From owner-freebsd-ipfw Mon Feb 24 11:04:55 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2828837B401 for ; Mon, 24 Feb 2003 11:04:54 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id ACAA343F75 for ; Mon, 24 Feb 2003 11:04:53 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h1OJ4rNS066554 for ; Mon, 24 Feb 2003 11:04:53 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h1OJ4qdr066549 for ipfw@freebsd.org; Mon, 24 Feb 2003 11:04:52 -0800 (PST)
Date: Mon, 24 Feb 2003 11:04:52 -0800 (PST)
Message-Id: <200302241904.h1OJ4qdr066549@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2003/01/05]  bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15]  bin/47120   ipfw   [patch] Sanity check in ipfw(8)
o [2003/01/18]  bin/47196   ipfw   ipfw won't format correctly output from '

4 problems total.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Feb 25 17:50:03 2003
Date: Wed, 26 Feb 2003 02:49:53 +0100
From: "Simon L. Nielsen"
To: Mikel King
Cc: ipfw@freebsd.org
Subject: Re: ipfw question
Message-ID: <20030226014952.GH385@nitro.dk>
In-Reply-To: <3E5592C2.7000902@ocsny.com>
References: <3E5592C2.7000902@ocsny.com>
User-Agent: Mutt/1.5.3i

On 2003.02.20 21:45:22 -0500, Mikel King wrote:
> In any event, it would be nice to have a rule option to define a
> specific logfac/file for a certain rule or group of rules. And of course
> this begs the question of would such a rule impede performance?

I wanted to try a bit of kernel hacking so I have implemented support for this. The only negative impact on performance I can see (with my patch) is that each log rule will now use 4 more bytes of memory...

The attached patch is for -CURRENT and is not totally finished but it works for me. I plan to send it as a PR when it has been cleaned up more, but comments for this version are very welcome.

The usage is pretty simple:

    ipfw add deny log logprio local0.debug udp from any to me 137-139

-- 
Simon L. Nielsen

[attachment: ipfw2-syslog.patch]

Index: sys/netinet/ip_fw.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/mirror/freebsd/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.75 diff -u -d -r1.75 ip_fw.h --- sys/netinet/ip_fw.h 24 Oct 2002 22:32:13 -0000 1.75 +++ sys/netinet/ip_fw.h 26 Feb 2003 01:33:50 -0000 @@ -246,6 +246,7 @@ ipfw_insn o; u_int32_t max_log; /* how many do we log -- 0 =3D all */ u_int32_t log_left; /* how many left to log */ + u_int32_t prio; /* the level / facility to log to */ } ipfw_insn_log; =20 /* Index: sys/netinet/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/mirror/freebsd/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.27 diff -u -d -r1.27 ip_fw2.c --- sys/netinet/ip_fw2.c 19 Feb 2003 05:47:34 -0000 1.27 +++ sys/netinet/ip_fw2.c 26 Feb 2003 01:33:50 -0000 @@ -418,6 +418,7 @@ char *action; int limit_reached =3D 0; char action2[40], proto[48], fragment[28]; + int log_prio =3D LOG_SECURITY | LOG_INFO; =20 fragment[0] =3D '\0'; proto[0] =3D '\0'; @@ -442,6 +443,7 @@ if (cmd->opcode =3D=3D O_PROB) cmd +=3D F_LEN(cmd); =20 + log_prio =3D (int) l->prio; action =3D action2; switch (cmd->opcode) { case O_DENY: @@ -577,7 +579,7 @@ (ip_off & IP_MF) ? "+" : ""); } if (oif || m->m_pkthdr.rcvif) - log(LOG_SECURITY | LOG_INFO, + log(log_prio, "ipfw: %d %s %s %s via %s%d%s\n", f ? f->rulenum : -1, action, proto, oif ? "out" : "in", 
@@ -585,7 +587,7 @@ oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit, fragment); else - log(LOG_SECURITY | LOG_INFO, + log(log_prio, "ipfw: %d %s %s [no if info]%s\n", f ? f->rulenum : -1, action, proto, fragment); Index: sbin/ipfw/ipfw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.21 diff -u -d -r1.21 ipfw2.c --- sbin/ipfw/ipfw2.c 12 Jan 2003 03:31:10 -0000 1.21 +++ sbin/ipfw/ipfw2.c 26 Feb 2003 01:33:50 -0000 @@ -43,6 +43,8 @@ #include #include #include +#define SYSLOG_NAMES +#include =20 #include #include @@ -347,6 +349,50 @@ }; =20 /** + * Decode a symbolic name to a numeric value + * + * The pencode and decode functions are "stolen" from usr.bin/logger/logge= r.c + */ +int +pencode(char *s) +{ + char *save; + int fac, lev; + + for (save =3D s; *s && *s !=3D '.'; ++s); + if (*s) { + *s =3D '\0'; + fac =3D decode(save, facilitynames); + if (fac < 0) + errx(1, "unknown facility name: %s", save); + *s++ =3D '.'; + } + else { + fac =3D LOG_SECURITY; + s =3D save; + } + lev =3D decode(s, prioritynames); + if (lev < 0) + errx(1, "unknown priority name: %s", save); + return ((lev & LOG_PRIMASK) | (fac & LOG_FACMASK)); +} + +int +decode(char *name, CODE *codetab) +{ + CODE *c; + + if (isdigit(*name)) + return (atoi(name)); + + for (c =3D codetab; c->c_name; c++) + if (!strcasecmp(name, c->c_name)) + return (c->c_val); + + return (-1); +} + +/** * match_token takes a table and a string, returns the value associated * with the string (0 meaning an error in most cases) */ 
@@ -934,10 +980,12 @@ } } if (logptr) { + printf(" log"); if (logptr->max_log > 0) - printf(" log logamount %d", logptr->max_log); - else - printf(" log"); + printf(" logamount %d", logptr->max_log); + if (logptr->prio !=3D LOG_SECURITY | LOG_INFO) /* XXX convert to text */ + printf(" logprio %u.%u", + LOG_FAC(logptr->prio), LOG_PRI(logptr->prio)); } =20 /* @@ -1695,7 +1743,7 @@ { =20 fprintf(stderr, "ipfw syntax summary:\n" -"ipfw add [N] [prob {0..1}] ACTION [log [logamount N]] ADDR OPTIONS\n" +"ipfw add [N] [prob {0..1}] ACTION [log [logamount N] [logprio level= ]] ADDR OPTIONS\n" "ipfw {pipe|queue} N config BODY\n" "ipfw [pipe] {zero|delete|show} [N{,N}]\n" "\n" @@ -2638,7 +2686,7 @@ action =3D next_cmd(action); =20 /* - * [log [logamount N]] -- log, optional + * [log [logamount N] [logprio level]] -- log, optional * * If exists, it goes first in the cmdbuf, but then it is * skipped in the copy section to the end of the buffer. @@ -2648,6 +2696,7 @@ =20 cmd->len =3D F_INSN_SIZE(ipfw_insn_log); cmd->opcode =3D O_LOG; + c->prio =3D LOG_SECURITY | LOG_INFO; av++; ac--; if (ac && !strncmp(*av, "logamount", strlen(*av))) { ac--; av++; 
@@ -2655,6 +2704,12 @@ c->max_log =3D atoi(*av); if (c->max_log < 0) errx(EX_DATAERR, "logamount must be positive"); + ac--; av++; + } + if (ac && !strncmp(*av, "logprio", strlen(*av))) { + ac--; av++; + NEED1("logprio requires argument"); + c->prio =3D (u_int32_t) pencode(*av); ac--; av++; } cmd =3D next_cmd(cmd);

[end of attachment ipfw2-syslog.patch]

From owner-freebsd-ipfw Fri Feb 28 02:10:11 2003
Date: Fri, 28 Feb 2003 13:10:03 +0300 (MSK)
Message-Id: <200302281010.h1SAA3VD087527@www3.mailru.com>
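Review bot: in the sys/netinet/ip_fw2.c hunk at @@ -442,6 +443,7 @@, `log_prio =3D (int) l->prio;` hands whatever 32-bit value userland stored straight to log(9), so the initialiser `LOG_SECURITY | LOG_INFO` in the @@ -418 hunk is never the effective default, and a rule whose prio field is 0 logs at LOG_KERN|LOG_EMERG, which the stock syslog.conf broadcasts to every logged-in terminal. Keep a kernel-side default by treating 0 as unset (`if (l->prio != 0) log_prio = l->prio;`) and have the O_LOG case of the rule-validation path reject values with bits outside LOG_PRIMASK|LOG_FACMASK, so a malformed rule cannot pick an arbitrary level.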
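Review bot: in the sbin/ipfw/ipfw2.c hunk at @@ -347,6 +349,50 @@, pencode() calls decode() before decode() is defined and neither function has a prototype, so the compiler falls back to an implicit `int decode()` declaration and the build warns (or fails where -Werror is in effect). Add prototypes for both near the top of the file, or define decode() first, and make them `static` since nothing outside this file uses them. The `errx(1, ...)` calls should also follow the file's convention of `errx(EX_DATAERR, ...)`, and decode()'s `isdigit(*name)` test accepts any token that merely starts with a digit (atoi stops at the first non-digit), so `10foo.info` is silently taken as facility 10; check that the whole token is numeric.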
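Review bot: the comparison `if (logptr->prio !=3D LOG_SECURITY | LOG_INFO)` in the sbin/ipfw/ipfw2.c hunk at @@ -934,10 +980,12 @@ is mis-parenthesised: `!=` binds tighter than `|`, so it evaluates `(logptr->prio != LOG_SECURITY) | LOG_INFO`, which is non-zero for every rule, and `ipfw show` will print `logprio` on rules that still use the default. Write `if (logptr->prio != (LOG_SECURITY | LOG_INFO))`. The numeric form printed on the next two lines also does not feed back into `ipfw add`: `LOG_FAC()` yields the facility index (local0 is 16) while decode() treats a number as the already-shifted value that is then masked with LOG_FACMASK, so `logprio 16.7` would come back as LOG_MAIL rather than local0. Resolving the `XXX` by printing the names from facilitynames/prioritynames (already available via SYSLOG_NAMES) fixes both readability and the round trip.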
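Review bot: the usage string in the sbin/ipfw/ipfw2.c hunk at @@ -1695,7 +1743,7 @@ advertises `[logprio level]`, but pencode() accepts `facility.level` and defaults the facility to security when it is omitted, so the summary should read `[logprio [facility.]level]`; the same wording belongs in ipfw(8), which the patch does not touch.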
From: denb
To: ipfw@freebsd.org
Cc: hackers@freebsd.org
Subject: Question about divert in ipfw2 on 5.0 release
X-Mailer: Free WebMail HotBOX.ru

I am writing a program similar to natd, which receives packets at divert port X.

Question: on ipfw1 (FreeBSD 4.7) these rules work perfectly:

    ipfw add divert X from any to any Y
    ipfw add divert X from any Y to any

We are diverting all received and sent packets (from/to port Y) to divert port X. But these rules do not work together with ipfw2 (5.0 Release). Each single rule works fine, but when I combine them only the first of them triggers. The order doesn't matter.

What am I doing wrong?

From owner-freebsd-ipfw Fri Feb 28 04:57:12 2003
Date: Fri, 28 Feb 2003 15:57:04 +0300 (MSK)
From: Maxim Konovalov
To: denb
Cc: ipfw@FreeBSD.org, hackers@FreeBSD.org
Subject: Re: Question about divert in ipfw2 on 5.0 release
In-Reply-To: <200302281010.h1SAA3VD087527@www3.mailru.com>
Message-ID: <20030228155353.I91707@news1.macomnet.ru>
References: <200302281010.h1SAA3VD087527@www3.mailru.com>

Hello,

On 13:10+0300, Feb 28, 2003, denb wrote:
> I am writing a program similar to natd, which receives packets at divert port X.
> Question: on ipfw1 (FreeBSD 4.7) these rules work perfectly:
>
>     ipfw add divert X from any to any Y
>     ipfw add divert X from any Y to any
>
> We are diverting all received and sent packets (from/to port Y) to divert port X.
> But these rules do not work together with ipfw2 (5.0 Release). Each single rule
> works fine, but when I combine them only the first of them triggers. The order
> doesn't matter.
>
> What am I doing wrong?

Can't reproduce:

    # ipfw add 1 divert 1111 tcp from any to any 1973
    00001 divert 1111 tcp from any to any dst-port 1973
    # ipfw add 2 divert 1111 tcp from any 1973 to any
    00002 divert 1111 tcp from any 1973 to any
    # nc localhost 1973
    # nc -p 1973 localhost 21
    # ipfw show 1 2
    00001 1 60 divert 1111 tcp from any to any dst-port 1973
    00002 1 60 divert 1111 tcp from any 1973 to any

What am I doing wrong? :-)

-- 
Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org

From owner-freebsd-ipfw Sat Mar 1 08:20:55 2003
Message-Id: <200303011619.h21GJVtY071364@nic-naa.net>
To: freebsd-ipfw@freebsd.org
Subject: Starting out with IPFW on 5.0
Date: Sat, 01 Mar 2003 11:19:31 -0500
From: Eric Brunner-Williams in Portland Maine

Hi,

I recently installed 5.0 on a set of boxes I'm deploying as part of an ISP. I'd like to install packet filter rule sets on these.

I'm stumped by the change in device creation. In simpler times, MAKEDEV wrapped the mknod(8) dirty work. This apparently isn't the case now.

So, from the 5.0 source (no cvsup), I've made the following changes to GENERIC:

> # Firewall
> options IPFIREWALL                   #firewall
> options IPFIREWALL_VERBOSE           #enable logging to syslogd(8)
> options IPFIREWALL_FORWARD           #enable transparent proxy support
> options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT #use ipf to close, not open
>
> # Do not decrement the ttl, hide firewall from traceroute class tools
> options IPSTEALTH                    #support for stealth forwarding

This builds and runs, but there are no devices -- /dev/{ipauth,ipl,ipstate}, so I've missed a substantial clue. Pointers appreciated. These nodes actually aren't intended to do anything other than be hosts.

Thanks in advance,
Eric