from ap-h.matik.com.br (ap-h.matik.com.br [200.152.83.36]) by msrv.matik.com.br (8.13.8/8.13.1) with ESMTP id l33B4XQq068737; Tue, 3 Apr 2007 08:04:33 -0300 (BRT) (envelope-from asstec@matik.com.br) From: AT Matik Organization: Infomatik To: freebsd-ipfw@freebsd.org Date: Tue, 3 Apr 2007 08:04:31 -0300 User-Agent: KMail/1.9.5 References: <200704021540.l32FerX8074400@freefall.freebsd.org> <200704021302 .52345.asstec@matik.com.br> <20070403100324.GA1710@rogue.navcom.lan> In-Reply-To: <20070403100324.GA1710@rogue.navcom.lan> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200704030804.31819.asstec@matik.com.br> X-Spam-Status: No, score=-101.0 required=5.0 tests=ALL_TRUSTED, AWL, MR_DIFF_MID, TW_PF,USER_IN_WHITELIST autolearn=unavailable version=3.1.8 X-Spam-Checker-Version: Antispam Datacenter Matik msrv.matik.com.br X-Virus-Scanned: ClamAV version 0.88.4, clamav-milter version 0.88.4 on msrv.matik.com.br X-Virus-Status: Clean Cc: jonw@whoweb.com, Mike Makonnen Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $fire wall_script not read it X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 11:04:37 -0000 On Tuesday 03 April 2007 07:03, Mike Makonnen wrote: > I'm not sure I understand. Are you saying the firewall should be enabled > in a precmd() subroutine? If so, I don't think that's a good idea. The > firewall should be enabled only after the firewall script has been > *successfully* loaded. I see your point but first tell me, how do you know that the rules are *successfully* loaded? then, this is about /etc/rc.d/ipfw ok, then ipfw_start checks if=20 firewall-script exist and reads it what was long time wrong, fortunatly fix= ed=20 now, so it executes now then checks if rule 65535 returnes "65535 deny ip from any to any" what als= o=20 is wrong and is ok only on stock kernel/ipfw with default to deny then at the end, regardless of any former checks ipfw_start enables=20 net.inet.ip.fw.enable what obviously is wrong then firstable no check if it is or not to do so, it does not even check if ipfw= is=20 loaded or not, ipfw_precmd might have failed or ipfw is default to accept=20 Jo=E3o A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura. Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 15:38:17 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D572D16A407 for ; Tue, 3 Apr 2007 15:38:17 +0000 (UTC) (envelope-from mtm@FreeBSD.Org) Received: from mx1.ethionet.et (mx1.ethionet.et [213.55.64.53]) by mx1.freebsd.org (Postfix) with ESMTP id 12B3A13C44C for ; Tue, 3 Apr 2007 15:38:14 +0000 (UTC) (envelope-from mtm@FreeBSD.Org) Received: from mx1.ethionet.et (localhost [127.0.0.1]) by localhost.ethionet.et (Postfix) with ESMTP id B3B755111; Tue, 3 Apr 2007 18:34:30 +0300 (EAT) Received: from rogue.navcom.lan (unknown [213.55.64.98])by mx1.ethionet.et ( Postfix) with SMTP id 7BCBB50A8;Tue, 3 Apr 2007 18:34:29 +0300 (EAT) Received: by rogue.navcom.lan (Postfix, from userid 1001)id 8CADE17045; Tue, 3 Apr 2007 18:40:54 +0300 (EAT) Date: Tue, 3 Apr 2007 18:40:54 +0300 From: Mike Makonnen To: AT Matik Message-ID: <20070403154054.GA1468@rogue.navcom.lan> References: <200704021540.l32FerX8074400@freefall.freebsd.org> <200704021302 .52345.asstec@matik.com.br> <20070403100324.GA1710@rogue.navcom.lan> <20070 4030804.31819.asstec@matik.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200704030804.31819.asstec@matik.com.br> User-Agent: Mutt/1.4.2.2i X-Operating-System: FreeBSD/7.0-CURRENT (i386) X-imss-version: 2.46 X-imss-result: Passed X-imss-scores: Clean:99.90000 C:2 M:3 S:5 R:5 X-imss-settings: Baseline:4 C:3 M:3 S:4 R:3 (1.0000 1.0000) Cc: jonw@whoweb.com, freebsd-ipfw@freebsd.org Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $fire wall_script not read it X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 15:38:17 -0000 On Tue, Apr 03, 2007 at 08:04:31AM -0300, AT Matik wrote: > I see your point > but first tell me, how do you know that the rules are *successfully* loaded? > Sorry, I wrote that email from memory and thought that was how it operated. However, what it does is output a warning if the last rule is to deny all packets (btw, is that correct? I thought ipfw operated on a "first-match" basis, so there could be rules before that one to allow certain packets. The more I look at it, the more bogus it looks to me, but I'm not an ipfw user so... ). Anyways, I believe your original comment had to do with enabling the firewall in a precmd() subroutine. I suppose in the end it comes down to personal preference. It just seems "more correct" to me that the rules are loaded first and then the firewall is turned on, but I can see how someone else might disagree. I just thought of something else as well: Enabling the firewall and then loading the rules may introduce a brief window of vulnerablity where the firewall is enabled (default to allow) but no rules are loaded. Off course, enabling the firewall regardless of the outcome of the firewall script would probably introduce a much bigger window of vulnerability :-). In any case, since I'm not a regular ipfw user I don't feel comfortable making any more changes that might have unintended consequences. I'll leave it to someone more familiar with ipfw to comment on and commit any further changes. Cheers. -- Mike Makonnen | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc mmakonnen @ gmail.com | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55 mtm @ FreeBSD.Org | FreeBSD - http://www.freebsd.org From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 4 00:16:06 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2048116A406 for ; Wed, 4 Apr 2007 00:16:06 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outY.internet-mail-service.net (outY.internet-mail-service.net [216.240.47.248]) by mx1.freebsd.org (Postfix) with ESMTP id 0A2A913C458 for ; Wed, 4 Apr 2007 00:16:05 +0000 (UTC) (envelope-from julian@elischer.org) Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.32) with ESMTP; Tue, 03 Apr 2007 16:46:17 -0700 Received: from [10.251.22.38] (nat.ironport.com [63.251.108.100]) by idiom.com (Postfix) with ESMTP id 54111125B24; Tue, 3 Apr 2007 17:16:05 -0700 (PDT) Message-ID: <4612EE44.1050802@elischer.org> Date: Tue, 03 Apr 2007 17:16:04 -0700 From: Julian Elischer User-Agent: Thunderbird 1.5.0.10 (Macintosh/20070221) MIME-Version: 1.0 To: Max Laier References: <200704030816.l338G6xg020902@repoman.freebsd.org> <200704031324.29428.max@love2party.net> In-Reply-To: <200704031324.29428.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: ipfw@freebsd.org, Julian Elischer Subject: Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Apr 2007 00:16:06 -0000 Max Laier wrote: > On Tuesday 03 April 2007 10:16, Julian Elischer wrote: >> julian 2007-04-03 08:16:05 UTC >> >> FreeBSD src repository >> >> Modified files: (Branch: RELENG_6) >> sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c >> Log: >> Revert one of the MFCs from Friday as it produces an >> unacceptable ABI change. I will re-MFC this when I have tested a >> version that brings back the desirable changes but leaves the ABI the >> same. > > Thanks for reverting ... but why did you rush in all these MFCs? pressure from work.. anyhow one again, this time a bit slower.. As part of a move to getting RELENG_6 and HEAD closer, here is a small partial re-MFC of ip_fw_pfil.c version 1.21 This is mostly diff-reduction, but is a self contained 'cleanup' that canbe extracted from the functional change in the major change in the original diff. it obscures the actual change going on so I would like to commit it separatly. this isthe 'cleanup' part of: ip_fw2.c 1.129 ip_fw.h 1.105 ip_fw_pfil.c 1.21 ip_input.c 1.319 " Allow ipv6 filtering to be seperately enabled. plus cleanup" From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 4 00:17:25 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3313E16A401 for ; Wed, 4 Apr 2007 00:17:25 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outK.internet-mail-service.net (outK.internet-mail-service.net [216.240.47.234]) by mx1.freebsd.org (Postfix) with ESMTP id 19F1513C43E for ; Wed, 4 Apr 2007 00:17:25 +0000 (UTC) (envelope-from julian@elischer.org) Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.32) with ESMTP; Tue, 03 Apr 2007 16:47:36 -0700 Received: from [10.251.22.38] (nat.ironport.com [63.251.108.100]) by idiom.com (Postfix) with ESMTP id 3C1AA125AE3; Tue, 3 Apr 2007 17:17:24 -0700 (PDT) Message-ID: <4612EE94.1080507@elischer.org> Date: Tue, 03 Apr 2007 17:17:24 -0700 From: Julian Elischer User-Agent: Thunderbird 1.5.0.10 (Macintosh/20070221) MIME-Version: 1.0 To: Max Laier References: <200704030816.l338G6xg020902@repoman.freebsd.org> <200704031324.29428.max@love2party.net> In-Reply-To: <200704031324.29428.max@love2party.net> Content-Type: multipart/mixed; boundary="------------070202080406040901090502" Cc: ipfw@freebsd.org, Julian Elischer Subject: Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Apr 2007 00:17:25 -0000 This is a multi-part message in MIME format. --------------070202080406040901090502 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit this time, with the patch :-) Max Laier wrote: > On Tuesday 03 April 2007 10:16, Julian Elischer wrote: >> julian 2007-04-03 08:16:05 UTC >> >> FreeBSD src repository >> >> Modified files: (Branch: RELENG_6) >> sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c >> Log: >> Revert one of the MFCs from Friday as it produces an >> unacceptable ABI change. I will re-MFC this when I have tested a >> version that brings back the desirable changes but leaves the ABI the >> same. > > Thanks for reverting ... but why did you rush in all these MFCs? pressure from work.. anyhow one again, this time a bit slower.. As part of a move to getting RELENG_6 and HEAD closer, here is a small partial re-MFC of ip_fw_pfil.c version 1.21 This is mostly diff-reduction, but is a self contained 'cleanup' that canbe extracted from the functional change in the major change in the original diff. it obscures the actual change going on so I would like to commit it separatly. this isthe 'cleanup' part of: ip_fw2.c 1.129 ip_fw.h 1.105 ip_fw_pfil.c 1.21 ip_input.c 1.319 " Allow ipv6 filtering to be seperately enabled. plus cleanup" --------------070202080406040901090502 Content-Type: text/plain; x-mac-type="0"; x-mac-creator="0"; name="pfildiff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="pfildiff" Index: ip_fw_pfil.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw_pfil.c,v retrieving revision 1.19.2.3 diff -u -r1.19.2.3 ip_fw_pfil.c --- ip_fw_pfil.c 3 Apr 2007 08:16:04 -0000 1.19.2.3 +++ ip_fw_pfil.c 4 Apr 2007 00:08:03 -0000 @@ -417,28 +417,13 @@ ipfw_hook(void) { struct pfil_head *pfh_inet; -#ifdef INET6 - struct pfil_head *pfh_inet6; -#endif - - if (ipfw_pfil_hooked) - return EEXIST; pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); if (pfh_inet == NULL) return ENOENT; -#ifdef INET6 - pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); - if (pfh_inet6 == NULL) - return ENOENT; -#endif pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); -#ifdef INET6 - pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); - pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); -#endif return 0; } @@ -447,31 +432,48 @@ ipfw_unhook(void) { struct pfil_head *pfh_inet; -#ifdef INET6 - struct pfil_head *pfh_inet6; -#endif - - if (!ipfw_pfil_hooked) - return ENOENT; pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); if (pfh_inet == NULL) return ENOENT; + + pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); + pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); + + return 0; +} + #ifdef INET6 +static int +ipfw6_hook(void) +{ + struct pfil_head *pfh_inet6; + + pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); + if (pfh_inet6 == NULL) + return ENOENT; + + pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); + pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); + + return 0; +} + +static int +ipfw6_unhook(void) +{ + struct pfil_head *pfh_inet6; + pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); if (pfh_inet6 == NULL) return ENOENT; -#endif - pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); - pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); -#ifdef INET6 pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); -#endif return 0; } +#endif static int ipfw_modevent(module_t mod, int type, void *unused) @@ -483,28 +485,39 @@ if (ipfw_pfil_hooked) { printf("IP firewall already loaded\n"); err = EEXIST; - } else { - if ((err = ipfw_init()) != 0) { - printf("ipfw_init() error\n"); - break; - } - if ((err = ipfw_hook()) != 0) { - printf("ipfw_hook() error\n"); - break; - } - ipfw_pfil_hooked = 1; + break; + } + if ((err = ipfw_init()) != 0) { + printf("ipfw_init() error\n"); + break; } + if ((err = ipfw_hook()) != 0) { + printf("ipfw_hook() error\n"); + break; + } +#ifdef INET6 + if ((err = ipfw6_hook()) != 0) { + ipfw_unhook(); /* revert the ipv4 part */ + printf("ipfw6_hook() error\n"); + break; + } +#endif + ipfw_pfil_hooked = 1; break; case MOD_UNLOAD: - if (ipfw_pfil_hooked) { - if ((err = ipfw_unhook()) > 0) - break; - ipfw_destroy(); - ipfw_pfil_hooked = 0; - } else { + if (!ipfw_pfil_hooked) { printf("IP firewall already unloaded\n"); + break; } + if ((err = ipfw_unhook()) > 0) + break; +#ifdef INET6 + if ((err = ipfw6_unhook()) > 0) + break; +#endif + ipfw_destroy(); + ipfw_pfil_hooked = 0; break; default: --------------070202080406040901090502-- From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 4 00:22:45 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4E34616A406; Wed, 4 Apr 2007 00:22:45 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.freebsd.org (Postfix) with ESMTP id 83FC313C45A; Wed, 4 Apr 2007 00:22:44 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from ap-h.matik.com.br (ap-h.matik.com.br [200.152.83.36]) by msrv.matik.com.br (8.13.8/8.13.1) with ESMTP id l340MgQl029431; Tue, 3 Apr 2007 21:22:42 -0300 (BRT) (envelope-from asstec@matik.com.br) From: AT Matik Organization: Infomatik To: freebsd-ipfw@freebsd.org Date: Tue, 3 Apr 2007 21:11:49 -0300 User-Agent: KMail/1.9.5 References: <200704021540.l32FerX8074400@freefall.freebsd.org> <20070 4030804.31819.asstec@matik.com.br> <20070403154054.GA1468@rogue.navcom.lan> In-Reply-To: <20070403154054.GA1468@rogue.navcom.lan> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200704032111.50041.asstec@matik.com.br> X-Spam-Status: No, score=-100.9 required=5.0 tests=ALL_TRUSTED,AWL, J_CHICKENPOX_21,MR_DIFF_MID,SMILEY,TW_PF,USER_IN_WHITELIST autolearn=unavailable version=3.1.8 X-Spam-Checker-Version: Antispam Datacenter Matik msrv.matik.com.br X-Virus-Scanned: ClamAV version 0.88.4, clamav-milter version 0.88.4 on msrv.matik.com.br X-Virus-Status: Clean Cc: jonw@whoweb.com, Mike Makonnen Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $fire wall_script not read it X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Apr 2007 00:22:45 -0000 On Tuesday 03 April 2007 12:40, Mike Makonnen wrote: > On Tue, Apr 03, 2007 at 08:04:31AM -0300, AT Matik wrote: > > I see your point > > but first tell me, how do you know that the rules are *successfully* > > loaded? > > Sorry, I wrote that email from memory and thought that was how it operate= d. > However, what it does is output a warning if the last rule is to deny all > packets (btw, is that correct? I thought ipfw operated on a "first-match" > basis, so there could be rules before that one to allow certain packets. > The more I look at it, the more bogus it looks to me, but I'm not > an ipfw user so... ). > instead of discussing, here is my actual version of /etc/rc.d/ipfw. I inver= ted=20 my personal choice of enabling ipfw before running the script into after. A= t=20 the end it doesn't matter because the outcome is the same. Also I think natd should not be run from ipfw script since there is=20 a /etc/rc.d/natd which in my opinion should have REQUIRE ipfw but not be=20 called by another rc.d script. So I do natd by it's own script only ipfw_start () { [ -z "${firewall_script}" ] && firewall_script=3D/etc/rc.firewall if [ -r "${firewall_script}" ]; then (sh - ${firewall_script}) echo -n 'firewall configured as type $firewall_type, rules= =20 loaded' else echo 'ERROR: firewall script not found!' echo 'You might have lost all Internet connections!' fi echo '.' if checkyesno firewall_logging; then if [ `sysctl -n net.inet.ip.fw.verbose` =3D "0" ]; then ${SYSCTL} net.inet.ip.fw.verbose=3D1 >/dev/null echo 'Firewall logging enabled' fi fi if [ `sysctl -n net.inet.ip.fw.enable` =3D "0" ]; then ${SYSCTL} net.inet.ip.fw.enable=3D1 >/dev/null fi } Jo=E3o > Anyways, I believe your original comment had to do with enabling the > firewall in a precmd() subroutine. I suppose in the end it comes down to > personal preference. It just seems "more correct" to me that the rules > are loaded first and then the firewall is turned on, but I can see how > someone else might disagree. I just thought > of something else as well: Enabling the firewall and then loading the > rules may introduce a brief window of vulnerablity where the firewall is > enabled (default to allow) but no rules are loaded. Off course, enabling > the firewall regardless of the outcome of the firewall script would > probably introduce a much bigger window of vulnerability :-). > > In any case, since I'm not a regular ipfw user I don't feel comfortable > making any more changes that might have unintended consequences. I'll > leave it to someone more familiar with ipfw to comment on and commit any > further changes. > > Cheers. =2D-=20 A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura. Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 5 00:12:11 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 59B7D16A40A; Thu, 5 Apr 2007 00:12:11 +0000 (UTC) (envelope-from julian@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 31B7213C480; Thu, 5 Apr 2007 00:12:11 +0000 (UTC) (envelope-from julian@FreeBSD.org) Received: from freefall.freebsd.org (julian@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l350CBJR054286; Thu, 5 Apr 2007 00:12:11 GMT (envelope-from julian@freefall.freebsd.org) Received: (from julian@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l350CAxS054282; Wed, 4 Apr 2007 17:12:10 -0700 (PDT) (envelope-from julian) Date: Wed, 4 Apr 2007 17:12:10 -0700 (PDT) From: Julian Elischer Message-Id: <200704050012.l350CAxS054282@freefall.freebsd.org> To: jau@iki.fi, julian@FreeBSD.org, freebsd-ipfw@FreeBSD.org Cc: Subject: Re: kern/111121: [ipfw] After the latest changes ipfw2 complains: "ipfw: opcode 50 size 2 wrong" X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Apr 2007 00:12:11 -0000 Synopsis: [ipfw] After the latest changes ipfw2 complains: "ipfw: opcode 50 size 2 wrong" State-Changed-From-To: open->closed State-Changed-By: julian State-Changed-When: Wed Apr 4 17:11:48 PDT 2007 State-Changed-Why: MFC reverted. http://www.freebsd.org/cgi/query-pr.cgi?pr=111121