From owner-freebsd-ipfw Wed Oct 31 17:41:34 2001
From: Luigi Rizzo
To: stable@freebsd.org
Date: Wed, 31 Oct 2001 17:37:55 -0800
Subject: HEADS UP: a bunch of ipfw MFC in the next 1-2 days
Message-ID: <20011031173755.F23297@iguana.aciri.org>

[Bcc to -net and -ipfw because of relevance]

Hi,
I am about to merge into stable a number of modifications that have been
committed to current over the past month or two. The most significant
ones are:

 * the merge of ipfw rule descriptor and chain pointer. No functional
   change, but the internal data structures and code are way more
   readable;
 * Bill Fenner's code to make ipfw/dummynet/bridge KLD'able

   BOTH THESE THINGS REQUIRE REBUILDING OF ipfw.ko and /sbin/ipfw

 * a new type of dynamic rule that lets you limit the number of
   simultaneous connections matching certain criteria (with the usual
   aggregation based on port/address masks)
 * fix spl*() protection in some parts of the code (only relevant for
   RELENG_4);
 * misc fixes that have or should arise while diff'ing old and new
   versions of the files in HEAD and RELENG_4 (it happens more frequently
   than people can imagine, especially for those critical parts of the
   system for which we are almost doing independent implementations);

While I am carefully reviewing and testing the code before committing,
and try to do the commit at once, we all make mistakes sometimes. So,
please test the new code and submit feedback and bug reports as I
complete the commits, but please don't rush and install the new code on
a production machine two seconds after my first commit. We are
sufficiently far away from the next release to do this commit now and
shake down any bugs that should occur.

cheers
luigi

----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Nov 2 8:44:46 2001
From: "John Massier"
Cc: ipfw@FreeBSD.ORG
Date: Fri, 02 Nov 2001 17:44:42 +0100
Subject: IN/OUT

Hi, I'm a newbie in IPFW and I'm a bit confused with something.

I can't see the difference when you add a new rule between using
<source to destination> to imply the way of the packet and using in/out.

What's the real use of in/out?? Does this way imply direction?? Or in/out
are only used for specifying interfaces??

Thank you.
From owner-freebsd-ipfw Fri Nov 2 11:45:21 2001
From: "Crist J. Clark"
To: John Massier
Cc: ipfw@FreeBSD.ORG
Date: Fri, 2 Nov 2001 11:44:52 -0800
Subject: Re: IN/OUT
Message-ID: <20011102114452.M4360@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
X-URL: http://people.freebsd.org/~cjc/

On Fri, Nov 02, 2001 at 05:44:42PM +0100, John Massier wrote:
> Hi, I'm a newbie in IPFW and I'm a bit confused with something.
>
> I can't see the difference when you add a new rule between using
> <source to destination> to imply the way of the packet and using in/out.
>
> What's the real use of in/out?? Does this way imply direction?? Or in/out
> are only used for specifying interfaces??

In a typical firewall when a packet passes through we have a situation
like,

        wire ----> firewall ----> wire
               in            out

Where "in" and "out" are marked appropriately. Note that I have _not_
specified internal or external interfaces of the firewall. Generally,
"in" indicates the packet has just been received by the machine from
the network, and "out" means that the packet is about to be put out
onto the wire.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Fri Nov 2 14:26:18 2001
From: Randy Primeaux
To: "John Massier"
Cc: ipfw@FreeBSD.ORG
Date: Fri, 02 Nov 2001 14:26:15 -0800
Subject: Re: IN/OUT
Message-Id: <200111022226.fA2MQF999075@mute.Verbose.ORG>
In-Reply-To: Message from "John Massier" of "Fri, 02 Nov 2001 17:44:42 +0100."

John,

in or out is in relation to an interface.

    in   from the wire
    out  to the wire

"John Massier" writes:
> What's the real use of in/out?? Does this way imply direction?? Or in/out
> are only used for specifying interfaces??
-- 
Randy Primeaux
randy@Verbose.ORG
Verbose Networking

From owner-freebsd-ipfw Fri Nov 2 16:43:11 2001
From: Luigi Rizzo
To: undisclosed-recipients: ;
Date: Fri, 2 Nov 2001 16:39:24 -0800
Subject: HEADS UP [luigi@FreeBSD.org: cvs commit: src/sys/dev/ed if_ed.c src/sys/net bridge.c bridge.h if_ethersubr.c src/sys/netinet ip_dummynet.c ip_dummynet.h ip_fw.c ip_fw.h ip_input.c ip_output.c raw_ip.c src/sbin/ipfw ipfw.8 ipfw.c]
Message-ID: <20011102163924.A46186@iguana.aciri.org>

[Bcc to net@freebsd.org ipfw@freebsd.org stable@freebsd.org]

As announced... please give a try to this code and report any bugs.

cheers
luigi

----- Forwarded message from Luigi Rizzo -----

Date: Fri, 2 Nov 2001 16:36:11 -0800 (PST)
From: Luigi Rizzo
Subject: cvs commit: src/sys/dev/ed if_ed.c src/sys/net bridge.c bridge.h if_ethersubr.c src/sys/netinet ip_dummynet.c ip_dummynet.h ip_fw.c ip_fw.h ip_input.c ip_output.c raw_ip.c src/sbin/ipfw ipfw.8 ipfw.c
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org

luigi       2001/11/02 16:36:11 PST

  Modified files:        (Branch: RELENG_4)
    sys/dev/ed           if_ed.c
    sys/net              bridge.c bridge.h if_ethersubr.c
    sys/netinet          ip_dummynet.c ip_dummynet.h ip_fw.c ip_fw.h
                         ip_input.c ip_output.c raw_ip.c
    sbin/ipfw            ipfw.8 ipfw.c
  Log:
  Mega-MFC for ipfw/bridge/dummynet features and fixes added over the
  past couple of months:

   * merge of ipfw rule descriptor and chain pointer. No functional
     change, but the internal data structures and code are way more
     readable;
   * BillF code to make ipfw/dummynet/bridge KLD'able. NOTA BENE: this
     still has some rough edges, which are mostly due to bugs in
     kldload() rather than in this code.
   * add a new type of dynamic rule that lets you limit the number of
     simultaneous connections matching certain criteria (with the usual
     aggregation based on port/address masks)
   * fix spl*() protection in some parts of the code;

  This code also includes some minor bugfixes and code cleanup that I
  will port to CURRENT as soon as I have a chance.

  I have tested the code as much as I could, but there is really a
  million combinations so I might have missed some corner case. Please
  report if you have problems building things.

  The only thing known not to work is bridge.ko -- it does forward
  correctly, but packets directed to the bridge itself are only received
  from one interface (I suspect some missing initialization), and there
  are some other issues at unloading time. Please use the statically
  compiled code for the time being.

  NOTE ON KLD: It appears that kldload/unload is unable to handle the
  case of (erroneously) loading/unloading a module which is already
  compiled in. What happens is that load fails, but the module is listed
  as loaded, and then the system panics if you attempt an unloading of
  the module. This problem needs fixing in the module loading/unloading
  code, which is not in my area of competence.

  Revision    Changes    Path
  1.63.2.17   +41 -18    src/sbin/ipfw/ipfw.8
  1.80.2.20   +75 -20    src/sbin/ipfw/ipfw.c
  1.173.2.13  +6 -11     src/sys/dev/ed/if_ed.c
  1.16.2.15   +223 -102  src/sys/net/bridge.c
  1.4.2.3     +18 -45    src/sys/net/bridge.h
  1.70.2.18   +29 -22    src/sys/net/if_ethersubr.c
  1.24.2.12   +119 -94   src/sys/netinet/ip_dummynet.c
  1.10.2.4    +10 -12    src/sys/netinet/ip_dummynet.h
  1.131.2.27  +561 -457  src/sys/netinet/ip_fw.c
  1.47.2.10   +87 -34    src/sys/netinet/ip_fw.h
  1.130.2.28  +9 -20     src/sys/netinet/ip_input.c
  1.99.2.19   +6 -13     src/sys/netinet/ip_output.c
  1.64.2.9    +19 -24    src/sys/netinet/raw_ip.c

----- End forwarded message -----
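The in/out question earlier in this thread (John Massier's "IN/OUT" message and the replies from Crist J. Clark and Randy Primeaux) is easiest to see with a packet that is forwarded through the firewall: ipfw inspects it once as it arrives ("in", on the receiving interface) and again as it is about to leave ("out", on the sending interface). The toy matcher below is an added example written for this page; it is not ipfw source and not code from anyone in the thread. It models only the pieces the replies describe: first-match rule lookup, the two passes, and the real ipfw qualifiers in, out and via. The interface names fxp0 (outside) and fxp1 (inside), the 10.0.0.0/24 inside network and the sample packets are constructed for the example.

```python
"""Toy model of ipfw's in/out semantics (added example, not ipfw source).

A packet forwarded through the firewall is checked twice: on the "in" pass
when it is received on the ingress interface, and on the "out" pass when it
is about to be sent on the egress interface. Rules that only name addresses
match on both passes; "in"/"out" restrict a rule to one pass and "via"
restricts it to one interface. Interface names (fxp0 outside, fxp1 inside),
the 10.0.0.0/24 inside network and the sample packets are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    src: str                         # CIDR network or "any"
    dst: str                         # CIDR network or "any"
    direction: Optional[str] = None  # "in", "out" or None (both passes)
    via: Optional[str] = None        # interface name or None (any interface)

    def matches(self, pkt: Packet, direction: str, ifname: str) -> bool:
        """True if this rule applies to pkt on the given pass and interface."""
        if self.direction is not None and self.direction != direction:
            return False
        if self.via is not None and self.via != ifname:
            return False
        return _addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def first_match(rules: List[Rule], pkt: Packet, direction: str,
                ifname: str) -> Optional[Rule]:
    """ipfw-style first-match lookup; None means fall through to the default."""
    for rule in rules:
        if rule.matches(pkt, direction, ifname):
            return rule
    return None


def forward(rules: List[Rule], pkt: Packet, ingress: str,
            egress: str) -> Tuple[str, List[Tuple[str, int]]]:
    """Run the in pass on ingress and, if allowed, the out pass on egress.

    Returns (verdict, trace); trace lists (pass, matched rule number), with
    65535 standing for the implicit default rule, which denies here.
    """
    trace: List[Tuple[str, int]] = []
    for direction, ifname in (("in", ingress), ("out", egress)):
        rule = first_match(rules, pkt, direction, ifname)
        number = rule.number if rule else 65535
        action = rule.action if rule else "deny"
        trace.append((direction, number))
        if action == "deny":
            return "deny", trace
    return "allow", trace


OUTSIDE, INSIDE = "fxp0", "fxp1"   # assumed interface names
INSIDE_NET = "10.0.0.0/24"          # assumed inside network

# Anti-spoofing written with addresses only: "deny ip from 10.0.0.0/24 to any".
NAIVE = [
    Rule(100, "deny", INSIDE_NET, "any"),
    Rule(200, "allow", "any", "any"),
]

# Same intent pinned to one pass and one interface:
# "deny ip from 10.0.0.0/24 to any in via fxp0".
FIXED = [
    Rule(100, "deny", INSIDE_NET, "any", direction="in", via=OUTSIDE),
    Rule(200, "allow", "any", "any"),
]

LEGIT = Packet("10.0.0.5", "198.51.100.7")  # inside host talking to the Internet
SPOOF = Packet("10.0.0.5", "10.0.0.9")      # arrives from outside claiming an inside source


def legit_outbound(rules: List[Rule]):
    return forward(rules, LEGIT, ingress=INSIDE, egress=OUTSIDE)


def spoofed_inbound(rules: List[Rule]):
    return forward(rules, SPOOF, ingress=OUTSIDE, egress=INSIDE)


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("fixed", FIXED)):
        print(name, "legit outbound: ", legit_outbound(rules))
        print(name, "spoofed inbound:", spoofed_inbound(rules))
```

The practical point: the address-only anti-spoofing rule also fires on the in pass for legitimate traffic leaving the inside network, so it blocks the hosts it is meant to protect, while "in via fxp0" restricts it to packets arriving on the outside interface that claim an inside source. Note also that via on its own matches both passes on that interface; it is the in/out keyword, not via, that carries direction.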