From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 31 18:52:14 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 421D516A4BF;
	Sun, 31 Aug 2003 18:52:14 -0700 (PDT)
Received: from gateway.posi.net (adsl-63-201-90-66.dsl.snfc21.pacbell.net [63.201.90.66])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2C7B943F93;
	Sun, 31 Aug 2003 18:52:12 -0700 (PDT)
	(envelope-from kbyanc@posi.net)
Received: from localhost (localhost [127.0.0.1])
	by gateway.posi.net (8.12.6/8.12.8) with ESMTP id h811qAYl013788;
	Sun, 31 Aug 2003 18:52:11 -0700 (PDT)
	(envelope-from kbyanc@posi.net)
Date: Sun, 31 Aug 2003 18:52:10 -0700 (PDT)
From: Kelly Yancey
To: Clemens Fischer
In-Reply-To:
Message-ID: <20030831184821.C13778-100000@gateway.posi.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-ipfw@FreeBSD.org
cc: luigi@FreeBSD.org
Subject: Re: hostnames resolving problem
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 Sep 2003 01:52:14 -0000

On 30 Aug 2003, Clemens Fischer wrote:

> * Kelly Yancey:
>
> > diff -u -p -r1.4.2.17 ipfw2.c
> > --- ipfw2.c 25 Jul 2003 08:23:07 -0000 1.4.2.17
> > +++ ipfw2.c 29 Aug 2003 19:14:33 -0000
> > @@ -1879,6 +1879,10 @@ lookup_host (char *host, struct in_addr
> > if ((he = gethostbyname(host)) == NULL)
> > return(-1);
> > *ipaddr = *(struct in_addr *)he->h_addr_list[0];
> > + if (he->h_addr_list[1] != NULL) {
> > + warn("%s resolved to multiple addresses, only using %s",
> > + host, inet_ntoa(*ipaddr));
> > + }
>
> that would not be my cup of tea, because by this ipfw(8) becomes
> "unscriptable", ie. i'd have to grep(1) for messages and start from
> scratch again. i guess this problem should be detected and handled
> ahead of running ipfw(8). note that you can always use `-p
> preprocessor' for this.
>

No you don't, it just warns, not exits. You'll get warnings telling
you that what you are doing is a Bad Idea, but you can send them to
/dev/null if you don't care.

Kelly

--
Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org}
FreeBSD, The Power To Serve: http://www.freebsd.org/

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 1 06:32:15 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1AAB516A4BF
	for ; Mon, 1 Sep 2003 06:32:15 -0700 (PDT)
Received: from exchange.wan.no (exchange.wan.no [80.86.128.88])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C4F8F44005
	for ; Mon, 1 Sep 2003 06:32:13 -0700 (PDT)
	(envelope-from sten.daniel.sorsdal@wan.no)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 1 Sep 2003 15:29:36 +0200
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
Thread-Topic: IPFW2, sets and dynamic rules.
Thread-Index: AcNwjWH80Y/wEWgcTiOihCS6ZKFkfg==
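Review bot: the new warn() call in the `he->h_addr_list[1] != NULL` branch should be warnx(): warn(3) appends ": " plus strerror(errno), and gethostbyname(3) reports its failures through h_errno rather than errno, so the message will be suffixed with whatever stale errno text happens to be around, e.g. `warnx("%s resolved to multiple addresses, only using %s", host, inet_ntoa(*ipaddr));`. As quoted, the hunk also lacks its three trailing context lines (the `@@ -1879,6` header announces six old lines, but only three appear), so it will not apply with patch(1) as pasted from this mail.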
From: Sten Daniel Sørsdal
To:
Subject: IPFW2, sets and dynamic rules.
X-List-Received-Date: Mon, 01 Sep 2003 13:32:15 -0000

Being a complete ipfw idiot, I hoped someone could clarify this to me.

I wrote a simple firewall script that uses dynamic rules (stateful rules).
It's basically like this (handwritten, the real script is a lot bigger):

=====
ipfw set disable 1
ipfw -q delete set 1
ipfw set disable 1

ipfw add 100 set 1 check-state
ipfw add 101 set 1 skipto 1000 ip from any to any in via fxp0 // internet
ipfw add 102 set 1 skipto 2000 ip from any to any out via fxp0
ipfw add 103 set 1 skipto 3000 ip from any to any in via fxp1 // lan
ipfw add 104 set 1 skipto 4000 ip from any to any out via fxp1
ipfw add 105 set 1 allow ip from any to any

ipfw add 1000 set 1 deny ip from any to any

ipfw add 2000 set 1 allow ip from me to any keep-state
ipfw add 2001 set 1 deny ip from any to any

ipfw add 3000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
ipfw add 3001 set 1 allow udp from 192.168.0.0/16 to any keep-state
ipfw add 3002 set 1 deny ip from any to any

ipfw add 4000 set 1 allow ip from me to any keep-state
ipfw add 4001 set 1 deny ip from any to any

ipfw set swap 0 1
============

After the swap, the dynamic rules that were added when running on set 0
to begin with (same script) do seem to work at first glance. However, if
I add a rule at say 100 and shift all other rules down, and re-run the
script, then what happens with the dynamic rules? The TCP connections
break.

Do the dynamic rules always point to the same set, or do they point to
the new set when I run swap?

Do I need to enable set 1 afterwards to make it work? How is then the
line of rule execution when two sets are enabled?

Are there any ways to change the set 0 rules while still retaining the
functionality of the old dynamic rules?

- Sten

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 1 06:53:34 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 26B5616A4E9
	for ; Mon, 1 Sep 2003 06:53:34 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 641B843F85
	for ; Mon, 1 Sep 2003 06:53:33 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1])
	by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h81DrVkN070702;
	Mon, 1 Sep 2003 06:53:31 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost)
	by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h81DrVKW070701;
	Mon, 1 Sep 2003 06:53:31 -0700 (PDT)
	(envelope-from rizzo)
Date: Mon, 1 Sep 2003 06:53:30 -0700
From: Luigi Rizzo
To: Sten Daniel Sørsdal
Message-ID: <20030901065330.A70435@xorpc.icir.org>
References: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>; from sten.daniel.sorsdal@wan.no on Mon, Sep 01, 2003 at 03:29:36PM +0200
cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW2, sets and dynamic rules.
X-List-Received-Date: Mon, 01 Sep 2003 13:53:34 -0000

dynamic rules do not survive a delete, so your "delete set 1" is what
kills your connections.

	cheers
	luigi

On Mon, Sep 01, 2003 at 03:29:36PM +0200, Sten Daniel Sørsdal wrote:
>
> Being a complete ipfw idiot, i hoped someone could clarify this to me.
>
> I wrote a simple firewall script that uses dynamic rules (stateful rules).
> It's basically like this (handwritten, the real script is a lot bigger):
>
> =====
>
> ipfw set disable 1
> ipfw -q delete set 1
> ipfw set disable 1
>
> ipfw add 100 set 1 check-state
> ipfw add 101 set 1 skipto 1000 ip from any to any in via fxp0 // internet
> ipfw add 102 set 1 skipto 2000 ip from any to any out via fxp0
> ipfw add 103 set 1 skipto 3000 ip from any to any in via fxp1 // lan
> ipfw add 104 set 1 skipto 4000 ip from any to any out via fxp1
> ipfw add 105 set 1 allow ip from any to any
>
> ipfw add 1000 set 1 deny ip from any to any
>
> ipfw add 2000 set 1 allow ip from me to any keep-state
> ipfw add 2001 set 1 deny ip from any to any
>
> ipfw add 3000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
> ipfw add 3001 set 1 allow udp from 192.168.0.0/16 to any keep-state
> ipfw add 3002 set 1 deny ip from any to any
>
> ipfw add 4000 set 1 allow ip from me to any keep-state
> ipfw add 4001 set 1 deny ip from any to any
>
> ipfw set swap 0 1
>
> ============
>
> after the swap, the dynamic rules that were added when running on set 0 to begin with (same script)
> do seem to work at first glance. however if i add a rule at say 100 and shift all other rules down,
> and re-run the script then what happens with the dynamic rules? the tcp connections break.
>
> do the dynamic rules always point to the same set or do they point to the new set when i run swap?
>
> do i need to enable set 1 afterwards to make it work? how is then the line of rule execution, when
> two sets are enabled?
>
> are there any ways to change the set 0 rules while still retaining the functionality of the old
> dynamic rules?
>
>
> - Sten
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 1 07:03:35 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8DDE016A4BF
	for ; Mon, 1 Sep 2003 07:03:35 -0700 (PDT)
Received: from exchange.wan.no (exchange.wan.no [80.86.128.88])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4586C43FDF
	for ; Mon, 1 Sep 2003 07:03:34 -0700 (PDT)
	(envelope-from sten.daniel.sorsdal@wan.no)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 1 Sep 2003 16:00:57 +0200
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F1F3EAA@exchange.wanglobal.net>
Thread-Topic: IPFW2, sets and dynamic rules.
Thread-Index: AcNwkBWw5ofDqpPRTaqhYX+Df/b2OgAAV43A
From: Sten Daniel Sørsdal
To: "Luigi Rizzo"
cc: freebsd-ipfw@freebsd.org
Subject: RE: IPFW2, sets and dynamic rules.
X-List-Received-Date: Mon, 01 Sep 2003 14:03:35 -0000

Yes, but that is only to empty an ancient (possibly empty) ruleset.
Notice the swap in the last bit.

But do dynamic rules keep tabs on which 'set' they belong to?
If so, does their 'set' information get swapped also?

>
> dynamic rules do not survive a delete, so your "delete set 1" is what
> kills your connections.
>
> 	cheers
> 	luigi
>
> On Mon, Sep 01, 2003 at 03:29:36PM +0200, Sten Daniel Sørsdal wrote:
> >
> > Being a complete ipfw idiot, i hoped someone could clarify
> this to me.
> >
[.snip.]
> >
> > do the dynamic rules always point to the same set or do they
> point to the new set when i run swap?
> >
> > do i need to enable set 1 afterwards to make it work? how
> is then the line of rule execution, when
> > two sets are enabled?
> >
> > are there any ways to change the set 0 rules while still
> retaining the functionality of the old
> > dynamic rules?
> >

- Sten

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 1 07:09:30 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B9F7B16A4BF
	for ; Mon, 1 Sep 2003 07:09:30 -0700 (PDT)
Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AD16343FBD
	for ; Mon, 1 Sep 2003 07:09:29 -0700 (PDT)
	(envelope-from simon@arthur.nitro.dk)
Received: by arthur.nitro.dk (Postfix, from userid 1000)
	id 1221D10BF8C; Mon, 1 Sep 2003 16:09:27 +0200 (CEST)
Date: Mon, 1 Sep 2003 16:09:26 +0200
From: "Simon L. Nielsen"
To: Sten Daniel Sørsdal
Message-ID: <20030901140925.GC396@FreeBSD.org>
References: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="IDYEmSnFhs3mNXr+"
Content-Disposition: inline
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
User-Agent: Mutt/1.5.4i
cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW2, sets and dynamic rules.
X-List-Received-Date: Mon, 01 Sep 2003 14:09:30 -0000

On 2003.09.01 15:29:36 +0200, Sten Daniel Sørsdal wrote:

> are there any ways to change the set 0 rules while still retaining the
> functionality of the old dynamic rules?

As Luigi said, when you delete a rule the corresponding dynamic rules are
deleted as well.

I use the following hack which allows one reload without deleting
running connections. I basically move all the "old" rules to a disabled
set, so they still exist but aren't active. That way the dynamic rules
aren't deleted.

set_nospoof="2"
set_bandwidth="3"
set_std="4"
set_nitro="5"
set_bogon="6"
set_old="30"

# All the default active sets :
sets_normal="0 $set_nospoof $set_bandwidth $set_std $set_nitro $set_bogon"

# Clean old set
${fwcmd} delete set ${set_old}
${fwcmd} set enable ${set_old}

# Move all rules to special set
for s in $sets_normal; do
	${fwcmd} set move ${s} to ${set_old}
done

# Disable normal sets so we can safely add to them
${fwcmd} set disable $sets_normal

${fwcmd} add set ${set_std} reset tcp from any to any 113

# A lot of other rules

# Now we switch to the new sets
${fwcmd} set disable ${set_old} enable ${sets_normal}

Note that this is just copy/pasted from my firewall script, but you
should get the idea.

This is not pretty, but it works.

--
Simon L. Nielsen
FreeBSD Documentation Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/U1MVh9pcDSc1mlERAoocAJ4mJY5fL3fsl727E31sathv6L/dQgCglN2S
3EM9cZvWiF/LDaODdHso0wA=
=EATq
-----END PGP SIGNATURE-----

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 1 07:41:40 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E87AE16A4BF;
	Mon, 1 Sep 2003 07:41:40 -0700 (PDT)
Received: from exchange.wan.no (exchange.wan.no [80.86.128.88])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A398043F93;
	Mon, 1 Sep 2003 07:41:39 -0700 (PDT)
	(envelope-from sten.daniel.sorsdal@wan.no)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 1 Sep 2003 16:39:03 +0200
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DF32@exchange.wanglobal.net>
Thread-Topic: IPFW2, sets and dynamic rules.
Thread-Index: AcNwkkw4pkw41KHXSMa+QBrRNEivMgAAYx+w
From: Sten Daniel Sørsdal
To: "Simon L. Nielsen"
cc: freebsd-ipfw@freebsd.org
Subject: RE: IPFW2, sets and dynamic rules.
X-List-Received-Date: Mon, 01 Sep 2003 14:41:41 -0000

> > are there any ways to change the set 0 rules while still
> retaining the
> > functionality of the old dynamic rules?
>
> As Luigi said when you delete a rule the corresponding dynamic rules are
> deleted as well.

His answer is correct and I'm an idiot/impatient (I need my answers
straightforward, and can't do this pondering bit).

>
> I use the following hack which allows one reload without deleting
> running connections. I basically move all the "old" rules to
> a disabled
> set, so they still exist but aren't active. That way the
> dynamic rules
> aren't deleted.
>

Isn't this the same thing as a swapping of 0 and 1?
After a swap, set 0 will contain the new rules and set 1 will
contain the old but will be disabled.

[.snip.]

>
> Note that this is just copy/pasted from my firewall script, but
> you should
> get the idea.
>
> This is not pretty, but it works.

Thank you for your example script, it makes perfect sense now.
I now do a rotation of 1 through 15 like this:

ipfw set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 enable 0
ipfw -q delete set 16
for HN in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
do
	ipfw set move $HN to $(( $HN + 1 ))
done

alias allow="addrule allow"   # addrule() adds each rule to set 1
alias deny="addrule deny"
[...]
allow tcp from any to any setup keep-state
[...]
swap 0 1

A redundant enable 0, but I like it in my script to make sure nobody
manually did something.

The mistake I made was that I re-ran my firewall rules too many times.
(The original script only allowed for one execution, and the next
would kill the dynamic rules.)

- Sten

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 1 11:03:50 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9DD5316A4C3
	for ; Mon, 1 Sep 2003 11:03:50 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 105A744030
	for ; Mon, 1 Sep 2003 11:01:49 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h81I1mUp002876
	for ; Mon, 1 Sep 2003 11:01:48 -0700 (PDT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h81I1ml6002870
	for ipfw@freebsd.org; Mon, 1 Sep 2003 11:01:48 -0700 (PDT)
Date: Mon, 1 Sep 2003 11:01:48 -0700 (PDT)
Message-Id: <200309011801.h81I1ml6002870@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-List-Received-Date: Mon, 01 Sep 2003 18:03:50 -0000

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216  ipfw  kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/08/25] kern/55984  ipfw  [patch] time based firewalling support fo

9 problems total.
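The reload technique worked out in the "IPFW2, sets and dynamic rules" thread above (Luigi's point that "delete set" kills the dynamic rules of that set, Simon's trick of parking the old rules in a disabled set, and Sten's rotation through sets 1..15), written out as an added example. This is my own script, not code from the thread or from the FreeBSD tree. Everything about its layout is an assumption: the live rules always sit in set 1, older generations are parked disabled in sets 2..DEPTH+1, the `FWCMD` and `DEPTH` variables, and the constructed sample rules using fxp1 and 192.168.0.0/16.

```shell
#!/bin/sh
# Added example (not code from the thread): reload an ipfw2 ruleset without
# losing dynamic (keep-state) rules, generalising Simon's parked-set hack
# and Sten's set rotation.
#
# Facts from the thread this relies on: "ipfw delete set N" also deletes
# the dynamic rules spawned by rules in set N, whereas rules in a disabled
# set stay in the kernel, so check-state keeps matching their dynamic rules.
#
# Layout (my assumption, not the thread's): the live ruleset is always set 1;
# older generations are parked, disabled, in sets 2..DEPTH+1; the oldest one
# is deleted on every reload. Sets 0 and 31 (default rule) are never touched.

fwcmd="${FWCMD:-ipfw}"   # FWCMD="echo ipfw" prints the sequence instead
DEPTH="${DEPTH:-4}"      # generations kept; DEPTH+1 must not exceed 30
# $fwcmd is deliberately left unquoted below: FWCMD may hold several words.

# parked_sets: the space-separated list "2 3 ... DEPTH+1".
parked_sets() {
    n=2; list=""
    while [ "$n" -le $((DEPTH + 1)) ]; do
        list="${list:+$list }$n"
        n=$((n + 1))
    done
    echo "$list"
}

# rules: the new policy, every rule tagged "set 1" (constructed sample in
# the style of Sten's script; fxp1 and 192.168.0.0/16 are assumptions).
rules() {
    $fwcmd add 100 set 1 check-state
    $fwcmd add 200 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state in via fxp1
    $fwcmd add 210 set 1 allow udp from 192.168.0.0/16 to any keep-state in via fxp1
    $fwcmd add 300 set 1 allow ip from me to any keep-state out
    $fwcmd add 65000 set 1 deny ip from any to any
}

# age_generations: drop the oldest parked generation and shift the others
# up by one, oldest first so that no two generations ever share a set.
age_generations() {
    $fwcmd -q delete set $((DEPTH + 1))    # its dynamic rules are DEPTH reloads old
    n=$DEPTH
    while [ "$n" -ge 2 ]; do
        $fwcmd set move "$n" to $((n + 1))  # disabled to disabled: no traffic impact
        n=$((n - 1))
    done
}

# reload: the full sequence. Set 2 is enabled *before* the live rules are
# moved into it, so they never stop matching; the closing
# "set disable 2 enable 1" is a single ioctl, so the cut-over is atomic.
reload() {
    if [ "$DEPTH" -lt 1 ] || [ "$DEPTH" -gt 29 ]; then
        echo "reload: DEPTH must be 1..29" >&2
        return 2
    fi
    $fwcmd set disable $(parked_sets)   # idempotent; sets are enabled by default
    age_generations
    $fwcmd set enable 2                 # now empty; make it live first...
    $fwcmd set move 1 to 2              # ...then park the current rules in it
    $fwcmd set disable 1                # set 1 is empty; fill it while dark
    rules
    $fwcmd set disable 2 enable 1       # atomic cut-over; old state survives
}

# Only act when invoked with "apply", so the file can also be sourced.
if [ "${1:-}" = apply ]; then
    reload
fi
```

Run it as `sh reload.sh apply` on the firewall, or `FWCMD="echo ipfw" sh reload.sh apply` to print the command sequence without touching the kernel. Because set 0 is never touched, rules that currently live there stay active in parallel; move them once with `ipfw set move 0 to 1` before the first reload. A parked generation is only deleted after DEPTH further reloads, so an established connection survives exactly as long as the rule generation that created it.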
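Clemens Fischer's suggestion in the "hostnames resolving problem" thread above (detect a name that resolves to several addresses before ipfw(8) runs, for instance through `-p preprocessor`, rather than have lookup_host() warn and silently take the first address), as an added example. This is my own script, not code from the thread or from ipfw. The `host:NAME` token convention, the `resolve_hosts.sh` file name, getent(1) as the resolver command and the example names are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): a preprocessor for "ipfw -p"
# that resolves hostnames before ipfw ever sees the rules and refuses to
# load when a name has several addresses (Clemens's round-robin case) or
# none, instead of silently taking h_addr_list[0] as ipfw's lookup_host does.
#
# Convention (mine, not an ipfw feature): a token "host:NAME" in the rules
# file is replaced by NAME's single IPv4 address.
#
# Usage:  ipfw -p ./resolve_hosts.sh /etc/ipfw.rules
# ipfw runs the preprocessor with the file name as its last argument and
# reads rules from its stdout; also check this script's exit status from
# the wrapper that calls ipfw, since a non-zero status means "do not load".

# resolve_v4 NAME: print NAME's IPv4 addresses, one per line, de-duplicated.
# Assumption: getent(1) is available. "getent hosts" asks the system
# resolver much like gethostbyname; if a name also has AAAA records it may
# report only those, in which case substitute a command that queries A
# records specifically (e.g. host -t A).
resolve_v4() {
    getent hosts "$1" 2>/dev/null \
        | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' \
        | sort -u
}

# addr_for NAME: print exactly one address, or fail with a diagnostic.
addr_for() {
    addrs=$(resolve_v4 "$1")
    n=$(printf '%s\n' "$addrs" | awk 'NF { c++ } END { print c + 0 }')
    case "$n" in
    1)  printf '%s\n' "$addrs" ;;
    0)  echo "resolve: $1: no IPv4 address" >&2
        return 1 ;;
    *)  echo "resolve: $1: $n addresses, refusing to pick one:" >&2
        printf '  %s\n' $addrs >&2
        return 1 ;;
    esac
}

# expand_rules FILE: print FILE with every host:NAME substituted. All names
# are resolved before anything is printed, so the first unresolvable name
# stops the run with status 1 and nothing half-expanded reaches ipfw.
expand_rules() {
    result=""
    set -f                                  # no globbing of rule tokens
    while IFS= read -r line || [ -n "$line" ]; do
        out=""
        for tok in $line; do
            case "$tok" in
            host:*)
                tok=$(addr_for "${tok#host:}") || { set +f; return 1; }
                ;;
            esac
            out="${out:+$out }$tok"
        done
        result="$result$out
"
    done < "$1"
    set +f
    printf '%s' "$result"
}

if [ $# -ge 1 ]; then
    expand_rules "$1" || exit 1
fi
```

The deliberate choice is to fail closed: a name with two A records is not "use the first", it is "the rule author's intent is ambiguous", so nothing is loaded until the rule is rewritten with an explicit address or a table.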
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 1 22:14:39 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1A84316A4BF
	for ; Mon, 1 Sep 2003 22:14:39 -0700 (PDT)
Received: from bjpu.edu.cn (egw.bjpu.edu.cn [202.112.78.77])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 859B543FFB
	for ; Mon, 1 Sep 2003 22:14:37 -0700 (PDT)
	(envelope-from liukang@bjpu.edu.cn)
Received: (eyou gateway send program); Tue, 02 Sep 2003 13:15:46 +0800
X-EYOU-ORIGINAL-IP: 202.112.78.224
X-EYOU-ENVELOPE-MAILFROM: liukang@bjpu.edu.cn
Received: from unknown (HELO lkatschool) (unknown@202.112.78.224)
	by 202.112.78.77 with ; Tue, 02 Sep 2003 13:15:46 +0800
From: "Kang Liu"
To:
Date: Tue, 2 Sep 2003 13:11:50 +0800
Message-ID: <000001c37110$b7e92070$e04e70ca@lkatschool>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
cc: ipfw@freebsd.org
Subject: [patch]run ipfw2 with incomplete options will make a coredump
X-List-Received-Date: Tue, 02 Sep 2003 05:14:39 -0000

>Submitter-Id: current-users
>Originator: Kang Liu
>Organization: Beijing University of Technology
>Confidential: no
>Synopsis: [patch]run ipfw2 with incomplete options will make a coredump
>Severity: critical
>Priority: high
>Category: bin
>Class: sw-bug
>Release: FreeBSD 4.9-PRERELEASE i386
>Environment:
System: FreeBSD cnproxy.bjpu.edu.cn 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #33: Sun Aug 31 15:58:08 CST 2003 root@cnproxy.bjpu.edu.cn:/usr/obj/usr/src/sys/CNPROXY i386

>Description:
Running ipfw2 enable/disable with incomplete options will make a coredump
with signal 10. This problem can be reproduced on the latest 5.1-CURRENT;
I do not have a 4.8 running ipfw2, but I think -STABLE with ipfw2 may have
the same problem. The src has been frozen for 4.9, but this problem is so
serious. Can anyone test and commit it?

>How-To-Repeat:
On a latest 5.1 machine, run:

# ipfw disable (or ipfw enable)
Bus error (core dumped)

An ipfw.core would be produced.
In /var/log/messages:

date time hostname kernel: pid num (ipfw), uid 0: exited on signal 10 (core dumped)

>Fix:
I think a better way is to check "ac" instead of checking "av".

--- ipfw2.c.orig Tue Sep 2 12:54:28 2003
+++ ipfw2.c Tue Sep 2 12:54:54 2003
@@ -1643,7 +1643,7 @@
ac--; av++;
- if (*av == NULL) {
+ if (ac == 0) {
warnx("missing keyword to enable/disable\n");
} else if (strncmp(*av, "firewall", strlen(*av)) == 0) {
sysctlbyname("net.inet.ip.fw.enable", NULL, 0,

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 2 09:08:54 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BCFB916A4BF
	for ; Tue, 2 Sep 2003 09:08:54 -0700 (PDT)
Received: from mout2.freenet.de (mout2.freenet.de [194.97.50.155])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 387524401E
	for ; Tue, 2 Sep 2003 09:08:52 -0700 (PDT)
	(envelope-from ino-qc@spotteswoode.de.eu.org)
Received: from [194.97.55.147] (helo=mx4.freenet.de)
	by mout2.freenet.de with asmtp (Exim 4.21)
	id 19uDi7-0003Lh-02
	for freebsd-ipfw@FreeBSD.org; Tue, 02 Sep 2003 18:08:51 +0200
Received: from p3e9baab9.dip.t-dialin.net ([62.155.170.185] helo=spotteswoode.dnsalias.org)
	by mx4.freenet.de with asmtp (ID inode@freenet.de)
	(Exim 4.21 #5)
	id 19uDi6-0001bv-Jc
	for freebsd-ipfw@FreeBSD.org; Tue, 02 Sep 2003 18:08:50 +0200
Received: (qmail 6614 invoked by uid 0); 2 Sep 2003 16:08:50 -0000
Date: 2 Sep 2003 18:08:49 +0200
Message-ID:
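Review bot: the replacement `if (ac == 0)` is the right test only because the argument vector reaching this code is evidently not NULL-terminated (that is what the bus error in the report tells us: with a terminated vector the old `*av == NULL` check would have caught `ipfw disable`), and nothing in the hunk records that; add a one-line comment above the test, e.g. `/* av is not guaranteed to be NULL-terminated; trust ac */`, so nobody later "simplifies" it back to the pointer check. Two smaller points in the unchanged context: warnx(3) appends its own newline, so the `\n` in `"missing keyword to enable/disable\n"` prints a blank line, and a missing keyword is a usage error that should exit non-zero (errx(3) with EX_USAGE) rather than warn and carry on.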
From: "Clemens Fischer"
To: "Kelly Yancey"
In-Reply-To: <20030831184821.C13778-100000@gateway.posi.net> (Kelly Yancey's message of "Sun, 31 Aug 2003 18:52:10 -0700 (PDT)")
References: <20030831184821.C13778-100000@gateway.posi.net>
User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-ipfw@FreeBSD.org
cc: luigi@FreeBSD.org
Subject: Re: hostnames resolving problem
X-List-Received-Date: Tue, 02 Sep 2003 16:08:54 -0000

* Kelly Yancey:

> On 30 Aug 2003, Clemens Fischer wrote:
>
>> that would not be my cup of tea, because by this ipfw(8) becomes
>> "unscriptable", ie. i'd have to grep(1) for messages and start from
>> scratch again. i guess this problem should be detected and handled
>> ahead of running ipfw(8). note that you can always use `-p
>> preprocessor' for this.
>
> No you don't, it just warns, not exits. You'll get warnings
> telling you that what you are doing is a Bad Idea, but you can send
> them to /dev/null if you don't care.

I know, but this doesn't put me at ease. Since hosts can choose to
implement DNS round-robin any time, this might not only be a bad idea,
it might well be plain wrong, and I wouldn't even know. The patch
should error-exit IMO, or people who need this feature should dream up
their own m4 macros to handle this "feature".

clemens

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 3 17:37:16 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 76EED16A4BF
	for ; Wed, 3 Sep 2003 17:37:16 -0700 (PDT)
Received: from imul.math.uni.lodz.pl (imul.math.uni.lodz.pl [212.191.65.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3A3F643FF5
	for ; Wed, 3 Sep 2003 17:37:15 -0700 (PDT)
	(envelope-from mg@fork.pl)
Received: from localhost (localhost.math.uni.lodz.pl [127.0.0.1])
	203202595 for ; Thu, 4 Sep 2003 02:36:02 +0200 (CEST)
Received: from by localhost (amavisd-new, port )
	id 2m6vauCa for ; Thu, 4 Sep 2003 02:36:01 +0200 (CEST)
Received: from fork.pl (imul.math.uni.lodz.pl [212.191.65.2])
	9C1D224F9 for ; Thu, 4 Sep 2003 02:36:00 +0200 (CEST)
Message-ID: <3F56895B.9060309@fork.pl>
Date: Thu, 04 Sep 2003 02:37:47 +0200
From: Marcin Gryszkalis
Organization: fork.pl
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030827
X-Accept-Language: en-us, en, pl
MIME-Version: 1.0
To: ipfw@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at math.uni.lodz.pl
Subject: punch_fw and passive mode
X-List-Received-Date: Thu, 04 Sep 2003 00:37:16 -0000

Hi

I have a little problem with natd's punch_fw option and passive mode FTP
clients connecting from inside the firewall (from behind NAT). It just
does nothing for passive connections. For active mode 2 rules are added
and everything works OK.

I looked at the sources and it seems to be that way by design; there's
this piece of code in alias_ftp.c:

-------------------------
	if (ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER) {
		/*
		 * When aliasing a client, check for the PORT/EPRT command.
		 */
		if (ParseFtpPortCommand(sptr, dlen))
			ftp_message_type = FTP_PORT_COMMAND;
		else if (ParseFtpEprtCommand(sptr, dlen))
			ftp_message_type = FTP_EPRT_COMMAND;
	} else {
		/*
		 * When aliasing a server, check for the 227/229 reply.
		 */
		if (ParseFtp227Reply(sptr, dlen))
			ftp_message_type = FTP_227_REPLY;
		else if (ParseFtp229Reply(sptr, dlen)) {
			ftp_message_type = FTP_229_REPLY;
			true_addr.s_addr = pip->ip_src.s_addr;
		}
	}
-------------------------

What would be broken if we removed this client-server if-else?

-------------------------
	if (ParseFtpPortCommand(sptr, dlen))
		ftp_message_type = FTP_PORT_COMMAND;
	else if (ParseFtpEprtCommand(sptr, dlen))
		ftp_message_type = FTP_EPRT_COMMAND;
	else if (ParseFtp227Reply(sptr, dlen))
		ftp_message_type = FTP_227_REPLY;
	else if (ParseFtp229Reply(sptr, dlen)) {
		ftp_message_type = FTP_229_REPLY;
		true_addr.s_addr = pip->ip_src.s_addr;
	}
-------------------------

regards
--
Marcin Gryszkalis http://fork.pl <><

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 4 11:47:53 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EC20416A4BF
	for ; Thu, 4 Sep 2003 11:47:53 -0700 (PDT)
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7168043F85
	for ; Thu, 4 Sep 2003 11:47:53 -0700 (PDT)
	(envelope-from billf@elvis.mu.org)
Received: by elvis.mu.org (Postfix, from userid 1098)
	id 6827F2ED43F; Thu, 4 Sep 2003 11:47:53 -0700 (PDT)
Date: Thu, 4 Sep 2003 11:47:53 -0700
From: Bill Fumerola
To: Sten Daniel Sørsdal
Message-ID: <20030904184753.GB57940@elvis.mu.org>
References: <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>
User-Agent: Mutt/1.4.1i
X-Operating-System: FreeBSD 4.8-MUORG-20030805 i386
cc: freebsd-ipfw@freebsd.org
Subject: Re: verrevpath - denies local multicast. Is this intended?
X-List-Received-Date: Thu, 04 Sep 2003 18:47:54 -0000

On Fri, Aug 29, 2003 at 02:45:55PM +0200, Sten Daniel Sørsdal wrote:
>
> when using verrevpath it seems to drop local multicast packets such as RIP2.
> i use it as suggested; deny log ip from any to any not verrevpath
>
> logentry:
> Aug 29 14:32:08 fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1
>
> does this mean it should deny multicast and broadcasts or that it really should
> verify that the multicast path is correct?

i won't speak to what it should do, but...

just add a specific rule before '1011' that allows rip2 traffic to that
multicast addr. use 224.0.0.0/4 if you don't want to deal with it again.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 4 21:49:52 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C00A116A4BF
	for ; Thu, 4 Sep 2003 21:49:52 -0700 (PDT)
Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BB4D643FFB
	for ; Thu, 4 Sep 2003 21:49:51 -0700 (PDT)
	(envelope-from cristjc@comcast.net)
Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182](untrusted sender))
	by comcast.net (sccrmhc12) with ESMTP
	id <20030905044950012007m08je>; Fri, 5 Sep 2003 04:49:50 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
	by blossom.cjclark.org (8.12.8p1/8.12.8) with ESMTP id h854mLJp073084;
	Thu, 4 Sep 2003 21:48:21 -0700 (PDT)
	(envelope-from cristjc@comcast.net)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.12.8p1/8.12.8/Submit) id h854mJ9L073083;
	Thu, 4 Sep 2003 21:48:19 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f
Date: Thu, 4 Sep 2003 21:48:19 -0700
From: "Crist J. Clark"
To: Sten Daniel Sørsdal
Message-ID: <20030905044819.GA72999@blossom.cjclark.org>
References: <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
cc: freebsd-ipfw@freebsd.org
Subject: Re: verrevpath - denies local multicast. Is this intended?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Crist J. Clark"
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 05 Sep 2003 04:49:52 -0000

On Fri, Aug 29, 2003 at 02:45:55PM +0200, Sten Daniel Sørsdal wrote:
>
> when using verrevpath it seems to drop local multicast packets such as RIP2.
> i use it as suggested; deny log ip from any to any not verrevpath
>
> logentry:
> Aug 29 14:32:08 fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1

What does,

    # route get 80.86.140.54

Return? If it's fxp1, I'm not sure what might be going wrong.

> i read in /sys/netinet/ip_fw2.c:
>
> /*
>  * The 'verrevpath' option checks that the interface that an IP packet
>  * arrives on is the same interface that traffic destined for the
>  * packet's source address would be routed out of. This is a measure
>  * to block forged packets. This is also commonly known as "anti-spoofing"
>  * or Unicast Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The
>  * name of the knob is purposely reminisent of the Cisco IOS command,
>  *
>  * ip verify unicast reverse-path
>  *
>  * which implements the same functionality. But note that syntax is
>  * misleading. The check may be performed on all IP packets whether unicast,
>  * multicast, or broadcast.
>  */
>
> does this mean it should deny multicast and broadcasts or that it really should
> verify that the multicast path is correct?

The _only_ thing it does is check that the interface a packet arrives on is the same interface that it would route out of to reach the source address of the packet. All that matters in this case is where 80.86.140.54 gets routed to.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 5 09:19:20 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E2A9716A4C0 for ; Fri, 5 Sep 2003 09:19:20 -0700 (PDT)
Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id A442043FF5 for ; Fri, 5 Sep 2003 09:19:18 -0700 (PDT) (envelope-from roam@ringlet.net)
Received: (qmail 19987 invoked from network); 5 Sep 2003 16:11:34 -0000
Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 5 Sep 2003 16:11:33 -0000
Received: (qmail 85369 invoked by uid 1000); 5 Sep 2003 16:19:15 -0000
Date: Fri, 5 Sep 2003 19:19:15 +0300
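The check Crist describes in his reply, as an added example that is not part of the thread and not ipfw or FreeBSD code: a reverse-path lookup against a small constructed routing table, applied to packets modelled on the logged RIP2 datagram. Only the source address and the arrival interface enter the decision; the multicast destination never does. The route entries, interface names and packets are assumptions made for the example.

```python
"""Reverse-path check in the style of ipfw's verrevpath (added example)."""
import ipaddress

# Constructed routing table: (prefix, interface a packet for that prefix leaves on).
# On a real box this is what `route get <source>` answers; the longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "fxp0"),        # default route, upstream side
    ("80.86.140.0/24", "fxp1"),   # LAN segment the RIP2 speaker sits on
    ("192.168.1.0/24", "fxp2"),   # another internal segment
]

# Same table without the LAN entry: every source now routes out of fxp0.
ROUTES_NO_LAN = [("0.0.0.0/0", "fxp0")]


def route_lookup(addr, routes=ROUTES):
    """Return the outgoing interface for addr (most specific prefix), or None."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def verrevpath(src, in_iface, routes=ROUTES):
    """True when a packet *to* src would leave on the interface this packet arrived on.

    The destination address is deliberately not an argument: unicast, multicast
    or broadcast, only the source's reverse path is consulted.
    """
    return route_lookup(src, routes) == in_iface


def evaluate(pkt, routes=ROUTES):
    """Verdict of 'deny log ip from any to any not verrevpath' for one packet."""
    return "allow" if verrevpath(pkt["src"], pkt["in"], routes) else "deny"


# Constructed packets; the first mirrors the logged RIP2 datagram from the thread.
PACKETS = [
    {"src": "80.86.140.54", "dst": "224.0.0.9", "in": "fxp1"},  # RIP2 from the LAN
    {"src": "80.86.140.54", "dst": "224.0.0.9", "in": "fxp0"},  # same source, wrong side
    {"src": "192.168.1.10", "dst": "10.0.0.1", "in": "fxp0"},   # internal source arriving upstream
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt["src"], "in via", pkt["in"], "->", evaluate(pkt))
    print("logged packet with no LAN route:", evaluate(PACKETS[0], ROUTES_NO_LAN))
```

With the LAN prefix present, the logged packet is allowed; with a table in which 80.86.140.54 routes out of fxp0, the same packet is denied, which is exactly the situation `route get 80.86.140.54` would reveal on the box that produced the log line.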
From: Peter Pentchev
To: Glen Gibb
Message-ID: <20030905161915.GG556@straylight.oblivion.bg>
References: <200308270107.h7R17L23047514@genesis.ridley.unimelb.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Disposition: inline
In-Reply-To: <200308270107.h7R17L23047514@genesis.ridley.unimelb.edu.au>
User-Agent: Mutt/1.5.4i
cc: ipfw@FreeBSD.org
cc: bug-followup@FreeBSD.org
Subject: Re: docs/56021: Documentation incorrect for mac in ipfw2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 05 Sep 2003 16:19:21 -0000

On Wed, Aug 27, 2003 at 11:07:21AM +1000, Glen Gibb wrote:
>
> >Number: 56021
> >Category: docs
> >Synopsis: Documentation incorrect for mac in ipfw2
> >Originator: Glen Gibb
> >Release: FreeBSD 5.1-CURRENT i386
[snip]
> >Description:
>
> The man page for ipfw (IPFW2) is incomplete/misleading in regards to
> the "mac" option in the RULE OPTIONS section.
>
> The man page states that the address can be "optionally followed by a
> mask indicating how many bits are significant, as in MAC
> 10:20:30:40:50:60/33 any". This IS correct but it does not mention the
> second method of specifying a bit mask, that is by following the
> address with an ampersand (&) followed by the bitmask which is
> specified using the same format as the address. For example, if we
> wanted to match any mac address that ended with 60, we could use the
> following mask:
>
> MAC 00:00:00:00:50:60&00:00:00:00:00:ff

What do you think about the following patch?

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence was in the past tense.
Index: src/sbin/ipfw/ipfw.8 =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.131 diff -u -r1.131 ipfw.8 --- src/sbin/ipfw/ipfw.8 22 Jul 2003 07:41:24 -0000 1.131 +++ src/sbin/ipfw/ipfw.8 5 Sep 2003 16:12:41 -0000 
@@ -1046,11 +1046,31 @@ .Cm any keyword (matching any MAC address), or six groups of hex digits separated by colons, -and optionally followed by a mask indicating how many bits are -significant, as in +and optionally followed by a mask indicating the significant bits. +The mask may be specified using either of the following methods: +.Bl -enum -width indent +.It +A slash +.Pq / +followed by the number of significant bits. +For example, an address with 33 significant bits could be specified as: .Pp .Dl "MAC 10:20:30:40:50:60/33 any" .Pp +.It +An ampersand +.Pq & +followed by a bitmask specified as six groups of hex digits separated +by colons. +For example, an address in which the last 16 bits are significant could +be specified as: +.Pp +.Dl "MAC 10:20:30:40:50:60&00:00:00:00:00:ff any" +.Pp +Note that the ampersand character has a special meaning in many shells +and should generally be escaped. +.Pp +.El Note that the order of MAC addresses (destination first, source second) is the same as on the wire, but the opposite of the one used for From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 5 09:50:40 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2FEC116A4BF for ; Fri, 5 Sep 2003 09:50:40 -0700 (PDT) Received: from gradlab.ucsd.edu (gradlab.ucsd.edu [132.239.55.107]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B79A43FDF for ; Fri, 5 Sep 2003 09:50:39 -0700 (PDT) (envelope-from ycheng@cs.ucsd.edu) Received: (from ycheng@localhost) by gradlab.ucsd.edu (8.11.6/8.11.6) id h85Godg01405 for ipfw@freebsd.org; Fri, 5 Sep 2003 09:50:39 -0700 (PDT) Date: Fri, 5 Sep 2003 09:50:39 -0700 
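Review bot: the second list item's example contradicts its own description. The text says "an address in which the last 16 bits are significant", but the mask 00:00:00:00:00:ff keeps only the last 8 bits; either change the wording to "last 8 bits" (which also matches the PR's "ends with 60" case) or change the mask to 00:00:00:00:ff:ff. Also, the `.Pp` immediately before `.El` adds a paragraph break at the very end of the list and is better dropped; the `.Pp` after each `.Dl` already separates the items.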
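The two mask notations the PR and the patch describe, as an added example that is not ipfw's own parser: a small Python parser for `any`, `addr`, `addr/bits` and `addr&mask` that reports how many bits a spec actually compares and matches addresses against it. The sample addresses are constructed. It shows in passing that `00:00:00:00:00:ff` compares 8 bits, and that 16 bits would need `00:00:00:00:ff:ff`.

```python
"""Parser for ipfw's two MAC mask notations (added example, not ipfw's own code)."""
import re

MAC_BITS = 48
ALL_ONES = (1 << MAC_BITS) - 1
_GROUP = re.compile(r"[0-9a-fA-F]{1,2}")


def mac_to_int(text):
    """Convert 'xx:xx:xx:xx:xx:xx' (1 or 2 hex digits per group) to a 48-bit int."""
    groups = text.split(":")
    if len(groups) != 6 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError("malformed MAC address: %r" % text)
    value = 0
    for g in groups:
        value = (value << 8) | int(g, 16)
    return value


def parse_mac_spec(spec):
    """Return (address, mask) for 'any', 'addr', 'addr/bits' or 'addr&mask'.

    'addr/bits' keeps the leading `bits` bits, as in the slash form of the man
    page; 'addr&mask' takes the mask literally, as in the ampersand form.
    """
    if spec == "any":
        return 0, 0                      # nothing is compared
    if "/" in spec:
        addr, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= MAC_BITS:
            raise ValueError("prefix length must be 0..%d" % MAC_BITS)
        mask = ALL_ONES ^ ((1 << (MAC_BITS - bits)) - 1)
        return mac_to_int(addr), mask
    if "&" in spec:
        addr, mask = spec.split("&", 1)
        return mac_to_int(addr), mac_to_int(mask)
    return mac_to_int(spec), ALL_ONES    # plain address: all 48 bits compared


def significant_bits(spec):
    """Number of bits a spec actually compares; a quick sanity check for doc examples."""
    return bin(parse_mac_spec(spec)[1]).count("1")


def mac_matches(spec, address):
    """True when `address` matches `spec` under its mask."""
    want, mask = parse_mac_spec(spec)
    return (mac_to_int(address) & mask) == (want & mask)


if __name__ == "__main__":
    for spec in ("10:20:30:40:50:60/33",
                 "10:20:30:40:50:60&00:00:00:00:00:ff",
                 "10:20:30:40:50:60&00:00:00:00:ff:ff"):
        print("%-40s compares %2d bits" % (spec, significant_bits(spec)))
    # The PR's case: any address ending in 60 (constructed sample addresses).
    for addr in ("de:ad:be:ef:01:60", "de:ad:be:ef:01:61"):
        print(addr, mac_matches("00:00:00:00:50:60&00:00:00:00:00:ff", addr))
```

Running `significant_bits` over the man page's examples is a cheap way to keep the documented bit counts honest, and the `&` form is the one to reach for when the significant bits are not a leading prefix, as in the "ends with 60" case.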
From: Yuchung Cheng
To: ipfw@freebsd.org
Message-ID: <20030905095038.D28924@cs.ucsd.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
Subject: dummynet and modem pipes
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 05 Sep 2003 16:50:40 -0000

when simulating modem pipes using dummynet, how do we simulate the modem compressions? one way is to pick a compress rate, say 2, and setup fake larger bandwidth, but do different traffic (html, jpg, mpg) affect the compression latency or compression rate significantly?

tia
-yuchung

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 5 11:25:00 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BDB0716A4F2 for ; Fri, 5 Sep 2003 11:25:00 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C8F144005 for ; Fri, 5 Sep 2003 11:25:00 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h85IOxkN078613; Fri, 5 Sep 2003 11:24:59 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h85IOxZs078612; Fri, 5 Sep 2003 11:24:59 -0700 (PDT) (envelope-from rizzo)
Date: Fri, 5 Sep 2003 11:24:59 -0700
From: Luigi Rizzo
To: Yuchung Cheng
Message-ID: <20030905112459.A78583@xorpc.icir.org>
References: <20030905095038.D28924@cs.ucsd.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030905095038.D28924@cs.ucsd.edu>; from ycheng@cs.ucsd.edu on Fri, Sep 05, 2003 at 09:50:39AM -0700
cc: ipfw@freebsd.org
Subject: Re: dummynet and modem pipes
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 05 Sep 2003 18:25:00 -0000

On Fri, Sep 05, 2003 at 09:50:39AM -0700, Yuchung Cheng wrote:
> when simulating modem pipes using dummynet, how do we simulate the
> modem compressions? one way is to pick a compress rate, say 2, and setup

basically there is no way to accurately simulate modem compression. As a rule of thumb, for bulk traffic you can think that the main effect is the bandwidth changes (the exact ratio depends on the type of traffic), whereas for interactive apps (e.g. rpc and the like) more than compression what affects you is the additional delay that the modem causes to decide that it is time to build&send a new packet.

also you'd need to take care of ip compression, not just what happens in the modem itself

cheers
luigi

> fake larger bandwidth, but do different traffic (html, jpg, mpg) affect
> the compression latency or compression rate significantly?
> tia
>
> -yuchung
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 5 13:14:31 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C11E716A4C0 for ; Fri, 5 Sep 2003 13:14:31 -0700 (PDT)
Received: from accord.grasslake.net (accord.grasslake.net [209.98.56.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8ADF443FF2 for ; Fri, 5 Sep 2003 13:14:27 -0700 (PDT) (envelope-from swb@grasslake.net)
Received: from swbgx150 (honda.grasslake.net [192.168.1.1]) by accord.grasslake.net (8.12.9/8.12.9) with SMTP id h85KEIt5016021; Fri, 5 Sep 2003 15:14:19 -0500 (CDT) (envelope-from swb@grasslake.net)
Message-ID: <0cfe01c373ea$4a386fe0$62229fc0@ad.campbellmithun.com>
From: "Shawn Barnhart"
To: "Yuchung Cheng" ,
References: <20030905095038.D28924@cs.ucsd.edu>
Date: Fri, 5 Sep 2003 15:14:19 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: Re: dummynet and modem pipes
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 05 Sep 2003 20:14:31 -0000

----- Original Message -----
From: "Yuchung Cheng"
To:
Sent: Friday, September 05, 2003 11:50
Subject: dummynet and modem pipes

> when simulating modem pipes using dummynet, how do we simulate the
> modem compressions? one way is to pick a compress rate, say 2, and setup
> fake larger bandwidth, but do different traffic (html, jpg, mpg) affect
> the compression latency or compression rate significantly? tia

Our Cisco RAS equipment usually reports an "efficiency improvement factor" of 1.2, which I presume means a compression rate of about 20%. I'd say give it 10% more bandwidth and call it a day, since a fair amount of info will be precompressed and uncompressible.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 5 13:28:12 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B764B16A4BF for ; Fri, 5 Sep 2003 13:28:12 -0700 (PDT)
Received: from fw1.internett.de (fw1.internett.de [195.30.142.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3426843FE9 for ; Fri, 5 Sep 2003 13:28:11 -0700 (PDT) (envelope-from michael@nettmail.de)
Received: from mx5.internett.de (mx5.internett.de [195.30.142.17]) with ESMTP id h85KS8o26426 for ; Fri, 5 Sep 2003 22:28:08 +0200
Received: (from wwwrun@localhost)id h85KS7R31543 for freebsd-ipfw@freebsd.org; Fri, 5 Sep 2003 22:28:07 +0200
To: freebsd-ipfw@freebsd.org
Message-ID: <1062793687.3f58f1d78476d@mx5.internett.de>
Date: Fri, 05 Sep 2003 22:28:07 +0200 (CEST)
From: michael
References: <20030905190041.E059216A4E8@hub.freebsd.org>
In-Reply-To: <20030905190041.E059216A4E8@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Originating-IP: 80.184.155.144
X-Virus-Scanned: by AMaViS-perl11-milter (http://amavis.org/)
Subject: Re: dummynet and modem pipes
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 05 Sep 2003 20:28:12 -0000

> when simulating modem pipes using dummynet, how do we simulate the
> modem compressions? one way is to pick a compress rate, say 2, and
> setup
> fake larger bandwidth, but do different traffic (html, jpg, mpg) affect
> the compression latency or compression rate significantly? tia
>
> -yuchung
>

Hi,

my idea may be a little bit idiotic or stupid, but have you perhaps tried a ppp tunnel through 2 NICs and through 2 modem pipes on each host? The compression can not be exactly the same as hardware compression, but the compression in the ppp protocol should be good enough to deal with it. maybe for tests it's enough accuracy.

regards
michael

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 5 14:42:46 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 659A316A4BF for ; Fri, 5 Sep 2003 14:42:46 -0700 (PDT)
Received: from gradlab.ucsd.edu (gradlab.ucsd.edu [132.239.55.107]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBC1543FBF for ; Fri, 5 Sep 2003 14:42:45 -0700 (PDT) (envelope-from ycheng@cs.ucsd.edu)
Received: (from ycheng@localhost) by gradlab.ucsd.edu (8.11.6/8.11.6) id h85Lgjw01771; Fri, 5 Sep 2003 14:42:45 -0700 (PDT)
Date: Fri, 5 Sep 2003 14:42:45 -0700
From: Yuchung Cheng
To: Luigi Rizzo
Message-ID: <20030905144245.A472@cs.ucsd.edu>
References: <20030905095038.D28924@cs.ucsd.edu> <20030905112459.A78583@xorpc.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030905112459.A78583@xorpc.icir.org>; from rizzo@icir.org on Fri, Sep 05, 2003 at 11:24:59AM -0700
cc: ipfw@freebsd.org
Subject: Re: dummynet and modem pipes
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 05 Sep 2003 21:42:46 -0000

On 09-05-2003, Luigi Rizzo wrote:
> basically there is no way to accurately simulate modem compression.
> As a rule of thumb, for bulk traffic you can think that the main
> effect is the bandwidth changes (the exact ratio depends on the
> type of traffic), whereas for interactive apps (e.g. rpc and the
> like) more than compression what affects you is the additional
> delay that the modem causes to decide that it is time to build&send
> a new packet.
>
> also you'd need to take care of ip compression, not just what
> happens in the modem itself
>

i assume you mean ip header compression over ppp. the simulation traffic is mainly short web flows (~ 10-20K), so i think header compression does not matter much (40 bytes vs payload 500 or 1500 bytes) compared to modem compression. for html, the compress rate can be as high as 3 based on real measurements. is that true?

thanks.
-yuchung

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 6 07:59:54 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3106016A4BF for ; Sat, 6 Sep 2003 07:59:54 -0700 (PDT)
Received: from spf13.us4.outblaze.com (205-158-62-67.outblaze.com [205.158.62.67]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7630843FF5 for ; Sat, 6 Sep 2003 07:59:53 -0700 (PDT) (envelope-from ivo@bsdmail.org)
Received: from 205-158-62-68.outblaze.com (205-158-62-68.outblaze.com [205.158.62.68]) by spf13.us4.outblaze.com (Postfix) with QMQP id BE9D3180049A for ; Sat, 6 Sep 2003 14:59:50 +0000 (GMT)
Received: (qmail 43399 invoked from network); 6 Sep 2003 14:59:50 -0000
Received: from unknown (HELO ws5-7.us4.outblaze.com) (205.158.62.156) by 205-158-62-153.outblaze.com with SMTP; 6 Sep 2003 14:59:50 -0000
Received: (qmail 30663 invoked by uid 1001); 6 Sep 2003 15:02:45 -0000
Message-ID: <20030906150245.30662.qmail@bsdmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [193.68.7.67] by ws5-7.us4.outblaze.com with http for ivo@bsdmail.org; Sat, 06 Sep 2003 17:02:45 +0200
From: "Ivo Vachkov"
To: freebsd-ipfw@freebsd.org
Date: Sat, 06 Sep 2003 17:02:45 +0200
X-Originating-Ip: 193.68.7.67
X-Originating-Server: ws5-7.us4.outblaze.com
Subject: Burst
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 06 Sep 2003 14:59:54 -0000

Hi all,

I've been doing some research on traffic shaping features on several platforms and I couldn't find out whether there is a way to implement *burst* on FreeBSD. I know Cisco has it and Linux (iproute2/tc + TBF) has it, but none of the BSDs seems to have a similar feature (at least I couldn't find ...).

So can you point me out a way to implement such using IPFW+Dummynet if one exists. Thank you in advance.

Ivo Vachkov

P.S. I wrote some code to implement burst using divert(4) sockets, but it's still too bare. If you can point me to documentation describing traffic engineering techniques/algorithms I'll be thankful too
--
_______________________________________________
Get your free email from http://mymail.bsdmail.com

Powered by Outblaze

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 6 08:24:17 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61FF616A4C0 for ; Sat, 6 Sep 2003 08:24:17 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7D28A43FE9 for ; Sat, 6 Sep 2003 08:24:13 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h86FO6kN002985; Sat, 6 Sep 2003 08:24:06 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h86FO6T9002984; Sat, 6 Sep 2003 08:24:06 -0700 (PDT) (envelope-from rizzo)
Date: Sat, 6 Sep 2003 08:24:06 -0700
From: Luigi Rizzo
To: Ivo Vachkov
Message-ID: <20030906082406.A1562@xorpc.icir.org>
References: <20030906150245.30662.qmail@bsdmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030906150245.30662.qmail@bsdmail.com>; from ivo@bsdmail.org on Sat, Sep 06, 2003 at 05:02:45PM +0200
cc: freebsd-ipfw@freebsd.org
Subject: Re: Burst
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 06 Sep 2003 15:24:17 -0000

[similar msg on -net, so i will respond here...]

On Sat, Sep 06, 2003 at 05:02:45PM +0200, Ivo Vachkov wrote:
> Hi all,
>
> I've been doing some research on traffic shaping features on several platforms and I couldn't find out whether there is a way to implement *burst* on FreeBSD. I know Cisco has it and Linux (iproute2/tc + TBF) has it, but none of the BSDs seems to have a similar feature (at least I couldn't find ...).

it depends on what you want "burst" for.

Dummynet works as what i call a "shaper": it releases traffic at the desired rate (with two constraints -- packets cannot be split, and all events are rounded to the closest clock tick). If packets arrive at a dummynet pipe faster than the output rate, they are buffered in a queue, whose size (in packets or bytes) you can configure as a parameter of the pipe. As a consequence, the pipe is able to absorb a burst as large as the queue size (and release it with the desired rate).

In this respect, a "burst" means allowing packets to be released in advance with respect to their correct time (but then of course remember what you did so you never exceed the programmed bandwidth by more than the burst size). Effectively, dummynet has a burst of 0 bytes.
Now, I believe you can change the behaviour of dummynet to implement a burst by changing, near line 555 in ip_dummynet:ready_event()

- if (len_scaled > q->numbytes )
+ if (len_scaled > q->numbytes + q->burst_size)

and adding the relevant parameter (burst_size) to the pipe's configuration. You probably need to change the SET_TICKS() macro to account for the burst size too.

cheers
luigi

> So can you point me out a way to implement such using IPFW+Dummynet if one exists. Thank you in advance.
>
> Ivo Vachkov
>
> P.S. I wrote some code to implement burst using divert(4) sockets, but it's still too bare. If you can point me to documentation describing traffic engineering techniques/algorithms I'll be thankful too
> --
> _______________________________________________
> Get your free email from http://mymail.bsdmail.com
>
> Powered by Outblaze
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 6 08:25:38 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0532016A4BF for ; Sat, 6 Sep 2003 08:25:38 -0700 (PDT)
Received: from newnet.co.uk (newnet.co.uk [212.87.80.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id EF83643FA3 for ; Sat, 6 Sep 2003 08:25:36 -0700 (PDT) (envelope-from peter@newnet.co.uk)
Received: from newnet.co.uk (peter.port [212.87.87.37]) by newnet.co.uk (8.12.6/8.12.3) with ESMTP id h86FPRxv095781; Sat, 6 Sep 2003 16:25:28 +0100 (BST) (envelope-from peter@newnet.co.uk)
Message-ID: <3F59FC86.3080306@newnet.co.uk>
Date: Sat, 06 Sep 2003 16:25:58 +0100
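Review bot: the relaxed test `if (len_scaled > q->numbytes + q->burst_size)` is only half of the change; whatever charges the released packet against q->numbytes must stay as it is, so that the credit can go negative by at most burst_size, which is the "remember what you did" bookkeeping that keeps the overshoot bounded by the burst size. Two things the snippet does not cover: burst_size must default to 0 for pipes configured without it, so existing configurations keep the burst-of-0-bytes behaviour, and SET_TICKS() needs to be checked against a now possibly negative q->numbytes when it computes the wait for the next packet, as you already note.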
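A toy model of the release accounting Luigi describes, added here as an example that is not dummynet's code: credit accrues per clock tick at the pipe's rate, a packet leaves when the credit covers it (packets are never split), and the proposed `numbytes + burst_size` test lets the credit go negative by up to burst_size. The rate, the packet train and the rule that idle time repays debt but never banks positive credit are assumptions of the model, chosen so that the "burst of 0 bytes" case and the overshoot bound can be shown.

```python
"""Toy model of a dummynet pipe's release test, with an optional burst (added example)."""
from collections import deque


class Pipe:
    """Releases queued packets at `bytes_per_tick`; `burst_size` is the proposed knob."""

    def __init__(self, bytes_per_tick, burst_size=0, queue_limit=50):
        self.rate = bytes_per_tick
        self.burst_size = burst_size     # 0 reproduces the current behaviour
        self.queue_limit = queue_limit   # packets; arrivals beyond it are dropped
        self.numbytes = 0                # credit in bytes; may go down to -burst_size
        self.queue = deque()
        self.dropped = 0

    def enqueue(self, length):
        """Queue one packet; return False if the queue is full (packet dropped)."""
        if len(self.queue) >= self.queue_limit:
            self.dropped += 1
            return False
        self.queue.append(length)
        return True

    def tick(self):
        """Advance one clock tick and return the packet lengths released in it."""
        if not self.queue:
            # Idle: debt left by an earlier burst decays, but positive credit is
            # never banked, so an idle pipe cannot store up a burst of its own.
            # (Model assumption standing in for the real scheduler.)
            self.numbytes = min(self.numbytes + self.rate, 0)
            return []
        self.numbytes += self.rate
        released = []
        # Today's test is `len > numbytes`; the proposal compares against
        # numbytes + burst_size, so packets at the head of a burst go out early.
        while self.queue and self.queue[0] <= self.numbytes + self.burst_size:
            length = self.queue.popleft()
            self.numbytes -= length      # charge the packet so the overshoot is remembered
            released.append(length)
        return released


def run(pipe, arrivals, ticks):
    """arrivals: {tick: [lengths]}. Returns the bytes released in each tick."""
    out = []
    for t in range(ticks):
        for length in arrivals.get(t, []):
            pipe.enqueue(length)
        out.append(sum(pipe.tick()))
    return out


def simulate(burst_size, rate=100, packets=10, size=100, ticks=10):
    """Constructed scenario: ten 100-byte packets arrive at once on a 100 bytes/tick pipe."""
    return run(Pipe(rate, burst_size), {0: [size] * packets}, ticks)


def max_excess(per_tick, rate):
    """Largest amount by which cumulative output ever exceeded rate * elapsed ticks."""
    total, worst = 0, 0
    for k, released in enumerate(per_tick, start=1):
        total += released
        worst = max(worst, total - rate * k)
    return worst


if __name__ == "__main__":
    for burst in (0, 150, 300):
        out = simulate(burst)
        print("burst %3d: %s  overshoot=%d" % (burst, out, max_excess(out, 100)))
```

With burst 0 the train trickles out at exactly one packet per tick; with burst 300 the first four packets leave in the first tick, the queue drains three ticks sooner, and `max_excess` never exceeds 300 even when a second burst follows an idle gap. Burst 150 overshoots by only 100 because a 100-byte packet cannot be split to use the remaining 50 bytes of allowance, which is the first of the two constraints Luigi lists.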
From: Peter V Coates-Buglear
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.1) Gecko/20020826
X-Accept-Language: en
MIME-Version: 1.0
To: Ivo Vachkov
References: <20030906150245.30662.qmail@bsdmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Newnet-MailScanner: Found to be clean
cc: freebsd-ipfw@freebsd.org
Subject: Re: Burst
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 06 Sep 2003 15:25:38 -0000

Hi,

Something like this should work using probability with a pipe rule

ipfw add prob 0.33 pipe 1 ip from A to B
ipfw add pipe 2 ip from A to B
ipfw pipe 1 config ...
ipfw pipe 2 config ...

Peter

Ivo Vachkov wrote:
> Hi all,
>
> I've been doing some research on traffic shaping features on several platforms and I couldn't find out whether there is a way to implement *burst* on FreeBSD. I know Cisco has it and Linux (iproute2/tc + TBF) has it, but none of the BSDs seems to have a similar feature (at least I couldn't find ...).
>
> So can you point me out a way to implement such using IPFW+Dummynet if one exists. Thank you in advance.
>
> Ivo Vachkov
>
> P.S. I wrote some code to implement burst using divert(4) sockets, but it's still too bare.
> If you can point me to documentation describing traffic engineering techniques/algorithms I'll be thankful too

--
____________________________________________________
Message scanned for viruses and dangerous content by and believed to be clean

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 6 13:05:48 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77FF616A4BF for ; Sat, 6 Sep 2003 13:05:48 -0700 (PDT)
Received: from spf13.us4.outblaze.com (205-158-62-67.outblaze.com [205.158.62.67]) by mx1.FreeBSD.org (Postfix) with ESMTP id 25FE043FBD for ; Sat, 6 Sep 2003 13:05:45 -0700 (PDT) (envelope-from ivo@bsdmail.org)
Received: from 205-158-62-68.outblaze.com (205-158-62-68.outblaze.com [205.158.62.68]) by spf13.us4.outblaze.com (Postfix) with QMQP id BB81D1801347 for ; Sat, 6 Sep 2003 20:05:44 +0000 (GMT)
Received: (qmail 20789 invoked from network); 6 Sep 2003 20:05:42 -0000
Received: from unknown (HELO ws5-6.us4.outblaze.com) (205.158.62.148) by 205-158-62-153.outblaze.com with SMTP; 6 Sep 2003 20:05:42 -0000
Received: (qmail 10412 invoked by uid 1001); 6 Sep 2003 20:06:59 -0000
Message-ID: <20030906200659.10411.qmail@bsdmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [193.68.7.67] by ws5-6.us4.outblaze.com with http for ivo@bsdmail.org; Sat, 06 Sep 2003 22:06:58 +0200
From: "Ivo Vachkov"
To: freebsd-ipfw@freebsd.org
Date: Sat, 06 Sep 2003 22:06:58 +0200
X-Originating-Ip: 193.68.7.67
X-Originating-Server: ws5-6.us4.outblaze.com
Subject: Re: Burst
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 06 Sep 2003 20:05:48 -0000

Obviously I've understood the terms wrong. When I said "burst" I was thinking of limiting the speed of an active connection when some conditions apply.

Example: an ISP has a 10Mbps connection to the internet and every user/client has a 1Mbps pipe to the Internet. So every user has fast browsing, mail, news, ICQ/AIM/etc. But when a user tries to download a big file (.ISO/.AVI/.MPG) the connection, even while active, is limited to 64kbps without limiting other connections. So his download keeps running at low speed, while browsing/mail/etc is still fast. The software applies limits when some number of bytes has passed through the connection.

NB!!! Other connections are NOT shaped until they reach the predefined condition. They become shaped only after that.

My "workaround" is as follows:

ipfw add divert 8670 ip from any to $CLIENT_IP

+ a daemon called *burstd* which binds to divert port 8670, counts the bytes for every connection to that IP and applies the limits when the predefined byte count is exceeded.

It's far from perfect, although quite accurate, so I was asking for another way to implement a solution to this situation.

Ivo Vachkov
--
_______________________________________________
Get your free email from http://mymail.bsdmail.com

Powered by Outblaze
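The byte-count classification Ivo describes for burstd, as an added example that is not his daemon's code: per-flow byte totals are kept for packets a divert(4) daemon would read, and a flow is moved to a slower pipe only after it exceeds a threshold, leaving the client's other flows on the fast pipe. The pipe numbers, threshold, flow table bound and packet records are constructed; reading from and reinjecting into the divert socket is left out.

```python
"""Threshold-based per-flow pipe selection in the spirit of burstd (added example)."""
from collections import defaultdict

FAST_PIPE = 1              # constructed: the client's normal pipe
SLOW_PIPE = 2              # constructed: the pipe long transfers are moved to
DEFAULT_THRESHOLD = 4000   # bytes; deliberately small so the sample shows the switch


class FlowShaper:
    """Counts bytes per flow and reports which pipe each packet should go to."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, max_flows=10000):
        self.threshold = threshold
        # A divert daemon sees every packet to the client, so its state must be
        # bounded or it becomes the easiest thing on the box to exhaust.
        self.max_flows = max_flows
        self.bytes = defaultdict(int)
        self.shaped = set()

    @staticmethod
    def flow_key(pkt):
        # One direction of a connection: (proto, src, sport, dst, dport)
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def classify(self, pkt):
        """Return the pipe number for pkt, updating the flow's byte count."""
        key = self.flow_key(pkt)
        if key not in self.bytes and len(self.bytes) >= self.max_flows:
            return FAST_PIPE        # table full: stay on the default pipe, do not track
        self.bytes[key] += pkt["len"]
        if self.bytes[key] > self.threshold:
            self.shaped.add(key)    # crossed the limit: this flow, and only this flow, slows down
        return SLOW_PIPE if key in self.shaped else FAST_PIPE

    def end_flow(self, pkt):
        """Forget a flow once the connection closes (e.g. on TCP FIN/RST)."""
        key = self.flow_key(pkt)
        self.bytes.pop(key, None)
        self.shaped.discard(key)


def replay(packets, threshold=DEFAULT_THRESHOLD):
    """Classify a packet list in order; returns the pipe chosen for each packet."""
    shaper = FlowShaper(threshold)
    pipes = []
    for pkt in packets:
        pipes.append(shaper.classify(pkt))
        if pkt.get("fin"):
            shaper.end_flow(pkt)
    return pipes


# Constructed packets towards one client: a bulk download and a short web fetch.
BULK = {"proto": "tcp", "src": "203.0.113.10", "sport": 80,
        "dst": "198.51.100.7", "dport": 40001, "len": 1500}
WEB = {"proto": "tcp", "src": "203.0.113.20", "sport": 80,
       "dst": "198.51.100.7", "dport": 40002, "len": 500}
SAMPLE = [BULK, WEB, BULK, BULK, WEB, BULK, dict(WEB, fin=True), WEB]

if __name__ == "__main__":
    for pkt, pipe in zip(SAMPLE, replay(SAMPLE)):
        print("%s:%d -> pipe %d" % (pkt["src"], pkt["sport"], pipe))
```

The bulk flow is moved to pipe 2 on its fourth packet, while the web flow to the same client stays on pipe 1 throughout. Because the count is kept per flow, a per-client aggregate counter is the natural companion when the policy is meant to cover a client's total transfer rather than a single connection, and the `end_flow` path is what keeps the table from growing with every short-lived connection.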