From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 1 09:53:36 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B1B675B3 for ; Mon, 1 Jun 2015 09:53:36 +0000 (UTC) (envelope-from nazari.s11@gmail.com) Received: from mbob.nabble.com (mbob.nabble.com [162.253.133.15]) by mx1.freebsd.org (Postfix) with ESMTP id 9E62F1040 for ; Mon, 1 Jun 2015 09:53:36 +0000 (UTC) (envelope-from nazari.s11@gmail.com) Received: from msam.nabble.com (unknown [162.253.133.85]) by mbob.nabble.com (Postfix) with ESMTP id 95B88DF2447 for ; Mon, 1 Jun 2015 02:44:27 -0700 (PDT) Date: Mon, 1 Jun 2015 02:44:27 -0700 (MST) From: samira To: freebsd-ipfw@freebsd.org Message-ID: <1433151867517-6015918.post@n5.nabble.com> Subject: chnage source of IPFW MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jun 2015 09:53:36 -0000 Hello every one, I want to add a parameter in commands for ipfw, like " ipfw add allow udp from any to any *udpdatalen 10 * ". I changes in /usr/src/sbin/ipfw/ipfw2.c like tcpdatalen option and now i have udpdatalen command correctly in cli, but when i add argument(10) this error occurred. " *ipfw: getsockopt(IP_FW_ADD): Invalid argument* " also I define variables in /usr/src/sys/netinet/ip_fw.h and change .c files in /usr/src/sys/net pfil/ and build kernel and did not changed that error. Thank you for all of your comments and help. -- View this message in context: http://freebsd.1045724.n5.nabble.com/chnage-source-of-IPFW-tp6015918.html Sent from the freebsd-ipfw mailing list archive at Nabble.com. 
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 1 13:32:23 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 76033D99 for ; Mon, 1 Jun 2015 13:32:23 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from forward8l.mail.yandex.net (forward8l.mail.yandex.net [IPv6:2a02:6b8:0:1819::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Certum Level IV CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 306FD181D for ; Mon, 1 Jun 2015 13:32:23 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from smtp2h.mail.yandex.net (smtp2h.mail.yandex.net [IPv6:2a02:6b8:0:f05::116]) by forward8l.mail.yandex.net (Yandex) with ESMTP id 631E31A412E7; Mon, 1 Jun 2015 16:32:20 +0300 (MSK) Received: from smtp2h.mail.yandex.net (localhost [127.0.0.1]) by smtp2h.mail.yandex.net (Yandex) with ESMTP id CE7B71706E50; Mon, 1 Jun 2015 16:32:19 +0300 (MSK) Received: from unknown (unknown [2a02:6b8:0:6::a8]) by smtp2h.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id tmXUCti3l6-WJCqpx5u; Mon, 1 Jun 2015 16:32:19 +0300 (using TLSv1.2 with cipher AES128-SHA (128/128 bits)) (Client certificate not present) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1433165539; bh=7ATczC9RSjYxpXZuJC52kCxTY2sQCTJ9vi765Ntl/fA=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:Subject: References:In-Reply-To:Content-Type; b=uGd+MUvXMzf6mTpbNtVsRHJMNJpHX7t8n0CnCAbfyCiu8EdOek7u9MHi3y8ArpeN1 +7Yb4sTfULOY9lX+bxMZ8lznnz2mPeGBa6q86IJQ+pWGex8/Bq+fs3Zb8pOEi+tVkK muHsfRe3jzuCBV/n4LkWKNpILrSW3y8cFdbCYEiQ= Authentication-Results: smtp2h.mail.yandex.net; dkim=pass header.i=@yandex.ru Message-ID: <556C5E5E.1040601@yandex.ru> Date: Mon, 01 Jun 2015 16:30:06 +0300 From: "Andrey V. 
Elsukov" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: samira , freebsd-ipfw@freebsd.org Subject: Re: chnage source of IPFW References: <1433151867517-6015918.post@n5.nabble.com> In-Reply-To: <1433151867517-6015918.post@n5.nabble.com> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="nCiqHs4vXOt9vFR8MKMbMRhm0R4H1isof" X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jun 2015 13:32:23 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --nCiqHs4vXOt9vFR8MKMbMRhm0R4H1isof Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 01.06.2015 12:44, samira wrote: > Hello every one, > I want to add a parameter in commands for ipfw, like " ipfw add allow = udp > from any to any *udpdatalen 10 * ". >=20 > I changes in /usr/src/sbin/ipfw/ipfw2.c like tcpdatalen option and now = i > have udpdatalen command correctly in cli, but when i add argument(10) t= his > error occurred. > " *ipfw: getsockopt(IP_FW_ADD): Invalid argument* " >=20 > also I define variables in /usr/src/sys/netinet/ip_fw.h and change .c f= iles > in /usr/src/sys/net pfil/ and build kernel and did not changed that err= or. >=20 > Thank you for all of your comments and help. Probably, you need to modify ip_fw_sockopt.c:check_ipfw_rule_body() function. --=20 WBR, Andrey V. 
Elsukov --nCiqHs4vXOt9vFR8MKMbMRhm0R4H1isof Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJVbF5fAAoJEAHF6gQQyKF6abMH/32R/HDry/nWf1JokSiG1EnH IVityiHofqrcpGtEkimk+r0eIv+KHKjjdeKszPBw59H6MeVYWa6WsYrNZzfifFXJ XiY/yv+PZlKhTo7SwrJxkngXtjpvn1qGe9jOOt8CbdM6h9tCe4Bh+mxE8c3BmUYq RGKzp5Bh51nh12/eQT2Pmrd3S1n2BMMjY6lIJ2zq/XDSt9Fy0yp+xvA6mAqZbkpm hxUQsa0gDlvjz8w6rVdfcdEQfKOFUeN1/hqmFCGahkSCBuiX1erxsidnpbLSRFUP EDPoeypsgXMB1hFnq39sG12zgovx7nqqW0F0d2OmThY9Y1u8+rnSeG/161bUJVw= =Kq10 -----END PGP SIGNATURE----- --nCiqHs4vXOt9vFR8MKMbMRhm0R4H1isof-- From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 1 14:22:45 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EF105863 for ; Mon, 1 Jun 2015 14:22:45 +0000 (UTC) (envelope-from rizzo.unipi@gmail.com) Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5EDAC1433 for ; Mon, 1 Jun 2015 14:22:45 +0000 (UTC) (envelope-from rizzo.unipi@gmail.com) Received: by laei3 with SMTP id i3so15024156lae.3 for ; Mon, 01 Jun 2015 07:22:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=TzmKOQhojZQhVnTFFyJ16M2ga7N/PxmaVc9Om+PZD04=; b=fb+kGbse6ft5YTUQUrvKVoFtmnV7VDFJHTvXEUPHdtu1/SXGe6LGSl6ZCy/gX17yeW 
8qfSPa3P3d+5V+c3pb2dNL02VNJwCno8ZZDvH9VhN6tg9KDjO1qdWCtEi6rdaISUj5de XCowLYuzkXpKiuPGKwIgXPdxfBnEYbo1cf8k5HH/ZxzXhd7MT9CfFQ/FxcjNumR+xq0k gJ4V6lI0vJn72APMGiiRyXkvhG52HcUMkX+TcaIeTdhNwWXMgd8FVfxYYVxGPFRSBmTy gsj43O9YKJYMlAl3Zls49V6EecRnWmLr3xMGalMdH3w9mqrcxvxbhJwkyIucE7ASn7hi GeTw== MIME-Version: 1.0 X-Received: by 10.152.5.72 with SMTP id q8mr21116044laq.83.1433168563595; Mon, 01 Jun 2015 07:22:43 -0700 (PDT) Sender: rizzo.unipi@gmail.com Received: by 10.114.230.103 with HTTP; Mon, 1 Jun 2015 07:22:43 -0700 (PDT) In-Reply-To: <1433151867517-6015918.post@n5.nabble.com> References: <1433151867517-6015918.post@n5.nabble.com> Date: Mon, 1 Jun 2015 16:22:43 +0200 X-Google-Sender-Auth: DDRO0Ele0WZUB0csEezs_HG7fk8 Message-ID: Subject: Re: chnage source of IPFW From: Luigi Rizzo To: samira Cc: "freebsd-ipfw@freebsd.org" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jun 2015 14:22:46 -0000 On Mon, Jun 1, 2015 at 11:44 AM, samira wrote: > Hello every one, > I want to add a parameter in commands for ipfw, like " ipfw add allow ud= p > from any to any *udpdatalen 10 * ". > =E2=80=8Badding commands is doable but it requires you to touch multiple parts of the code, namely: - the parsing function in userspace - the decoding function in userspace - the validate function in the kernel (typically one case in a large switch() statement) - the function implementation in the kernel (one case in another, even bigger switch statement) For things like "udpdatalen X" you might be better off doing something like " ... udp iplen X+20 ..." 
cheers luigi =E2=80=8B > > I changes in /usr/src/sbin/ipfw/ipfw2.c like tcpdatalen option and now i > have udpdatalen command correctly in cli, but when i add argument(10) thi= s > error occurred. > " *ipfw: getsockopt(IP_FW_ADD): Invalid argument* " > > also I define variables in /usr/src/sys/netinet/ip_fw.h and change .c fil= es > in /usr/src/sys/net pfil/ and build kernel and did not changed that error= . > > Thank you for all of your comments and help. > > > > > > > > -- > View this message in context: > http://freebsd.1045724.n5.nabble.com/chnage-source-of-IPFW-tp6015918.html > Sent from the freebsd-ipfw mailing list archive at Nabble.com. > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > --=20 -----------------------------------------+------------------------------- Prof. Luigi RIZZO, rizzo@iet.unipi.it . Dip. di Ing. dell'Informazione http://www.iet.unipi.it/~luigi/ . Universita` di Pisa TEL +39-050-2217533 . via Diotisalvi 2 Mobile +39-338-6809875 . 
56122 PISA (Italy) -----------------------------------------+------------------------------- From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 1 14:31:26 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2C355A87 for ; Mon, 1 Jun 2015 14:31:26 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id E6F4E1654 for ; Mon, 1 Jun 2015 14:31:25 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from [127.0.0.1] (unknown [89.113.128.32]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id 3D3D2161B for ; Mon, 1 Jun 2015 17:31:24 +0300 (MSK) Message-ID: <556C6CBB.5010803@FreeBSD.org> Date: Mon, 01 Jun 2015 17:31:23 +0300 From: Lev Serebryakov Reply-To: lev@FreeBSD.org Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Subject: Please, review my change to ipfw, I want to commit it :) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jun 2015 14:31:26 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 https://reviews.freebsd.org/D1776 It was discussed in this list some time ago, but looks like everything stuck. Any comments/objections? This patch works on my router since first patch version without problems and allows me to greatly simplify my firewall. 
- -- // Lev Serebryakov -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQJ8BAEBCgBmBQJVbGy7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePyo0QAN40kckbK0SYrXkaQU+9hEtY Tiw24H5x5WFcYoNLBVfsr5sqRqk+FlR7RD8WEteBF8dt/M/Oa3HKFUYiFo2TxyW0 dLyzh/6LbC+mJAMv5IloiP250zMdFHcBagffa1+soZb8bm7DFXPCxmy+bM2n2dON 8c9ywhYp/RM/cAxlWvCpOyHBsYe6IBAqJKJoP3Ql8ES34WhBOhaFiYnQVf/ZzdbS WCiogVC6YxOdwo4AzM/Xq9OaWiN8tAPmeDa34MM5Sbc3oPW+tEvWr1NUsse/PLgK BOKKKpJDD+V+92u9w5peSS75Cn+WWG9l/Siie677WhA6rKDgNZKICH7j9k8dg8iN I/m08LIZDttfxhvVy//WrG+LHKKHNLddUvKkC5xqnqEJ51Pw/i174EkaeX+Qddgx qwB83GyN5o5io1GwYRASYFOV3HstnuKwJYevLFV3aNAj13Iu9bSMSfbfarpGgQ8Q HYbRekg+wlXg42FqrcYjkQ/HYiuSIZFhp7nikx4BYvnT0bP/FK4SfiQonGzABxEf JDp3hrLZUMcxQ/T4VNvTOcUzTUCsFDBcM/x8R0lz2v3gyreP45fumkhmP1g7+s4V p2LMTuRio2u9ct1PhQXtGueQUCPKLtmgXb0jW7VsyfEK3YCCjdJTyU5wo8EyUKQX JwzrcNt+HGJvtiPN6TSz =gc++ -----END PGP SIGNATURE----- From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 2 04:50:29 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8EF8BBD1 for ; Tue, 2 Jun 2015 04:50:29 +0000 (UTC) (envelope-from nazari.s11@gmail.com) Received: from mbob.nabble.com (mbob.nabble.com [162.253.133.15]) by mx1.freebsd.org (Postfix) with ESMTP id 7B2C71775 for ; Tue, 2 Jun 2015 04:50:29 +0000 (UTC) (envelope-from nazari.s11@gmail.com) Received: from msam.nabble.com (unknown [162.253.133.85]) by mbob.nabble.com (Postfix) with ESMTP id 5160BE01ACE for ; Mon, 1 Jun 2015 21:50:28 -0700 (PDT) Date: Mon, 1 Jun 2015 21:50:28 -0700 (MST) From: samira To: freebsd-ipfw@freebsd.org Message-ID: <1433220628089-6016130.post@n5.nabble.com> In-Reply-To: <556C5E5E.1040601@yandex.ru> References: <1433151867517-6015918.post@n5.nabble.com> 
<556C5E5E.1040601@yandex.ru> Subject: Re: chnage source of IPFW MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 04:50:29 -0000 In ip_fw_sockopt.c does not exist the check_ipfw_rule_body() function but in the check_ipfw_struct() I check opcode of new command and no change state and give that error! -- View this message in context: http://freebsd.1045724.n5.nabble.com/Change-source-of-IPFW-tp6015918p6016130.html Sent from the freebsd-ipfw mailing list archive at Nabble.com. From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 2 04:59:22 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 68A0FDE0 for ; Tue, 2 Jun 2015 04:59:22 +0000 (UTC) (envelope-from nazari.s11@gmail.com) Received: from mbob.nabble.com (mbob.nabble.com [162.253.133.15]) by mx1.freebsd.org (Postfix) with ESMTP id 53AC71971 for ; Tue, 2 Jun 2015 04:59:22 +0000 (UTC) (envelope-from nazari.s11@gmail.com) Received: from msam.nabble.com (unknown [162.253.133.85]) by mbob.nabble.com (Postfix) with ESMTP id 361F5E01B7C for ; Mon, 1 Jun 2015 21:59:22 -0700 (PDT) Date: Mon, 1 Jun 2015 21:59:21 -0700 (MST) From: samira To: freebsd-ipfw@freebsd.org Message-ID: <1433221161964-6016132.post@n5.nabble.com> In-Reply-To: References: <1433151867517-6015918.post@n5.nabble.com> Subject: Re: chnage source of IPFW MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: 
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 04:59:22 -0000 realy I want to detect rtp packets in add it by udpoption. so i add ucpdatalen similar to tcpdatalen for pilot. I think Only step 1 and 4 is done in stes that you said. now where is decoding functions? -- View this message in context: http://freebsd.1045724.n5.nabble.com/Change-source-of-IPFW-tp6015918p6016132.html Sent from the freebsd-ipfw mailing list archive at Nabble.com. From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 2 13:03:57 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9D54DB42; Tue, 2 Jun 2015 13:03:57 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5D95F1089; Tue, 2 Jun 2015 13:03:55 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t52CdeQJ008209; Tue, 2 Jun 2015 22:39:40 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Tue, 2 Jun 2015 22:39:40 +1000 (EST) From: Ian Smith To: Lev Serebryakov cc: freebsd-ipfw@freebsd.org Subject: Re: Please, review my change to ipfw, I want to commit it :) In-Reply-To: <556C6CBB.5010803@FreeBSD.org> Message-ID: <20150602214303.V91076@sola.nimnet.asn.au> References: <556C6CBB.5010803@FreeBSD.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 
13:03:57 -0000 On Mon, 1 Jun 2015 17:31:23 +0300, Lev Serebryakov wrote: > https://reviews.freebsd.org/D1776 > > It was discussed in this list some time ago, but looks like > everything stuck. > > Any comments/objections? > > This patch works on my router since first patch version without > problems and allows me to greatly simplify my firewall. I just glanced over the code for rough gist, looking for intent rather than correctness - which I would miss. I also reviewed your earlier posts about this, and think I'm almost starting to get it .. First, it seems this code won't hurt anyone who doesn't know about it :) and so could probably be MFC'd before too long without likely damage. Second, thanks Julian for language patches, it's helped me follow it. It would be nice if skip-immediate-action could be shortened, especially where printed by ip_fw2.c .. skip-action may be enough? defer-action? But mainly, I think this needs some practical, not too complex examples that clearly show just how these can work with various flows, perhaps a section for ipfw(8) EXAMPLES? E.g, some rule sections dealing with NAT states vs IPFW dynamic states that show how to deal with the very issues and twisty constructs needed without these, that you pointed out earlier, could be really helpful. 
cheers, Ian From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 6 05:59:05 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9F13BD09; Sat, 6 Jun 2015 05:59:05 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A736D1A1A; Sat, 6 Jun 2015 05:59:03 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t565wobJ087601; Sat, 6 Jun 2015 15:58:51 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sat, 6 Jun 2015 15:58:50 +1000 (EST) From: Ian Smith To: Lev Serebryakov cc: freebsd-ipfw@freebsd.org Subject: Re: Please, review my change to ipfw, I want to commit it :) In-Reply-To: <20150602214303.V91076@sola.nimnet.asn.au> Message-ID: <20150606154353.M91076@sola.nimnet.asn.au> References: <556C6CBB.5010803@FreeBSD.org> <20150602214303.V91076@sola.nimnet.asn.au> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Jun 2015 05:59:05 -0000 Lev, a further thought. I've seen melifaro's new comments, but can't comment on those except that we are agreed on really needing some usage examples. On Tue, 2 Jun 2015 22:39:40 +1000, Ian Smith wrote: > It would be nice if skip-immediate-action could be shortened, especially > where printed by ip_fw2.c .. skip-action may be enough? defer-action? 
This use of 'skip' bugs me in another way; it could easily be confused by some with skipto, just by use of the word. Various example rulesets actually use $skip as shorthand for 'skipto $somerule', for example. I think that 'defer' - put off to a later time, postpone - or perhaps less favourably but similar enough, 'delay', would provide clearer meaning here, especially if the deferred action is itself a 'skipto'. cheers, Ian From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 6 11:52:37 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 387E6B18; Sat, 6 Jun 2015 11:52:37 +0000 (UTC) (envelope-from bycn82@gmail.com) Received: from mail-vn0-x233.google.com (mail-vn0-x233.google.com [IPv6:2607:f8b0:400c:c0f::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E59131955; Sat, 6 Jun 2015 11:52:36 +0000 (UTC) (envelope-from bycn82@gmail.com) Received: by vnbf129 with SMTP id f129so1895292vnb.2; Sat, 06 Jun 2015 04:52:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DUHhljDhhgrztz7fVM7d46fvuVm/AFOQU9dTaM6ax/I=; b=kA0RAXpPtd5qSryZuXV4thm1brlePDcG8QoSlY1jl6abFefhfDSl2+gCQmIwyCXOWN xpBnoT9mdm3T0suMuAAyILRp1xnY7DOizHjUXsLHn4Cw4muOxWrmbNcbtRtzDHspMJlS LDMnONwasZoETmdKmfFrSJhZYNBMzDgcC6+uFJuKbl0/ioMzR7av9M3q5zDMY4XSj9nq p4/bJM1UFgZTvokLSsJVCz3+HsoVLO/5IgcTUU3hglk1NCcVwpMNvZTbKmCoO/sWcVUk WfLiKW6kXOWMjP3OQCDUBEULteMsx3ass8FhwDAt1+lcLNHz2Z5T4ZicLUSf3W0+drAX 5y4A== MIME-Version: 1.0 X-Received: by 10.52.65.38 with SMTP id u6mr14358134vds.24.1433591555348; Sat, 06 Jun 2015 04:52:35 
-0700 (PDT) Received: by 10.31.174.6 with HTTP; Sat, 6 Jun 2015 04:52:35 -0700 (PDT) In-Reply-To: <20150606154353.M91076@sola.nimnet.asn.au> References: <556C6CBB.5010803@FreeBSD.org> <20150602214303.V91076@sola.nimnet.asn.au> <20150606154353.M91076@sola.nimnet.asn.au> Date: Sat, 6 Jun 2015 19:52:35 +0800 Message-ID: Subject: Re: Please, review my change to ipfw, I want to commit it :) From: bycn82 To: Ian Smith Cc: Lev Serebryakov , freebsd-ipfw Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Jun 2015 11:52:37 -0000 *Hello,* *Can you please explain what is going one again,* *Sorry I did not follow the emails, I am not checking the FB email for a while, * *I think I missed some emails.* *e.g * *what is the purpose of the "*skip-immediate-action" *Regards,* *Bycn82* On 6 June 2015 at 13:58, Ian Smith wrote: > Lev, a further thought. > > I've seen melifaro's new comments, but can't comment on those except > that we are agreed on really needing some usage examples. > > On Tue, 2 Jun 2015 22:39:40 +1000, Ian Smith wrote: > > > It would be nice if skip-immediate-action could be shortened, especially > > where printed by ip_fw2.c .. skip-action may be enough? defer-action? > > This use of 'skip' bugs me in another way; it could easily be confused > by some with skipto, just by use of the word. Various example rulesets > actually use $skip as shorthand for 'skipto $somerule', for example. > > I think that 'defer' - put off to a later time, postpone - or perhaps > less favourably but similar enough, 'delay', would provide clearer > meaning here, especially if the deferred action is itself a 'skipto'. 
> > cheers, Ian > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 6 13:48:47 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D76931B9; Sat, 6 Jun 2015 13:48:47 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 57F4711FC; Sat, 6 Jun 2015 13:48:46 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t56DmgA6003422; Sat, 6 Jun 2015 23:48:43 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sat, 6 Jun 2015 23:48:42 +1000 (EST) From: Ian Smith To: bycn82 cc: Lev Serebryakov , freebsd-ipfw Subject: Re: Please, review my change to ipfw, I want to commit it :) In-Reply-To: Message-ID: <20150606233816.S91076@sola.nimnet.asn.au> References: <556C6CBB.5010803@FreeBSD.org> <20150602214303.V91076@sola.nimnet.asn.au> <20150606154353.M91076@sola.nimnet.asn.au> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Jun 2015 13:48:47 -0000 On Sat, 6 Jun 2015 19:52:35 +0800, bycn82 wrote: > *Hello,* > *Can you please explain what is going one again,* > *Sorry I did not follow the emails, I am not checking the FB email for a > 
while, * > *I think I missed some emails.* > *e.g * > *what is the purpose of the "*skip-immediate-action" > *Regards,* > *Bycn82* Hi Bill, please send plain text mail rather than HTML to the lists, thanks. Probably best to start at the several threads from February - some of which you did participate in - from: http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-February/thread.html and then this thread from here on 1st June: http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-June/005872.html which points to the review at: https://reviews.freebsd.org/D1776 cheers, Ian From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 6 15:41:45 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B5C91CDC; Sat, 6 Jun 2015 15:41:45 +0000 (UTC) (envelope-from bycn82@gmail.com) Received: from mail-vn0-x232.google.com (mail-vn0-x232.google.com [IPv6:2607:f8b0:400c:c0f::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6FA451C2D; Sat, 6 Jun 2015 15:41:45 +0000 (UTC) (envelope-from bycn82@gmail.com) Received: by vnbg1 with SMTP id g1so12450289vnb.3; Sat, 06 Jun 2015 08:41:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=w5Ny63pMgLIhYLtEPTZmAFve4oFCR5oUJLEDol0TuhY=; b=P+QlAS2qZwoksorqT7mX+SiOFjhTQ9XutY7xcypyMj9SrYRv4OSyTw8Kf1RQ4jxzf4 EPWRYw5Cfkvs4VLIyfjUKtRzEVxzU7Ozb1x3e+to5g2Wo6IA5DktbWxxqzXnOoj4UxTc /MNaAlShKd5dgnaT0pwEBh1ypOIDrxUhtvssp/pp0razY/oY1env56gypOyubffVtNjc /VxO7mkcKORIMmoVGcsc9ViFqGfb50T4E5P7/wU77JKSyIflNlSReK/mtoYB+baY/CqN 
MIME-Version: 1.0
In-Reply-To: <20150606233816.S91076@sola.nimnet.asn.au>
References: <556C6CBB.5010803@FreeBSD.org> <20150602214303.V91076@sola.nimnet.asn.au> <20150606154353.M91076@sola.nimnet.asn.au> <20150606233816.S91076@sola.nimnet.asn.au>
Date: Sat, 6 Jun 2015 23:41:44 +0800
Subject: Re: Please, review my change to ipfw, I want to commit it :)
From: bycn82
To: Ian Smith
Cc: freebsd-ipfw , Lev Serebryakov
Content-Type: text/plain; charset=UTF-8

Hi,

I saw my previous email in this thread, but I think I replied to it without having fully read all the emails.

I like the state-deny and allow; actually I tried this. In my opinion, the state is a "shortcut" or "soft link" which links to another rule: when the packet matches the state, it will directly skip to that rule, and the destination rule can be allow or deny or others.

Regards,
Bill Yuan

On 6 June 2015 at 21:48, Ian Smith wrote:
> On Sat, 6 Jun 2015 19:52:35 +0800, bycn82 wrote:
>
> > Hello,
> > Can you please explain what is going on again,
> > Sorry I did not follow the emails, I am not checking the FB email for a
> > while,
> > I think I missed some emails.
> > e.g.
> > what is the purpose of the "skip-immediate-action"
> > Regards,
> > Bycn82
>
> Hi Bill,
>
> please send plain text mail rather than HTML to the lists, thanks.
>
> Probably best to start at the several threads from February - some of
> which you did participate in - from:
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-February/thread.html
>
> and then this thread from here on 1st June:
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-June/005872.html
>
> which points to the review at:
>
> https://reviews.freebsd.org/D1776
>
> cheers, Ian
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 6 17:01:52 2015
Delivered-To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
In-Reply-To: <20150606233816.S91076@sola.nimnet.asn.au>
References: <556C6CBB.5010803@FreeBSD.org> <20150602214303.V91076@sola.nimnet.asn.au> <20150606154353.M91076@sola.nimnet.asn.au> <20150606233816.S91076@sola.nimnet.asn.au>
Date: Sun, 7 Jun 2015 01:01:51 +0800
Subject: Re: Please, review my change to ipfw, I want to commit it :)
From: bycn82
To: Ian Smith
Cc: freebsd-ipfw , Lev Serebryakov
Content-Type: text/plain; charset=UTF-8

Hi,

Correct me if I am wrong. Below are the rules you listed in your email.

    add 1000 skipto 2000 all from any to any out xmit outIface
    add 1010 skipto 3000 all from any to any in recv outIface
    add 2000 skipto 2010 from any to any keep-state
    add 2010 nat NR from any to any out   // Note this "out" in out section!
    add 2020 allow all from any to any
    add 3000 nat NR from any to any
    add 3010 check-state                  // Use dynamic rule based on 2000

So for the outgoing traffic, it will hit the rules below:

    1000 skipto
    2000 skipto and keep-state
    2010 nat

Return traffic will hit:

    1010 skipto
    3000 nat

So I don't see any traffic reaching check-state.

I did not follow up on ipfw in FB for a while, but below are the rules I tested in my dfly environment:

    ipfw3 nat 1 config if em0
    ipfw3 add 1 check-state
    ipfw3 add 2 nat 1 icmp via em0 keep-state
    ipfw3 add 3 allow icmp via em1

So actually I still did not get the point :( I still don't understand what "skipto-nat-allow" is.

On 6 June 2015 at 23:41, bycn82 wrote:
> Hi,
>
> I saw my previous email in this thread, but I think I replied to it
> without having fully read all the emails.
>
> I like the state-deny and allow;
>
> actually I tried this. In my opinion, the state is a "shortcut" or
> "soft link" which links to another rule:
> when the packet matches the state, it will directly skip to that rule,
> and the destination rule can be allow or deny or others.
>
> Regards,
> Bill Yuan
>
> On 6 June 2015 at 21:48, Ian Smith wrote:
>> On Sat, 6 Jun 2015 19:52:35 +0800, bycn82 wrote:
>>
>> > Hello,
>> > Can you please explain what is going on again,
>> > Sorry I did not follow the emails, I am not checking the FB email for a
>> > while,
>> > I think I missed some emails.
>> > e.g.
>> > what is the purpose of the "skip-immediate-action"
>> > Regards,
>> > Bycn82
>>
>> Hi Bill,
>>
>> please send plain text mail rather than HTML to the lists, thanks.
>>
>> Probably best to start at the several threads from February - some of
>> which you did participate in - from:
>>
>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-February/thread.html
>>
>> and then this thread from here on 1st June:
>>
>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-June/005872.html
>>
>> which points to the review at:
>>
>> https://reviews.freebsd.org/D1776
>>
>> cheers, Ian
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
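As an added example that is neither part of this thread nor ipfw's own code: a small Python model of ipfw's rule walk, traced over the seven-rule set quoted in the message above, with net.inet.ip.fw.one_pass as a parameter so the two possible paths of the reply packet can be compared. It assumes ipfw's documented semantics (a state hit at check-state, or at the implicit check a keep-state rule performs, runs the action of the rule that created the state; with one_pass=1 a packet is accepted right after nat), abstracts addresses and interfaces to one constructed flow key, and pre-parses the rules as tuples instead of ipfw syntax.

```python
# Added model of ipfw rule traversal (not ipfw's code). Rules are pre-parsed
# tuples: (number, action, target, direction or None, keep_state). "nat" is a
# pass-through step that, with one_pass=1 (the ipfw default), accepts the packet.
RULES = [  # transcribed from the ruleset quoted in the message above
    (1000, "skipto", 2000, "out", False),   # out xmit outIface
    (1010, "skipto", 3000, "in", False),    # in recv outIface
    (2000, "skipto", 2010, None, True),     # keep-state
    (2010, "nat", "NR", "out", False),
    (2020, "allow", None, None, False),
    (3000, "nat", "NR", None, False),
    (3010, "check-state", None, None, False),
]

def _index_of(number):
    """Index of the first rule numbered >= number (skipto target semantics)."""
    return next((j for j, r in enumerate(RULES) if r[0] >= number), len(RULES))

def trace(direction, key, states, one_pass=True):
    """Walk RULES for one packet and return (visited rule numbers, verdict).
    `states` maps a flow key to the number of the rule whose keep-state made it."""
    visited, i = [], 0
    while i < len(RULES):
        num, action, target, rdir, keep = RULES[i]
        if rdir is not None and rdir != direction:   # in/out option does not match
            i += 1
            continue
        visited.append(num)
        if action == "check-state" or keep:          # keep-state implies a check first
            parent = states.get(key)
            if parent is not None:
                # state hit: ipfw runs the action of the rule that created the state
                _, action, target, _, _ = RULES[_index_of(parent)]
            elif keep:
                states[key] = num                    # install a state for this flow
        if action in ("allow", "deny"):
            return visited, action
        if action == "nat" and one_pass:
            return visited, "allow"                  # one_pass=1: accepted after nat
        i = _index_of(target) if action == "skipto" else i + 1
    return visited, "deny"                           # default rule 65535 denies

def run(one_pass=True):
    """Trace one outbound packet and its reply (same key: nat at 3000 restores
    the internal address before check-state is reached)."""
    states, key = {}, ("10.0.0.5:40000", "198.51.100.7:53")   # constructed flow
    return trace("out", key, states, one_pass), trace("in", key, states, one_pass)

if __name__ == "__main__":
    for one_pass in (True, False):
        print("one_pass =", int(one_pass), run(one_pass))
```

With one_pass=1 the reply is accepted at 3000 and never reaches 3010 check-state; with one_pass=0 it reaches 3010, matches the state created by 2000, and is handed to 2000's skipto, landing on 2020.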
