From owner-freebsd-ipfw Sun Feb 27 4:45: 5 2000
Message-Id: <200002271345.JAA29398@alpha.cnc.una.py>
From: jsegovia@cnc.una.py
To: freebsd-ipfw@FreeBSD.ORG
Date: Sun, 27 Feb 2000 09:46:24 -0400
Subject: Re: cpp change breaks ipfw
In-reply-to: <38B8BAC5.9927A56E@acm.org>

I had the same problem; the "fix" I found was to call
cpp with -traditional. The cpp manpage is rather quiet about
what exactly "traditional" means but at least that solved
my problem.

Juan
--
Centro Nacional de Computacion
Universidad Nacional de Asuncion
Tel. +595 (21) 585 550

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Feb 27 12: 8:46 2000
Message-ID: <38B98413.CB910261@acm.org>
Date: Sun, 27 Feb 2000 15:07:47 -0500
From: Jim Bloom
To: jsegovia@cnc.una.py
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
References: <200002271345.JAA29398@alpha.cnc.una.py>

Thanks for the hint. Now all I need to do is modify ipfw to pass additional
arguments to the preprocessor.

Jim Bloom
bloom@acm.org

jsegovia@cnc.una.py wrote:
>
> I had the same problem; the "fix" I found was to call
> cpp with -traditional. The cpp manpage is rather quiet about
> what exactly "traditional" means but at least that solved
> my problem.
>
> Juan

From owner-freebsd-ipfw Sun Feb 27 12:17:38 2000
Date: Sun, 27 Feb 2000 22:16:31 +0200
From: Ruslan Ermilov
To: Jim Bloom
Cc: jsegovia@cnc.una.py, freebsd-ipfw@FreeBSD.org
Subject: Re: cpp change breaks ipfw
Message-ID: <20000227221631.A70300@relay.ucb.crimea.ua>
References: <200002271345.JAA29398@alpha.cnc.una.py> <38B98413.CB910261@acm.org>
In-Reply-To: <38B98413.CB910261@acm.org>; from Jim Bloom on Sun, Feb 27, 2000 at 03:07:47PM -0500

On Sun, Feb 27, 2000 at 03:07:47PM -0500, Jim Bloom wrote:
> Thanks for the hint. Now all I need to do is modify ipfw to pass additional
> arguments to the preprocessor.
>
What's wrong with

    echo cpp -traditional $@ > ipfw-preproc
    ipfw -p ipfw-preproc ...

> Jim Bloom
> bloom@acm.org
>
> jsegovia@cnc.una.py wrote:
> >
> > I had the same problem; the "fix" I found was to call
> > cpp with -traditional. The cpp manpage is rather quiet about
> > what exactly "traditional" means but at least that solved
> > my problem.
> >
> > Juan
> >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message

--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw Sun Feb 27 14:10:27 2000
Message-ID: <38B9A05F.57D2DD6D@acm.org>
Date: Sun, 27 Feb 2000 17:08:31 -0500
From: Jim Bloom
Reply-To: bloom@acm.org
To: Ruslan Ermilov
Cc: jsegovia@cnc.una.py, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
References: <200002271345.JAA29398@alpha.cnc.una.py> <38B98413.CB910261@acm.org> <20000227221631.A70300@relay.ucb.crimea.ua>

Ruslan Ermilov wrote:
>
> On Sun, Feb 27, 2000 at 03:07:47PM -0500, Jim Bloom wrote:
> > Thanks for the hint. Now all I need to do is modify ipfw to pass additional
> > arguments to the preprocessor.
> >
> What's wrong with
>     echo cpp -traditional $@ > ipfw-preproc
>     ipfw -p ipfw-preproc ...

That's what I did (including adding a chmod) as a temporary way to get
around the problem. If that is the recommended solution to the problem,
please commit the following patch to ipfw.8. This will at least alert
people to the fact that this problem exists in 4.0. Thanks.

Jim Bloom
bloom@acm.org

Index: ipfw.8 =================================================================== RCS file: /users/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.62 diff -u -r1.62 ipfw.8 --- ipfw.8 2000/02/10 14:25:26 1.62 +++ ipfw.8 2000/02/27 21:58:12 
@@ -1021,6 +1021,13 @@ .Ar tee rule should not be immediately accepted, but should continue going through the rule list. This may be fixed in a later version. +.Pp +The preprocessor +.Xr cpp 1 +no longer works correctly. It requires the argument +.Ar -traditional +to avoid problems with spacing. There is no way for this program to pass +the argument directly. .Sh AUTHORS .An Ugen J. S. Antsilevich , .An Poul-Henning Kamp ,

From owner-freebsd-ipfw Sun Feb 27 16:49:11 2000
Date: Sun, 27 Feb 2000 19:49:07 -0500 (EST)
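Review bot: in the ipfw.8 hunk at -1021,6 +1021,13, "no longer works correctly" does not tell the reader what actually fails; the only hint is "problems with spacing". Say what the user will see, namely that cpp now puts white space around expanded macros, so a rule built from macros (such as an address:mask pair) reaches ipfw with spaces in it. Two smaller points in the same hunk: -traditional is an option, so ".Fl traditional" is the matching mdoc markup rather than ".Ar -traditional", and since the text says ipfw cannot pass the argument itself, it should name the workaround (a small wrapper script given to -p) instead of leaving the reader without one.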
From: Brian Fundakowski Feldman
To: Luigi Rizzo
Cc: jsegovia@cnc.una.py, freebsd-ipfw@FreeBSD.ORG
Subject: Re: keep-state and fwd
In-Reply-To: <200002260950.KAA17547@info.iet.unipi.it>

On Sat, 26 Feb 2000, Luigi Rizzo wrote:

> I am looking at a fix to make dynamic rules understand 'forward'
> (basically do the address rewrite in one direction, and behave
> as a 'pass' rule in the other one.
>
> I hope to fix this for the release of -current .

Need any help at all? There's not much time to fix problems, so if there
are more people working to fix them, we can take care of everything
found. Of course, since this code that you know best... :)

> cheers
> luigi
> -----------------------------------+-------------------------------------
> Luigi RIZZO, luigi@iet.unipi.it    . Dip. di Ing. dell'Informazione
> http://www.iet.unipi.it/~luigi/    . Universita` di Pisa
> TEL/FAX: +39-050-568.533/522       . via Diotisalvi 2, 56126 PISA (Italy)
> Mobile +39-347-0373137
> -----------------------------------+-------------------------------------

--
Brian Fundakowski Feldman      \ FreeBSD: The Power to Serve! /
green@FreeBSD.org               `------------------------------'

From owner-freebsd-ipfw Sun Feb 27 23:37:26 2000
Date: Mon, 28 Feb 2000 09:37:03 +0200
From: Ruslan Ermilov
To: Jim Bloom, "David O'Brien"
Cc: jsegovia@cnc.una.py, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
Message-ID: <20000228093703.B43907@relay.ucb.crimea.ua>
References: <200002271345.JAA29398@alpha.cnc.una.py> <38B98413.CB910261@acm.org> <20000227221631.A70300@relay.ucb.crimea.ua> <38B9A05F.57D2DD6D@acm.org>
In-Reply-To: <38B9A05F.57D2DD6D@acm.org>; from Jim Bloom on Sun, Feb 27, 2000 at 05:08:31PM -0500

On Sun, Feb 27, 2000 at 05:08:31PM -0500, Jim Bloom wrote:
> Ruslan Ermilov wrote:
> >
> > On Sun, Feb 27, 2000 at 03:07:47PM -0500, Jim Bloom wrote:
> > > Thanks for the hint. Now all I need to do is modify ipfw to pass additional
> > > arguments to the preprocessor.
> > >
> > What's wrong with
> >     echo cpp -traditional $@ > ipfw-preproc
> >     ipfw -p ipfw-preproc ...
> >
> That's what I did (including adding a chmod) as a temporary way to get
> around the problem. If that is the recommended solution to the problem,
> please commit the following patch to ipfw.8. This will at least alert
> people to the fact that this problem exists in 4.0. Thanks.
>
I don't think that documenting another program's changed behaviour is the
right thing to do. Maybe David can shed some light on this?
--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw Mon Feb 28 1:47:16 2000
Date: Mon, 28 Feb 2000 01:47:13 -0800
From: "David O'Brien"
To: Jim Bloom
Cc: freebsd-current@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: cpp change breaks ipfw
Message-ID: <20000228014713.A25772@dragon.nuxi.com>
Reply-To: obrien@freebsd.org
References: <38B8BAC5.9927A56E@acm.org>
In-Reply-To: <38B8BAC5.9927A56E@acm.org>; from bloom@acm.org on Sun, Feb 27, 2000 at 12:48:53AM -0500

On Sun, Feb 27, 2000 at 12:48:53AM -0500, Jim Bloom wrote:
> but on a new version of current this expands to
>
> add pass tcp from 192.168.2.5 : 255.255.254.0 to any 25 setup
>
> Note the extra spaces around the colon.

This is required by the ANSI-C spec. Tokens replaced by `cpp' shall be
separated by white space.

> There are several options here:
> 1) Fix cpp to not emit the extra spaces

Would break the ANSI-C spec.

> 3) Document the cpp is not a valid preprocessor for ipfw on the manual page.

``cpp'' really isn't a general purpose pre-processor -- it is exclusively
designed with the needs and usage of C in mind. ``m4'' is a much better
general purpose processor.

That said ``/usr/bin/cpp -traditional'' will do what you want it to do.
--
-- David (obrien@NUXI.com)

From owner-freebsd-ipfw Mon Feb 28 3:14:48 2000
To: Jim Bloom
Cc: freebsd-current@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
References: <38B8BAC5.9927A56E@acm.org>
From: Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann)
Date: 28 Feb 2000 12:14:04 +0100
In-Reply-To: Jim Bloom's message of "Sun, 27 Feb 2000 00:48:53 -0500"

Jim Bloom writes:

> On the old version of current this expands to
>
> add pass tcp from 192.168.2.5:255.255.254.0 to any 25 setup
>
> but on a new version of current this expands to
>
> add pass tcp from 192.168.2.5 : 255.255.254.0 to any 25 setup

You might wish to try this:

/----
| #define rule(ADDR,MASK) \
|     add pass tcp from ADDR ## : ## MASK to any 25 setup
|
| rule(192.168.2.5,255.255.254.0)
\----

Does it do what you want? Somewhat clumsy, but it does seem to work.

kai
--
~/.signature: No such file or directory

From owner-freebsd-ipfw Mon Feb 28 4:41: 8 2000
Message-ID: <38BA6CAF.7F855F3@acm.org>
Date: Mon, 28 Feb 2000 07:40:15 -0500
From: Jim Bloom
To: Ruslan Ermilov
Cc: "David O'Brien", jsegovia@cnc.una.py, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
References: <200002271345.JAA29398@alpha.cnc.una.py> <38B98413.CB910261@acm.org> <20000227221631.A70300@relay.ucb.crimea.ua> <38B9A05F.57D2DD6D@acm.org> <20000228093703.B43907@relay.ucb.crimea.ua>

I agree 100%. I'm going to change ipfw so that the syntax for the
preprocessor becomes:

    ipfw [-q] [-p preprocessor [preprocessor_arguments]] file

This will allow for passing -traditional to cpp and a wider array of
preprocessors in general. It does allow one to make mistakes more easily,
but is a general solution to the problem.

I'll post the changes when I am done.

Jim Bloom
bloom@acm.org

Ruslan Ermilov wrote:
>
> I don't think that documenting another program's changed behaviour is the
> right thing to do. Maybe David can shed some light on this?
>

From owner-freebsd-ipfw Mon Feb 28 4:48: 1 2000
Message-ID: <38BA6E6D.239DEDB1@acm.org>
Date: Mon, 28 Feb 2000 07:47:41 -0500
From: Jim Bloom
To: Kai Großjohann
Cc: freebsd-current@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
References: <38B8BAC5.9927A56E@acm.org>

No. It has the same bug. That method of concatenation only works for strings.

Jim Bloom
bloom@acm.org

Kai Großjohann wrote:
> /----
> | #define rule(ADDR,MASK) \
> |     add pass tcp from ADDR ## : ## MASK to any 25 setup
> |
> | rule(192.168.2.5,255.255.254.0)
> \----
>
> Does it do what you want? Somewhat clumsy, but it does seem to work.

From owner-freebsd-ipfw Mon Feb 28 5:48:59 2000
To: Jim Bloom
Cc: freebsd-current@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
References: <38B8BAC5.9927A56E@acm.org> <38BA6E6D.239DEDB1@acm.org>
From: Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann)
Date: 28 Feb 2000 14:48:17 +0100
In-Reply-To: Jim Bloom's message of "Mon, 28 Feb 2000 07:47:41 -0500"

Jim Bloom writes:

> No. It has the same bug. That method of concatenation only works
> for strings.

Well, I tried it and got the following:

/----
| $ cat foo
| #define rule(ADDR,MASK) add pass tcp from ADDR ## : ## MASK to any 25 setup
| rule(192.168.2.5,255.255.254.0)
| $ type cpp
| cpp is hashed (/usr/bin/cpp)
| $ cpp foo
| # 1 "foo"
|
| add pass tcp from 192.168.2.5:255.255.254.0 to any 25 setup
| $ cpp --version
| 2.95.2
\----

Note that there is no space in ``192.168.2.5:255.255.254.0''. I
thought that this is what you wanted? If this isn't what you wanted,
I'm sorry for the misunderstanding.

I cvsupped my -current on Friday or Saturday, is that too old?

kai
--
~/.signature: No such file or directory

From owner-freebsd-ipfw Mon Feb 28 6:19:11 2000
Message-ID: <38BA83C4.8457CC69@acm.org>
Date: Mon, 28 Feb 2000 09:18:44 -0500
From: Jim Bloom
To: Kai Großjohann
Cc: freebsd-current@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
References: <38B8BAC5.9927A56E@acm.org> <38BA6E6D.239DEDB1@acm.org>

Kai Großjohann wrote:
>
> /----
> | $ cat foo
> | #define rule(ADDR,MASK) add pass tcp from ADDR ## : ## MASK to any 25 setup
> | rule(192.168.2.5,255.255.254.0)
> | $ type cpp
> | cpp is hashed (/usr/bin/cpp)
> | $ cpp foo
> | # 1 "foo"
> |
> | add pass tcp from 192.168.2.5:255.255.254.0 to any 25 setup
> | $ cpp --version
> | 2.95.2
> \----
>
> Note that there is no space in ``192.168.2.5:255.255.254.0''. I
> thought that this is what you wanted? If this isn't what you wanted,
> I'm sorry for the misunderstanding.

That small test works fine, but doesn't solve the problem I was having.
Try this small test case to see my problem:

#define addr 192.186.2.5
#define mask 255.255.240.0

#define rule(ADDR,MASK) add pass tcp from ADDR ## : ## MASK to any 25 setup
rule(addr,mask)

This also does not work if addr and mask are defined on the command line.
The problem arises from using another defined value as the string being
concatenated. The concatenation works for constants though.
Jim Bloom
bloom@acm.org

From owner-freebsd-ipfw Mon Feb 28 9:12:24 2000
Message-ID: <38BAABCC.BCA300AB@acm.org>
Date: Mon, 28 Feb 2000 12:09:32 -0500
From: Jim Bloom
Reply-To: bloom@acm.org
To: Ruslan Ermilov
Cc: jsegovia@cnc.una.py, freebsd-ipfw@FreeBSD.org
Subject: [PATCH] Re: cpp change breaks ipfw
References: <200002271345.JAA29398@alpha.cnc.una.py> <38B98413.CB910261@acm.org> <20000227221631.A70300@relay.ucb.crimea.ua>

To provide an easy workaround for the problem with cpp putting spaces
around expanded macros which causes problems for ipfw, I modified ipfw
to take arbitrary parameters and pass them to the preprocessor. With
cpp, -traditional may be passed on the command line. This patch also
allows for a much wider range of preprocessors since it allows for
arbitrary syntax in the arguments.

I'm sure several people will have problems with ipfw when 4.0 is
released because of the change to cpp. Will someone please test this
patch again and commit it. Thanks.

Jim Bloom
bloom@acm.org

Index: ipfw.8 =================================================================== RCS file: /users/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.63 diff -u -r1.63 ipfw.8 --- ipfw.8 2000/02/28 15:21:12 1.63 +++ ipfw.8 2000/02/28 16:35:26 @@ -12,14 +12,8 @@ .Op Fl q .Oo .Fl p Ar preproc -.Oo Fl D -.Sm off -.Ar macro -.Op = Ar value -.Sm on +.Op Ar preproc-options .Oc -.Op Fl U Ar macro -.Oc .Ar file .Nm ipfw .Op Fl f | q 
@@ -225,11 +219,8 @@ is being run (e.g. when they are mounted over NFS). Once .Fl p -has been specified, optional -.Fl D -and -.Fl U -specifications can follow and will be passed on to the preprocessor. +has been specified, optional arguments for the preprocessor +can follow and will be passed on to the preprocessor. This allows for flexible configuration files (like conditionalizing them on the local hostname) and the use of macros to centralize frequently required arguments like IP addresses. Index: ipfw.c =================================================================== RCS file: /users/ncvs/src/sbin/ipfw/ipfw.c,v retrieving revision 1.80 diff -u -r1.80 ipfw.c --- ipfw.c 2000/02/13 11:46:59 1.80 +++ ipfw.c 2000/02/28 16:26:16 @@ -1917,28 +1917,8 @@ qflag = pflag = i = 0; lineno = 0; - while ((c = getopt(ac, av, "D:U:p:q")) != -1) + while (!pflag && (c = getopt(ac, av, "p:q")) != -1) switch(c) { - case 'D': - if (!pflag) - errx(EX_USAGE, "-D requires -p"); - if (i > MAX_ARGS - 2) - errx(EX_USAGE, - "too many -D or -U options"); - args[i++] = "-D"; - args[i++] = optarg; - break; - - case 'U': - if (!pflag) - errx(EX_USAGE, "-U requires -p"); - if (i > MAX_ARGS - 2) - errx(EX_USAGE, - "too many -D or -U options"); - args[i++] = "-U"; - args[i++] = optarg; - break; - case 'p': pflag = 1; cmd = optarg; 
@@ -1956,8 +1936,15 @@ av += optind; ac -= optind; - if (ac != 1) - show_usage("extraneous filename arguments"); + + if (pflag) { + while (--ac > 0 && i < MAX_ARGS) { + args[i++] = *av++; + } + if (i >= MAX_ARGS) + errx(EX_USAGE, + "too many arguments to preprocessor"); + } if ((f = fopen(av[0], "r")) == NULL) err(EX_UNAVAILABLE, "fopen: %s", av[0]);

From owner-freebsd-ipfw Mon Feb 28 13:44:28 2000
To: Jim Bloom
Cc: freebsd-current@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
References: <38B8BAC5.9927A56E@acm.org> <38BA6E6D.239DEDB1@acm.org> <38BA83C4.8457CC69@acm.org>
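Review bot: in the ipfw.c hunk at -1917,28 +1917,8, adding "!pflag" to the getopt loop condition ends ipfw's own option parsing as soon as -p is seen, so a -q written after "-p preproc" is no longer handled by ipfw and is forwarded to the preprocessor instead. The matching ipfw.8 text at -225,11 +219,8 only says that optional arguments "can follow"; it should state that -q must precede -p, that everything between the preprocessor name and the last argument is forwarded unchanged, and that the last argument is always taken as the rules file.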
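Review bot: in the ipfw.c hunk at -1956,8 +1936,15, the removed "if (ac != 1)" check has no replacement, so the argument count is never validated. Without -p, extra arguments after the file are now silently ignored; with no file argument at all, av[0] reaches fopen() as NULL on both paths, because with -p the test "--ac > 0" is already false when ac is 0 and the loop leaves av untouched. Keep a count check around the new block, for example "if (ac < 1) show_usage("missing filename");" before it and "if (!pflag && ac != 1) show_usage("extraneous filename arguments");" for the path without a preprocessor.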
From: Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann)
Date: 28 Feb 2000 22:43:47 +0100
In-Reply-To: Jim Bloom's message of "Mon, 28 Feb 2000 09:18:44 -0500"

Jim Bloom writes:

> That small test works fine, but doesn't solve the problem I was having.

Oops. Sorry.

kai
--
~/.signature: No such file or directory

From owner-freebsd-ipfw Mon Feb 28 16:36:37 2000
Message-Id: <200002290036.LAA23453@lightning.itga.com.au>
From: Gregory Bond
To: Jim Bloom
Cc: Kai Großjohann, freebsd-current@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
In-reply-to: Your message of Mon, 28 Feb 2000 09:18:44 -0500.
Date: Tue, 29 Feb 2000 11:36:19 +1100

> #define addr 192.186.2.5
> #define mask 255.255.240.0
>
> #define rule(ADDR,MASK) add pass tcp from ADDR ## : ## MASK to any 25 setup
> rule(addr,mask)

This is a well-known artifact of the ANSI C rules. You need to do two levels
of macro in order to get the macro args expanded in the paste operator:

#define addr 1.2.3.4
#define mask 255.255.255.0
#define hn(A,M) A ## : ## M
#define rule(A,M) add pass tcp from hn(A,M) to any 25 setup
rule(addr, mask)

which produces

add pass tcp from 1.2.3.4:255.255.255.0 to any 25 setup

when fed through an ANSI preprocessor (i.e. not "gcc -E" and not /usr/bin/cpp
on 3.x!). This also works if (e.g.) addr is defined on the command line.

From owner-freebsd-ipfw Mon Feb 28 16:43:24 2000
Message-Id: <200002290043.LAA24884@lightning.itga.com.au>
From: Gregory Bond
Cc: Jim Bloom, Kai Großjohann, freebsd-current@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
In-reply-to: Your message of Tue, 29 Feb 2000 11:36:19 +1100.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 29 Feb 2000 11:43:15 +1100
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I wrote:
> when fed through an ANSI preprocessor (i.e. not "gcc -E" and not /usr/bin/cpp
> on 3.x!). This also works if (e.g.) addr is defined on the command line.

and of course I _meant_ to write "(i.e. "gcc -E" and not /usr/bin/cpp..."

gcc -E _is_ an ANSI cpp.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Feb 28 19:11:23 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
        by hub.freebsd.org (Postfix) with ESMTP id 58DFF37B9DA
        for ; Mon, 28 Feb 2000 19:11:20 -0800 (PST)
        (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
        by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA32249;
        Mon, 28 Feb 2000 22:13:58 -0500 (EST)
        (envelope-from cjc)
Date: Mon, 28 Feb 2000 22:13:58 -0500
From: "Crist J. Clark"
To: Jim Bloom
Cc: Ruslan Ermilov, jsegovia@cnc.una.py, freebsd-ipfw@FreeBSD.ORG
Subject: Re: [PATCH] Re: cpp change breaks ipfw
Message-ID: <20000228221358.C31743@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <200002271345.JAA29398@alpha.cnc.una.py> <38B98413.CB910261@acm.org> <20000227221631.A70300@relay.ucb.crimea.ua> <38BAABCC.BCA300AB@acm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <38BAABCC.BCA300AB@acm.org>; from bloom@acm.org on Mon, Feb 28, 2000 at 12:09:32PM -0500
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Feb 28, 2000 at 12:09:32PM -0500, Jim Bloom wrote:
> To provide an easy workaround for the problem with cpp putting spaces
> around expanded macros which causes problems for ipfw, I modified ipfw
> to take arbitrary parameters and pass them to the preprocessor. With
> cpp, -traditional may be passed on the command line. This patch also
> allows for a much wider range of preprocessors since it allows for
> arbitrary syntax in the arguments.

Patch looks good, but it seems to me the easiest way to modify ipfw to
pass more arguments to the preprocessor would be to just allow the '-p'
optarg to be a partial command line. That is, to use the traditional
flag you would,

  # ipfw -p "cpp -traditional" -D... -U ... file

Is there a reason that would not work?
--
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Feb 29 9:55:15 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184])
        by hub.freebsd.org (Postfix) with ESMTP id 3C6C537BD55
        for ; Tue, 29 Feb 2000 09:55:00 -0800 (PST)
        (envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost)
        by info.iet.unipi.it (8.9.3/8.9.3) id SAA32091;
        Tue, 29 Feb 2000 18:51:55 +0100 (CET)
        (envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200002291751.SAA32091@info.iet.unipi.it>
Subject: Re: keep-state and fwd
In-Reply-To: <200002251834.OAA26064@alpha.cnc.una.py> from "jsegovia@cnc.una.py" at "Feb 25, 2000 02:35:29 pm"
To: jsegovia@cnc.una.py
Date: Tue, 29 Feb 2000 18:51:55 +0100 (CET)
Cc: freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

ok, just committed a fix on -current, code for -stable should follow
shortly.
Now it works as expected for both local and externally initiated
connections. Please try it out

/home/ncvs/src/sys/netinet/ip_fw.c,v <-- ip_fw.c
new revision: 1.131; previous revision: 1.130

        cheers
        luigi

> I'd like to know if anyone is using ipfw with keep-state
> and fwd (forwarding). I'm having trouble getting it
> to work.
>
> For example, if I have the following:
>
> ipfw add 10 check-state
> ipfw add 20 deny tcp from any to any established
> ipfw add 30 fwd 127.0.0.1,2525 tcp from _my_net_ to any 25 setup \
>      keep-state
> ipfw add 40 allow tcp from _my_net_ to any setup keep-state
> ipfw add 50 deny tcp from any to any
>
> And then
> $ telnet 127.0.0.1 25
>
> I get an instant panic (double fault)
>
> If I telnet to another machine
> $ telnet some_other_machine 25
>
> the connection is never established but an error is also
> never returned.
>
> If keep-state is not used (that is, fwd without keep-state)
> everything works fine but unfortunately I need ipfw to be
> stateful.
>
> I'm using -current and cvsup'd yesterday.
>
> Any help greatly appreciated.
>
> Juan
> --
> Centro Nacional de Computacion
> Universidad Nacional de Asuncion
> Tel. +595 (21) 585 550
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Feb 29 10:23:39 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7])
        by hub.freebsd.org (Postfix) with ESMTP id 10A8C37BC61
        for ; Tue, 29 Feb 2000 10:23:37 -0800 (PST)
        (envelope-from archie@whistle.com)
Received: (from archie@localhost)
        by bubba.whistle.com (8.9.3/8.9.2) id KAA17444;
        Tue, 29 Feb 2000 10:23:37 -0800 (PST)
From: Archie Cobbs
Message-Id: <200002291823.KAA17444@bubba.whistle.com>
Subject: Re: ipfw and the GRE protocol
In-Reply-To: <002701bf8090$4934b460$43110d0a@chade> from "Chad K. Bisk" at "Feb 26, 2000 02:32:53 pm"
To: ckbisk@bigfoot.com (Chad K. Bisk)
Date: Tue, 29 Feb 2000 10:23:37 -0800 (PST)
Cc: freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Chad K. Bisk writes:
> How does rule 65535 ever get packets?
>
> freebsd# ipfw list
> 00100 divert 8668 ip from any to any via ed1
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 10.0.0.0/8 to any in recv ed1
> 00400 deny ip from 111.222.33.0/24 to any in recv fxp0
> 00500 deny ip from 192.168.0.0/16 to any via ed1
> 00600 deny ip from any to 192.168.0.0/16 via ed1
> 00700 deny ip from 172.16.0.0/12 to any via ed1
> 00800 deny ip from any to 172.16.0.0/12 via ed1
> 00900 allow tcp from any to any established
> 01000 allow tcp from any to 111.222.33.44 25 setup
> 01100 allow tcp from any to 111.222.33.44 53 setup
> 01200 allow tcp from any to 111.222.33.44 80 setup
> 01300 allow tcp from any to any setup
> 01400 allow udp from any 53 to 111.222.33.44
> 01500 allow udp from 111.222.33.44 to any 53
> 01600 allow udp from any 123 to 111.222.33.44
> 01700 allow udp from 111.222.33.44 to any 123
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> freebsd# ipfw show
> 00100 538708 242885311 divert 8668 ip from any to any via ed1
> 00100     12       832 allow ip from any to any via lo0
> 00200      0         0 deny ip from any to 127.0.0.0/8
> 00300    912    110044 deny ip from 10.0.0.0/8 to any in recv ed1
> 00400      0         0 deny ip from 111.222.33.0/24 to any in recv fxp0
> 00500      0         0 deny ip from 192.168.0.0/16 to any via ed1
> 00600      0         0 deny ip from any to 192.168.0.0/16 via ed1
> 00700      0         0 deny ip from 172.16.0.0/12 to any via ed1
> 00800      0         0 deny ip from any to 172.16.0.0/12 via ed1
> 00900 935726 468654385 allow tcp from any to any established
> 01000     18       792 allow tcp from any to 111.222.33.44 25 setup
> 01100      2        80 allow tcp from any to 111.222.33.44 53 setup
> 01200      3       124 allow tcp from any to 111.222.33.44 80 setup
> 01300  23818   1088084 allow tcp from any to any setup
> 01400    204     43821 allow udp from any 53 to 111.222.33.44
> 01500   3190    197690 allow udp from 111.222.33.44 to any 53
> 01600   3113    236588 allow udp from any 123 to 111.222.33.44
> 01700   3153    239628 allow udp from 111.222.33.44 to any 123
> 65000  66466   9761689 allow ip from any to any
> 65535      4       463 deny ip from any to any
>
> It gets 2 during startup and 2 later fairly consistently.

It's getting packets when the other rules are not there.. presumably
brief windows of time at startup and restart, etc.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Feb 29 11:20:15 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from crufty.research.bell-labs.com (crufty.research.bell-labs.com [204.178.16.49])
        by hub.freebsd.org (Postfix) with SMTP
        id 3D0D137BC2F; Tue, 29 Feb 2000 11:20:07 -0800 (PST)
        (envelope-from raz@lucent.com)
Received: from chair.dnrc.bell-labs.com ([135.180.161.201]) by crufty; Tue Feb 29 14:18:21 EST 2000
Received: from lucent.com (razpc [135.180.160.74])
        by chair.dnrc.bell-labs.com (8.9.3/8.9.3) with ESMTP id OAA01847;
        Tue, 29 Feb 2000 14:18:19 -0500 (EST)
Message-ID: <38BC1B82.6C7B2273@lucent.com>
Date: Tue, 29 Feb 2000 14:18:26 -0500
From: dan raz
X-Mailer: Mozilla 4.61 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: questions@freebsd.org, freebsd-ipfw@freebsd.org
Cc: shavitt@lucent.com
Subject: Re: Problems with divert/ipfw
References: <38BADE14.B200B010@lucent.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

It seems that divert was disabled for some unknown reason.
Here are the relevant lines from the /var/log/message file:

Feb 29 11:06:38 heshvan /kernel: npx0 on motherboard
Feb 29 11:06:38 heshvan /kernel: npx0: INT 16 interface
Feb 29 11:06:38 heshvan /kernel: Intel Pentium detected, installing workaround for F00F bug
Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert enabled, rule-based forwarding enabled, unlimited logging
Feb 29 11:06:38 heshvan /kernel: IP Filter: initialized. Default = pass all, Logging = disabled
Feb 29 11:06:38 heshvan /kernel: changing root device to wd0s2a
Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding disabled, logging disabled
Feb 29 11:06:48 heshvan mrouted[124]: mrouted version 3.9-beta3+IOS12

Note that first divert is enabled, and then after mounting /
IP packet filtering is reinitialized, but now divert is disabled.
Any idea why this happens?????

When we try single-user mode the second initialization of IP packet
filtering does not happen.

dan raz wrote:
>
> Hi,
>
> This problem seems to be related to an earlier posting by
> Feiyi Wang which did not seem to be answered.
>
> We are using FreeBSD 3.2 with ipfw and divert.
>
> We have several machines that work fine, but in two of them (not at the same
> time) we see the following phenomenon:
> A counter for a divert ipfw rule is increased, but the program that listens
> on the divert socket (with recvfrom) does not get any data.
>
> The odd thing is that these two machines worked perfectly well
> for several months until they decided not to (of course, we did not change
> the kernel, ipfw rules or the listening program).
> Warm/cold reboot does not help.
> Our guess is that some log file is full or conf file might be corrupted
> but we could not find any.
>
> Any suggestions?
>
> --
>
> Danny Raz                 Tel: 732-949-6712
> Room 4G-637               Fax: 732-949-0399
> Bell-Labs                 email: raz@dnrc.bell-labs.com
> 101 Crawfords Corner Road
> Holmdel, NJ 07733 - 3030
> WWW: http://www.cs.bell-labs.com/~raz

--

Danny Raz                 Tel: 732-949-6712
Room 4G-637               Fax: 732-949-0399
Bell-Labs                 email: raz@dnrc.bell-labs.com
101 Crawfords Corner Road
Holmdel, NJ 07733 - 3030
WWW: http://www.cs.bell-labs.com/~raz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Mar 3 6:12: 8 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from crufty.research.bell-labs.com (crufty.research.bell-labs.com [204.178.16.49])
        by hub.freebsd.org (Postfix) with SMTP
        id D756A37B5B2; Fri, 3 Mar 2000 06:12:03 -0800 (PST)
        (envelope-from raz@lucent.com)
Received: from chair.dnrc.bell-labs.com ([135.180.161.201]) by crufty; Fri Mar 3 09:11:22 EST 2000
Received: from lucent.com (razpc [135.180.160.74])
        by chair.dnrc.bell-labs.com (8.9.3/8.9.3) with ESMTP id JAA06540;
        Fri, 3 Mar 2000 09:11:20 -0500 (EST)
Message-ID: <38BFC80D.73CFB75B@lucent.com>
Date: Fri, 03 Mar 2000 09:11:25 -0500
From: dan raz
X-Mailer: Mozilla 4.61 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Cc: freebsd-ipfw@freebsd.org, shavitt@lucent.com
Subject: A problem with verifing ipfw loaded in rc_network
References: <38BFC3FD.3B01BA34@lucent.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

We have a booting problem that is coming from the rc.network code.
In our boot process, the ipfw is loaded with the appropriate flags
(i.e. divert enable) but then rc.network fails to recognize it and
it reloads ipfw to the kernel with a no-divert flag. The result is that
the divert sockets do not work.

Here are the relevant lines from the /var/log/message file:
.........
Feb 29 11:06:38 heshvan /kernel: npx0: INT 16 interface
Feb 29 11:06:38 heshvan /kernel: Intel Pentium detected, installing workaround for F00F bug
Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert enabled, rule-based forwarding enabled, unlimited logging
Feb 29 11:06:38 heshvan /kernel: IP Filter: initialized. Default = pass all, Logging = disabled
Feb 29 11:06:38 heshvan /kernel: changing root device to wd0s2a
Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding disabled, logging disabled
Feb 29 11:06:48 heshvan mrouted[124]: mrouted version 3.9-beta3+IOS12
.................

Note that first divert is enabled, and then after mounting /
IP packet filtering is reinitialized, but now divert is disabled.
It took us a while to track the problem to rc.network
and related questions were posted in freebsd-questions, and freebsd-ipfw.

This is the relevant code from rc.network:

> # Initialize IP filtering using ipfw
> echo ""
> /sbin/ipfw -q flush > /dev/null 2>&1
> if [ $? = 0 ] ; then
>     firewall_in_kernel=1
> else
>     firewall_in_kernel=0
> fi
>
> if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then
>     if kldload ipfw; then
>         firewall_in_kernel=1 # module loaded successfully
>         echo "Kernel firewall module loaded."
>     else
>         echo "Warning: firewall kernel module failed to load."
>     fi
> fi
>

It should verify that the ipfw is in kernel, and if not reload it.
In our case the test (sbin/ipfw -q flush > /dev/null 2>&1 if [ $? = 0 ] )
does not work. We could not figure out why
the simple test does not work, but we deleted these lines from rc.network
and all seems to be working fine.

Any ideas or suggestions?

Danny

--

Danny Raz                 Tel: 732-949-6712
Room 4G-637               Fax: 732-949-0399
Bell-Labs                 email: raz@dnrc.bell-labs.com
101 Crawfords Corner Road
Holmdel, NJ 07733 - 3030
WWW: http://www.cs.bell-labs.com/~raz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Mar 3 15:59:53 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
        by hub.freebsd.org (Postfix) with ESMTP id 655DA37B6F8
        for ; Fri, 3 Mar 2000 15:59:42 -0800 (PST)
        (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
        by fledge.watson.org (8.9.3/8.9.3) with SMTP id TAA70423;
        Fri, 3 Mar 2000 19:00:39 -0500 (EST)
        (envelope-from robert@cyrus.watson.org)
Date: Fri, 3 Mar 2000 19:00:38 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: ipdivert and ethernet bridging
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have a 3.4-STABLE box on which I have enabled ethernet bridging, bridging
and ipfw, and also ipdivert, as I would like to transform/process some
packets as they pass through the bridge using a userland process. However,
the results so far seem not to be good--while the packets do indeed disappear
from processing at the divert rule, they never reappear following it, or
reach the userland process :-(. Packets originating locally on the bridge
box seem to be processed fine.

I was wondering if you had any thoughts on whether this should be
something that works, or how I could get it to work? I'm not averse to
using -current instead, if necessary.

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sat Mar 4 9:54:14 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
        by hub.freebsd.org (Postfix) with ESMTP id A6ACD37B826
        for ; Sat, 4 Mar 2000 09:54:11 -0800 (PST)
        (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
        by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id MAA48897;
        Sat, 4 Mar 2000 12:59:38 -0500 (EST)
        (envelope-from cjc)
Date: Sat, 4 Mar 2000 12:59:38 -0500
From: "Crist J. Clark"
To: dan raz
Cc: freebsd-ipfw@FreeBSD.ORG, shavitt@lucent.com
Subject: Re: A problem with verifing ipfw loaded in rc_network
Message-ID: <20000304125938.A48777@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <38BFC3FD.3B01BA34@lucent.com> <38BFC80D.73CFB75B@lucent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <38BFC80D.73CFB75B@lucent.com>; from raz@lucent.com on Fri, Mar 03, 2000 at 09:11:25AM -0500
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Mar 03, 2000 at 09:11:25AM -0500, dan raz wrote:
> We have a booting problem that is coming from the rc.network code.
> In our boot process, the ipfw is loaded with the appropriate flags
> (i.e. divert enable) but then rc.network fails to recognize it and
> it reloads ipfw to the kernel with a no-divert flag. The result is that
> the divert sockets do not work.
>
> Here are the relevant lines from the /var/log/message file:
> .........
> Feb 29 11:06:38 heshvan /kernel: npx0: INT 16 interface
> Feb 29 11:06:38 heshvan /kernel: Intel Pentium detected, installing
> workaround for F00F bug
> Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert
> enabled, rule-based forwarding enabled,
> unlimited logging
> Feb 29 11:06:38 heshvan /kernel: IP Filter: initialized. Default = pass all,
> Logging = disabled
> Feb 29 11:06:38 heshvan /kernel: changing root device to wd0s2a
> Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert
> disabled, rule-based forwarding disabled,
> logging disabled
> Feb 29 11:06:48 heshvan mrouted[124]: mrouted version 3.9-beta3+IOS12
> .................
> Note that first divert is enabled, and then after mounting /
> IP packet filtering is reinitialized, but now divert is disabled.
> It took us a while to track the problem to rc.network
> and related questions were posted in freebsd-questions, and freebsd-ipfw.
>
> This is the relevant code from rc.network:
>
> > # Initialize IP filtering using ipfw
> > echo ""
> > /sbin/ipfw -q flush > /dev/null 2>&1
> > if [ $? = 0 ] ; then
> >     firewall_in_kernel=1
> > else
> >     firewall_in_kernel=0
> > fi
> >
> > if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then
> >     if kldload ipfw; then
> >         firewall_in_kernel=1 # module loaded successfully
> >         echo "Kernel firewall module loaded."
> >     else
> >         echo "Warning: firewall kernel module failed to load."
> >     fi
> > fi
> >
>
> It should verify that the ipfw is in kernel, and if not reload it.
> In our case the test (sbin/ipfw -q flush > /dev/null 2>&1 if [ $? = 0 ] )
> does not work. We could not figure out why
> the simple test does not work, but we deleted these lines from rc.network
> and all seems to be working fine.
>
> Any ideas or suggestions?

Can you edit the above line to just be,

  /sbin/ipfw flush
  if [ $? = 0 ] ; then

And then reboot to see what messages come out? Or have you tried that?

One small thing that comes up a lot in the rc* scripts, shouldn't it
really be,

  [ $? -eq 0 ]

Rather than,

  [ $? = 0 ]

Well, I guess they do work the way they are, and the first is a bit
prettier.
--
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
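
An added example, not part of the thread and not code from rc.network: a post-boot check over kernel messages like those quoted above, reporting any feature that the first "IP packet filtering initialized" line enabled and a later one disabled, which is the symptom in dan raz's log. The function names are hypothetical, and treating "unlimited logging" as logging enabled is an assumption.

```shell
#!/bin/sh
# Added example (not from rc.network or the thread): flag a boot in which ipfw
# is initialised more than once and a later initialisation has fewer features.

# Kernel lines from the log excerpt quoted in the thread, wrapped lines rejoined.
sample_log() {
    cat <<'EOF'
Feb 29 11:06:38 heshvan /kernel: npx0: INT 16 interface
Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert enabled, rule-based forwarding enabled, unlimited logging
Feb 29 11:06:38 heshvan /kernel: IP Filter: initialized. Default = pass all, Logging = disabled
Feb 29 11:06:38 heshvan /kernel: changing root device to wd0s2a
Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding disabled, logging disabled
Feb 29 11:06:48 heshvan mrouted[124]: mrouted version 3.9-beta3+IOS12
EOF
}

# ipfw_reinit_report (hypothetical name): reads syslog text on stdin and prints
# one line per feature that the first initialisation enabled and a later one
# disabled. Exit status: 0 = no downgrade, 1 = downgrade found.
ipfw_reinit_report() {
    awk '
    /IP packet filtering initialized,/ {
        n++
        rest = $0
        sub(/^.*IP packet filtering initialized, */, "", rest)
        sub(/[ \t\r]+$/, "", rest)
        cnt = split(rest, part, / *, */)
        for (i = 1; i <= cnt; i++) {
            feat = part[i]
            if (feat ~ /logging/) {
                # Assumption: any logging field other than "logging disabled"
                # (e.g. "unlimited logging") means logging is on.
                state = (feat ~ /disabled/) ? "disabled" : "enabled"
                feat = "logging"
            } else if (feat ~ / enabled$/) {
                state = "enabled"
                sub(/ enabled$/, "", feat)
            } else if (feat ~ / disabled$/) {
                state = "disabled"
                sub(/ disabled$/, "", feat)
            } else {
                continue
            }
            if (n == 1) {
                first[feat] = state
            } else if (first[feat] == "enabled" && state == "disabled") {
                printf "init #%d: %s enabled -> disabled\n", n, feat
                bad = 1
            }
        }
    }
    END { exit bad + 0 }
    '
}

# Demo run; the "||" keeps the non-zero status from aborting a caller using set -e.
sample_log | ipfw_reinit_report || echo "ipfw was re-initialised with fewer features"
```

Feed the function the machine's boot messages on stdin; a non-zero exit status means a later initialisation dropped a feature the first one had.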