From owner-freebsd-bugs@FreeBSD.ORG Sun Mar 11 20:48:12 2007 Return-Path: X-Original-To: freebsd-bugs@freebsd.org Delivered-To: freebsd-bugs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A6A5E16A402 for ; Sun, 11 Mar 2007 20:48:12 +0000 (UTC) (envelope-from frank@knobbe.us) Received: from mailb.knobbe.us (mailb.knobbe.us [66.179.47.215]) by mx1.freebsd.org (Postfix) with SMTP id 7120013C4C4 for ; Sun, 11 Mar 2007 20:48:12 +0000 (UTC) (envelope-from frank@knobbe.us) Received: from localhost (HELO mail.knobbe.us) by localhost with SMTP; 11 Mar 2007 15:21:29 -0500 Received: from localhost (HELO ??) by localhost with SMTP; 11 Mar 2007 15:21:28 -0500 From: Frank Knobbe To: freebsd-bugs@freebsd.org, freebsd-hackers@freebsd.org Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-BKrFh2QutLa+J4NTn9iE" Date: Sun, 11 Mar 2007 15:21:26 -0500 Message-Id: <1173644486.23887.21.camel@localhost> Mime-Version: 1.0 X-Mailer: Evolution 2.8.3 FreeBSD GNOME Team Port Cc: darrenr@freebsd.org, darrenr@pobox.com Subject: Fix for bug in IPFilters ipfs tool X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Mar 2007 20:48:12 -0000 --=-BKrFh2QutLa+J4NTn9iE Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Greetings, A couple years ago, I had sent a patch to Darren for ipfs in ipfilter (patched on FreeBSD 5.3). I never heard back from him, and assumed that either it wasn't in proper format or already being worked on or he was too busy. Now that I'm upgrading my systems to FBSD 6.2, I encountered the same problem, and roughly the same fix has to be applied again, so it doesn't appear like it had been looked at. Hence I'm posting again (this time to the list). My setup is such that I have two router connections from my hosting provider which I feed to two small switched which are linked with a cross-over cable. The server has two network cards which connect to each switch. Only one card is active at a time. I got a script running that pings the default gateway and when it fails, it does the following: - Bring interface A down, and B up. - Remove the IP address from i/f A and assign to i/f B. - Run sed over rc.conf, ipf.rules and ipnat.rules and change the interface name from A to B. - Save currently active ipfilter rules (using ipfstat), run sed over those to change the i/f name, and reload them. - And finally, save the ipfilter state table, run ipfs over it to change the i/f names, and reload the state table. This way the server achieves complete redundancy. Any router, switch, cable, NIC can fail, and the server will switch to the other network card while preserving connection states. Works like a charm. But only after I had worked on ipfs. Out of the box, ipfs did not properly make the interface change in the saved state files. In FBSD 6.2, the command to change the interfaces (-i) is even disabled, probably because it never worked :) Below is a patch that will fix ipfs such that it is able to successfully change the interface names in the saved state files. The patch below also enables the -i flag again. After applying this patch, one can change interfaces as outlined above, and have ipfs rename them in the state files, allowing a clean fail-over between interfaces within ipfilter and also preserving the connection state. Any established connection will remain active. This is my first bug/fix report, so please be gentle if I cross-posted too much. I would appreciate if someone could apply the patch to ipfs.c so that other users can make use of it. The version of ipfs this was diff'ed from is: /* $FreeBSD: src/contrib/ipfilter/tools/ipfs.c,v 1.3.2.1 2006/08/24 07:37:1 0 guido Exp $ */ ---8<----------------------------------------------------------------------= -- --- ipfs.c.org Sun Mar 11 14:19:32 2007 +++ ipfs.c Sun Mar 11 14:21:24 2007 @@ -133,6 +133,14 @@ strcpy(ips.ips_is.is_ifname[1], s); rw =3D 1; } + if (!strncmp(ips.ips_is.is_ifname[2], ifs, olen + 1)) { + strcpy(ips.ips_is.is_ifname[2], s); + rw =3D 1; + } + if (!strncmp(ips.ips_is.is_ifname[3], ifs, olen + 1)) { + strcpy(ips.ips_is.is_ifname[3], s); + rw =3D 1; + } if (rw =3D=3D 1) { if (lseek(fd, pos, SEEK_SET) !=3D pos) { perror("lseek"); @@ -190,6 +198,14 @@ strcpy(nat->nat_ifnames[1], s); rw =3D 1; } + if (!strncmp(nat->nat_ifnames[2], ifs, olen + 1)) { + strcpy(nat->nat_ifnames[2], s); + rw =3D 1; + } + if (!strncmp(nat->nat_ifnames[3], ifs, olen + 1)) { + strcpy(nat->nat_ifnames[3], s); + rw =3D 1; + } if (rw =3D=3D 1) { if (lseek(fd, pos, SEEK_SET) !=3D pos) { perror("lseek"); @@ -216,7 +232,7 @@ char *dirname =3D NULL, *filename =3D NULL, *ifs =3D NULL; =20 progname =3D argv[0]; - while ((c =3D getopt(argc, argv, "d:f:lNnSRruvWw")) !=3D -1) + while ((c =3D getopt(argc, argv, "d:f:i:lNnSRruvWw")) !=3D -1) switch (c) { case 'd' : ---8<----------------------------------------------------------------------= -- Regards, Frank --=20 It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports. --=-BKrFh2QutLa+J4NTn9iE Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQBF9GTGjt2fjCi9PsERArphAJ9lFAJb2spQg5go0KZ2Xypm6v5+FgCcCS98 FyHYq3xUgqpbEMV3DgdOKdg= =ndEO -----END PGP SIGNATURE----- --=-BKrFh2QutLa+J4NTn9iE--