From owner-freebsd-ipfw@FreeBSD.ORG Mon May 13 04:36:47 2013
From: YongHyeon PYUN
Reply-To: pyunyh@gmail.com
Date: Mon, 13 May 2013 13:36:39 +0900
To: Gleb Smirnoff
Cc: Spil Oss, freebsd-ipfw@freebsd.org, current
Subject: Re: Problems with ipfw/natd and axe(4)
Message-ID: <20130513043639.GA1480@michelle.cdnetworks.com>
In-Reply-To: <20130510200409.GT15182@FreeBSD.org>
References: <20130415015850.Y56386@sola.nimnet.asn.au>
 <20130415160625.K56386@sola.nimnet.asn.au>
 <20130417133637.W56386@sola.nimnet.asn.au>
 <20130510200409.GT15182@FreeBSD.org>

On Sat, May 11, 2013 at 12:04:09AM +0400, Gleb Smirnoff wrote:
> Spil,
>
> On Fri, May 10, 2013 at 09:06:35AM +0200, Spil Oss wrote:
> S> There seems to be quite a bit of overhaul on the firewall code, pf and
> S> ipfw have been moved to sys/netpfil? Can there be some regressions in
> S> there that I hit?
>
> Yes, a regression is possible there. However, the issue seems to be
> axe(4) specific, since there are no reports on more common NICs.

There was no change to axe(4) except an added new device id, so it seems
the issue is not in the driver. In addition, the AX88772B engineering
sample I have works without problems on CURRENT. I didn't use ipfw(4) or
natd though.
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 13 11:06:46 2013
From: FreeBSD bugmaster
Date: Mon, 13 May 2013 11:06:46 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-Id: <201305131106.r4DB6k8M075895@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/178317  ipfw       [ipfw] ipfw options need to specifed in specific order
o kern/177948  ipfw       [ipfw] ipfw fails to parse port ranges (p1-p2) for udp
o kern/176503  ipfw       [ipfw] ipfw layer2 problem
o kern/169206  ipfw       [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw       [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw       [ipfw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

42 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Sat May 18 04:45:19 2013
From: melifaro@FreeBSD.org
Date: Sat, 18 May 2013 04:45:19 GMT
To: melifaro@FreeBSD.org, freebsd-ipfw@FreeBSD.org, melifaro@FreeBSD.org
Subject: Re: bin/104921: [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (another variation on PR 91245)
Message-Id: <201305180445.r4I4jJ8C012016@freefall.freebsd.org>

Synopsis: [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (another variation on PR 91245)

Responsible-Changed-From-To: freebsd-ipfw->melifaro
Responsible-Changed-By: melifaro
Responsible-Changed-When: Sat May 18 04:45:03 UTC 2013
Responsible-Changed-Why:
Take

http://www.freebsd.org/cgi/query-pr.cgi?pr=104921

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 18 09:38:30 2013
From: Ian Smith
Date: Sat, 18 May 2013 19:38:25 +1000 (EST)
To: freebsd-ipfw@freebsd.org
Cc: Anders Hagman
Subject: Re: vnet jail with ipfw having logging problem (fwd)
Message-ID: <20130518192057.S86776@sola.nimnet.asn.au>

I'm forwarding this from freebsd-jail as it's clearly an ipfw issue.
Sorry, been totally tied up with $otherstuff since then.

The below conversation is a bit drawn out and in my case, kinda tetchy,
but the bottom line is that Anders here confirms a bug reported by Joe
Barbish, that ipfw in a vimage jail is logging its messages to the
host's /var/log/security and /var/log/messages and not the jail's,
although other things that log (including logger(1)) do so correctly.

As mentioned, I hunted the logging down to /sys/netpfil/ipfw/ip_fw_log.c
on 9.1, but in the time available haven't found where log() was defined.
Am I right assuming something's missed being VNET-ed here somewhere?

cheers, Ian

---------- Forwarded message ----------
Date: Thu, 2 May 2013 22:05:49 +0200
From: Anders Hagman
To: Ian Smith
Cc: freebsd-jail
Subject: Re: vnet jail with ipfw having logging problem

On 2 May 2013 at 18:46, Ian Smith wrote:

> On Thu, 2 May 2013 12:09:08 +0200, Anders Hagman wrote:
>> Hi
> Yo
>> On 2 May 2013 at 07:42, Ian Smith wrote:
>>
>>> On Wed, 1 May 2013 17:43:03 -0400, Joe wrote:
>>>>>> I have ipfw running inside of a vnet jail on a 9.1-RELEASE host using
>>>>> the
>>>>>> jail(8) definition statements for starting and stopping the vnet jail.
>>>>> As a
>>>>>> side note non-vnet jails are working as expected.
>>>>>>> The host is running a custom kernel with modules and with
>>>>>> options VIMAGE
>>>>>> nooptions SCTP
>>>>>> options IPFIREWALL
>>>>>> options IPFIREWALL_VERBOSE
>>>>>> options IPFIREWALL_VERBOSE_LIMIT=10
>>>
>>> Please maintain attributions for the archives. I wrote:
>>>
>>>>> What steps have you taken during testing to override this ridiculously low
>>>>> limit on logging? Otherwise, after e.g. just 5 pings and 5 ping responses
>>>>> are logged, all logging ceases until issuing 'ipfw resetlog'.
>>>>
>>>> /usr/src/sys/conf/NOTES says IPFIREWALL_VERBOSE_LIMIT; limits the number of
>>>> times a matching entry can be logged. Says nothing about this limit being the
>>>> maximum number of log records allowed after which the log file is closed for
>>>> business. Are you saying the /usr/src/sys/conf/NOTES info is no longer true?
>>>
>>> You showed one (1) 'log' rule for each of the host's and jail's ruleset.
>>> Once that one rule has been logged 'logamount' times (default as per
>>> NOTES is 100, but in your case is 10) then logging for THAT rule stops,
>>> therefore with only one 'log' rule, ALL logging stops. Understand?
>>>
>>> If you take the time to properly study the correct reference, ipfw(8),
>>> all of this will become clear. See especially section SYSCTL VARIABLES,
>>> and read thoroughly 'log [logamount number]', at the very least. Ignore
>>> the Handbook section on ipfw, it's full of errors and misunderstandings.
>>>
>>>> Without IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT where do the logged
>>>> packets get written to? /var/log/security
>>>
>>> See above. Both of these options merely set defaults for the sysctls.
>>>
>>>> I have not used ipfw since its ipfw2 rewrite so my knowledge is dated.
>>>
>>> Indeed it is; that's a very long time ago.
>>>
>>>>>> options IPFIREWALL_DEFAULT_TO_ACCEPT
>>>>>> options IPFIREWALL_IPDIVERT
>>>>>
>>>>> You'd likely do better using in-kernel NAT; natd doesn't get much love.
>>>>>
>>>> I kept getting kernel compile errors using "options IPFIREWALL_NAT". I
>>>> thought the error was caused by vimage. Now I know "options LIBALIAS" is
>>>> required. Could not find info on internet search for IPFIREWALL_NAT with
>>>> vimage kernel.
>>>
>>> Apart from FIREWALL_FORWARD (not even that in 10.x), none of that needs
>>> to be in the kernel, it's all loadable as modules; see /etc/rc.d/ipfw.
>>>
>>> If you're doing NAT in the vimage jail, you must have at least two
>>> interfaces assigned to the jail. Care to show your config for that?
>>>
>>>> Do you have first hand experience getting "ipfw kernel nat" to work in a
>>>> vimage jail or having logging work on the host and within the vnet jail?
>>>
>>> No, but I have just on 15 years experience managing ipfw firewalls :)
>>
>> When you are new at things you make mistakes, remember.
>
> I still make mistakes. Trying to teach fishing rather than just tossing
> another fish is often one of mine :)

I'm glad you had some to spare. I know the game. ;->

>
>> To try to answer Joe's question:
>>
>> You don't need to compile anything into the kernel regarding ipfw.
>>
>> Just load the ipfw module in the host system with:
>>
>> kldload ipfw
>>
>> By default a deny all rule is added, so add an allow rule to the host system.
>>
>> ipfw add 10 allow ip from any to any
>>
>> To log things you change the sysctl value net.inet.ip.fw.verbose to 1
>>
>> sysctl net.inet.ip.fw.verbose=1
>>
>> If you keep net.inet.ip.fw.verbose_limit=0 you don't have a log limit, and for tests that's fine.
>
> Sure, though the default of 100 is plenty for such tests; it's
> surprisingly easy to DoS syslogd with e.g. a logged flood ping ..
>
>> Log in to the jail system. Change the sysctl value net.inet.ip.fw.verbose to 1
>>
>> sysctl net.inet.ip.fw.verbose=1
>>
>> Add a logging firewall rule
>>
>> ipfw add 10 allow log ip from any to any
>>
>> Do a ping to an external system.
>> Look inside /var/log/security in the jail system and it's empty.
>
> But it does exist, rw for root, with 0 or more bytes, right? And does
> the vimage jail's /etc/syslog.conf contain:
> security.* /var/log/security
>

Yes

> That is, I'm checking that the jail's syslogd should be handling these.
> What happens if you run in the jail, say:
> # logger -p security.info Syslog, wherefore art thou, Syslog?
> Does that go to the jail's /var/log/security? or the host's?

In jail system webben:

logger -p security.info Syslog, wherefore art thou, Syslog?
tail /var/log/security
May 2 21:24:48 webben root: Syslog, wherefore art thou, Syslog?

>
>> Go to the main host and look at the /var/log/security file and you will find log entries.
>
> Showing the host's hostname, or the jail's? Can you post some examples?

In host system dator5:

tail /var/log/security
May 2 21:29:15 dator5 kernel: ipfw: 10 Accept TCP 10.2.0.101:80 94.153.64.32:3085 out via vlan101
May 2 21:29:15 dator5 kernel: ipfw: 10 Accept TCP 94.153.64.32:3085 10.2.0.101:80 in via vlan101

>
>> I can confirm Joe's bug. I don't have a log rule in the main host but still get log messages.
>> All log messages are from the log rule in the jail system.
>>
>> System used: 9.1-RELEASE-p2
>>
>> BR
>> /Anders
>
> Ok, before determining that this is an ipfw-only issue - in which case
> we need to move it over to freebsd-ipfw@ - can you confirm that normal
> syslogging in the jail to /var/log/messages and such is working?
>

In jail system:

login anders
password *****
tail /var/log/messages
May 2 21:41:57 webben login: login_getclass: unknown class 'svensk'
May 2 21:42:00 webben last message repeated 3 times

> In particular I'm wondering what happens when you do set (say)
> net.inet.ip.fw.verbose_limit=10 and then ping from the jail until
> logging stops .. you should then see a message such as
>
> Apr 23 23:42:05 sola kernel: ipfw: limit 500 reached on entry 26400
>
> both in /var/log/security and in /var/log/messages since it's logged
> as security.notice and default syslog.conf is for *.notice to log to
> /var/log/messages .. see the tail of /sys/netpfil/ipfw/ip_fw_log.c
>
> Yes sure, I'm flying blind, don't have a system with jails here yet, and
> am making assumptions about how syslogd(8) should work in jails that I
> really don't have time to properly research currently, nor am I properly
> across all the security implications of (particularly vimage) jails.
>

On jail system:

sysctl net.inet.ip.fw.verbose_limit=10

Pinging repeatedly. It just continues to log to the host system.

Adding a new ipfw log rule will use the new limit:

ipfw add 5 allow log ip from any to any
00005 allow log logamount 10 ip from any to any

New ping test.

/var/log/security in host system:
May 2 21:52:28 dator5 kernel: ipfw: 5 Accept ICMP:8.0 10.2.0.101 195.49.241.132 out via vlan101
May 2 21:52:28 dator5 kernel: ipfw: 5 Accept ICMP:0.0 195.49.241.132 10.2.0.101 in via vlan101
May 2 21:52:28 dator5 kernel: ipfw: limit 10 reached on entry 5

/var/log/messages in host system:
May 2 21:52:28 dator5 kernel: ipfw: limit 10 reached on entry 5

Nothing at all is logged to the jail syslog.

BR
/Anders
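Two things in the thread above are worth catching automatically on a host that collects ipfw logs: the "ipfw: limit N reached on entry R" line, after which rule R logs nothing more until 'ipfw resetlog' (the silent-logging condition Ian describes), and ipfw lines that carry a hostname other than the one expected for the ruleset that produced them (the host-vs-jail misattribution Anders confirms). The following is an added example written for this page, not code from the thread, from FreeBSD or from ipfw itself. It assumes the classic BSD syslog line layout and the ipfw message formats exactly as quoted above; the sample log text is constructed from those quoted lines, and expected_host is whatever hostname you expect the logging ruleset to run under (the jail's, in the scenario above).

```python
import re
from collections import Counter

# Constructed sample: the ipfw and logger(1) lines quoted in the thread,
# as they appeared in the HOST's /var/log/security, plus the one line that
# did reach the jail's own syslog.
SAMPLE_LOG = """\
May  2 21:29:15 dator5 kernel: ipfw: 10 Accept TCP 10.2.0.101:80 94.153.64.32:3085 out via vlan101
May  2 21:29:15 dator5 kernel: ipfw: 10 Accept TCP 94.153.64.32:3085 10.2.0.101:80 in via vlan101
May  2 21:52:28 dator5 kernel: ipfw: 5 Accept ICMP:8.0 10.2.0.101 195.49.241.132 out via vlan101
May  2 21:52:28 dator5 kernel: ipfw: 5 Accept ICMP:0.0 195.49.241.132 10.2.0.101 in via vlan101
May  2 21:52:28 dator5 kernel: ipfw: limit 10 reached on entry 5
May  2 21:24:48 webben root: Syslog, wherefore art thou, Syslog?
"""

# Classic BSD syslog line: timestamp, hostname, tag, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\s]+): (?P<msg>.*)$")
# "ipfw: limit N reached on entry R": rule R has used up its logamount and
# logs nothing further until 'ipfw resetlog' is run.
LIMIT_RE = re.compile(r"^ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)$")
# "ipfw: R Action PROTO SRC DST in|out via IFACE" as quoted in the thread.
PKT_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)")


def parse_line(line):
    """Return a dict describing one syslog line, or None if it is not syslog-shaped.
    kind is 'packet' for a logged packet, 'limit' for a logamount exhaustion
    notice, and 'other' for anything that is not an ipfw kernel message."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "tag": m["tag"], "msg": m["msg"], "kind": "other"}
    if m["tag"] != "kernel":
        return rec
    lm = LIMIT_RE.match(m["msg"])
    if lm:
        rec.update(kind="limit", rule=int(lm["rule"]), limit=int(lm["limit"]))
        return rec
    pm = PKT_RE.match(m["msg"])
    if pm:
        rec.update(kind="packet", rule=int(pm["rule"]), action=pm["action"],
                   proto=pm["proto"], src=pm["src"], dst=pm["dst"],
                   direction=pm["dir"], iface=pm["iface"])
    return rec


def audit(log_text, expected_host):
    """Summarise ipfw log lines from log_text.
    per_rule: logged packets per rule number.
    exhausted: rule -> logamount for rules that hit their limit (silent from now on).
    foreign_hosts: ipfw lines whose hostname is not expected_host, counted per host;
    a non-empty result means ipfw messages are being attributed to a different
    syslog instance than the ruleset they came from."""
    per_rule = Counter()
    exhausted = {}
    foreign_hosts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        if rec["host"] != expected_host:
            foreign_hosts[rec["host"]] += 1
        if rec["kind"] == "packet":
            per_rule[rec["rule"]] += 1
        else:
            exhausted[rec["rule"]] = rec["limit"]
    return {"per_rule": dict(per_rule), "exhausted": exhausted,
            "foreign_hosts": dict(foreign_hosts)}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, expected_host="webben")
    for rule, n in sorted(report["per_rule"].items()):
        print(f"rule {rule}: {n} logged packet(s)")
    for rule, limit in report["exhausted"].items():
        print(f"rule {rule}: logamount {limit} reached, logging stopped (ipfw resetlog to resume)")
    for host, n in report["foreign_hosts"].items():
        print(f"{n} ipfw line(s) carry hostname {host!r}, expected 'webben'")
```

Run against the constructed sample with expected_host set to the jail's name, the report shows both symptoms from the thread: rule 5 exhausted its logamount of 10, and all five ipfw lines carry the host's name rather than the jail's. On a real system, feed it the tail of /var/log/security from wherever the lines actually land.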